Re: bugs for cname can not be working properly with bind 9.11.4
> the domain name is kaixinduole.com

Querying the SOA record for kaixinduole.com shows the SOA serial number is less than what you showed in the screenshot:

;; ANSWER SECTION:
kaixinduole.com.        21600   IN      SOA     ns1.kaixinduole.com. shawn.kaixinduole.com. (
                                2022041566 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )

> I just created a CNAME record for testing, which is www CNAME to www.baidu.com. Please see below:

When you update the zone file and add the CNAME, you must increase the SOA serial number to anything higher than what it currently is. The zone seems to use MMDDnn format, but you can also just increment the current number.

After storing the zone file, I recommend you use named-checkconf -z to make sure you see no error messages, and then you should be able to load the zone with an rndc reload kaixinduole.com

Good luck,

-JP

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: There are some problems in the query log
> All queries are from the same client whose IP is 192.168.100.126, but why is the port each query comes from so different?

The source port is random and it should be different.

> I disabled the recursion of bind 9, but all the Recursion Desired flags were set '+', this confused me.

If you add the +norec (no recursion) flag to dig, it will not request recursion.

> The client object identifiers are not the same although all queries are from the same client.

That is correct, and you can safely ignore them. BIND developers can use those for intense debugging.

> One more thing, I use dlz to allow zone data to be retrieved from postgresql.

I think (actually I'm pretty sure) that DLZ as you have been using it is meanwhile deprecated, so I would consider migrating to something else, i.e. plain zone master files. (Please do not confuse DLZ as you've been using it with the new DLZ loadable modules.)

-JP
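To see the three points above in the log itself (random source ports, the RD flag shown as a leading '+', and the per-connection object id that can be ignored), here is an added example, not code from the thread or from ISC, that parses constructed sample lines in the BIND 9 querylog layout and summarises per-client port spread and RD usage:

```python
"""Added example: summarise BIND 9 query-log lines per client.
The SAMPLE_LOG lines are constructed, not taken from the poster's server."""
import re
from collections import defaultdict

# Constructed sample in the querylog layout:
# client @<object id> <ip>#<port> (<qname>): query: <qname> <class> <type> <flags> (<server ip>)
SAMPLE_LOG = """\
client @0x7f1a3c0b2e10 192.168.100.126#50123 (www.example.com): query: www.example.com IN A +E(0) (192.168.100.1)
client @0x7f1a3c0c4f20 192.168.100.126#41877 (www.example.com): query: www.example.com IN AAAA +E(0) (192.168.100.1)
client @0x7f1a3c0d6030 192.168.100.126#60412 (mail.example.com): query: mail.example.com IN MX + (192.168.100.1)
client @0x7f1a3c0b2e10 192.168.100.200#53 (example.com): query: example.com IN SOA -E(0) (192.168.100.1)
"""

LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[^#\s]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

def parse_query_log(text):
    """Yield one dict per query line; a flags token starting with '+' means RD was set."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a query-log entry (the object id is skipped on purpose)
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["rd"] = rec["flags"].startswith("+")
        yield rec

def summarise(text):
    """Per client IP: number of queries, distinct source ports, queries with RD set."""
    stats = defaultdict(lambda: {"queries": 0, "ports": set(), "rd": 0})
    for rec in parse_query_log(text):
        s = stats[rec["ip"]]
        s["queries"] += 1
        s["ports"].add(rec["port"])
        s["rd"] += rec["rd"]
    return {ip: {"queries": s["queries"], "distinct_ports": len(s["ports"]), "rd": s["rd"]}
            for ip, s in stats.items()}

def fixed_port_clients(text, min_queries=3):
    """Clients whose queries all arrive from one source port: a resolver that does
    not randomise its source port weakens its own cache-poisoning defences."""
    return sorted(ip for ip, s in summarise(text).items()
                  if s["queries"] >= min_queries and s["distinct_ports"] == 1)
```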
Re: bugs for cname can not be working properly with bind 9.11.4
I also get the same value for the serial number from a dig soa.

A couple of questions.

1) I assume you are updating the serial number on the master (primary) zone file. Correct? Is this a stealth (hidden) master?
2) On that same server, what are your values for NOTIFY and if specified, EXPLICIT-NOTIFY.
3) Is there a firewall between the master (primary) and any/all slave (secondary) servers? If yes, does the firewall allow port 53 both UDP and TCP traffic between those servers?
4) Are you logging everything? (yeah, I know query logging can use a lot of resources)

Just from a cursory glance at the zone with dig, it looks as though the domain wasn't reloaded.

Also, it looks like NS2 doesn't respond.

Bob
Re: bugs for cname can not be working properly with bind 9.11.4
> I just modified the serial number

This is not currently a problem, but please note that you've changed the first four digits, which are likely to be 2023. Also, if the zone is reloaded there's no need to restart named.

> Actually nothing changed,

Indeed. Are you doing these changes on the server we know as NS1.kaixinduole.com with the IP address shown below? As Bob mentions, the second NS2 is not responding:

$ dig kaixinduole.com +nssearch
SOA ns1.kaixinduole.com. shawn.kaixinduole.com. 2022041566 3600 900 604800 86400 from server 52.130.145.30 in 343 ms.

From here we're still seeing the unchanged SOA serial number.

-JP
BIND9 TSIG from Windows Server 2016 DNS Server Zone
Dear all,

I have a zone local.grf.hr administered by AD, DHCP and DDNS run by Windows Server 2016 (not by my architectural choice). However, since Windows Server 2016 had a round-robin strategy of inquiring the forwarders, it performed worse than BIND9 on an old Debian server.

So, I had the BIND9 as the secondary server ("slave" is somewhat politically incorrect) and I wanted to secure transactions with TSIG HMAC-SHA256 or stronger, as between Debian BIND9 servers.

I've been Googling around, and they say it cannot be done, because Windows Server uses a special proprietary GSS-TSIG. The article was for an earlier version of WS.

Has there been some improvement in the meantime?

We are thinking about moving the DHCP server to Linux, but it is a huge job to convert the reservations, so it may not be done in the next couple of months.

I would like to secure DNS xfers from zone poisoning in the meantime, considering the recent surge of cyber attacks since the recent war started, and our country voted support for the defending party.

Frankly, I am not in deep with Microsoft DNS, and I guess there can be some tweaking with the PowerShell, and maybe even some undocumented features, but right now I am presented with a problem I can't seem to solve because it is not an open system.

Thanks for any help.

Kind regards,
Mirsad Todorovac

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu

--
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
Re: bugs for cname can not be working properly with bind 9.11.4
Hello Bob, thank you for the support. Please find the answers below.

1. Yes, I have already updated the serial number from the master server; it is not a stealth master, it can provide the DNS resolution publicly.
2. [image: image.png]
3. They can communicate without any block by using the internal IP address; for the public IP address communication there is an ACL between them, but I have already allowed port 53 (UDP and TCP) for everyone.
4. Now I have enabled querylog. [image: image.png]
5. Since I was thinking I just wanted it to be easy, I shut down the slave server; now I have already enabled the slave server, but the serial number is different from the master server, even if I restart/reload the service from the slave server.

Thanks in advance for the help.

On Thu, May 26, 2022 at 12:30 AM Bob McDonald wrote:

> I also get the same value for the serial number from a dig soa.
>
> A couple of questions.
>
> 1) I assume you are updating the serial number on the master (primary) zone file. Correct? Is this a stealth (hidden) master?
> 2) On that same server, what are your values for NOTIFY and if specified, EXPLICIT-NOTIFY.
> 3) Is there a firewall between the master (primary) and any/all slave (secondary) servers? If yes, does the firewall allow port 53 both UDP and TCP traffic between those servers?
> 4) Are you logging everything? (yeah, I know query logging can use a lot of resources)
>
> Just from a cursory glance at the zone with dig, it looks as though the domain wasn't reloaded.
>
> Also, it looks like NS2 doesn't respond.
>
> Bob

--
Best Regards
Bian Mingkai (边明凯)
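The whole thread turns on two checks: the new serial must be greater than the old one in DNS serial arithmetic (the advice to bump it in the first reply), and every listed nameserver must answer dig +nssearch with that serial (the check in the later replies, where NS2 is silent and the secondary still serves the old number). This added example, not code from the thread or from ISC, does both; the nssearch output and the 192.0.2.x addresses are constructed:

```python
"""Added example: pick the next YYYYMMDDnn SOA serial, compare serials with
RFC 1982 arithmetic, and audit `dig +nssearch` output for secondaries that
lag behind the primary or do not answer at all. Sample data is constructed."""
import re

SERIAL_MOD = 2 ** 32

def serial_gt(a, b):
    """RFC 1982: a is newer than b when (a - b) mod 2^32 lies in (0, 2^31)."""
    return 0 < (a - b) % SERIAL_MOD < 2 ** 31

def next_serial(current, yyyymmdd):
    """Prefer today's date followed by '00'; if that is not newer than the current
    serial (same day, or a serial already ahead of the calendar), increment by one."""
    candidate = yyyymmdd * 100
    if not serial_gt(candidate, current):
        candidate = (current + 1) % SERIAL_MOD
    return candidate

# One line per answering server, in the layout printed by `dig <zone> +nssearch`.
NSSEARCH_RE = re.compile(
    r"^SOA \S+ \S+ (?P<serial>\d+)(?: \d+){4} from server (?P<server>\S+) in \d+ ms\.$"
)

def parse_nssearch(output):
    """Map each answering server address to the SOA serial it returned."""
    found = {}
    for line in output.splitlines():
        m = NSSEARCH_RE.match(line.strip())
        if m:
            found[m.group("server")] = int(m.group("serial"))
    return found

def audit(output, primary_serial, expected_servers):
    """Classify every server that should serve the zone as ok, stale or silent."""
    seen = parse_nssearch(output)
    report = {}
    for server in expected_servers:
        if server not in seen:
            report[server] = "no response"
        elif serial_gt(primary_serial, seen[server]):
            report[server] = "stale"
        else:
            report[server] = "ok"
    return report

# Constructed sample: 192.0.2.1 is current, 192.0.2.2 still serves the old
# serial, and 192.0.2.3 (also listed as NS) never answers.
SAMPLE_NSSEARCH = """\
SOA ns1.example.com. hostmaster.example.com. 2022052600 3600 900 604800 86400 from server 192.0.2.1 in 12 ms.
SOA ns1.example.com. hostmaster.example.com. 2022041566 3600 900 604800 86400 from server 192.0.2.2 in 40 ms.
"""
```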
Re: BIND9 TSIG from Windows Server 2016 DNS Server Zone
As far as I know, GSS-TSIG is only used for DNS updates, not zone transfers.

https://bind9.readthedocs.io/en/v9_16_5/advanced.html#dynamic-update

Sorry, I don't know what capabilities AD has for securing zone transfers beyond IP ACLs, which of course is not much security at all. I've never had luck getting AD admins to offer anything better. I'm definitely no AD expert myself.

One possibility of course is to secure at the IP layer, a.k.a. IPsec. You could secure all traffic between the servers with transport mode AH. That would probably blow some minds in your organization. There are many who only know IPsec as encrypted tunnels, i.e. VPNs.

On Wed, May 25, 2022 at 3:38 PM Mirsad Goran Todorovac < mirsad.todoro...@alu.unizg.hr> wrote:

> Dear all,
>
> I have a zone local.grf.hr administered by AD, DHCP and DDNS run by Windows Server 2016 (not by my architectural choice). However, since Windows Server 2016 had a round-robin strategy of inquiring the forwarders, it performed worse than BIND9 on an old Debian server.
>
> So, I had the BIND9 as the secondary server ("slave" is somewhat politically incorrect) and I wanted to secure transactions with TSIG HMAC-SHA256 or stronger, as between Debian BIND9 servers.
>
> I've been Googling around, and they say it cannot be done, because Windows Server uses a special proprietary GSS-TSIG. The article was for an earlier version of WS.
>
> Has there been some improvement in the meantime?
>
> We are thinking about moving the DHCP server to Linux, but it is a huge job to convert the reservations, so it may not be done in the next couple of months.
>
> I would like to secure DNS xfers from zone poisoning in the meantime, considering the recent surge of cyber attacks since the recent war started, and our country voted support for the defending party.
>
> Frankly, I am not in deep with Microsoft DNS, and I guess there can be some tweaking with the PowerShell, and maybe even some undocumented features, but right now I am presented with a problem I can't seem to solve because it is not an open system.
>
> Thanks for any help.
>
> Kind regards,
> Mirsad Todorovac
>
> --
> Mirsad Goran Todorovac
> CARNet sistem inženjer
> Grafički fakultet | Akademija likovnih umjetnosti
> Sveučilište u Zagrebu
>
> --
> CARNet system engineer
> Faculty of Graphic Arts | Academy of Fine Arts
> University of Zagreb, Republic of Croatia
> tel. +385 (0)1 3711 451
> mob. +385 91 57 88 355
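For the BIND-to-BIND leg the poster already has, this is what a TSIG-keyed transfer looks like in named.conf, with the IP-ACL-only setting the reply calls "not much security" shown beside it. It is an added example, not configuration from the thread or from ISC; the key secret, file paths and 192.0.2.x addresses are placeholders, and it does not change the answer above, since a Windows DNS primary cannot present this key on its leg.

```conf
# Shared by both BIND servers. Generate the secret with:
#   tsig-keygen -a hmac-sha256 xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

# Primary (192.0.2.1).
# Weak:  allow-transfer { 192.0.2.2; };   trusts the source address alone.
# Better: require the key, so every AXFR/IXFR message carries an HMAC the
# secondary must be able to produce.
zone "local.grf.hr" {
    type master;          # "type primary" on BIND 9.16 and later
    file "/etc/bind/db.local.grf.hr";
    allow-transfer { key "xfer-key"; };
};

# Secondary (192.0.2.2): sign everything sent to the primary with the key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};
zone "local.grf.hr" {
    type slave;           # "type secondary" on BIND 9.16 and later
    masters { 192.0.2.1; };
    file "/var/cache/bind/db.local.grf.hr";
};
```

After editing, named-checkconf on both hosts and a transfer log entry on the primary showing the key name confirm the key is actually in use.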