Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
A security scan is only a probe and does not change a web server's content
or configuration in any way.

Performing an http://x1.x2.x3.x4 request, where x... are the 4 IP octets, does
not involve DNS in any way.

IP is loaded inside the IEEE MAC "train" but works with dotted IPv4/v6
addresses and not with DNS names.

When you ask for a NAME (not an IP) it is resolved by whatever DNS is
configured inside your TCP/IP configuration, but if you ask for a direct IP,
DNS is skipped entirely and it is a DIRECT CALL.

From: bind-users  on behalf of Bhangui, 
Sandeep - BLS CTR 
Sent: Saturday, September 17, 2016 6:33 PM
To: John Miller
Cc: bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Thanks John

The Security Dept from BLS reported this to our team, which manages the DNS and
infrastructure. I think some scans run by them on the network may have caught
this, not sure though.

And yes, we do not have any record for that IP in our DNS for the bls.gov zone.

Sandeep



-Original Message-
From: John Miller [mailto:johnm...@brandeis.edu]
Sent: Saturday, September 17, 2016 12:14 PM
To: Bhangui, Sandeep - BLS CTR 
Cc: bind-users@lists.isc.org 
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Hi Sandeep,

The redirect part isn't a DNS issue: I telnetted to port 80 on the IP address 
and got:

john@millspad:~$ telnet 146.142.7.113 80
Trying 146.142.7.113...
Connected to 146.142.7.113.
Escape character is '^]'.
GET / HTTP/1.1
Host: 146.142.7.113

HTTP/1.1 302 Found
Date: Sat, 17 Sep 2016 16:30:46 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.9-4ubuntu2.3
location: http://www.watcheezy.com/
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html

Connection closed by foreign host.

But something is definitely listening on that IP address.  Could be a rogue 
device or some sort of routing issue.  Here's a traceroute from the Brandeis 
network:

traceroute to 146.142.7.113 (146.142.7.113), 30 hops max, 60 byte packets
 1  129.64.99.1 (129.64.99.1)  1.112 ms  1.127 ms  0.981 ms
 2  * * *
 3  * * *
 4  * * *
 5  te0-7-0-23.ccr21.bos01.atlas.cogentco.com (38.97.106.1)  2.471 ms  2.427 ms  2.375 ms
 6  be2094.ccr41.jfk02.atlas.cogentco.com (154.54.30.13)  8.046 ms  7.721 ms  7.546 ms
 7  be2806.ccr41.dca01.atlas.cogentco.com (154.54.40.106)  13.692 ms  13.661 ms  13.665 ms
 8  be2171.ccr41.iad02.atlas.cogentco.com (154.54.31.106)  14.765 ms  14.832 ms  14.701 ms
 9  verizon.iad02.atlas.cogentco.com (154.54.10.198)  13.629 ms 204.148.79.53 (204.148.79.53)  12.886 ms  12.862 ms
10  0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.347 ms 0.ae4.XT2.DCA5.ALTER.NET (140.222.225.207)  15.000 ms 0.ae3.XT1.DCA5.ALTER.NET (140.222.225.195)  49.297 ms
11  GigabitEthernet7-0-0.GW9.DCA5.ALTER.NET (152.63.40.21)  14.489 ms  14.502 ms  14.311 ms
12  bls-gw.customer.alter.net (152.179.53.66)  15.437 ms  16.771 ms  16.918 ms
13  146.142.7.129 (146.142.7.129)  17.427 ms  17.338 ms  17.421 ms
14  146.142.7.96 (146.142.7.96)  20.523 ms  20.475 ms  20.421 ms
15  146.142.7.97 (146.142.7.97)  21.510 ms  21.471 ms  21.409 ms
16  146.142.7.83 (146.142.7.83)  18.520 ms  18.453 ms  18.359 ms
17  146.142.7.142 (146.142.7.142)  21.138 ms  21.098 ms  19.436 ms
18  146.142.7.93 (146.142.7.93)  43.152 ms  43.061 ms  43.062 ms
19  146.142.7.66 (146.142.7.66)  133.226 ms  133.169 ms  133.147 ms
20  146.142.7.112 (146.142.7.112)  130.701 ms  130.606 ms  130.737 ms
21  * * *
22  146.142.7.68 (146.142.7.68)  135.039 ms  134.986 ms  134.897 ms
23  146.142.7.132 (146.142.7.132)  127.341 ms  127.256 ms  127.221 ms
24  146.142.7.87 (146.142.7.87)  126.358 ms * *
25  146.142.7.113 (146.142.7.113)  154.693 ms  156.353 ms  156.385 ms

That's one convoluted route to stay in the same /24!  I'd have a chat with your 
network admins and see what's up--this doesn't look normal.

Question for you: how'd you uncover the issue?  Do any DNS records point to 
146.142.7.113?  There's no reverse record for it that I can see.

John

On Sat, Sep 17, 2016 at 11:51 AM, Bhangui, Sandeep - BLS CTR 
 wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns (registered with the registrar) the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet (outside of the BLS network) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in the UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of 
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to the IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is 
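The check John did by hand with telnet, as an added example that is not part of the thread: the code below sends GET / to the literal IP (so, as Alberto notes, no DNS lookup is involved), does not follow the redirect, and parses the first reply to report whether the listener sends visitors to a host outside the organisation's own domains. The embedded reply is the one John captured; `fetch_raw`, the function names and the `bls.gov` domain list are my own assumptions for illustration.

```python
"""Classify the reply a bare-IP HTTP request gets, without following it.

Added example, not part of the thread. Reproduces John's telnet check in
code: connect to the literal IP (no DNS lookup happens), send GET /, and
parse the first reply to see whether the listener redirects away from the
organisation. fetch_raw and the own_domains list are illustrative.
"""
import socket
from urllib.parse import urlsplit

# The reply John captured, embedded as sample input for the offline demo.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Sat, 17 Sep 2016 16:30:46 GMT\r\n"
    b"Server: Apache/2.2.22 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.4.9-4ubuntu2.3\r\n"
    b"location: http://www.watcheezy.com/\r\n"
    b"Vary: Accept-Encoding\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
)


def fetch_raw(ip, port=80, timeout=5):
    """Send the same request John typed and return the raw reply bytes.

    Connecting to a literal address skips DNS entirely, and the redirect is
    not followed, so the answer reflects only the host at that IP. Needs
    network access, so the offline demo below does not call it.
    """
    request = f"GET / HTTP/1.1\r\nHost: {ip}\r\nConnection: close\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


def parse_response(raw):
    """Return (status_code, headers) from a raw HTTP/1.x reply.

    Header names are lower-cased: the captured reply shows Apache/PHP
    emitting "location:" rather than "Location:".
    """
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify_redirect(raw, own_domains):
    """Classify a listener from its first reply.

    Returns ("no-redirect", None) for anything that is not a 3xx with a
    Location header, otherwise ("internal-redirect", host) when the target
    host is under one of own_domains, else ("external-redirect", host).
    """
    status, headers = parse_response(raw)
    location = headers.get("location")
    if not (300 <= status < 400 and location):
        return "no-redirect", None
    host = (urlsplit(location).hostname or "").lower()
    for domain in own_domains:
        domain = domain.lower().strip(".")
        if host == domain or host.endswith("." + domain):
            return "internal-redirect", host
    return "external-redirect", host
```

Run against the captured reply with `["bls.gov"]` as the organisation's domains, the result is an external redirect to www.watcheezy.com, which is the HTTP-layer fact the thread converges on.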

Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
Hmmm, if they manage firewalls, they should be aware of TCP/IP fundamentals,
how HTTP works and much more.

The browser performs a GET on 146.142.7.113 with the RFC HTTP protocol, then
146.142.7.113 says item moved / redirect to http://us.watcheezy.com/

You have to check the web server configuration or the HTML / PHP pages at the
root of the web server 146.142.7.113.

When the browser gets a REDIRECT, it is the browser on the client machine that
performs a new GET on the new address.

It is normal that the firewall team sees nothing unless a packet capture and
analysis is performed.

From: bind-users  on behalf of Bhangui, 
Sandeep - BLS CTR 
Sent: Saturday, September 17, 2016 6:43 PM
To: Lyle; bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which 
does not belong to the organization.

Thanks

We suspected that but network folks are not able to find any device with that 
IP on the BLS network.

Also it seems the firewall folks claim they looked for the traffic coming into
the BLS network, and if the redirect is happening from a host which is
146.142.7.113 they should have seen some traffic, correct? Apparently we do not
see any traffic.

Thanks
Sandeep


-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Lyle
Sent: Saturday, September 17, 2016 12:01 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.

On 09/17/16 10:51, Bhangui, Sandeep - BLS CTR wrote:
> Hi
>
> Not exactly sure whether this is a DNS issue but hoping someone here on this 
> forum can provide some advice/suggestion as I am trying to figure out what is 
> going on.
>
> Our organization BLS owns (registered with the registrar) the network 
> address 146.142.xxx.xxx.
>
> But if someone from the Internet (outside of the BLS network) tries to go to 
> "http://146.142.7.113" it gets redirected to a site in the UK called 
> "us.watcheezy.com"
>
> I have checked the DNS from the BLS side and we do not have any entry of 
> any kind for the record 146.142.7.113 on our DNS.
>
> I have also done DNS lookups for watcheezy.com and those seem to be good too 
> with respect to the IP and the NS and as to what those NS are reporting.
>
> Can anyone throw some light on as to what is going on here. Does not look 
> like a DNS issue to me but I could be wrong.
>
> Thanks
> Sandeep
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
There is a host listening on 146.142.7.113 tcp port 80. It's issuing a
302 redirect to http://www.watcheezy.com at IP address 37.187.76.95.
That host is issuing a 301 redirect to http://us.watcheezy.com at 37.187.76.95.

Lyle Giese
LCR Computer Services, Inc.


Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
Big security problem if you have an uncontrolled and unauthorized web server
on that IP that is not firewalled.

To find it, check the ARP tables on the switches to follow the switch port
where it is physically linked.

https://www.linkedin.com/in/alberto-colosi



From: Bhangui, Sandeep - BLS CTR 
Sent: Saturday, September 17, 2016 7:52 PM
To: Alberto ; bind-users@lists.isc.org
Subject: RE: Organization IP address is getting redirected to a website which 
does not belong to the organization.


Understood and I am sure they are aware of those protocols.



We do not have a webserver which is hosted on 146.142.7.113 that I can 
categorically say as that falls under our team.



Network folks are having a tough time even finding an active device with that 
IP on the network.



Thanks

Sandeep





From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alberto 

Sent: Saturday, September 17, 2016 12:52 PM
To: bind-users@lists.isc.org
Subject: Re: Organization IP address is getting redirected to a website which 
does not belong to the organization.



Hmmm, if they manage firewalls, they should be aware of TCP/IP fundamentals,
how HTTP works and much more.

The browser performs a GET on 146.142.7.113 with the RFC HTTP protocol, then
146.142.7.113 says item moved / redirect to http://us.watcheezy.com/

You have to check the web server configuration or the HTML / PHP pages at the
root of the web server 146.142.7.113.

When the browser gets a REDIRECT, it is the browser on the client machine that
performs a new GET on the new address.

It is normal that the firewall team sees nothing unless a packet capture and
analysis is performed.












Re: base domain doesn't respond with an IP

2016-11-02 Thread Alberto ----
Yes, so simple: at the origin (or @), after the NS declarations put

@   IN  A   ip.ip.ip.ip

if I correctly understood the question.

From: bind-users  on behalf of lbutlr 

Sent: Wednesday, November 2, 2016 10:09 AM
To: bind-users@lists.isc.org
Subject: base domain doesn't respond with an IP

On a domain all the subdomain names resolve to an IP address (mail, ns1, www,
etc.) but the base domain name does not.

The config file looks like:

$ORIGIN .
$TTL 86400  ; 1 day
covisp.net. IN SOA  ns1.covisp.net. root.covisp.net. (
                    2016103100 ; serial
                    1H         ; refresh
                    15         ; retry
                    1w         ; expire
                    600        ; minimum
                    )
            NS  ns1.covisp.net.
            NS  ns2.covisp.net.
            NS  mail.covisp.net.
            MX  10 mail.covisp.net.
$ORIGIN covisp.net.
mail    A   65.121.55.42
ns1     A   65.121.55.43
ns2     A   65.121.55.44
www     A   65.121.55.45

dnscheck.pingdom.com shows everything is fine.



# dig covisp.net @ns2.covisp.net
...

;covisp.net. IN A

;; AUTHORITY SECTION:
covisp.net. 600 IN SOA 
ns1.covisp.net. root.covisp.net. 
2016103100 3600 15 604800 600

(I have also tried the following, with no change:

$ORIGIN covisp.net.
.A   65.121.55.42
mail A   65.121.55.42

I'm sure it's something stupid

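As an added example that is not part of the thread: a small reader for the master-file rules lbutlr's file relies on ($ORIGIN, @, owner inheritance on lines that start with whitespace, parentheses spanning several lines) which reports whether the apex owns an A record, the condition behind the SOA-only reply shown above. The zone text is lbutlr's with the spacing restored; the record-type set and the helper names are my own assumptions.

```python
"""Check whether a BIND master file has an A record at the zone apex.

Added example, not from the thread. Applies the master-file rules lbutlr's
file relies on ($ORIGIN, '@', owner inheritance on lines that start with
whitespace, parentheses spanning several lines). Helper names are assumed.
"""
import re

# lbutlr's file from the thread, with the spacing restored.
ZONE_TEXT = """\
$ORIGIN .
$TTL 86400  ; 1 day
covisp.net. IN SOA ns1.covisp.net. root.covisp.net. (
            2016103100 ; serial
            1H         ; refresh
            15         ; retry
            1w         ; expire
            600        ; minimum
            )
            NS  ns1.covisp.net.
            NS  ns2.covisp.net.
            NS  mail.covisp.net.
            MX  10 mail.covisp.net.
$ORIGIN covisp.net.
mail    A   65.121.55.42
ns1     A   65.121.55.43
ns2     A   65.121.55.44
www     A   65.121.55.45
"""

RR_TYPES = {"SOA", "NS", "MX", "A", "AAAA", "CNAME", "TXT", "PTR", "SRV"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)


def _logical_lines(text):
    """Yield lines with ';' comments stripped and '( ... )' groups joined.

    Quoted strings holding ';' or parentheses are not handled (none here).
    """
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def _absolute(name, origin):
    """Make an owner name absolute relative to the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def parse_zone(text):
    """Return [(owner, rtype, rdata)] with absolute, lower-cased owner names."""
    origin, last_owner, records = ".", None, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if line[0] in " \t":
            # Blank owner field: the record belongs to the previous owner.
            if last_owner is None:
                raise ValueError("first record has no owner name")
            owner = last_owner
        else:
            owner = _absolute(tokens.pop(0), origin)
        # An optional TTL and/or class may precede the record type.
        while tokens and (TTL_RE.match(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype not in RR_TYPES:
            raise ValueError("unknown record type %r in %r" % (rtype, line.strip()))
        records.append((owner.lower(), rtype, " ".join(tokens)))
        last_owner = owner
    return records


def apex_has_a(text, zone_name):
    """True if the zone apex itself owns at least one A record.

    When False, a query for the bare name gets the NOERROR reply lbutlr saw:
    no ANSWER section, only the SOA in AUTHORITY.
    """
    apex = zone_name.lower().rstrip(".") + "."
    return any(o == apex and t == "A" for o, t, _ in parse_zone(text))
```

Appending the `@ IN A` line Alberto suggests after the second $ORIGIN makes `apex_has_a` true, while the file as posted fails the check.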

Re: DNS and cache-expiration modification

2016-11-18 Thread Alberto ----
Never heard that was possible, also because it is populated on the fly from
forwarders and the TLDs.

The cache is populated from answers and is not a physical zone.

Expiration is regulated by the TTL always sent in the answer, and the admin can
change it and specify a different TTL for each record, different from the SOA.

For the cache, as it is a dynamically populated area, I don't think it is
possible to change what the domain admin put as TTL and what you receive as an
answer and put in the cache.

From: bind-users  on behalf of Job 

Sent: Friday, November 18, 2016 10:24 AM
To: bind-users@lists.isc.org
Subject: DNS and cache-expiration modification

Hello,

For heavy-use cache improvements, I was thinking to "alter" the expire time of
cache records.
I would like to try to "alter" the expiration of records present in the cache.

Do you know if this is possible with Bind?

Thank you,
/F

security BIND

2012-08-04 Thread Alberto Rasillo
Hi, what are the recommendations regarding security and the DNS service?
Thanks

Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Alberto Zanon
Hi all, 

I googled all morning without success :( I'm using Bind 9.9.1 and I'm a Bind
newbie. This is my goal:

- I want to define in my DNS server a zone "external_partner.com", which is the
domain of our partner, who manages it with his public DNS server
"dns.external_partner.com".
- I need to define in this zone a couple of servers
("vpn_host_1.external_partner.com", "vpn_host_2.external_partner.com") because
we connect via VPN to our partner.
- I want the rest of the names, e.g. "www.external_partner.com", to be resolved
by forwarding the requests to our partner's DNS.

I tried this without success: 

- in "named.conf": 

zone "external_partner.com" { type master; file "master/external_partner.com.zon"; forwarders { xxx.xxx.xxx.xxx; }; };

and I have "recursion yes" in the options. 


- in "external_partner.com.zon" I have only the two entries:

$TTL 300
@ IN SOA dns.edistar.com. admin.dns.edistar.com. (
        2013011701 ; Serial
        300 ; Refresh
        300 ; Retry every hour
        300 ; Expire after a week
        300 ) ; Minimum ttl of 1 day

  IN NS dns.edistar.com.
  TXT "vpn servers"

vpn_host_1.external_partner.com. IN A xxx.xxx.xxx.xxx
vpn_host_2.external_partner.com. IN A xxx.xxx.xxx.xxx


I read about the "forward first" option but it is the opposite of my goal, correct?




Thanks in advance for your responses. 


Alberto Zanon 


Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Alberto Zanon
Thank you for all your replies! 

I'll try to implement your suggestions using a subdomain. 



Best regards. 

Alberto Zanon 


- Original message -
From: "Ben Croswell" 
To: "Alberto Zanon" 
Cc: bind-users@lists.isc.org 
Sent: Thursday, 17 January 2013 16:21:36 
Subject: Re: Define an internal zone with only a couple of A records, then 
forward to an external dns server 



If you load the zone your server will believe it knows everything about the 
zone and not forward anything below it. 

If you load foo.com with two records, nothing but those two records will ever 
resolve on that server for foo.com. 

One way to make it work would be to load two zones, vpn1.foo.com and 
vpn2.foo.com, each with their A records. Then you would only blackhole things 
below vpn1.foo.com and vpn2.foo.com. 

Re: rDNS

2017-01-20 Thread Alberto Colosi
I manage delegated and non-delegated ones, but the ISP delegates (it can, but
is not forced to) only if you own at least the whole class C subnet.

If you only own some IPs from a C subnet, as DNS ZONEs for reverse lookups
handle an entire C subnet, just 3, 5, 10 IPs from a subnet can't be delegated.

So if you don't own a full C subnet, or the ISP doesn't want to delegate (if
your DNS server were unreachable it could harm something at the ISP), you can
only try to ask the ISP to map the names on their DNS, the ISP DNS, and even
this not all ISPs do, or it is done with the default IN-ADDR.ARPA naming.

Alberto Colosi

ITC , NetWork & Security Architect & Admin



From: bind-users  on behalf of Reindl Harald 

Sent: Friday, January 20, 2017 5:06 PM
To: bind-users@lists.isc.org
Subject: Re: rDNS



Am 20.01.2017 um 16:57 schrieb Ron Wingfield:
> I am having difficulty configuring reverse DNS.  This has been a problem
> for over a year between my server(s) and my ISP, AT&T.  Specifically, I
> cannot  eMail to any recipient that requires rDNS verification, e.g.,
> SBCglobal.net, Comcast.net, or AOL.  Very frustrating.
>
> In both cases, the reported server is an AT&T server ;; SERVER:
> 68.94.157.9#53
> . . .why shouldn't this "point" to my server, 162.202.233.81 and not AT&T's?

because the rDNS has *nothing* to do with your domain and mostly also
not with your DNS server (unless you have your own subnet and it's
delegated by the ISP)

you are not the net owner - you must talk to your ISP

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
Hi, the named structure is unclear: is it a slave or a master, are dynamic
updates enabled, and has the unix box been hacked?

Lastly, are the zones static files on the fs?



From: bind-users  on behalf of Raul Dias 

Sent: Tuesday, February 7, 2017 3:03 PM
To: bind-users@lists.isc.org
Subject: bind 9 goes rogue and revert zone information

Hello,

I have a very strange behavior that I am failing to understand.

2 to 5 times a week, a named server reverts back to a previous version of
a master zone.
This happens during the night, usually around 20h EST.

This zone has a serial of 3017020401 (yes, I typo the 3 somewhere in the
past).
When it reverts its zone information, it goes back to 3016060101.

I have updated, restarted the host, clean all cache and journal files,
grep all files in the host for 3016060101 (just shows up in the logs).

So, I have no clue why, or how it is happening. Where does it get the
old information?

I thought first about the serial, but it would have happened in the past
too, right?  As it should be a 32bit unsigned integer, it shouldn't be a
problem, IMHO.

Yet, when "dig domain -t SOA @server", it is there again.

The host is a debian Jessie and bind is 9.9.5, 1:9.9.5.dfsg-9+deb8u8
more specifically.


Thanks for any direction.
-rsd

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
IP ports not being open does not mean it is not hacked.

A vulnerability can be used to make a change or gain access.

Try to change and audit file access and permissions; firewall log analysis can
give a plus in finding a solution (check all IP traffic out from TCP/UDP 53).

If you have RNDC, change the KEY or disable it.

From: Raul Dias 
Sent: Tuesday, February 7, 2017 3:34 PM
To: Alberto Colosi; bind-users@lists.isc.org
Subject: Re: bind 9 goes rogue and revert zone information


Sorry,
Static files.
It is the master server.
No dynamic updates.
Host under lxc with only bind ports open.


Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
Lucky, you say.

Zombie hosts, hijacked resources and poisoned DNS are not a hack

In my years in a Security Desk seat I had at least one attack from zombie hosts
from a US university. The admins did not even know it was hacked.

The target of hackers is not only credit cards or other such valuable things.
Even just a zombie host is a valuable item for them.

From: bind-users  on behalf of Alan Clegg 

Sent: Tuesday, February 7, 2017 10:48 PM
To: bind-users@lists.isc.org
Subject: Re: bind 9 goes rogue and revert zone information

On 2/7/17 8:42 AM, Alberto Colosi wrote:
> IP ports not open does not mean is not hacked.
>
> a vulnerability can be used to make a change or an access

Occam's razor... if you were a hacker and broke into someone's DNS
server, would the thing that you focus on be resetting the data every 24
hours?

This isn't a hack, this is a screwed up backup/restore or virtualization
configuration.

Don't waste time chasing ghosts.


Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi

The truth is to solve it, not to ask what a hacker (maybe a child who ran a
tool found on the internet, like virus toolkits).

To quote me is not a solution to the issue.

Only your last line in your last mail is good.

- Reply message -
From: "Reindl Harald" 
To: "bind-users@lists.isc.org" 
Subject: bind 9 goes rogue and revert zone information
Date: Tue, Feb 7, 2017 23:38



Am 07.02.2017 um 23:31 schrieb Alberto Colosi:
> lucky you say
>
> zombie host and hijacked resourced poisoned DNS are not an hack
>
> In years as Security Desk Seat I had at leat one attack from zombie
> hosts from a US University. Admins even not known was hacked.
>
> Target of hackers is not only credit cards or other so valuable things.
> Even only a zombie host is a valuable item for them.

yeah, but why should they be so dumb and set your dns zone to the values
24 hours before so that you notice the issue and much better question:
from where do they have the exact data of your own zone 24 hours before?

try "chattr +i" on your zonefile so that it can't be touched and with
some luck the stuff trying to replace it will error out in cronmails or
syslog

> 
> *From:* bind-users  on behalf of Alan
> Clegg 
> *Sent:* Tuesday, February 7, 2017 10:48 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: bind 9 goes rogue and revert zone information
>
> On 2/7/17 8:42 AM, Alberto Colosi wrote:
>> IP ports not open does not mean is not hacked.
>>
>> a vulnerability can be used to make a change or an access
>
> Occam's razor... if you were a hacker and broke into someone's DNS
> server, would the thing that you focus on be resetting the data every 24
> hours?
>
> This isn't a hack, this is a screwed up backup/restore or virtualization
> configuration.
>
> Don't waste time chasing ghosts


Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
Hi, let me say that what you say is a bit strange. If you mean a many-to-1 NAT, it 
can't be reached in the reverse direction; the "many" can only go out and receive 
reply packets for an established session or a related UDP packet


if you mean for example an application server that gives different web content as 
output by reading the name after the domain name, that is possible, but it is always 
one server and not many to 1


if you mean that several nets are shared to one single IP address (NAT), no, 
you can only know the IP of the application or appliance that performs the NAT. You 
can't know the MAC or IP behind a NAT (NAT is also a routing action that encapsulates 
the IP packet inside another IEEE 802.2 packet with the MAC address of whoever 
performs the NAT (external interface))


over that, in any case, BIND can log QUERIES; check CHANNELS for the LOG action 
inside the BIND documentation


you can log DNS queries but it is such a large log file (as with network accounting, 
it can't be live for "too much").



Alberto Colosi

IT NetWork & Security Architect Engineer




From: bind-users  on behalf of Job 

Sent: Tuesday, February 28, 2017 2:35 PM
To: bind-users@lists.isc.org
Subject: Recognizing remote IP in shared connections

Hi,

for policy purposes, we need to know which remote site is resolving against a Bind 
9.x public DNS Server.
The problem occurs when some carriers "share" the same IP address between more 
customers and they surf behind a shared NAT.

Is there a way? Perhaps with DNScrypt or DNSSEC?

Thank you!
/F
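
The reply above suggests logging queries to see who is asking. As an added example (not from the thread and not BIND's code), the Python below parses BIND querylog lines and aggregates them per source address. The regular expression follows the BIND 9.x querylog format and allows for the pieces that vary between versions: the "@0x..." client pointer printed by 9.11, the query name repeated in parentheses, and an optional "view NAME:" part; the log lines themselves are constructed. It also shows the limit Alberto describes: subscribers behind a carrier NAT all collapse into one source address, so per-client counts can never separate them.

```python
"""Parse BIND query-log lines and aggregate them per client address.

Added example, not BIND's own code. QUERY_RE is written for the BIND 9.x
querylog format with its optional pieces (client pointer, repeated query
name, view name). SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict

QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?"             # BIND >= 9.11 prints a client pointer
    r"(?P<ip>[0-9A-Fa-f.:%]+)#(?P<port>\d+)"    # source address and port
    r"(?: \((?P<qname_paren>[^)]*)\))?"          # query name repeated in parentheses
    r": (?:view (?P<view>\S+): )?query: "        # optional view name
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
    r"(?: \((?P<server>[^)]*)\))?"               # address the query arrived on
)

# Constructed sample: three queries from one NAT address, two from another,
# in the slightly different line shapes BIND 9.9 and 9.11 produce.
SAMPLE_LOG = """\
28-Feb-2017 14:35:02.101 queries: info: client 203.0.113.5#41234 (www.example.net): query: www.example.net IN A +E (192.0.2.53)
28-Feb-2017 14:35:02.377 queries: info: client 203.0.113.5#41235 (mail.example.net): query: mail.example.net IN MX -E (192.0.2.53)
28-Feb-2017 14:35:03.004 queries: info: client 203.0.113.5#41236 (www.example.net): query: www.example.net IN AAAA +E (192.0.2.53)
28-Feb-2017 14:35:03.880 queries: info: client @0x7f3c6c0b4a10 198.51.100.9#5353 (example.net): view external: query: example.net IN NS + (192.0.2.53)
28-Feb-2017 14:35:04.010 queries: info: client 198.51.100.9#5353: query: example.net IN SOA - (192.0.2.53)
"""


def parse_query_line(line):
    """Return a dict for one querylog line, or None if it is not a query record."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    # The first flag character is '+' when recursion was requested, '-' when not;
    # 'E' marks EDNS, 'T' a query received over TCP.
    rec["recursion_desired"] = rec["flags"].startswith("+")
    rec["edns"] = "E" in rec["flags"]
    rec["tcp"] = "T" in rec["flags"]
    return rec


def parse_query_log(text):
    """Parse every line of a log; lines that are not query records are skipped."""
    records = []
    for line in text.splitlines():
        rec = parse_query_line(line)
        if rec is not None:
            records.append(rec)
    return records


def summarize_by_client(records):
    """Group queries by source address: count, distinct names, distinct source ports."""
    summary = defaultdict(lambda: {"queries": 0, "names": set(), "ports": set()})
    for rec in records:
        entry = summary[rec["ip"]]
        entry["queries"] += 1
        entry["names"].add(rec["qname"])
        entry["ports"].add(rec["port"])
    return dict(summary)


if __name__ == "__main__":
    for ip, entry in sorted(summarize_by_client(parse_query_log(SAMPLE_LOG)).items()):
        print("%-15s %3d queries, %d names, %d source ports"
              % (ip, entry["queries"], len(entry["names"]), len(entry["ports"])))
```

The number of distinct source ports per address is a weak hint that more than one stub resolver sits behind it, but nothing in the query itself identifies the site; that is why the follow-up reply notes that a forwarding ISP resolver hides the client completely.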

Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
sorry, let me only add a comment to the previous mail


if whoever makes the query uses a DNS forwarding system (like using the ISP DNS as 
forwarders or as direct resolver) you'll only have the ISP DNS on the last forward action




From: bind-users  on behalf of Job 

Sent: Tuesday, February 28, 2017 2:35 PM
To: bind-users@lists.isc.org
Subject: Recognizing remote IP in shared connections

Hi,

for policy purposes, we need to know which remote site is resolving against a Bind 
9.x public DNS Server.
The problem occurs when some carriers "share" the same IP address between more 
customers and they surf behind a shared NAT.

Is there a way? Perhaps with DNScrypt or DNSSEC?

Thank you!
/F

views

2017-04-19 Thread Alberto Rinaudo
Hello,
I have a bind installation on an AWS server and I'm trying to set up views
to give different responses based on the source location.
It works fine when this dns server is the first dns used by a client, I
guess because the source address used to discriminate between views is the
last hop.
If the query goes first to google dns instead I end up in the wrong view.
So here's the question: is it possible to use the original source address
to choose the view?
Am I looking at the right option or should I use something different than
views?
Thanks

Re: views

2017-04-19 Thread Alberto Rinaudo
I understand the concept, but I'm not sure I fully understand how to
configure it.
I've updated my bind to 9.11 P05 compiled with "--with-ecdsa", and as far
as I can read EDNS is enabled for authoritative bind installations
automatically.
But I'm still getting wrong answers from my installation.
Here are my configurations:

named.conf:
// acl must be defined before it is referenced (here by allow-recursion
// and match-clients); named.conf allows no forward references
acl internal {
  service_server_subnet/24;
  service_server_wan_ip;
};
options {
  listen-on port 53 { any; };
  listen-on-v6 port 53 { any; };
  directory "/var/named";
  dump-file "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";
  allow-recursion { internal; };
  allow-query { any; };
  allow-query-cache { none; };
};
view "internal" {
  match-clients { internal; };
  zone "example.net" IN {
    type master;
    file "/etc/named/example.net.internal";
  };
};
view "external" {
  match-clients { any; };
  zone "example.net" IN {
    type master;
    file "/etc/named/example.net.external";
  };
};



example.net.external:
$TTL 3600
example.net. IN SOA ns1.example.net. example.net. (
2001062501
21600
3600
604800
3600 )
example.net. IN NS ns1.example.net.
example.net. IN NS ns2.example.net.
example.net. IN MX 10 mx.zoho.com.
example.net. IN MX 20 mx2.zoho.com.
ns1.example.net. IN A bind_wan_ip
ns2.example.net. IN A bind_wan_ip
example.net. IN A service_server_wan_ip
www.example.net. IN CNAME example.net.
mail.example.net. IN A service_server_wan_ip
mail.example.net. IN MX 10 mail.example.net.
mail.example.net. IN SPF "v=spf1 +a +mx +include:mail.example.net -all"
service.example.net. IN A service_server_wan_ip



example.net.internal:
$TTL 3600
example.net. IN SOA ns1.example.net. example.net. (
2001062501
21600
3600
604800
3600 )
example.net. IN NS ns1.example.net.
example.net. IN NS ns2.example.net.
example.net. IN MX 10 mx.zoho.com.
example.net. IN MX 20 mx2.zoho.com.
ns1.example.net. IN A bind_wan_ip
ns2.example.net. IN A bind_wan_ip
example.net. IN A service_server_lan_ip
www.example.net. IN CNAME example.net.
mail.example.net. IN A service_server_lan_ip
mail.example.net. IN MX 10 mail.example.net.
mail.example.net. IN SPF "v=spf1 +a +mx +include:mail.example.net -all"
service.example.net. IN A service_server_wan_ip



When I dig my subdomain however I get these replies:
# dig +noall +answer service.example.net @ns1.example.net
service.example.net.    3600    IN    A    service_server_lan_ip
# dig +noall +answer service.example.net @8.8.8.8
service.example.net.    3599    IN    A    service_server_wan_ip

Can you spot anything wrong with it?
Thanks


On 19 April 2017 at 09:37, Tony Finch  wrote:

> Alberto Rinaudo  wrote:
>
> > I have a bind installation on a aws server and I'm trying to set up views
> > to give different responses based on the source location.
> >
> > It works fine when this dns server is the first dns used by a client, I
> > guess because the source address used to discriminate between views is
> the
> > last hop.
> >
> > If the query goes first to google dns instead I end up in the wrong view.
> >
> > So here's the question: is it possible to use the original source address
> > to chose the view?
>
> This is what the EDNS client subnet option is about. You can use it in
> BIND by adding "ecs" clauses to your address match lists for views or
> acls. However it isn't documented in the ARM and it has significant
> problems. See
> https://kb.isc.org/article/AA-01432/0/BIND-9.11.0-Release-Notes.html
> and especially
> https://kb.isc.org/article/AA-01480/0/BIND-9.11.1rc3-Release-Notes.html
>
> EDNS client subnet specification:
> https://tools.ietf.org/html/rfc7871
>
> Google Public DNS support for ECS on authoritative servers:
> https://groups.google.com/forum/#!topic/public-dns-announce/67oxFjSLeUM
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/  -  I xn--zr8h punycode
> Viking, North Utsire: Southwesterly 5 or 6, decreasing 4 at times. Slight or
> moderate. Rain at times. Good, occasionally poor.
>
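
Tony's reply points at the EDNS Client Subnet option, which is how a recursive resolver such as Google Public DNS tells the authoritative server which network the original client came from, instead of the resolver's own address that BIND otherwise uses to pick a view. As an added example (not from the thread and not BIND's code), the Python below encodes and decodes the option's wire format per RFC 7871: FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH and the address truncated to the prefix. The sample addresses are constructed; on the BIND side the "ecs" clause Tony mentions is what consumes this data.

```python
"""Encode and decode the EDNS0 Client Subnet (ECS) option, RFC 7871.

Added example, not BIND's code. Shows the OPTION-DATA a client-subnet-aware
resolver sends so that an authoritative server can see the original
client's network. Sample addresses below are constructed.
"""
import ipaddress
import struct

OPTION_CODE_ECS = 8          # IANA-assigned EDNS option code for Client Subnet
FAMILY_IPV4, FAMILY_IPV6 = 1, 2


def encode_ecs(client_ip, source_prefix_len, scope_prefix_len=0):
    """Return ECS OPTION-DATA for client_ip truncated to source_prefix_len bits.

    Only the bytes that carry prefix bits are sent, with the bits beyond
    the prefix zeroed, so the resolver does not disclose the full address.
    """
    addr = ipaddress.ip_address(client_ip)
    family, max_len = (FAMILY_IPV4, 32) if addr.version == 4 else (FAMILY_IPV6, 128)
    if not 0 <= source_prefix_len <= max_len:
        raise ValueError("prefix length out of range for address family")
    network = ipaddress.ip_network((str(addr), source_prefix_len), strict=False)
    nbytes = (source_prefix_len + 7) // 8
    addr_bytes = network.network_address.packed[:nbytes]
    return struct.pack("!HBB", family, source_prefix_len, scope_prefix_len) + addr_bytes


def decode_ecs(data):
    """Parse ECS OPTION-DATA and return (network, scope_prefix_len).

    Raises ValueError on the malformed cases RFC 7871 tells a server to
    reject with FORMERR: unknown family, address length not matching the
    prefix length, or non-zero bits beyond the source prefix.
    """
    if len(data) < 4:
        raise ValueError("ECS option too short")
    family, source_len, scope_len = struct.unpack("!HBB", data[:4])
    addr_part = data[4:]
    if family == FAMILY_IPV4:
        total, max_len = 4, 32
    elif family == FAMILY_IPV6:
        total, max_len = 16, 128
    else:
        raise ValueError("unsupported address family %d" % family)
    if source_len > max_len:
        raise ValueError("source prefix length exceeds family maximum")
    if len(addr_part) != (source_len + 7) // 8:
        raise ValueError("address length does not match source prefix length")
    addr = ipaddress.ip_address(addr_part + b"\x00" * (total - len(addr_part)))
    network = ipaddress.ip_network((str(addr), source_len), strict=False)
    if network.network_address != addr:
        raise ValueError("non-zero bits beyond the source prefix")
    return network, scope_len


def wrap_in_opt_rdata(option_data, option_code=OPTION_CODE_ECS):
    """Frame OPTION-DATA with OPTION-CODE and OPTION-LENGTH as it sits in an OPT RR."""
    return struct.pack("!HH", option_code, len(option_data)) + option_data


if __name__ == "__main__":
    # Constructed sample: a resolver querying on behalf of 192.0.2.77 and
    # disclosing only its /24, which is the usual IPv4 source prefix length.
    opt = encode_ecs("192.0.2.77", 24)
    print(opt.hex())
    print(decode_ecs(opt))
```

A server that honours ECS answers with SCOPE PREFIX-LENGTH set to how much of the prefix it actually used, which is also what the resolver must key its cache on; that is the cache-fragmentation cost the release notes Tony links describe.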

Re: Query on the Overload control mechanism for DNS Server

2017-04-30 Thread Alberto Colosi
Use the ISC RRL feature


if they are simple queries and not a mass bombing of queries, plan a LB structure as per RFC 
(dead DNS switching) is not designed for load issues and can't solve it.


when a query is performed from a remote DNS it is supposed to be put inside the 
cache! so if you are not an ISP you could only use ISC BIND RRL


https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html



I use it on my auth DNS box



Alberto Colosi

Network & Security Admin & Architect Engineer






From: bind-users  on behalf of 
ramkishor...@gmail.com 
Sent: Sunday, April 30, 2017 3:04 PM
To: comp-protocols-dns-b...@isc.org
Subject: Query on the Overload control mechanism for DNS Server

Hi,
To protect the DNS server from overload, is there any feature already part of 
BIND software (or that can be achieved with any configuration changes) which can be 
enabled/disabled?
I came across a relevant feature called response rate limit (RRL) in the documentation, 
and it looks like it is mostly useful when taking the decision at the time of 
response transmission, after the handling of the incoming request.
Correct me if I am wrong here.

But what I am looking for is a feature which calculates the incoming rate and 
rejects the messages above a certain limit at the initial stage itself, before 
handling them, and drops them. So that no resource utilization/processing will be 
wasted.
This type of mechanism will be very much useful in defining the benchmark limit 
for any particular server based on its CPU and resources utilization.

The Bind version we currently use is Bind 9.11.

Any expertise inputs are very much appreciated. Thanks.


Re: DNS forwarding

2017-05-17 Thread Alberto Colosi
If you have as forwarder the DNS master for such zones (meaning that the DNS knows how 
to resolve):


- check the ACL inside the conf

- check the authoritative (master DNS) logs, and if not 
implemented, put some log channels inside the conf to check




From: bind-users  on behalf of Elias Pereira 

Sent: Wednesday, May 17, 2017 10:44 PM
To: bind-users@lists.isc.org
Subject: DNS forwarding

Hello,

Our scenario today consists of one:

- DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*, 
moodle.mydomain.com, etc)

- samba3 PDC server
- Openldap server (user base for samba)

All our IPs are public.

This scenario above works like a charm!! :D

Now, I'm implementing a new samba4 AD server.

In order for me to be able to put users in the AD domain, I need to configure 
the samba4 AD IP as primary dns on the computers. In the bind installed on 
samba4 AD I configured the "forwarder" variable with the IP of our DNS server.

The problem is that from this computer, if I need to access an internal 
subdomain, for example our webserver*, I can not access it. It gives a resolution 
error. For any other site, for example google.com, I can access.


I'm not finding the problem. Any idea?

--
Elias Pereira

Re: How to generate authoritative DNS64 reverse zone

2017-05-19 Thread Alberto Colosi
Hi, it is hard for an ISP to give you a reverse lookup zone


first of all, you need to "own" the whole zone (for ipv4, a whole C class) for example.

as a second thing, it is really hard to move definitions on the TLD like ripe, arin, 
apnic or others 

it is more possible the ISP gives you (if the first line is true) control of the reverse 
zone and the ISP transfers the reverse zone definitions from you without involving 
ripe/arin/apnic/...


I speak as I was in the need with an ipv4 reverse zone and the ISP only accepted it 
that way.


if you don't "own" the entire zone, there is no way to have this from your ISP.


Remember ipv6 or ipv4 reverse zones are queried only if rightly referenced on 
ripe/arin/apnic/... or your ISP transfers the ipv6 zone from you.


repeating: if you don't "own" the entire zone, the ISP will never accept to move it to you 
or to transfer the zone from you, as the other IPs don't belong to you






From: bind-users  on behalf of Aleksi Suhonen 

Sent: Friday, May 19, 2017 3:24 PM
To: bind-users@lists.isc.org
Subject: How to generate authoritative DNS64 reverse zone

Hello,

Suppose that I have a NAT64 prefix 2001:67c:2b0:db32:0:1::/96 and a
couple of DNS64 resolvers that use it. The resolvers will also generate
nice CNAMEs that point to in-addr.arpa for that prefix. This is nice.

But other resolvers in the world won't do that, so I'd need to have a
real reverse zone for this fantastical NAT64 prefix for their benefit.
But if I configure a DNS64 prefix on an authoritative server, it will
start messing with my normal zones too, won't it?

So how do I configure Bind9 to generate one authoritative DNS64 reverse
zone that contains CNAMEs to in-addr.arpa, but otherwise not mess with
anything?

Yours,

--
Aleksi Suhonen / Axu TM Oy
Internetworking Consulting
Cellular: +358 44 975 6548
World Wide Web: www.axu.tm
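
Aleksi's question is how to publish, from an ordinary authoritative server, the reverse zone for a NAT64 /96 prefix without turning DNS64 on there. One way that needs no DNS64 at all is to generate a plain master zone containing the CNAMEs a DNS64 resolver would synthesize (RFC 6147 section 5.3.1): the ip6.arpa name of each translated address points at the in-addr.arpa name of the embedded IPv4 address. The Python below is an added example, not from the thread and not BIND's code; it uses Aleksi's prefix 2001:67c:2b0:db32:0:1::/96 and a constructed /30 IPv4 block, and the nameserver and hostmaster names are placeholders.

```python
"""Generate an authoritative ip6.arpa zone for a NAT64 /96 prefix.

Added example, not BIND's code. For every IPv4 address in a chosen block it
emits the CNAME a DNS64 resolver would synthesize (RFC 6147 section 5.3.1),
so resolvers without DNS64 still get a usable PTR chain. The embedding
follows the RFC 6052 /96 format: the IPv4 address fills the low 32 bits.
The IPv4 block and the NS/hostmaster names used below are constructed.
"""
import ipaddress


def nat64_address(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen != 96:
        raise ValueError("this generator only handles /96 NAT64 prefixes")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def reverse_zone_apex(prefix):
    """Name of the ip6.arpa zone that covers the /96 prefix (its 24 nibbles)."""
    prefix = ipaddress.IPv6Network(prefix)
    labels = prefix.network_address.reverse_pointer.split(".")   # 32 nibbles + ip6.arpa
    # The 8 least-significant nibbles (first in reversed order) hold the IPv4 address.
    return ".".join(labels[8:]) + "."


def cname_record(prefix, ipv4):
    """Return (owner, target): ip6.arpa name of the translated address -> in-addr.arpa name."""
    owner = nat64_address(prefix, ipv4).reverse_pointer + "."
    target = ipaddress.IPv4Address(ipv4).reverse_pointer + "."
    return owner, target


def generate_zone(prefix, ipv4_block, ns_name, hostmaster, serial, ttl=3600):
    """Return master-file text covering every address in ipv4_block."""
    apex = reverse_zone_apex(prefix)
    lines = [
        "$ORIGIN %s" % apex,
        "$TTL %d" % ttl,
        "@ IN SOA %s %s %d 21600 3600 604800 %d" % (ns_name, hostmaster, serial, ttl),
        "@ IN NS %s" % ns_name,
    ]
    for ipv4 in ipaddress.IPv4Network(ipv4_block):
        owner, target = cname_record(prefix, ipv4)
        rel = owner[: -(len(apex) + 1)]          # owner relative to $ORIGIN
        lines.append("%s IN CNAME %s" % (rel, target))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Aleksi's prefix; the /30 block and names are constructed placeholders.
    print(generate_zone("2001:67c:2b0:db32:0:1::/96", "192.0.2.0/30",
                        "ns1.example.net.", "hostmaster.example.net.", 2017051901))
```

A /96 covers 2^32 owner names, so generate only the IPv4 blocks that are really reachable through the translator, and regenerate (bumping the serial) when that set changes. Because the result is a normal master zone, the authoritative server needs no dns64 statement and its other zones are untouched, which is the side effect Aleksi wants to avoid.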

Re: Systemd bind9.service file?

2017-07-22 Thread Alberto Colosi
Main needs are


start

stop

and pid file location


after you change a file in systemd you need to reload the config with a systemd 
statement.


read some tutorials like https://wiki.archlinux.org/index.php/systemd



it is obvious files need to go where the scripts are and be linked inside the "different run 
levels" as with the rc.d services files








From: bind-users  on behalf of Tom Browder 

Sent: Friday, July 21, 2017 10:46 PM
To: bind-users@lists.isc.org
Subject: Systemd bind9.service file?

How does one install bind9 from source and set it up to work with systemd?

I copied a bind9.service file from a Debian 9 package installation but
I think it's more complicated than that.

Thanks.

-Tom

Re: Systemd bind9.service file?

2017-07-22 Thread Alberto Colosi
as just said inside the previous mail


even if you edit some, you should understand




From: bind-users  on behalf of Tom Browder 

Sent: Friday, July 21, 2017 10:48 PM
To: bind-users@lists.isc.org
Subject: Re: Systemd bind9.service file?

On Fri, Jul 21, 2017 at 3:46 PM, Tom Browder  wrote:
> How does one install bind9 from source and set it up to work with systemd?
>
> I copied a bind9.service file from a Debian 9 package installation but
> I think it's more complicated than that.


Sorry, I should have looked at the Debian docs first.  I'll check back
later if I have problems.

-Tom

Re: How do I reset a DNSSEC zone ?

2017-08-20 Thread Alberto Colosi
it looks like the file referenced in the log is missing

SHA-1 RSA signing is obsolete and banned by NIST and ENISA; it is a CVE or 
should be, if I remember well

All CAs only use SHA-2, no more version 1, as said before.


SHA-2 and 2048 or greater


your problem looks like a file permission issue or the file is missing






From: bind-users  on behalf of Pierre Couderc 

Sent: Sunday, August 20, 2017 1:21 PM
To: bind-users@lists.isc.org
Subject: How do I reset a DNSSEC zone ?

I did do it roughly on a test zone, by erasing the key and erasing all
zone.jnl, zone.signed, etc

hoping come back to the initial status. But I get the message :

dns_dnssec_keylistfromrdataset: error reading private key file
zone/RSASHA1/21477: file not found

That is normal as I have erased it but how to get rid of this message ?


Re: How to pause master zone updates to slave for couple of minutes

2017-09-04 Thread Alberto Colosi
simply firewall port TCP and UDP 53 if behind a firewall, or use an ACL, or change 
NS records if not propagated in a public domain


if you want to test from clients, see that the RFC sap is around 5 minutes if I am 
not wrong, and use the PC firewall or simply firewall it or shut down the master engine 
and so on


for updates, if you want to see if the slave answers, see that nothing has to be 
done; simply use dig or nslookup statements or use only the slave DNS inside the TCP/IP 
stack


see simply that the slave is a normal DNS, only put in shutdown if not reaching the 
master per SOA TTL


unclear what you want to do






From: bind-users  on behalf of rams 

Sent: Monday, September 4, 2017 1:36 PM
To: bind-users
Subject: How to pause master zone updates to slave for couple of minutes

Hi,
Greetings.
I want to test bulk updates master to slave in Bind. Is there any way to pause 
to send updates to slave from master?

Thanks & Regards,
Ramesh

Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-09 Thread Alberto Colosi
why write here on the list?

simply it is a problem from your script (file overwrite) or the NIST file could be 
dirty.


I hate automatic updates, especially each day, especially for roots inside DNS (they 
change one time every twenty years ... if there is a change).


I don't know the NIST file, I always used InterNIC for my DNS where installed inside 
IBM Corporate or inside client sites.


With the InterNIC file I always found it fine. Have you simply tried to stop named, put 
a good root file, clean logs and start named again?


If all goes fine the hole is inside your home, if not, the NIST file has some dirty 
chars or your transfer goes in a wrong way.


Even try other sources like InterNIC ... all root files should, HAVE TO BE the 
same if you want DNS to work fine, so all sources SHOULD/COULD be fine.


From my side, let me make a suggestion: leave CENTOS (forget that it exists) and use Ubuntu 
or BETTER Fedora Core (server) and use the latest ISC BIND from source (I always 
compiled my daemons like BIND myself with options and libs as needed, 
and even you can answer more quickly to a vulnerability issue).


As last, don't use beta or RC in a production environment.


ITC Security and NetWork Architect and Admin / Engineer

ITC Senior Specialist






From: bind-users  on behalf of Stefan Sticht 

Sent: Saturday, September 9, 2017 6:43 PM
To: bind-users@lists.isc.org
Subject: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) 
extra record in hints

Hi,

since a couple of weeks i repeatedly see this in all my nameserver logs:

Sep  8 12:12:56 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Sep  8 12:13:03 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:84::b) missing from hints
Sep  8 12:13:03 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Sep  8 12:13:07 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:84::b) missing from hints
Sep  8 12:13:07 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Sep  8 12:13:11 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:84::b) missing from hints
Sep  8 12:13:11 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

I have two views named internal and external. Only the internal view has this 
problem. Both views use

 zone "." IN {
 type hint;
 file "named.ca";
 };

I update the hints file daily.

All nameservers use bind, some the standard bind on CentOS 6, some the one on 
Centos7.

  BIND 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.4
  BIND 9.9.4-RedHat-9.9.4-50.el7_3.1

Anyone an idea?

Thanks!

Stefan



Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-09 Thread Alberto Colosi
I haven't seen it, as for a while I have had no servers to admin

as I always say to those I teach ... right source for right content. NIST is ok 
but .. better InterNIC, as they maintain DNS


https://www.internic.net/domain/named.root


[inline image not preserved]

as obvious, here is the right address.





From: bind-users  on behalf of Suzanne Woolf 

Sent: Saturday, September 9, 2017 8:11 PM
To: Stefan Sticht
Cc: bind-users@lists.isc.org
Subject: Re: checkhints: view “internal”: b.root-servers.net/AAAA 
(2001:500:200::b) extra record in hints


On Sep 9, 2017, at 12:43 PM, Stefan Sticht wrote:

Hi,

since a couple of weeks i repeatedly see this in all my nameserver logs:

Sep  8 12:12:56 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Sep  8 12:13:03 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:84::b) missing from hints
Sep  8 12:13:03 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Sep  8 12:13:07 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:84::b) missing from hints
Sep  8 12:13:07 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints
Sep  8 12:13:11 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:84::b) missing from hints
Sep  8 12:13:11 ns-01 named[17926]: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

You’re looking to an out-of-date source. The AAAA in the global root zone for 
b.root-servers.net was changed several weeks ago; 
the “missing” address is the old address, and the “extra record” is the new one.




Suzanne

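
The two messages above show named reporting that a hints file disagrees with the root servers' own address records, and Suzanne explains which of the two B addresses is stale. The check a practitioner wants before reloading named is the same comparison run offline: parse the freshly fetched hints file and the one currently deployed, and list every address that is missing or extra. The Python below is an added example, not from the thread and not named's checkhints code; the two hints texts are constructed samples trimmed to two root servers, with B's two IPv6 addresses taken from the log above, and it uses the same "missing from hints" / "extra record in hints" wording so the output lines up with the syslog entries.

```python
"""Compare a root hints file against a reference copy.

Added example, not named's checkhints code. parse_hints() reads master-file
lines (owner, optional TTL, optional class, type, rdata); compare_hints()
reports addresses present in the reference but not locally ("missing from
hints") and present locally but not in the reference ("extra record in
hints"). LOCAL_HINTS and REFERENCE_HINTS are constructed samples.
"""
import ipaddress


def parse_hints(text):
    """Return {(owner, type): set(rdata)} for the NS, A and AAAA records of a hints file."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower().rstrip(".") + "."  # canonical lower-case FQDN ("." stays ".")
        rest = fields[1:]
        if rest and rest[0].isdigit():               # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":         # optional class
            rest = rest[1:]
        if len(rest) < 2:
            raise ValueError("malformed hints line: %r" % raw)
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)       # rejects corrupted address text
            if (rtype == "A") != (addr.version == 4):
                raise ValueError("type %s does not match address %s" % (rtype, rdata))
            rdata = str(addr)                        # 2001:0500:0200::B -> 2001:500:200::b
        elif rtype == "NS":
            rdata = rdata.lower().rstrip(".") + "."
        else:
            continue                                 # anything else is not a hint
        records.setdefault((owner, rtype), set()).add(rdata)
    return records


def compare_hints(local_text, reference_text):
    """Return checkhints-style findings, sorted by owner name and record type."""
    local = parse_hints(local_text)
    reference = parse_hints(reference_text)
    findings = []
    for key in sorted(set(local) | set(reference)):
        owner, rtype = key
        have, want = local.get(key, set()), reference.get(key, set())
        for rdata in sorted(want - have):
            findings.append("%s/%s (%s) missing from hints" % (owner, rtype, rdata))
        for rdata in sorted(have - want):
            findings.append("%s/%s (%s) extra record in hints" % (owner, rtype, rdata))
    return findings


# Constructed sample hints: A root plus B root, with B's two IPv6 addresses
# from the checkhints log (2001:500:200::b locally, 2001:500:84::b in the reference).
LOCAL_HINTS = """\
;  constructed sample: the named.ca currently deployed
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:ba3e::2:30
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
B.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:200::b
"""

REFERENCE_HINTS = LOCAL_HINTS.replace("2001:500:200::b", "2001:500:84::b")

if __name__ == "__main__":
    for finding in compare_hints(LOCAL_HINTS, REFERENCE_HINTS):
        print(finding)
```

Run against the file your daily job downloaded and the one named is serving; an empty result means a reload will be silent, while a "missing"/"extra" pair for one server, as here, tells you which side is stale before you trust either. The address normalisation matters because a hints file edited by hand often carries upper-case or zero-padded IPv6 that is equal on the wire but not as text.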

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
it is really normal! I have seen it even with DNS from VODAFONE or COLT-TELECOM, 
ALBACOM / BT.COM and so on. I used more but all here have some that give some 
trouble. Telecom Italia / TIM, so to say, are good.


not all are good or fast updating (not depending on TTL)


At work as ITC Engineer I have seen and used lines and services from many ISPs.


I have a question ... caching or not .. 
   WHY USE FORWARDERS? I stopped using them a long time ago (many and many 
years)


A suggestion: FORGET FORWARDERS, DON'T USE THEM


Really better .. and don't use Google DNS (  1) Google knows what 
you do   2) they are really slow 3) I never saw any difference like protection 
or other)



Alberto Colosi

ITC NetWork & Security Architect & Administrator & CED Handling ..




From: bind-users  on behalf of Omid Kosari 
via bind-users 
Sent: Saturday, September 16, 2017 12:18 PM
To: bind-users@lists.isc.org
Subject: Different forwarder for certain response ip (result ip )

Hello,

This is my first post to this mailing list .

I have a caching bind dns server with forwarders like this .
forwarders {
8.8.8.8;
8.8.4.4;
};

I want to use another forwarders if the response of the query is for example
1.2.3.4
I've found that rpz-ip is what I want but I was unable to create a relation to
forwarders.

   //if response ip or rpz-ip = 1.2.3.4 then
forwarders {
208.67.222.222 port 443;
208.67.220.220 port 443;
};


Thanks



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
even in a hotel. why not use a BIND on unix or windows on the box you are 
using?


it is so easy




From: bind-users  on behalf of Reindl Harald 

Sent: Saturday, September 16, 2017 12:46 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for certain response ip (result ip )



On 16.09.2017 at 12:32, Matus UHLAR - fantomas wrote:
> 1. who runs DNS servers on port 443?

likely people who were bitten by hotel access points where 53 is
caught by an internal nameserver and only outgoing 80/443 is possible,
the same reason many people have a VPN server on 443

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
I read your answer well, and mine wasn't an answer to you.


In any case, who said I can't use port 53 if it is blocked? 😲
There are many ways without a VPN, which is usually a paid service or a company
service for those who have it.


In any case, even a VPN, even if 443 is open, can be dropped 😲 ... passing 443
(browser) but not the VPN.


In any case, this wasn't a discussion about hacking or bypassing protections or
limitations! So I'll stop any other answer on this topic beyond the real question.



Have a good day.





From: bind-users  on behalf of Reindl Harald 

Sent: Saturday, September 16, 2017 12:59 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for certain response ip (result ip )



Am 16.09.2017 um 12:50 schrieb Alberto Colosi:
> even on hotel . why not to use a BIND on unix or window on ur
> box u r using ?

did you read what I responded to, and did you try to understand my
answer?

a default BIND with recursion won't work when it can't connect to the
world because it is redirected to a hotel nameserver, and when you can
only connect to 80/443, well, then your BIND on the box you are using may
use a nameserver you own on the web running on 443

> 
> *From:* bind-users  on behalf of
> Reindl Harald 
> *Sent:* Saturday, September 16, 2017 12:46 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: Different forwarder for certain response ip (result ip )
>
>
> Am 16.09.2017 um 12:32 schrieb Matus UHLAR - fantomas:
>> 1. who runs DNS servers on port 443?
>
> likely people which where bitten by hotel access points where 53 is
> catched to a internal nameserver and outgoing only 80/443 are possible,
> the same reason many people have a VPN server on 443


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
Port 53 is only open directed to the forwarders.

As I read it, you are thinking of using different forwarders, so port 53 should
be open to all IPs, right?


I think you should read how DNS works, TLDs and so on.


Simply drop the forwarders and only use the TLDs.





From: bind-users  on behalf of Omid Kosari 
via bind-users 
Sent: Saturday, September 16, 2017 1:19 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for certain response ip (result ip )

Wow. I love an active community.

Actually my situation is a bit strange. But as an explanation I can say that
our upstream provider does DNS manipulation on the normal ports, 53 tcp/udp
(please don't ask why). We may not use VPNs or tunnels. The only way is using
alternate ports as forwarders.

But I cannot use the alternate ports as my main forwarders, because if so, then
the upstream provider may become aware of that and manipulate them also. So if
I could use them only for certain requests, then everything may work fine.

Note: My BIND DNS server is a caching server.



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi

>your answer to "Actually my situation is a bit strange . But as
>explanation i can say that our upstream provider do dns manipulation on
>normal ports 53 tcp/udp" coming with "port 53 is only open directed to
>forwarders" and "I think u should read how DNS works, TLD and so on
>simply drop forwarders only use TLD" is nonsense


Nonsense? :O I have used it for tons of years, and even on single computers.


Forwarders are not needed, neither for caching nor for authoritative.


Use only the TLDs, but if port 53 is closed you have no "normal" way to gain
access to the root TLD DNS engines.


See you



From: bind-users  on behalf of Reindl Harald 

Sent: Saturday, September 16, 2017 2:12 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for cerain response ip (result ip )



Am 16.09.2017 um 13:30 schrieb Alberto Colosi:
> I read so well your answer and wasn't an answer to you
>
>
> in all case ,who said I can't use port 53 if blocked ?
> 😲 are many ways   without a VPN that usually is a paid
> service or a company service for who have it.
>
>
> In all case even VPN even 443 is open, can be dropped 😲 ... pass 443
> (browser) but not VPN.
>
>
> In all case here wasn't a discussion on hacking or bypassing protections
> or limitations! So I'll quit any other answer on this topic over the
> real question.

Jesus, fix your quoting style and English. None of your responses was in
any case helpful, and other than you, people with experience guess what
the reason for some non-default configs likely is.

Your answer to "Actually my situation is a bit strange . But as
explanation i can say that our upstream provider do dns manipulation on
normal ports 53 tcp/udp" coming with "port 53 is only open directed to
forwarders" and "I think u should read how DNS works, TLD and so on
simply drop forwarders only use TLD" is nonsense.

When the ISP of his upstream internet connection mangles traffic on port
53 and you still recommend dropping forwarders and using port 53, who is the
one who doesn't understand DNS or the topic?

Can you please refrain from answering each and every post in a thread
you obviously don't understand?

> 
> *From:* bind-users  on behalf of
> Reindl Harald 
> *Sent:* Saturday, September 16, 2017 12:59 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: Different forwarder for certain response ip (result ip )
>
>
> Am 16.09.2017 um 12:50 schrieb Alberto Colosi:
>> even on hotel . why not to use a BIND on unix or window on ur
>> box u r using ?
>
> did you read what i repsoned and too and did you try to understand my
> answer?
>
> a default bind with recursion won't work when it can't connect to the
> world in case it is redirected to a hotel nameserver and when you can
> only connect to 80/443, well then your BIND on the box you are using may
> use a nameserver you own in the web running on 443
>
>> 
>> *From:* bind-users  on behalf of
>> Reindl Harald 
>> *Sent:* Saturday, September 16, 2017 12:46 PM
>> *To:* bind-users@lists.isc.org
>> *Subject:* Re: Different forwarder for certain response ip (result ip )
>>
>>
>> Am 16.09.2017 um 12:32 schrieb Matus UHLAR - fantomas:
>>> 1. who runs DNS servers on port 443?
>>
>> likely people which where bitten by hotel access points where 53 is
>> catched to a internal nameserver and outgoing only 80/443 are possible,
>> the same reason many people have a VPN server on 443
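What BIND can and cannot do for the setup in this thread, as an added example; it is not from the posts or from ISC. `forwarders` are chosen per server or per zone before a query is sent, so BIND has no option that switches forwarder based on the address that comes back. What RPZ offers is the `rpz-ip` trigger, which matches addresses in the answer, so a response that still carries the manipulated address (1.2.3.4 in the question) can be turned into NXDOMAIN, dropped, or only logged instead of reaching clients. Two files are shown in one block; the zone name `rpz.local`, the file names, the serial and the /24 are assumptions, the forwarder addresses and ports are the ones from the question.

```conf
// --- /etc/named.conf (fragment, assumed paths) ---
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { localnets; };   // a caching server must not be an open resolver

    // The forwarders from the question. "port N" per forwarder is valid
    // syntax. This is still cleartext DNS: only the port differs, so it
    // helps against a filter that only touches port 53, nothing more.
    forward only;
    forwarders {
        208.67.222.222 port 443;
        208.67.220.220 port 443;
    };

    // Apply the policy zone. rpz-ip triggers need the answer, so they are
    // evaluated after the forwarder has replied, whatever this setting.
    response-policy { zone "rpz.local"; } qname-wait-recurse no;
};

// A policy zone is an ordinary authoritative zone loaded locally.
zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };      // never served directly to clients
    allow-transfer { none; };
};

; --- /var/named/rpz.local.db ---
$TTL 60
@   IN SOA  localhost. hostmaster.localhost. (
            2017091601      ; serial (assumed)
            3600 900 604800 60 )
    IN NS   localhost.

; rpz-ip trigger: prefix length, then the address octets in reverse order.
; An answer whose A record is 1.2.3.4 is rewritten to NXDOMAIN (CNAME .).
; Use CNAME rpz-drop. to drop silently, or CNAME rpz-passthru. to let it
; through and only log the hit in the "rpz" log category.
32.4.3.2.1.rpz-ip   CNAME   .

; Same for a whole injected block, if the provider uses one (assumed /24).
24.0.3.2.1.rpz-ip   CNAME   .
```

Check it with `named-checkconf -z`, reload with `rndc reload`, then query a name through `dig @127.0.0.1` while watching the `rpz` log category, which records every rewrite. Two caveats: plain DNS on port 443 is still cleartext, so an on-path provider can read and rewrite it exactly as on port 53; and an `rpz-ip` rule only fires on answers that contain the address, so it is a fail-closed backstop, not a way to reach a second set of forwarders.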

Re: Logging resolved IP

2017-09-19 Thread Alberto Colosi
Strange as a need; see channels inside the logging engine.


It is the user query log: create a log channel for the queries done.


It does not change whether it is done from a client or from another DNS.


Really, it is a huge-volume log (depending on the number of queries).





From: bind-users  on behalf of Job 

Sent: Tuesday, September 19, 2017 5:16 PM
To: bind-users@lists.isc.org
Subject: Logging resolved IP

Hi guys,

is there a way to log resolved IP in Bind log files?
Example:
www.google.com 4.3.2.1
I am able to do it with tcpdump, but I do not like a "sniffing" solution!

Best,
F
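What BIND itself can record, as an added configuration example (not from the thread or from ISC). The `queries` category gives one line per client query with the client address, the name and the type, but not the answer; the answer a client actually received is only available through dnstap, which needs BIND 9.11 or later built with `--enable-dnstap`. File names and sizes are assumptions.

```conf
// /etc/named.conf (fragment; file names and sizes assumed)
logging {
    // 1) Query log: one line per client query with client address, name,
    //    type and flags. It does NOT contain the answer the client got.
    channel query_log {
        file "/var/log/named/query.log" versions 10 size 100m;
        severity info;
        print-time yes;
    };
    category queries { query_log; };

    // 2) RPZ rewrites and resolver problems go to their own categories;
    //    useful when the question is "why did client X get that answer".
    channel resolver_log {
        file "/var/log/named/resolver.log" versions 5 size 50m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category resolver { resolver_log; };
    category rpz      { resolver_log; };
};

options {
    // Query logging is off by default; this is the same switch as
    // "rndc querylog on", which toggles it at run time without a restart.
    querylog yes;

    // 3) The actual responses, resolved addresses included, need dnstap
    //    (BIND 9.11+, built with --enable-dnstap). "client response" captures
    //    what named answered to its clients; "resolver response" would
    //    capture what upstream servers answered named. Output is binary.
    dnstap { client response; };
    dnstap-output file "/var/log/named/dnstap.bin";
};
```

`dnstap-read /var/log/named/dnstap.bin` prints each captured message, resolved addresses included, in text form. Both logs hold client addresses and browsing history, so restrict file permissions and rotate them; the query log on a busy resolver also costs a measurable share of throughput, which is why `rndc querylog on`/`off` exists to toggle it without a restart.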

Re: SOA serial increment when we update SOA RR

2017-10-04 Thread Alberto Colosi
SOA is a special record. As already said, read about it.


You update the SOA (it should only be for the email address, unless it is an
intranet-only NS).


In any case, if you make an update it means an update is needed. So the question is:
why not reflect it on the slave NS, if any?


Increasing the SN starts a NOTIFY to the NS defined as slaves and in ALSO-NOTIFY.


If an update is made and there are slaves, or a distribution of recursive and
secondary (slave) servers and so on, it is correct to update and start a ZONE TRANSFER.


If you have only 1 DNS at all and it is not internet-facing, you can decide not to
update the SN.


Simply, the change starts an incremental transfer or a total transfer (depending
on the DNS engine on the slave NS and also-notify).







From: bind-users  on behalf of rams 

Sent: Wednesday, October 4, 2017 11:39 AM
To: bind-users
Subject: SOA serial increment when we update SOA RR

Greetings!!
When we change any resource record like A or , then the SOA serial number gets
incremented. But if we update only the SOA record, does the serial number of the SOA remain
the same as before, or will the serial number of the SOA increment?

Do we have any RFC for this?

Regards,
Ramesh

Re: Forcing external domains TTL value

2017-10-07 Thread Alberto Colosi
TTL, if not record-specific on the other DNS, is defined inside the SOA.


Usually it should be 24H on the internet, and if an admin like me puts it low, it is
for a specific purpose such as a server change.


It is strange you have so many low TTLs. I think you can only work on the cache TTL on
your DNS.


If there are other ways to reach your goal, I don't know, as I never needed them, especially
because the TTL on 99% of records should be 24H.






From: bind-users  on behalf of Job 

Sent: Saturday, October 7, 2017 9:59 AM
To: Job; bind-users@lists.isc.org
Subject: Forcing external domains TTL value

Dear guys,

Due to heavy traffic caching performance, I would like to force external
domains' TTL - for external domains - to at least 600 seconds.

Is there a way to do it, maybe by recompiling the package?

Thank you, very best!
/F
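An added note and configuration example, not from the thread or from ISC: BIND has knobs in both directions, but none that reaches 600 seconds. `max-cache-ttl` and `max-ncache-ttl` only lower what is cached; `min-cache-ttl` and `min-ncache-ttl`, added in BIND 9.12, raise it but are hard-limited to 90 seconds, because a resolver that ignores the authoritative operator's short TTL defeats their failover and traffic steering and keeps serving an address they may already have withdrawn. The numbers below are assumptions for illustration.

```conf
// /etc/named.conf (fragment; values assumed for illustration)
options {
    // Upper bounds only lower what authoritative servers send:
    // positive answers capped at 1 day, negative answers at 1 hour.
    max-cache-ttl   86400;
    max-ncache-ttl  3600;

    // Lower bounds (BIND 9.12 and later). 90 seconds is the largest value
    // named accepts; the configuration check rejects anything bigger.
    min-cache-ttl   90;
    min-ncache-ttl  90;

    // The supported way to take load off popular short-TTL names: refresh
    // a record when 2 seconds of TTL remain, for records whose TTL is at
    // least 9 seconds (these are also the defaults since BIND 9.10).
    prefetch 2 9;
};
```

Values above 90 for the minimum options fail the configuration check, so the 600 seconds asked for cannot be configured, and a rebuilt named with that guard removed would hand its clients stale and possibly attacker-controlled addresses long after the zone owner moved them. The `prefetch` line is the supported way to stop clients stalling on popular short-TTL names.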

Re: bind-pkcs11-9.9.4-51.el7.x86_64 using bind-dyndb-ldap in CentOS it triggering an assertion failure

2017-10-13 Thread Alberto Colosi
SELinux in passive? You can put SETEnforce OFF
in the conf.





From: bind-users  on behalf of Radu Pantiru 

Sent: Friday, October 13, 2017 10:49 AM
To: bind-users@lists.isc.org
Subject: Re: bind-pkcs11-9.9.4-51.el7.x86_64 using bind-dyndb-ldap in CentOS it 
triggering an assertion failure

I also want to add that SELinux is in permissive mode.

On 10/10/17 14:14, Radu Pantiru wrote:
I did request help with CentOS, but my feeling is that you may be able to give 
me some information about what happens at the code level.

It is not happening every time the named-pkcs11 service is reloaded.

The backtrace:

(gdb) thread apply all bt

Thread 8 (Thread 0x7f4083cbc700 (LWP 21357)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at 
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x7f40890bd4be in dispatch (manager=0x7f4089aa9010) at task.c:1065
#2 run (uap=0x7f4089aa9010) at task.c:1286
#3 0x7f4087227e25 in start_thread (arg=0x7f4083cbc700) at 
pthread_create.c:308
#4 0x7f408629f34d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 7 (Thread 0x7f40844bd700 (LWP 21356)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at 
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x7f40890bd4be in dispatch (manager=0x7f4089aa9010) at task.c:1065
#2 run (uap=0x7f4089aa9010) at task.c:1286
#3 0x7f4087227e25 in start_thread (arg=0x7f40844bd700) at 
pthread_create.c:308
#4 0x7f408629f34d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 6 (Thread 0x7f40824b9700 (LWP 21360)):
#0 
pthread_cond_timedwait@@GLIBC_2.3.2 
() at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_timedwait.S:238
#1 0x7f40890d6e48 in isc_condition_waituntil 
(c=c@entry=0x7f4089aaa078, 
m=m@entry=0x7f4089aaa028, 
t=t@entry=0x7f4089aaa06c) at condition.c:66
#2 0x7f40890c1ef3 in run (uap=0x7f4089aaa010) at timer.c:825
#3 0x7f4087227e25 in start_thread (arg=0x7f40824b9700) at 
pthread_create.c:308
#4 0x7f408629f34d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 5 (Thread 0x7f40786d7700 (LWP 21875)):
#0 0x7f4086294a3d in poll () at ../sysdeps/unix/syscall-template.S:81
#1 0x7f407bbcebdb in poll (__timeout=, __nfds=, __fds=) at /usr/include/bits/poll2.h:46
#2 ldap_int_select (ld=, timeout=) at os-ip.c:1138
#3 0x7f407bbb90bd in wait4msg (result=0x7f40786d6558, timeout=, all=2, msgid=4, ld=0x7f4070002b40) at result.c:312
#4 ldap_result (ld=0x7f4070002b40, msgid=4, 
all=all@entry=2, timeout=, 
result=result@entry=0x7f40786d65b8) at result.c:117
#5 0x7f407bbe555c in ldap_sync_poll 
(ls=ls@entry=0x7f407000d720) at ldap_sync.c:879
#6 0x7f4080124362 in ldap_sync_doit 
(inst=inst@entry=0x7f4089aacf40, conn=, 
filter_objcs=filter_objcs@entry=0x7f408013a550
 "(|(objectClass=idnsZone) (objectClass=idnsForwardZone) 
(objectClass=idnsRecord))",
mode=mode@entry=3) at ldap_helper.c:4651
#7 0x7f408012485f in ldap_syncrepl_watcher (arg=0x7f4089aacf40) at 
ldap_helper.c:4727
#8 0x7f4087227e25 in start_thread (arg=0x7f40786d7700) at 
pthread_create.c:308
#9 0x7f408629f34d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 4 (Thread 0x7f4081cb8700 (LWP 21361)):
#0 0x7f408629f923 in epoll_wait () at ../sysdeps/unix/syscall-template.S:81
#1 0x7f40890ce916 in watcher (uap=0x7f4089aac010) at socket.c:3913
#2 0x7f4087227e25 in start_thread (arg=0x7f4081cb8700) at 
pthread_create.c:308
#3 0x7f408629f34d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 3 (Thread 0x7f40834bb700 (LWP 21358)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at 
../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x7f40890bd4be in dispatch (manager=0x7f4089aa9010) at task.c:1065
#2 run (uap=0x7f4089aa9010) at task.c:1286
#3 0x7f4087227e25 in start_thread (arg=0x7f40834bb700) at 
pthread_create.c:308
#4 0x7f408629f34d in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 2 (Thread 0x7f4089ae5840 (LWP 21355)):
#0 0x7f40861dc572 in do_sigsuspend (set=0x7ffe7ce76400) at 
../sysdeps/unix/sysv/linux/sigsuspend.c:32
#1 __GI___sigsuspend (set=set@entry=0x7ffe7ce76400) at 
../sysdeps/unix/sysv/linux/sigsuspend.c:46
#2 0x7f40890c475c in isc__app_ctxrun 
(ctx0=ctx0@entry=0x7f40892efd20 ) at 
app.c:695
#3 0x7f40890c4b4c in isc__app_run () at app.c:722
#4 0x563558d91595 in main (argc=, argv=) at 
./main.c:1118

Thread 1 (Thread 0x7f4082cba700 (LWP 213

Re: "rule based" A records

2018-01-14 Thread Alberto Colosi
Go read about ISC BIND views.




---

Alberto Colosi

ITC NetWork & Security



From: bind-users  on behalf of Lucio Crusca 

Sent: Sunday, January 14, 2018 12:27 PM
To: bind-users@lists.isc.org
Subject: "rule based" A records

I'm not sure this feature exists, and, even then, I don't know how it's
called.

I need my Bind to resolve names to different IP addresses based on the
subnet the request comes from.

E.g. I have a Bind instance on a Debian virtual server 10.7.33.111
(network 10.7.33.0/24). Then I have a web server on another Debian
virtual server 10.7.33.103, same local network.
The host system has only one public IP address and forwards connections
to the correct virtual server based on the TCP/UDP port.

PHP code of the websites often needs to contact the same hosted websites
by name: however all the websites names resolve to the public IP address
of the host, and the host does not route connections coming from the
virtual hosts back to the same virtual hosts.

By now, I'm adding each domain name to the /etc/hosts file of the
webserver, so that it takes precedence over the DNS name resolution. It
works, but it's not a clean solution.

Is it possible to configure Bind so that www.example.com resolves to
1.2.3.4 when the request comes from the internet, but resolves to
10.7.33.103 when the request comes from the local network?
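The feature asked for is a split-horizon setup with BIND views, shown here as an added example that is not part of the original post; the addresses and names are the ones from the question, the file paths and zone contents are assumptions.

```conf
// /etc/named.conf (fragment; paths and zone contents assumed)
acl "lan" { 10.7.33.0/24; localhost; };

// Views are matched top to bottom; the first match-clients hit wins,
// so the LAN view has to come before the catch-all.
view "internal" {
    match-clients { "lan"; };
    recursion yes;                  // the LAN uses this box as its resolver
    allow-recursion { "lan"; };

    zone "example.com" {
        type master;
        file "internal/example.com.db";
    };
};

view "external" {
    match-clients { any; };
    recursion no;                   // authoritative only toward the internet
    allow-query { any; };

    zone "example.com" {
        type master;
        file "external/example.com.db";
    };
};

; internal/example.com.db : answer for 10.7.33.0/24
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2018011401 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   10.7.33.111
www  IN A   10.7.33.103          ; straight to the web VM, no hairpin through the host

; external/example.com.db : answer for everyone else, no private addresses
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2018011401 3600 900 604800 300 )
     IN NS  ns1.example.com.
ns1  IN A   1.2.3.4
www  IN A   1.2.3.4
```

Once views exist, every zone must live inside a view, and a zone has to be declared in each view that should answer for it, each with its own file, so serials have to be bumped in both copies. If the public `example.com` zone is hosted elsewhere, keep only the internal view's zone (a local copy with the 10.7.33.x answers) and let the external view recurse normally; that also keeps the private addresses from ever being served to the internet. Verify with `named-checkconf -z`, then `dig @10.7.33.111 www.example.com` from a LAN host and from outside.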

Re: baby steps...

2018-03-23 Thread Alberto Colosi
Over the years I had a bad issue with ISC BIND on a Fedora box.

Possibly it was my box, but after moving to the NIC IP all was fine.


Yes, inside resolv.conf, the NIC IP instead of localhost, e.g. 127.0.0.1.


In any case the IP socket has to open on layer 3 and shouldn't go to layer 2, as 
the socket knows that IP as REACHED.


It happened many years ago and I don't remember what the problem was, but it is better 
to put the NIC IP instead of localhost (I remember a performance issue and some misses).




From: bind-users  on behalf of Hika van den 
Hoven 
Sent: Friday, March 23, 2018 7:30 PM
To: bind-users@lists.isc.org
Subject: Re: baby steps...

Hoi Adam,

If you're running Linux, and I do not know if it works on all distros,
add a text file in /etc named "resolv.conf.head" and put in there:

nameserver 127.0.0.1

It should put the lines in there at the start of your resolv.conf
after getting the info through DHCP.




Re: clean up an ddns zone

2018-03-23 Thread Alberto Colosi
RADIUS is only an AAA and transmits Auth OK/KO to the VPN terminator, and IP 
allow/deny rules to the VPN terminator (IP filtering like iptables).


So RADIUS only authenticates the termination of the VPN tunnel and transmits the per-user 
linked policy deny and allow rules (like iptables, as said).


I think the VPN terminator can be configured to use an IP pool, internal or on an 
external DHCP server like a DHCP proxy, if you know.


You should check the VPN concentrator manuals.


If not, you could look at a client like DDNS over the internet that supports ISC DHCP to 
dynamically update the DNS zone starting from a daemon running on the remote PC, but this is only 
an idea to be scouted.




From: bind-users  on behalf of Matthew 
Pounsett 
Sent: Friday, March 23, 2018 8:00 PM
To: Meike Stone
Cc: bind-users@lists.isc.org
Subject: Re: clean up an ddns zone



On 23 March 2018 at 13:32, Meike Stone via bind-users wrote:
Hello,

at the moment, I use ISC dhcpd to register all client names in the DNS
(Bind) via isc's ddns api. Everything is working well.
But now, some notebook clients should get company access via UMTS or
VPN. In this case, a radius server is controlling the IP addresses,
not the ISC dhcpd.

What's the mechanism for getting the IP address to the client?  Is there a 
RADIUS client on the client machine, or is your VPN using DHCP to get addresses 
to the client?  If the latter, then it likely has a mechanism for sending the 
same DNS Update messages that ISC's dhcpd does (DNS Update messages are a part 
of the DNS standard, and the ability to send them to maintain DNS for dynamic 
addresses is almost ubiquitous among DHCP implementations).

It's possible your RADIUS server also can do DNS Update messages, but I'm so 
far removed from the time when I ran RADIUS servers that I confess I can't 
recall whether that was a common option.

Is there any possibility, maybe that the clients send their lease time
and the Bind does delete the RR (like isc it would do), if the lease
time is over and if no ddns refresh was made?

I'm not aware of any way to automatically expire records in a dynamic zone.

It's an ugly hack.. but if you could get your clients to also register a TXT 
record with a timestamp in it, you could have some sort of cron-based garbage 
collection script run to scan the zone for those TXT records, and delete all 
the records related to that name when the right amount of time has elapsed.  
That still has some obvious problems though, like what to do if a client 
doesn't update the TXT record if/when it renews its lease.




Re: Somehow my DNS is not starting up

2018-04-18 Thread Alberto Colosi
Hi, it is a common problem! When you start as a user or root,

the service takes the shell permissions, not the service permissions.

Check if the group and user named exist, if the directory and file access masks are right 
and if the owner is right.

As a last check, check the BIND log, not systemd, for any error.


Now I don't remember, but there should even be a debug mode on daemon startup.

If I'm not wrong it is -d x; check the BIND manuals.


Often it is even tmp and especially PID creation inside the pid directory (if you 
haven't moved it from the conf).





From: bind-users  on behalf of Blason R 

Sent: Wednesday, April 18, 2018 10:57 AM
To: Reindl Harald
Cc: bind-users
Subject: Re: Somehow my DNS is not starting up

Well it just loads fine when I run from command line i.e. named -u named -n 4 
-c /etc/named.conf

On Wed, Apr 18, 2018 at 2:25 PM, Reindl Harald wrote:
named.service start operation timed out
362086 zones

well, it may take too long to load them

TimeoutStartSec defaults to DefaultTimeoutStartSec
on Fedora: DefaultTimeoutStartSec=90s

https://www.freedesktop.org/software/systemd/man/systemd.service.html
TimeoutStartSec=
Configures the time to wait for start-up. If a daemon service does not
signal start-up completion within the configured time, the service will
be considered failed and will be shut down again. Takes a unit-less
value in seconds, or a time span value such as "5min 20s". Pass
"infinity" to disable the timeout logic. Defaults to
DefaultTimeoutStartSec= from the manager configuration file, except when
Type=oneshot is used, in which case the timeout is disabled by default
(see systemd-system.conf(5)).

Am 18.04.2018 um 09:47 schrieb Blason R:
> Not sure what is gone wrong but my DNS is not starting up. and I am
> getting below error. I have around  362086 zones with 4 core CPU and 8
> GB RAM.
>
> This is a sinkhole DNS server
>
> Apr 18 13:09:02 dnsfw named[1644]: command channel listening on
> 127.0.0.1#953
> Apr 18 13:09:02 dnsfw named[1644]: command channel listening on ::1#953
>
>
> Apr 18 13:10:01 dnsfw systemd: named.service start operation timed out.
> Terminating.
> Apr 18 13:10:01 dnsfw systemd: Failed to start Berkeley Internet Name
> Domain (DNS).
> Apr 18 13:10:01 dnsfw systemd: Unit named.service entered failed state.
> Apr 18 13:10:01 dnsfw systemd: named.service failed



Re: problems changing NS records

2018-04-26 Thread Alberto Colosi
Have you changed the zone registration?

There is a DNS FQDN reference.


If you change the DNS FQDN you have to update the zone on your NIC,


as on NIC.it or wherever you registered the domain.





From: bind-users  on behalf of Lucio Crusca 

Sent: Thursday, April 26, 2018 3:18 PM
To: bind-users@lists.isc.org
Subject: problems changing NS records

Until a few hours ago, I had several domains and 3 nameservers for them:

ns1.virtualbit.it (master, 136.243.232.142)
ns11.virtualbit.it (slave, 158.69.210.19)
ns2.virtualbit.it (slave, 136.243.232.143)

Then I tried to migrate to a new master, 
names.virtualbit.it (46.4.38.130). Here is the 
migration steps I followed:

1) I configured Bind on the new server as master for all domains
2) I added the master IP address to the two slaves with:

masters vbitdnsmasters { 136.243.232.142; 46.4.38.130; };

zone "acquaritalia.it" {
type slave;
masters { vbitdnsmasters; };
file "/var/lib/bind/acquaritalia.it.db";
};

and so on for all other zones.

3) I updated the NS records in the zone files, and in the control panel of the 
domain registrar

Now all the domains have problems. IntoDNS reports:

"
Nameservers A records ERROR: Some of your DNS servers do not have A records 
at all. I could not find any A records for the following DNS servers:
ns2.virtualbit.it

You must have A records for all of your nameservers.
"

However:

dig @136.243.232.143 -t ns 
acquaritalia.it
dig @136.243.232.143 
acquaritalia.it
dig @136.243.232.143 
www.acquaritalia.it
dig @136.243.232.143 -t mx 
acquaritalia.it

all work as expected. Meanwhile, the same queries against 8.8.8.8 sometime 
work, sometime reply SERVFAIL.

I don't know what I did wrong. Please help.



Re: Need to move an NS server out of service

2018-08-06 Thread Alberto Colosi
No, you have to NOT REMOVE the DNS A record until expiry of the SOA TTL, and don't 
stop the DNS engine,

if you don't want a loss of name resolution on your domain.


Remove the NS record from your zone and restart the engine so the slaves and the internet can 
be updated.


After expiry of the SOA TTL you can remove the A record and stop the engine.


https://en.wikipedia.org/wiki/SOA_record



Alberto Colosi






From: bind-users  on behalf of King, Harold 
Clyde (Hal) 
Sent: Monday, August 6, 2018 7:37 PM
To: Bind Users
Subject: Need to move an NS server out of service

I have ns2.example.com one of my DNS servers. The building, and the reason for 
the NS server, is ending. Should I remove the host from our domain name 
provider then my actual NS record in DNS, or NS record then provider?

I'd appreciate any help I could get.


--
Hal King




Re: Need to move an NS server out of service

2018-08-06 Thread Alberto Colosi
sorry for missing letters but my keyboard is broken


so to say, usually DNS admins lower the TTL on NS and/or A records that will 
have a change

look at the BIND docs to apply it


without a specific record TTL, the SOA TTL is used





From: bind-users  on behalf of King, Harold 
Clyde (Hal) 
Sent: Monday, August 6, 2018 7:37 PM
To: Bind Users
Subject: Need to move an NS server out of service

I have ns2.example.com one of my DNS servers. The building, and the reason for 
the NS server, is ending. Should I remove the host from our domain name 
provider then my actual NS record in DNS, or NS record then provider?

I'd appreciate any help I could get.


--
Hal King




Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi
are your compiler and libs updated?




From: bind-users  on behalf of Howard, 
Christopher 
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-users@lists.isc.org
Subject: PRNG not seeded, service won't start

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service 
refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue 
on CentOS 7 and was able to fix it by making sure that rngd is running before 
the named service starts. That same fix is not working for CentOS 6. I'm at a 
loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot 
be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to resolve 
this (besides upgrading this box to CentOS 7)?

-Christopher



Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi
ON THE INTERNET IT IS LIKELY TO BE LINKED TO RANDOM SEED GENERATION


check


# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom




From: bind-users  on behalf of Howard, 
Christopher 
Sent: Tuesday, September 18, 2018 1:11 AM
To: bind-users@lists.isc.org
Subject: PRNG not seeded, service won't start

I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2-P1 and the service 
refuses to start. This is on a CentOS 6.10 machine. I ran into the same issue 
on CentOS 7 and was able to fix it by making sure that rngd is running before 
the named service starts. That same fix is not working for CentOS 6. I'm at a 
loss as to how to fix this and Google is failing me now.

The error in the log says:
Sep 17 18:59:08 nsm named[3926]: openssl_link.c:296: fatal error:
Sep 17 18:59:08 nsm named[3926]: OpenSSL pseudorandom number generator cannot 
be initialized (see the `PRNG not seeded' message in the OpenSSL FAQ)

Does any one have any ideas of what I'm missing or what I can do to resolve 
this (besides upgrading this box to CentOS 7)?

-Christopher

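An added diagnostic for this start-up failure, written for this page rather than taken from the thread: it checks the random device nodes, asks the kernel whether its CSPRNG is seeded yet (the condition named's OpenSSL init is waiting on), and reads the kernel's entropy estimate, which is the order in which to look before changing named or rngd. The `ls -l` parser is run on the listing quoted above, which came from a non-Linux host; the Linux device numbers it compares the live system against are the assumption here.

```python
"""Added example (not code from the bind-users thread): a Linux diagnostic for
the "PRNG not seeded" start-up failure.  Reports the random device nodes,
whether the kernel CSPRNG is seeded, and the kernel's entropy estimate."""
import os
import re
import stat

# Assumption: Linux character-device numbers, major 1 with minor 8 for
# /dev/random and minor 9 for /dev/urandom.
LINUX_RANDOM_DEVICES = {"/dev/random": (1, 8), "/dev/urandom": (1, 9)}

# Constructed from the listing quoted in the thread (a non-Linux host, hence 39,x).
SAMPLE_LS_OUTPUT = [
    "crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random",
    "crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom",
]

_LS_DEVICE = re.compile(
    r"^(?P<mode>[a-z.+-]{10,11})\s+\d+\s+\S+\s+\S+\s+"   # mode, links, owner, group
    r"(?P<major>\d+),\s*(?P<minor>\d+)\s+"                 # "39, 0"
    r"\S+\s+\d+\s+\S+\s+(?P<path>\S+)$"                    # month, day, time, path
)


def parse_ls_dev_line(line):
    """Parse one 'ls -l' line of a device node into (path, is_char, major, minor)."""
    m = _LS_DEVICE.match(line.strip())
    if not m:
        raise ValueError("not a device listing: %r" % line)
    return (m.group("path"), m.group("mode")[0] == "c",
            int(m.group("major")), int(m.group("minor")))


def check_device_nodes(expected=LINUX_RANDOM_DEVICES):
    """Map each expected device path to a problem string, or None when it is fine."""
    report = {}
    for path, (major, minor) in expected.items():
        try:
            st = os.stat(path)
        except OSError:
            report[path] = "missing"
            continue
        found = (os.major(st.st_rdev), os.minor(st.st_rdev))
        if not stat.S_ISCHR(st.st_mode):
            report[path] = "not a character device"
        elif found != (major, minor):
            report[path] = "unexpected device numbers %d,%d" % found
        else:
            report[path] = None
    return report


def kernel_pool_ready():
    """True once the kernel CSPRNG is seeded; False while a non-blocking
    getrandom() still fails with EAGAIN; None where getrandom() is unavailable."""
    if not hasattr(os, "getrandom"):
        return None
    try:
        os.getrandom(1, os.GRND_NONBLOCK)
        return True
    except BlockingIOError:
        return False


def entropy_avail():
    """The kernel's entropy estimate, or None outside Linux/procfs."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def diagnose():
    """One report dict, the shape a pre-start hook for named would log."""
    return {"devices": check_device_nodes(),
            "pool_ready": kernel_pool_ready(),
            "entropy_avail": entropy_avail()}


if __name__ == "__main__":
    for line in SAMPLE_LS_OUTPUT:
        print("listing:", parse_ls_dev_line(line))
    print("host:", diagnose())
```

Run it in the same unit that starts named (an ExecStartPre or the init script): a `pool_ready` of False at that point means the daemon will hit exactly this OpenSSL error, and the fix is ordering (rngd, or a hardware RNG, before named) rather than anything in named.conf.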


Re: Which timeouts are used by BIND when resolving recursive queries?

2018-10-05 Thread Alberto Colosi
The RFCs say it all

Read the RFCs


BIND is a DNS system, not an alien, so follow the RFCs


Go and read the RFCs




From: bind-users  on behalf of ip admin via 
bind-users 
Sent: Friday, October 5, 2018 4:13 PM
To: bind-users@lists.isc.org
Subject: Which timeouts are used by BIND when resolving recursive queries?

Hi,

I understand that I can configure a global timeout for resolving recursive 
queries (resolver-query-timeout) but find that I cannot configure the timeout 
for an individual query used during DNS resolution.

For testing I configured one unreachable forwarder (and enabled forward only) 
and saw (tcpdump) that BIND (9.10.6-P1) is first trying two queries with EDNS, 
each of which seems to have a timeout of 1.2s. Afterwards queries without EDNS 
are sent which seem to have a timeout of 1.6s, then 3.2s, then 6.4s, then 9s; 
finally the maximum (=total) resolver-query-timeout of 30s is reached.

Is the timeout behaviour documented anywhere (similar to a stub resolver or 
dig, i.e. how long are timeouts, how many tries per server etc.)?

If someone did find a logging setting that shows which servers are used when 
recursing (forwarding or delegations) to find a response (and when the 
individual queries time out) that would be helpful as well.

Regards
 Tom

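For the question of which servers the resolver tries and when each fetch times out, here is an added named.conf logging block (an example written for this page, not configuration from the thread; the channel name and file path are placeholders) that sends the resolver and query-errors categories to a dedicated file at a fixed debug level:

```conf
logging {
    // Added example: placeholder channel name and log path.
    channel resolver_debug {
        file "/var/log/named/resolver-debug.log" versions 5 size 20m;
        severity debug 3;      // debug levels add per-fetch detail such as the
                               // server each query is sent to and its timeout
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // 'resolver' covers the recursion/forwarding machinery,
    // 'query-errors' explains why a client was given SERVFAIL.
    category resolver     { resolver_debug; };
    category query-errors { resolver_debug; };
};
```

Debug messages are only generated while named is in debugging mode (started with -d, or after `rndc trace`); a channel with an explicit `severity debug 3` then receives level-3-and-below messages regardless of the global level, which is why the size cap matters. The exact wording of the per-fetch lines varies between BIND versions, so treat the level as a starting point and raise it only while reproducing the problem.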


DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
Hi Everyone!

Recently I enabled a new IP range on my firewall. I used this bigger
range to organize my DNS records like mail, www, ns1, ns2, and others. I
did this last weekend.

I found out that some DNS servers updated themselves with my new
records. However, CheckDNS
(http://www.checkdns.net/quickcheckdomainf.aspx) is still resolving to my
old servers. 

I changed every record, every file of all my domains, serials, firewall
rules using the new IPs but I'm still having problems. Moreover, some
mail servers are rejecting messages from my main domain.

Here are some logs:

Oct 14 11:50:48 ns1 named[2929]: error (connection refused) resolving
'otwbhqbg.net/A/IN': 200.xxx.xxx.xxx#53
Oct 14 11:50:48 ns1 named[2929]: error (connection refused) resolving
'yuogkiz.net/A/IN': 200.xxx.xxx.xxx#53
Oct 14 11:51:05 ns1 named[2929]: client 65.202.203.203#9026: query
(cache) '12.8-15.xxx.xxx.xxx.in-addr.arpa/PTR/IN' denied
Oct 14 11:51:05 ns1 named[2929]: client 65.202.203.203#1765: query
(cache) '12.8-15.xxx.xxx.xxx.in-addr.arpa/PTR/IN' denied --> this query
problem is pointing to my old reverse.

Can someone help me?

João K.



Re: DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
Lyle,

Domain registrar like Network Solutions? My domain account is set to ns1
and ns2, not by IP address.

João K.

On Thu, 2010-10-14 at 13:15 -0500, Lyle Giese wrote:
> You need to go to your domain registrar and change the ip address
> there for these name servers.  That data is inserted as glue records
> to the root servers.
> 
> Without the domain name and name servers involved I could not have
> helped you find this issue.
> 
> I get my own messages back from the list, but you do need to reply to
> the list and I sometimes forget as this list server does not put the
> list in as the from address and my reader does not pick that up.
> 
> Lyle Giese
> LCR Computer Services, Inc.
> 
> João Alberto Kuchnier wrote: 
> > Sorry about that. The domain is dataprom.com.
> > 
> > ns1.dataprom.com -> 200.198.101.3
> > ns2.dataprom.com -> 200.198.101.4
> > 
> > More log errors:
> > 
> > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > '96.197.97.81.sbl-xbl.spamhaus.org/A/IN': 200.198.101.4#53
> > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > '96.197.97.81.bl.spamcop.net/A/IN': 200.198.101.4#53
> > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > 'cpc3-seac12-0-0-cust351.7-2.cable.virginmedia.com/SPF/IN':
> > 200.198.101.4#53
> > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > 'ns1.virginmedia.net/A/IN': 200.198.101.4#53
> > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > 'cpc3-seac12-0-0-cust351.7-2.cable.virginmedia.com/TXT/IN':
> > 200.198.101.4#53
> > Oct 14 14:06:16 ns1 named[4602]: client 200.103.142.207#50955: query
> > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#40978: query
> > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#45863: query
> > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > Oct 14 14:06:16 ns1 named[4602]: client 200.103.142.207#50955: query
> > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#50880: query
> > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#20633: query
> > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > Oct 14 14:06:33 ns1 named[4602]: client 189.26.117.170#1032: query
> > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > Oct 14 14:07:03 ns1 named[4602]: error (connection refused) resolving
> > 'orsp.f-secure.akadns.net/A/IN': 200.198.101.4#53
> > 
> > Looks like my slave DNS is refusing the master's connection. Some queries are
> > pointing to my old reverse configuration
> > (8-15.101.198.200.in-addr.arpa). Now it is:
> > 0-15.101.198.200.in-addr.arpa
> > 
> > I'm not receiving the discussion list e-mails. Is that normal?
> > 
> > On Thu, 2010-10-14 at 11:16 -0500, Lyle Giese wrote:
> >   
> > > João Alberto Kuchnier wrote:
> > > 
> > > > Hi Everyone!
> > > > 
> > > > Recently I enabled a new IP range on my firewall. I used this bigger
> > > > range to organize my DNS records like mail, www, ns1, ns2, and others. I
> > > > did this last weekend.
> > > > 
> > > > I find out that some DNS servers updated themselves with my new
> > > > registers. However, CheckDNS
> > > > (http://www.checkdns.net/quickcheckdomainf.aspx) stills resolving to my
> > > > old servers. 
> > > > 
> > > > I changed every record, every file of all my domains, serials, firewall
> > > > rules using the new IPs but I'm still having problems. Moreover, some
> > > > mail servers are rejecting messages from my main domain.
> > > > 
> > > > Here are some logs:
> > > > 
> > > > Oct 14 11:50:48 ns1 named[2929]: error (connection refused) resolving
> > > > 'otwbhqbg.net/A/IN': 200.xxx.xxx.xxx#53
> > > > Oct 14 11:50:48 ns1 named[2929]: error (connection refused) resolving
> > > > 'yuogkiz.net/A/IN': 200.xxx.xxx.xxx#53
> > > > Oct 14 11:51:05 ns1 named[2929]: client 65.202.203.203#9026: query
> > > > (cache) '12.8-15.xxx.xxx.xxx.in-addr.arpa/PTR/IN' denied
> > > > Oct 14 11:51:05 ns1 named[2929]

Re: DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
Yes! Found it! Thank you!

Now, if you could help me, these log info are from my master DNS:

Oct 14 16:00:42 ns1 named[4602]: error (connection refused) resolving
'guide.opendns.com/A/IN': 200.198.101.4#53

200.198.101.3 -> Master
200.198.101.4 -> Slave

Slave is refusing connections?

There is this query problem too:

Oct 14 16:01:56 ns1 named[4602]: client 201.39.197.2#53: query (cache)
'2.0-63.102.3.189.in-addr.arpa/PTR/IN' denied
Oct 14 16:01:59 ns1 named[4602]: client 201.39.197.2#53: query (cache)
'2.0-63.102.3.189.in-addr.arpa/PTR/IN' denied

Some of my slave logs:

Oct 14 15:26:06 ns2 named[503]: error (unexpected RCODE REFUSED)
resolving 'km13718-05.keymachine.de/TXT/IN': 87.118.100.101#53
Oct 14 15:31:08 ns2 named[503]: error (unexpected RCODE SERVFAIL)
resolving '21.76.60.212.in-addr.arpa/PTR/IN': 212.60.66.245#53

Can you help me to fix these issues?

João K.

On Thu, 2010-10-14 at 13:51 -0500, Lyle Giese wrote:
> When you created these as name servers or used them for the first time
> at Network Solutions, you had to create name server records and
> register the IP address at that time.  That's how glue records get
> inserted into the root servers.
> 
> Otherwise the world could not find dataprom.com.  If the world was not
> given the ip address of ns1 or ns2.dataprom.com via glue records, the
> world would not know how to find your name servers.
> 
> At Network Solutions, you log into your account there, go to Manage
> Domains, then manage the dataprom.com domain.  On the next page that
> comes up from Network Solutions, scroll down and under More Domain
> Options, click on Manage Name Servers.  This is where you manage the
> glue records for your name servers.
> 
> Lyle Giese
> LCR Computer Services, Inc.
> 
> João Alberto Kuchnier wrote: 
> > Lyle,
> > 
> > Domain registrar like Network Solutions? My domain account is set to ns1
> > and ns2, not by IP address.
> > 
> > João K.
> > 
> > On Thu, 2010-10-14 at 13:15 -0500, Lyle Giese wrote:
> >   
> > > You need to go to your domain registrar and change the ip address
> > > there for these name servers.  That data is inserted as glue records
> > > to the root servers.
> > > 
> > > Without the domain name and name servers involved I could not have
> > > helped you find this issue.
> > > 
> > > I get my own messages back from the list, but you do need to reply to
> > > the list and I sometimes forget as this list server does not put the
> > > list in as the from address and my reader does not pick that up.
> > > 
> > > Lyle Giese
> > > LCR Computer Services, Inc.
> > > 
> > > João Alberto Kuchnier wrote: 
> > > 
> > > > Sorry about that. The domain is dataprom.com.
> > > > 
> > > > ns1.dataprom.com -> 200.198.101.3
> > > > ns2.dataprom.com -> 200.198.101.4
> > > > 
> > > > More log errors:
> > > > 
> > > > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > > > '96.197.97.81.sbl-xbl.spamhaus.org/A/IN': 200.198.101.4#53
> > > > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > > > '96.197.97.81.bl.spamcop.net/A/IN': 200.198.101.4#53
> > > > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > > > 'cpc3-seac12-0-0-cust351.7-2.cable.virginmedia.com/SPF/IN':
> > > > 200.198.101.4#53
> > > > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > > > 'ns1.virginmedia.net/A/IN': 200.198.101.4#53
> > > > Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving
> > > > 'cpc3-seac12-0-0-cust351.7-2.cable.virginmedia.com/TXT/IN':
> > > > 200.198.101.4#53
> > > > Oct 14 14:06:16 ns1 named[4602]: client 200.103.142.207#50955: query
> > > > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > > > Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#40978: query
> > > > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > > > Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#45863: query
> > > > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > > > Oct 14 14:06:16 ns1 named[4602]: client 200.103.142.207#50955: query
> > > > (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
> > > > Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#50880: query
> > > > (cache) '10.8

Re: DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
I already talked with Google. But I will try again.

Thank you for your time! Looks like the new IPs are functional!

João K.

On Thu, 2010-10-14 at 14:23 -0500, Lyle Giese wrote:
> João Alberto Kuchnier wrote:
> > Yes! Found it! Thank you!
> >
> > Now, if you could help me, these log info are from my master DNS:
> >
> > Oct 14 16:00:42 ns1 named[4602]: error (connection refused) resolving
> > 'guide.opendns.com/A/IN': 200.198.101.4#53
> >
> > 200.198.101.3 -> Master
> > 200.198.101.4 -> Slave
> >
> > Slave is refusing connections?
> >
> > There is this query problem too:
> >
> > Oct 14 16:01:56 ns1 named[4602]: client 201.39.197.2#53: query (cache)
> > '2.0-63.102.3.189.in-addr.arpa/PTR/IN' denied
> > Oct 14 16:01:59 ns1 named[4602]: client 201.39.197.2#53: query (cache)
> > '2.0-63.102.3.189.in-addr.arpa/PTR/IN' denied
> >
> > Some of my slave logs:
> >
> > Oct 14 15:26:06 ns2 named[503]: error (unexpected RCODE REFUSED)
> > resolving 'km13718-05.keymachine.de/TXT/IN': 87.118.100.101#53
> > Oct 14 15:31:08 ns2 named[503]: error (unexpected RCODE SERVFAIL)
> > resolving '21.76.60.212.in-addr.arpa/PTR/IN': 212.60.66.245#53
> >
> > Can you help me to fix these issues?
> >
> > João K.
> >   
> Google is your friend! Please use it.  You have mistakes of some sort in
> your named.conf and/or your zone files.
> 
> Lyle Giese
> LCR Computer Services, Inc.
> 
> 


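The log lines quoted in this thread, run through an added classifier (example code written for this page, not something from the thread): it separates resolve errors ("we could not reach a server we were configured to use") from denied cache queries ("an outside client asked us to recurse"), counts denied clients, and flags the two misconfigurations the thread converged on, a forwarder that is one of your own authoritative servers and PTR queries still arriving for a reverse zone no longer served here. The lines are copied from the messages above, one per line as named writes them; the server addresses and the old reverse zone the classifier is told about are assumptions taken from the thread.

```python
"""Added example, not code from the thread: classify named log lines of the
two kinds quoted above and flag the misconfigurations the thread found."""
import re
from collections import Counter

# Constructed sample: the lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving '96.197.97.81.sbl-xbl.spamhaus.org/A/IN': 200.198.101.4#53
Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#40978: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#45863: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:33 ns1 named[4602]: client 189.26.117.170#1032: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 16:01:56 ns1 named[4602]: client 201.39.197.2#53: query (cache) '2.0-63.102.3.189.in-addr.arpa/PTR/IN' denied
Oct 14 15:26:06 ns2 named[503]: error (unexpected RCODE REFUSED) resolving 'km13718-05.keymachine.de/TXT/IN': 87.118.100.101#53
"""

# Assumptions taken from the thread: our own authoritative servers (never valid
# as forwarders) and the old reverse zone that this server no longer serves.
OWN_AUTH_SERVERS = ("200.198.101.3", "200.198.101.4")
STALE_REVERSE_ZONES = ("8-15.101.198.200.in-addr.arpa",)

# Patterns for the log format quoted in the thread; newer BIND releases add
# fields after 'client' and would need the second pattern widened.
RESOLVE_ERROR = re.compile(
    r"error \((?P<reason>[^)]*)\) resolving "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)': "
    r"(?P<server>[^#\s]+)#(?P<port>\d+)")
QUERY_DENIED = re.compile(
    r"client (?P<client>[^#\s]+)#(?P<port>\d+): query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied")


def parse_line(line):
    """Return an event dict with a 'kind' key, or None for lines not modelled here."""
    for kind, pattern in (("resolve_error", RESOLVE_ERROR), ("query_denied", QUERY_DENIED)):
        m = pattern.search(line)
        if m:
            event = m.groupdict()
            event["kind"] = kind
            return event
    return None


def in_zone(name, zone):
    """True if 'name' is 'zone' or lies below it (case-insensitive, trailing dots ignored)."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def analyse(log_text, own_auth_servers=OWN_AUTH_SERVERS, stale_reverse_zones=STALE_REVERSE_ZONES):
    """Summarise a named log: counts per kind, denied clients, and findings."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    findings = []
    for e in events:
        if e["kind"] == "resolve_error" and e["server"] in own_auth_servers:
            findings.append(("forwarder_is_own_authoritative", e["server"], e["qname"]))
        elif e["kind"] == "query_denied" and any(in_zone(e["qname"], z) for z in stale_reverse_zones):
            findings.append(("stale_reverse_delegation", e["client"], e["qname"]))
    return {
        "kinds": Counter(e["kind"] for e in events),
        "denied_by_client": Counter(e["client"] for e in events if e["kind"] == "query_denied"),
        "findings": findings,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

The `denied_by_client` counter is the part worth keeping in a scheduled job: on an authoritative server with recursion off, a steady trickle of denied cache queries is normal, but one client producing many of them for names you do not serve is the usual sign of someone testing whether the box is an open resolver.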

Re: DNS Propagation

2010-10-15 Thread João Alberto Kuchnier
Stephane,

I have three BIND servers. One internal and two (master and slave) for
external queries. On the master's named.conf.options, the slave is in the
forwarders list with OpenDNS and my ISP DNS servers. Is this option causing
these issues?

João K.

On Thu, 2010-10-14 at 21:21 -0600, Stephane Bortzmeyer wrote:
> On Thu, Oct 14, 2010 at 04:04:20PM -0300,
>  João Alberto Kuchnier  wrote 
>  a message of 148 lines which said:
> 
> > Oct 14 16:00:42 ns1 named[4602]: error (connection refused) resolving
> > 'guide.opendns.com/A/IN': 200.198.101.4#53
> > 
> > 200.198.101.3 -> Master
> > 200.198.101.4 -> Slave
> 
> Master and Slave have a meaning only for authoritative DNS service
> (serving zones you manage). Here, you try to resolve the name
> guide.opendns.com which is probably not yours, so this is the
> recursive service, not the authoritative one. It is highly recommended
> to separate the two services (to have them on different BIND
> instances, for instance on different machines), to ease debugging.
> 
> The two must have quite different setups: for the authoritative
> service, you will deny recursion, and allow the whole world to query
> your name server. For the recursive service, it is the opposite: you
> allow recursion but you limit the right to query to only your
> machines.


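The split Stephane describes, as an added example of the two named.conf option sets (written for this page, not configuration from the thread): one file for the authoritative instance and one for a separate recursive instance. The ACL name, the internal ranges, the upstream forwarder and the file paths are placeholders; the slave address is the one given in the thread.

```conf
// --- named.conf of the authoritative instance (world-reachable) ---
options {
    recursion no;                  // refuse recursion for every client
    allow-query { any; };          // anyone may ask for our zones
    allow-query-cache { none; };   // there is no cache to expose
    allow-transfer { none; };      // zones opt in explicitly below
};
zone "dataprom.com" {
    type master;
    file "/etc/bind/dataprom.com/db";     // placeholder path
    allow-transfer { 200.198.101.4; };    // the slave, and only the slave
};

// --- named.conf of the recursive instance (a separate named, ideally on
// --- another host, so a resolver problem never touches the authoritative
// --- service and vice versa) ---
acl trusted { 127.0.0.1; 10.0.0.0/8; };   // placeholder internal ranges
options {
    recursion yes;
    allow-query { trusted; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // A forwarder must itself be a recursive server; listing your own
    // authoritative slave here only produces the resolve errors quoted above.
    forwarders { 203.0.113.53; };         // placeholder upstream resolver
};
```

With this in place, the "query (cache) ... denied" lines on the authoritative server become the expected trace of outside clients asking it to recurse, not a fault to fix: that server answers REFUSED for names outside its zones, and the internal resolver is the only one that should ever see such queries.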

Reverse Configuration

2010-10-15 Thread João Alberto Kuchnier
Hello Everyone!

I have 6 domains configured in only one server. Is this a problem? Is it
better to create one file for each domain, or can I create one file for
all of them?

Despite that, I'm having some problems with reverse DNS. MxToolBox,
for example, is saying that my reverse DNS is not configured.

Below is one of my reverse configurations on named.conf.local:

zone "dataprom.com-0-15.101.198.200.in-addr.arpa" {
type master;
file "/etc/bind/dataprom.com/rev";
allow-transfer { slave; };
};

$TTL 216000
$ORIGIN 101.198.200.IN-ADDR.ARPA.
@   IN  SOA ns1.dataprom.com. postmaster.dataprom.com. (
2010101405 ; Serial
10800 ; Refresh
3600 ; Retry
1209600 ; Expire
3600 ) ; Negative Cache TTL
;
@   IN  NS  ns1.dataprom.com.
@   IN  NS  ns2.dataprom.com.
3   IN  PTR ns1.dataprom.com.
4   IN  PTR ns2.dataprom.com.

Are there any problems in this setup?

Thanks for your help!

João K.




Re: Reverse Configuration

2010-10-15 Thread João Alberto Kuchnier
Ari,

I fixed it to use only one reverse file. Like this below:

zone "0-15.101.198.200.in-addr.arpa" {
type master;
file "/etc/bind/rev";
allow-transfer { slave; };
};

The rev file is like this:

; 101.198.200.in-addr.arpa
$ORIGIN 0-15.101.198.200.IN-ADDR.ARPA.
$TTL86400
@   IN  SOA ns1.dataprom.com. postmaster.dataprom.com. (
2010101501 ; Serial
10800 ; Refresh
3600 ; Retry
1209600 ; Expire
3600 ) ; Negative Cache TTL
;
@   IN  NS  dataprom.com.
3   IN  PTR ns1.dataprom.com.
4   IN  PTR ns2.dataprom.com.
5   IN  PTR mail.dataprom.com.

There are more domains in the same file using the same IPs. Is this a
problem?

João K.


On Fri, 2010-10-15 at 16:33 +0100, Ari Constancio wrote:
> 2010/10/15 João Alberto Kuchnier :
> > Hello Everyone!
> >
> > I have 6 domains configured in only one server. Is this a problem? Is it
> > better to create one file for each domain, or can I create one file for
> > all of them?
> >
> > Despite that, I'm having some problems with reverse DNS. MxToolBox,
> > for example, is saying that my reverse DNS is not configured.
> >
> > Below is one of my reverse configurations on named.conf.local:
> >
> > zone "dataprom.com-0-15.101.198.200.in-addr.arpa" {
> >type master;
> >file "/etc/bind/dataprom.com/rev";
> >allow-transfer { slave; };
> > };
> >
> > $TTL 216000
> > $ORIGIN 101.198.200.IN-ADDR.ARPA.
> > @   IN  SOA ns1.dataprom.com. postmaster.dataprom.com. (
> >2010101405 ; Serial
> >10800 ; Refresh
> >3600 ; Retry
> >1209600 ; Expire
> >3600 ) ; Negative Cache TTL
> > ;
> > @   IN  NS  ns1.dataprom.com.
> > @   IN  NS  ns2.dataprom.com.
> > 3   IN  PTR ns1.dataprom.com.
> > 4   IN  PTR ns2.dataprom.com.
> >
> > Are there any problems in this setup?
> >
> > Thanks for your help!
> >
> > João K.
> 
> Hi,
> 
> dataprom.com-0-15.101.198.200.in-addr.arpa doesn't seem to be a valid
> address in the in-addr.arpa domain, only 15.101.198.200.in-addr.arpa .
> 
> Regards,
> Ari Constancio

Re: Reverse Configuration

2010-10-16 Thread João Alberto Kuchnier
Yes! I have eight domains in the same server using the same IP
distribution.

My rev file has PTR entries for all of them. Isn't that necessary?

João K.


On Fri, 2010-10-15 at 22:44 -0400, Barry Margolin wrote:
> In article ,
>  João Alberto Kuchnier  wrote:
> 
> > Ari,
> > 
> > I fixed it to use only one reverse file. Like this below:
> > 
> > zone "0-15.101.198.200.in-addr.arpa" {
> > type master;
> > file "/etc/bind/rev";
> > allow-transfer { slave; };
> > };
> > 
> > The rev file is like this:
> > 
> > ; 101.198.200.in-addr.arpa
> > $ORIGIN 0-15.101.198.200.IN-ADDR.ARPA.
> > $TTL86400
> > @   IN  SOA ns1.dataprom.com. postmaster.dataprom.com. (
> > 2010101501 ; Serial
> > 10800 ; Refresh
> > 3600 ; Retry
> > 1209600 ; Expire
> > 3600 ) ; Negative Cache TTL
> > ;
> > @   IN  NS  dataprom.com.
> > 3   IN  PTR ns1.dataprom.com.
> > 4   IN  PTR ns2.dataprom.com.
> > 5   IN  PTR mail.dataprom.com.
> > 
> > There are more domains in the same file using the same IPs. Is this a
> > problem?
> 
> Do you mean that both foo.dataprom.com and bar.someotherdomain.com both 
> resolve to the same IP?  That's not a problem.
> 
> While you can legally have multiple reverse entries for the IP, it's not 
> generally necessary or recommended.  Pick one of the names and use that 
> in the reverse entry.
> 

Re: Reverse Configuration

2010-10-16 Thread João Alberto Kuchnier
Thanks Niobos! I already talked with my ISP. I informed them of my new
records. In the beginning of next week I think this will finally be
solved.

João K.

On Fri, 2010-10-15 at 20:02 +0200, Niobos wrote:
> On 2010-10-15 17:14, João Alberto Kuchnier wrote:
> > Despite that, I'm having some problems with reverse DNS. MxToolBox,
> > for example, is saying that my reverse DNS is not configured.
> That's because it isn't:
> 
> if I query for 3.101.198.200.in-addr.arpa (i.e. the reverse lookup for
> IP 200.198.101.3), I don't get the delegation that you have configured.
> Instead I get an NXDOMAIN with SOA 101.198.200.in-addr.arpa.
> 
> In other words: ns.ipaccess.diveo.net.br. is not configured to delegate
> the reverse zones to your server. Instead, it responds authoritatively
> that this reverse mapping does not exist. Best to verify with them why
> they are not delegating correctly.
> 
> > Below is one my reverse configuration on named.conf.local:
> > 
> > zone "dataprom.com-0-15.101.198.200.in-addr.arpa" {
> > type master;
> > file "/etc/bind/dataprom.com/rev";
> > allow-transfer { slave; };
> > };
> > 
> > $TTL 216000
> > $ORIGIN 101.198.200.IN-ADDR.ARPA.
> Your zone is configured as dataprom.com-0-15.101.198.200.in-addr.arpa.
> In the file itself, you leave out the dataprom.com-0-15 part, so the
> whole file will be considered as out-of-zone data and ignored.
> 
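For the configuration errors in this thread and the missing-A-record report from IntoDNS in the acquaritalia/virtualbit thread above, here is an added zone-file linter (example code written for this page, not from either thread). Given the zone name from the named.conf `zone` statement and the zone file text, it flags owner names outside that zone (which named drops as out-of-zone data, Niobos's point), in-addr.arpa zone names whose labels are not octets or an RFC 2317 style range such as 0-15 (Ari's point), and apex NS names inside the zone that have no A/AAAA record (the IntoDNS finding). `$INCLUDE` and `$GENERATE` are not handled. The sample zones are constructed: the broken reverse zone copies the first configuration in this thread, and the forward zone is invented, using 192.0.2.0/24 documentation addresses.

```python
"""Added example: lint a BIND zone file against its named.conf zone name."""
import re

TYPES = {"SOA", "NS", "A", "AAAA", "PTR", "MX", "CNAME", "TXT", "SRV"}
_OCTET_OR_RANGE = re.compile(r"^(\d{1,3})(?:[-/](\d{1,3}))?$")


def _fqdn(name, origin):
    # Absolute lower-case name; '@' and relative names are completed with origin.
    return origin if name == "@" else (name.lower() if name.endswith(".") else name.lower() + "." + origin)


def _logical_lines(text):
    """Strip ';' comments and join '( ... )' continuations (the SOA) into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if depth == 0 and not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def parse_zone(text, zone_name):
    """Return (records, problems); a record is {owner, type, rdata} with absolute names."""
    origin = zone_name.lower().rstrip(".") + "."
    last_owner, records, problems = origin, [], []
    for line in _logical_lines(text):
        tokens = line.split()
        directive = tokens[0].upper()
        if directive == "$ORIGIN":
            origin = tokens[1].lower().rstrip(".") + "."
        elif directive.startswith("$"):
            if directive != "$TTL":
                problems.append("unrecognised directive %r" % tokens[0])
        else:
            # A leading blank means "same owner as the previous record".
            owner = last_owner if line[0] in " \t" else _fqdn(tokens.pop(0), origin)
            last_owner = owner
            while tokens and tokens[0].upper() not in TYPES:   # skip optional TTL / class
                tokens.pop(0)
            if not tokens:
                problems.append("no record type in %r" % line.strip())
                continue
            rtype, rdata = tokens[0].upper(), tokens[1:]
            if rtype in ("NS", "CNAME", "PTR"):
                rdata = [_fqdn(rdata[0], origin)]
            records.append({"owner": owner, "type": rtype, "rdata": rdata})
    return records, problems


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def check_reverse_name(zone):
    # Labels left of in-addr.arpa must be octets; only the leftmost may be a range.
    problems = []
    for i, label in enumerate(zone.rstrip(".").split(".")[:-2]):
        m = _OCTET_OR_RANGE.match(label)
        if not (m and all(int(g) <= 255 for g in m.groups() if g) and (i == 0 or not m.group(2))):
            problems.append("label %r in %s is not an octet or RFC 2317 range" % (label, zone))
    return problems


def lint_zone(zone_name, text):
    """All problems found for the zone file 'text' served under 'zone_name'."""
    zone = zone_name.lower().rstrip(".") + "."
    records, problems = parse_zone(text, zone_name)
    if zone.endswith(".in-addr.arpa."):
        problems += check_reverse_name(zone)
    inside = [r for r in records if in_zone(r["owner"], zone)]
    problems += ["out-of-zone owner %s (named ignores it)" % r["owner"] for r in records if r not in inside]
    addrs = {r["owner"] for r in inside if r["type"] in ("A", "AAAA")}
    for ns in (r["rdata"][0] for r in inside if r["type"] == "NS" and r["owner"] == zone):
        if in_zone(ns, zone) and ns not in addrs:
            problems.append("NS %s is inside the zone but has no A/AAAA record (missing glue)" % ns)
    return problems


# Constructed samples: BROKEN_REVERSE reproduces the first configuration in the
# thread (zone name and $ORIGIN disagree); FORWARD is invented, with no address for ns2.
BROKEN_REVERSE_NAME = "dataprom.com-0-15.101.198.200.in-addr.arpa"
BROKEN_REVERSE = """$TTL 216000
$ORIGIN 101.198.200.IN-ADDR.ARPA.
@   IN  SOA ns1.dataprom.com. postmaster.dataprom.com. (
            2010101405 10800 3600 1209600 3600 )   ; serial refresh retry expire minimum
@   IN  NS  ns1.dataprom.com.
@   IN  NS  ns2.dataprom.com.
3   IN  PTR ns1.dataprom.com.
4   IN  PTR ns2.dataprom.com.
"""
FORWARD_NAME = "example.net"
FORWARD = """$ORIGIN example.net.
$TTL 3600
@    IN  SOA ns1.example.net. hostmaster.example.net. ( 1 10800 3600 1209600 3600 )
     IN  NS  ns1.example.net.
     IN  NS  ns2.example.net.
ns1  IN  A   192.0.2.1
"""

if __name__ == "__main__":
    for name, text in ((BROKEN_REVERSE_NAME, BROKEN_REVERSE), (FORWARD_NAME, FORWARD)):
        print(name, lint_zone(name, text) or ["ok"])
```

Run it from the same pre-reload hook as `named-checkzone`: the checker verifies that the file parses, while this catches the case the thread hit, a file that is syntactically fine but whose `$ORIGIN` disagrees with the zone statement and therefore serves nothing.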

Re: Reverse Configuration

2010-10-19 Thread João Alberto Kuchnier
Thanks everybody! Everything is fine now! 

My ISP included my reverse in their DNS.

João K.

On Sun, 2010-10-17 at 10:25 +0100, Matthew Seaman wrote:
> On 16/10/2010 21:48, Kevin Oberman wrote:
> > To be completely clear, unless there is special software on the client
> > to deal with PTRs, you really only want ONE PTR for each address. Most
> > standard network tools tend to assume only one PTR per address and some
> > get very confused when multiple PTRs are returned.
> 
> I'm intrigued as to what software it is that gets confused by having
> multiple PTRs for IPs?  Given I've been running with exactly that
> configuration for many years, and never noticed any problems nor had any
> complaints.
> 
> Still, I hope this whole argument will be rendered moot with the advent
> of IPv6, where addresses are available in such enormous bounty that the
> sensible admin would not only assign an IP per network interface, but
> pretty much an IP per service too.  No more fiddling about with TTLs or
> waiting for changes to propagate should you need to shuffle things
> about, and a natural consequence is that only one PTR would be needed
> per .
> 
>   Cheers,
> 
>   Matthew
> 

Maintain task frequency

2016-05-09 Thread Jorge Alberto Martínez Melo

Hello bind users,

I am preparing some scripts to maintain some cache dns servers and I am
thinking about the most appropriate frequency of these tasks:
- to generate the root hints file (root cache).
- to clear the cache with rndc flush
- to generate the stats file with rndc stat

Thank you in advance for your comments

-- jamm


Privacy Notice: http://www.telmex.com/web/acerca-de-telmex/aviso-triara



CONFIDENTIALITY NOTICE: 
This e-mail message including attachments, if any, is intended only for the

person or entity to which it is addressed and may contain confidential and
/or privileged material. Any review, use, disclosure or distribution of such
confidential information without the written authorization of Triara is
prohibited. If you are not the intended recipient, please contact the sender
by reply e-mail and destroy all copies of the original message. By receiving
this e-mail you acknowledge that any breach by you and/or your
representatives of the above provisions may entitle Triara to seek for
damages.


Re: Maintain task frequency

2016-05-10 Thread Jorge Alberto Martínez Melo


Thank you both, rob0 and Barry, very useful notes.

It seems that my proposed maintenance tasks are unnecessary. Apart from
occasional backups and updates, in your opinion what are the frequent
necessary maintenance tasks for a cache DNS server?

Thank you in advance for your comments

-- jamm

On 09/05/16 20:34, Barry S. Finkel wrote:

On Mon, 9 May 2016 17:54:22 -0500, Jorge Alberto Martínez Melo
 wrote:

Hello bind users,

I am preparing some scripts to maintain some cache dns servers and I am
thinking about the most appropriate frequency of these tasks:
- to generate the root hints file (root cache).
- to clear the cache with rndc flush
- to generate the stats file with rndc stat

Thank you in advance for your comments

-- jamm


If I interpret your question correctly - here are my answers:

1) root hints - There is nothing you need to do, as BIND will get
the information when it starts, based on the hints
that are built into the code.  And the hints information
rarely changes.

2) Clear cache - There is no need to clear the cache, as BIND will
 remove automatically any entry whose TTL has
 expired.

3) Generating stats - I have no answer for this.  You can generate
  stats at any interval you want.  The interval
  might depend upon how busy the DNS server is.

--Barry Finkel








ISC BIND

2008-11-26 Thread Alberto Colosi/SI/RM/GSI/it
Hi. I have run BIND since the 4 and 8 releases, and since the birth of the 9
release I have moved up to 9.5.1b3, which is working fine.

I tried to compile and run ISC BIND 9.6.0b1 with some configure switches
and /etc/rc.d/init.d/rc-script statements.

Why do I get no errors in the ISC BIND files, yet in the end ISC BIND
9.6.0b1 does not remain running as a daemon serving user requests?!




---
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork & Security Department
 *-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS

Member of
IBM Information Security WW CoP



Re: ISC BIND

2008-11-26 Thread Alberto Colosi/SI/RM/GSI/it
For sure, as IBM or Microsoft or any org that big would have!
My named.conf is really full of ACLs and config.

My logging channels are below (but I should find something inside one of
them or in /var/log/messages ;). Everything from 9.0 up to 9.5.1b3
is working! What is different in 9.6?

logging {
    channel sec {
        file "/var/named/log/sec.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel in_out {
        file "/var/named/log/xfer.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel named_log {
        file "/var/named/log/general.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel upd_log {
        file "/var/named/log/update.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel log_lame {
        file "/var/named/log/lame.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    channel dnssec_log {
        file "/var/named/log/dnssec.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    channel edns {
        file "/var/named/log/edns.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
        severity debug 3;
    };
    channel "querylog" {
        file "/var/named/log/queries.log" versions 2 size 2m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
};







David Ford <[EMAIL PROTECTED]>
27/11/2008 00.31
To: Alberto Colosi/SI/RM/GSI/it <[EMAIL PROTECTED]>
cc: bind-users@lists.isc.org
Subject: Re: ISC BIND

Look at your log files, commonly in /var/log/

Did you define other logfiles in your named.conf that you had working
with 9.5.1b3?

-david

Alberto Colosi/SI/RM/GSI/it wrote:
>
> Hi. I have run BIND since the 4 and 8 releases, and since the birth of the
> 9 release I have moved up to 9.5.1b3, which is working fine.
>
> I tried to compile and run ISC BIND 9.6.0b1 with some configure
> switches and /etc/rc.d/init.d/rc-script statements.
>
> Why do I get no errors in the ISC BIND files, yet in the end ISC BIND
> 9.6.0b1 does not remain running as a daemon serving user requests?!



Re: ISC BIND

2008-11-26 Thread Alberto Colosi/SI/RM/GSI/it
No, otherwise I would not be writing here.

I have compiled and run BIND since version 4, and I have compiled and run
each BIND version one by one...
up to today I can't count how many ;)








David Ford <[EMAIL PROTECTED]>
27/11/2008 00.52
To: Alberto Colosi/SI/RM/GSI/it <[EMAIL PROTECTED]>
cc: bind-users@lists.isc.org
Subject: Re: ISC BIND

Is there any indication about why named shuts down immediately in those
logfiles?

-david

Alberto Colosi/SI/RM/GSI/it wrote:
>
> For sure, as IBM or Microsoft or any org that big would have!
> My named.conf is really full of ACLs and config.
>
> My logging channels are below (but I should find something inside one
> of them or in /var/log/messages ;). Everything from 9.0 up to
> 9.5.1b3 is working! What is different in 9.6?



Re: Dropping external recursive requests

2008-12-03 Thread Alberto Colosi/SI/RM/GSI/it
Why not? Better handled by ISC and done in a clean way than 1,000,000
dirty ways like these ;)







Mark Andrews <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
04/12/2008 00.26
To: [EMAIL PROTECTED]
cc:
Subject: Re: Dropping external recursive requests

One needs to be really, really careful here.  There are lots of
unverifiable assumptions in the OP's query.  Also, RD being set may
just be the result of someone testing with a tool which sets RD by
default.

Going silent on a query/response protocol is not a good idea.  There
are already too many firewalls / nameservers that do this to
legitimate queries.  We really don't want to encourage this sort
of behaviour.

If it is a forged packet it should be dropped regardless of the setting
of RD.  If the only reason to think the packet is forged is the setting
of RD=1 then the OP has committed a reasoning error.

Mark

In message <[EMAIL PROTECTED]>, Chris Buxton 
writes:
> That ought to work, and work well.
> 
> This will not impact outside name servers that query your name server,
> because they send iterative queries. If they're sending recursive
> queries, they're abusing your server. I can't see any problems with this
> approach.
> 
> If you have authoritative data in the third view, make sure that when
> the first view wants to look it up, its iterative query to the server
> machine itself is routed through to the third view (rather than being
> captured by the first view).
> 
> Chris Buxton
> Men & Mice
> 
> On Tue, 2008-12-02 at 17:10 -0800, [EMAIL PROTECTED] wrote:
> > Our DNS server occasionally gets requests for recursion with forged
> > source addresses. Currently our server returns "Standard query response,
> > Refused" since our named.conf only allows recursion for our internal
> > machines.  This, of course, results in the poor machine whose address
> > was forged receiving spurious traffic.
> > 
> > Some of the Cisco firewalls support DNS inspection and can be configured
> > to drop requests which want recursion.  What are the ramifications of
> > enabling this?
> > 
> > Can bind be configured to do this?  I was thinking about something
> > like:
> > 
> > view "internal" {
> >   match-clients { localhost; localnets; };
> >   ...
> > };
> > 
> > view "external-recursive" {
> >   match-clients { any; };
> >   match-recursive-only yes;
> >   blackhole { any; };
> > };
> > 
> > view "external" {
> >   ...
> > };
> > 
> > -- John
> > [EMAIL PROTECTED]
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [EMAIL PROTECTED]

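Mark's point, that RD=1 by itself is no evidence of forgery and that a REFUSED answer beats going silent, as an added example that is not code from the thread or from BIND: a Python sketch that parses the DNS header of constructed queries, decides by source address and zone membership rather than by the RD bit, and builds the REFUSED reply the way BIND does. The internal prefix and the zone name are assumed placeholders.

```python
import struct

# Constructed demo values (assumptions, not from the thread): an internal
# address prefix and a placeholder zone this server is authoritative for.
INTERNAL_PREFIX = "10.0.0."
AUTH_ZONE = "example.test."

def parse_header(msg):
    """Unpack the 12-byte DNS header (RFC 1035 4.1.1) into its flag bits."""
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {"id": ident, "flags": flags, "qdcount": qd,
            "qr": flags >> 15 & 1, "rd": flags >> 8 & 1,
            "ra": flags >> 7 & 1, "rcode": flags & 0xF}

def parse_qname(msg, offset=12):
    """Read the question name; the question of a query is never compressed."""
    labels = []
    while msg[offset]:
        n = msg[offset]
        labels.append(msg[offset + 1:offset + 1 + n].decode("ascii"))
        offset += n + 1
    return ".".join(labels) + "."

def build_query(qname, rd, ident=0x1234):
    """Constructed A/IN query; rd=True sets the Recursion Desired bit (0x0100)."""
    header = struct.pack("!6H", ident, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def refused(msg):
    """REFUSED reply as BIND sends it: QR=1, RD copied, RA=0, rcode 5, question echoed."""
    h = parse_header(msg)
    flags = 0x8000 | (h["flags"] & 0x0100) | 5
    return struct.pack("!6H", h["id"], flags, h["qdcount"], 0, 0, 0) + msg[12:]

def decide(src_ip, msg):
    """Policy: RD alone never decides; source and zone membership do."""
    qname = parse_qname(msg)
    if src_ip.startswith(INTERNAL_PREFIX):
        return "recurse" if parse_header(msg)["rd"] else "answer"
    if qname == AUTH_ZONE or qname.endswith("." + AUTH_ZONE):
        return "answer"      # authoritative data is served whatever RD says
    return "refused"         # out-of-zone from outside: REFUSED, never silence
```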

RE: How to modify "A" records on the slave when master is down?

2008-12-03 Thread Alberto Colosi/SI/RM/GSI/it
Better to use FTPS than SFTP.

Use

vsftpd with the SSL compile option
GNU lftp

lftp is really simple and can be configured to bypass RSA CA verification so
as to allow self-signed certificates, and many other settings.

The difference is that if you lose the RSA keys, or in any case, using the
RSA keys to allow SCP, you could have a command line session too if they are
used with SSH instead.

The main difference is a bit more security ;)









"Mike Bernhardt" <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED]
03/12/2008 22.59

To
<[EMAIL PROTECTED]>, <[EMAIL PROTECTED]>
cc

Subject
RE: How to modify "A" records on the slave when master is down?






What we used to do is we had 2 masters. After an update was done on one of
them, we ran a perl script that would scp the db files to the other and then
send rndc reload to itself and the other master. That way both were always
up to date. It seems like if you had one master and one slave at each
datacenter, this would work very well. After the down datacenter comes back
up, simply run the script from the up-to-date master.

I can send you the perl script to save you some time if you want. The main
trick was getting scp to work with rsa keys so no password is required
(although it could work fine with a password if you're running the script
manually).

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 21, 2008 9:10 PM
To: [EMAIL PROTECTED]
Subject: How to modify "A" records on the slave when master is down?

Hello.  I have two geographically different datacenters.  Each
datacenter has two instances of BIND.

There is one master out of these four.  The zones will have multiple
"A" records (pointing to the two datacenters to provide some minimal
amount of redundancy and load balancing).

What I want to do is put together a plan for when the master either
fails or the master becomes unavailable.

So if your master fails, or more likely, it becomes unavailable, and I
need to change the "A" records on the other slaves, how do you do it?

Can I have a master in each datacenter and a slave in each datacenter,
but a change made to any master propagates to all slaves?  For that
matter, can I just have four masters and be done with it?

It doesn't make sense that I could have multiple masters... but I have
no idea how to solve this problem.  If datacenter A goes down for
three days, I want to be able to modify the slave "A" records to stop
pointing to the bad datacenter.  And when the datacenter comes back up
and the old master is alive, I want everything to work.




