bind-9-packages: RPS and both '--enable-static' and '--disable-static'?

2018-09-25 Thread James via bind-users
Thank you for the https://www.isc.org/blogs/bind-9-packages/ blog post 
and various binary distributions mentioned in it.


I am an end user, not a programmer, and I rely on Linux distributions 
and application packages and so having up-to-date content from 
authoritative sources is both helpful and very reassuring.


As a result of this, I now have the "stable" currently-9.12.2 version 
from https://launchpad.net/~isc/+archive/ubuntu/bind installed on Ubuntu 
18.04 here on my home desktop in order to hack away at something.


***

And that something is RPS... slight wrinkle: it doesn't seem to be 
enabled in this build.


*Question:* Would it cause any problems to enable RPS the next time you 
have a reason to kick off a build for this package?


This is not a crisis.  However, over on my server, a year ago I learned 
how to use Perl to write nfqueue handlers for use with nftables and one 
of the things that I put in place was IPv4-and-IPv6 UDP DNS request 
filtering with PCRE patterns figuring prominently in the logic.


The scary part is how well it works.  12 months of real-world experience 
indicates that well over 99% of those requests that I do want to block 
a) arrive on UDP and b) fit into the first packet, and after that it's 
the amazing collection of Perl libraries that do all the heavy lifting 
so that I just need to glue it together with some pretty ugly script... 
but it works!


So I was looking forward to RPS having the effect of adding TCP to the 
mix and doing a much more respectable job of extracting the queries.


Which does lead to the question about some RPS documentation but that's 
sorta moot at this point.


***

Also, when running "named -V", I see both '--enable-static' and 
'--disable-static' in the output.  I have no idea if this is sensible or 
not but it sure looks a little funny:


user@pc:~$ named -V
BIND 9.12.2-P2-1+ubuntu18.04.1+deb.sury.org+1-Ubuntu 
running on Linux x86_64 4.15.0-34-generic #37-Ubuntu SMP Mon Aug 27 
15:21:48 UTC 2018
built by make with '--build=x86_64-linux-gnu' '--prefix=/usr' 
'--includedir=/usr/include' '--mandir=/usr/share/man' 
'--infodir=/usr/share/info' '--sysconfdir=/etc' '--localstatedir=/var' 
'--disable-silent-rules' '--libdir=/usr/lib/x86_64-linux-gnu' 
'--libexecdir=/usr/lib/x86_64-linux-gnu' '--disable-maintainer-mode' 
'--disable-dependency-tracking' '--libdir=/usr/lib/x86_64-linux-gnu' 
'--sysconfdir=/etc/bind' '--with-python=python3' '--localstatedir=/' 
'--enable-threads' '--enable-largefile' '--with-libtool' 
'--enable-shared' '--enable-static' '--with-gost=no' 
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-libidn2' 
'--with-libjson=/usr' '--with-lmdb=/usr' '--with-gnu-ld' 
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl' 
'--enable-filter-' '--disable-static' '--disable-native-pkcs11' 
'--enable-dnstap' 'build_alias=x86_64-linux-gnu' 'CFLAGS=-g -O2 
-fdebug-prefix-map=/build/bind-BNj4_3/bind-9.12.2.P2+dfsg=. 
-fstack-protector-strong -Wformat -Werror=format-security 
-fno-strict-aliasing -fno-delete-null-pointer-checks -DNO_VERSION_DATE 
-DDIG_SIGCHASE' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro 
-Wl,-z,now' 'CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2'

compiled by GCC 7.3.0
compiled with OpenSSL version: OpenSSL 1.1.0g  2 Nov 2017
linked to OpenSSL version: OpenSSL 1.1.0g  2 Nov 2017
compiled with libxml2 version: 2.9.4
linked to libxml2 version: 20904
compiled with libjson-c version: 0.12.1
linked to libjson-c version: 0.12.1
compiled with zlib version: 1.2.11
linked to zlib version: 1.2.11
threads support is enabled
user@pc:~$

--

 - James
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Recursion Question

2021-12-20 Thread LeBlanc, Daniel James via bind-users
Hello All.

I have a recursion via forwarder question.  Consider the following scenario:


-  A client sends a query to an internal recursive DNS server for the 
   following A record: 'a.b.c.private.dns.com'
-  The Recursive DNS server is unaware of this domain and sends the 
   request to its Forwarding DNS
-  The Forwarding DNS server has Internet access and begins the 
   recursion process
   o  It successfully determines the NS authoritative for 'private.dns.com'
   o  It is unable to continue the resolution process as it does not have 
      access to the NS authoritative for 'private.dns.com'
   o  It times out and returns a failed response to the Recursive DNS

Is it possible to return the information that it has to the Recursive DNS 
server?  And if so, is it possible for the Recursive DNS server to complete the 
lookup against NS private.dns.com (it has network access)?  I have been unable 
to find any guidance on this and am concerned that this is not a supported 
scenario.  Alternatives under consideration are:


-  Allow Forwarding DNS access to NS responsible for 'private.dns.com'

-  Make Recursive DNS aware of zone 'private.dns.com' so that it does 
not use the Forwarding DNS

-  ?? (open to suggestions!)

Thanks in advance!

Daniel J. LeBlanc, P.Eng., MBA, DTME

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


Response Policy Regular Expression Question

2022-01-14 Thread LeBlanc, Daniel James via bind-users
Hello All.

I am trying to create an NXDOMAIN response-policy for the following example 
domain:

x.yy.*.*.dns.*

I have reviewed RFC1034 & RFC4592 and many online articles and blog postings, 
but thus far have not found anything suggesting that this type of match is 
possible.  Am I expecting too much?  :)

Thanks and have a great weekend!

Daniel J. LeBlanc, P.Eng., MBA, DTME



RE: Response Policy Regular Expression Question

2022-01-24 Thread LeBlanc, Daniel James via bind-users
Thanks Havard.

Appreciate the candor.  This was my understanding given the articles and 
documentation that I reviewed.

Dan

-Original Message-
From: Havard Eidnes  
Sent: Monday, January 24, 2022 10:13 AM
To: LeBlanc, Daniel James 
Cc: bind-users@lists.isc.org
Subject: [EXT]Re: Response Policy Regular Expression Question

> I am trying to create an NXDOMAIN response-policy for the following 
> example domain:
>
> x.yy.*.*.dns.*
>
> I have reviewed RFC1034 & RFC4592 and many online articles and blog 
> postings, but thus far have not found anything suggesting that this 
> type of match is possible.  Am I expecting too much?
> :)

In a word: yes.

If I'm not terribly mistaken, the DNS response policy code uses normal DNS 
lookup mechanisms.  What you see sometimes in the DNS is '*' which is a 
"wildcard".  It is not used to form Regular Expressions(!)  Furthermore, it 
has the limitation that it can only occur once in a query, and match a single 
label at the leftmost edge of the looked-up name, and if registered in a zone, 
its data will be returned if the looked-up name doesn't otherwise exist in the 
zone (or if it's explicitly queried for).

Regards,

- Håvard
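
The label-by-label match the question asks for can be checked against query logs instead of a policy zone. This is an added example, not code from the thread or from BIND; it assumes each `*` stands for exactly one label, and the function names and log lines are constructed for illustration.

```python
import re

def labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def expressible_in_dns(pattern):
    """True if no '*' appears outside the leftmost label (RFC 4592 wildcard rule)."""
    return "*" not in labels(pattern)[1:]

def compile_label_glob(pattern):
    """Assumption: each '*' in the pattern stands for exactly one label."""
    parts = [r"[^.]+" if lab == "*" else re.escape(lab) for lab in labels(pattern)]
    return re.compile(r"\A" + r"\.".join(parts) + r"\.?\Z", re.IGNORECASE)

# Constructed lines modelled on named's query log; not taken from the thread.
SAMPLE_LOG = """\
client @0x7f01 192.0.2.10#40001 (x.yy.a.b.dns.example): query: x.yy.a.b.dns.example IN A +E(0)K (192.0.2.53)
client @0x7f02 192.0.2.11#40002 (X.YY.cdn.eu.DNS.test): query: X.YY.cdn.eu.DNS.test IN AAAA + (192.0.2.53)
client @0x7f03 192.0.2.12#40003 (x.yy.a.dns.example): query: x.yy.a.dns.example IN A + (192.0.2.53)
client @0x7f04 192.0.2.13#40004 (www.x.yy.a.b.dns.example): query: www.x.yy.a.b.dns.example IN A + (192.0.2.53)
client @0x7f05 192.0.2.14#40005 (x.yy.a.b.dnsx.example): query: x.yy.a.b.dnsx.example IN TXT + (192.0.2.53)
"""

# Captures client address, query name and query type from one log line.
QUERY_RE = re.compile(r"client \S+ (\S+?)#\d+ .*?query: (\S+) IN (\S+)")

def flag_queries(pattern, log_text):
    """Return (client_ip, qname, qtype) for logged queries matching the pattern."""
    rx = compile_label_glob(pattern)
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and rx.match(m.group(2)):
            hits.append(m.groups())
    return hits

if __name__ == "__main__":
    print("expressible as a DNS wildcard:", expressible_in_dns("x.yy.*.*.dns.*"))
    for hit in flag_queries("x.yy.*.*.dns.*", SAMPLE_LOG):
        print(hit)
```
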