Filter dns update requests?

2015-01-29 Thread Jeff Sadowski
Is there a way to setup bind to use an external filtering script to
filter out requests?

example1: Say I have a Cisco DHCP server, some Windows clients and
some other clients.
Further, let's say I have two domains on my DHCP scope.

WinCli1 is on ad.abc.org
WinCli2 is on ad.xyz.org
Printer1 gets its domain from the dhcp server which is ad.abc.org

bind allows ddns for both ad.abc.org and ad.xyz.org

Currently I see entries as follows:

WinCli1 has DNS A entries WinCli1.ad.abc.org WinCli1.ad.abc.org.ad.abc.org
and PTR  => WinCli1.ad.abc.org.ad.abc.org

WinCli2 has DNS A entries WinCli2.ad.xyz WinCli2.ad.xyz.org.ad.abc.org
and PTR  => WinCli2.ad.xyz.org.ad.abc.org

Printer1 has DNS A entry Printer1.ad.abc.org
and PTR  => Printer1.ad.abc.org

The only device whose entries I like as they are is the printer.
I would like to filter out the DNS entries for the Windows clients,
so that, in the example above, I would get what I think is the obvious
result, as follows:

WinCli1 has DNS A entry WinCli1.ad.abc.org
and PTR  => WinCli1.ad.abc.org

WinCli2 has DNS A entry WinCli2.ad.xyz
and PTR  => WinCli2.ad.xyz

Printer1 has DNS A entry Printer1.ad.abc.org
and PTR  => Printer1.ad.abc.org

Furthermore, I was wondering if there isn't a way to filter out some
entries altogether.

example2: Say I do not want some entry in my DNS ever.

Currently

PrinterBadName has DNS A entry PrinterBadName
and PTR  => PrinterBadName

I would like no entries, filtering out the bad names.

Is there a way to do things like this with bind?
Or someway to intercept DNS update requests and only send what I want
to the DNS servers?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Filter dns update requests?

2015-01-30 Thread Jeff Sadowski
On Thu, Jan 29, 2015 at 10:02 AM, Tony Finch  wrote:
> Jeff Sadowski  wrote:
>
>> Is there a way to setup bind to use an external filtering script to
>> filter out requests?
>
> Have you read the ARM's section on dynamic update policies? The built-in
> facilities are quite flexible, and there is also an "external" policy
> which you can implement yourself.
>
> http://ftp.isc.org/isc/bind9/9.10.2b1/doc/arm/Bv9ARM.ch06.html#dynamic_update_policies
>
Nice. I set up

zone "my.test" {
    type master;
    update-policy { grant any external local:2525; };
    file "updateable/db.test";
};

Now I'll have to write my own program to take the input and process it.
I'm pretty sure I'll want to deny just about everything, rewrite it in my
own program and resubmit with the names I want.

Is there any way to get requests for all domains?
Or can I only process domains I am a master for?

> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Fair Isle, Faeroes: Northwest 5 to 7 veering north 7 to severe gale 9,
> occasionally storm 10 later in Faeroes. Very rough or high, becoming high or
> very high except in east Fair Isle. Rain or squally wintry showers. Moderate
> or poor, occasionally good in east Fair Isle.
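The external rule set up above hands every update to a daemon over a Unix-domain socket, and the daemon answers grant or deny; it cannot rewrite the request, which is why the reply talks about resubmitting with the wanted names. The Python below is an added example (not from the thread, not ISC's code). It encodes and decodes requests in the layout the BIND ARM gives for the external rule (4-byte version, 4-byte length, NUL-terminated signer, name, TCP source address, rdata type and key, then a TKEY token length and token), applies the filtering the first message asks for (refuse names with the zone suffix repeated, such as WinCli1.ad.abc.org.ad.abc.org, and a blocklist such as PrinterBadName), and answers with the 4-byte grant/deny word. Assumptions: the zone ad.abc.org and the blocklist are constructed for the example, the policy itself is illustrative, and the socket type (stream, one request per connection) and the socket path should be checked against your named.

```python
import os
import socket
import struct

# Zone this daemon decides for and hosts that must never be registered
# (both constructed for the example; the policy is illustrative).
ZONE = "ad.abc.org."
BLOCKED_HOSTS = {"printerbadname"}
PROTOCOL_VERSION = 1


def build_request(signer, name, tcpaddr, rtype, key, tkey=b""):
    """Encode a request as the ARM describes it: version and length as 4-byte
    network-order integers, five NUL-terminated strings, then the TKEY token
    length and token. Used here to construct test input."""
    body = b"".join(s.encode("ascii") + b"\x00"
                    for s in (signer, name, tcpaddr, rtype, key))
    body += struct.pack("!I", len(tkey)) + tkey
    return struct.pack("!II", PROTOCOL_VERSION, 8 + len(body)) + body


def parse_request(data):
    """Decode one request into a dict. Malformed input raises ValueError."""
    if len(data) < 8:
        raise ValueError("short request")
    version, length = struct.unpack("!II", data[:8])
    if version != PROTOCOL_VERSION:
        raise ValueError("unsupported protocol version %d" % version)
    if length > len(data):
        # The length field is only sanity-checked here (assumption: the
        # example does not depend on whether it counts the 8-byte header).
        raise ValueError("truncated request")
    body = data[8:]
    fields = []
    pos = 0
    for _ in range(5):
        end = body.find(b"\x00", pos)
        if end < 0:
            raise ValueError("unterminated string")
        fields.append(body[pos:end].decode("ascii"))
        pos = end + 1
    if len(body) < pos + 4:
        raise ValueError("missing TKEY length")
    (token_len,) = struct.unpack("!I", body[pos:pos + 4])
    token = body[pos + 4:pos + 4 + token_len]
    signer, name, tcpaddr, rtype, key = fields
    return {"signer": signer, "name": name, "tcpaddr": tcpaddr,
            "type": rtype, "key": key, "tkey": token}


def decide(req):
    """Grant only A/AAAA updates for a single label directly under ZONE.
    This refuses the doubled-suffix names from the thread
    (WinCli1.ad.abc.org.ad.abc.org) and blocklisted hostnames."""
    name = req["name"].lower().rstrip(".") + "."
    if name == ZONE or not name.endswith("." + ZONE):
        return False                     # outside our zone, or the apex itself
    host = name[:-(len(ZONE) + 1)]
    if "." in host:                      # e.g. wincli1.ad.abc.org.ad.abc.org
        return False
    if host in BLOCKED_HOSTS:
        return False
    return req["type"].upper() in ("A", "AAAA")


def encode_reply(granted):
    """The reply is one 4-byte network-order integer: 1 grants, 0 denies."""
    return struct.pack("!I", 1 if granted else 0)


def handle(data):
    """Decision for one raw request; anything unparsable is denied."""
    try:
        return encode_reply(decide(parse_request(data)))
    except ValueError:
        return encode_reply(False)


def serve(path):
    """Answer named over the Unix-domain socket named in the update-policy
    rule. Assumption: a stream socket, one request per connection."""
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        os.chmod(path, 0o660)   # only named's user/group should reach the socket
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(handle(conn.recv(65536)))


if __name__ == "__main__":
    serve("/var/run/named/update-policy.sock")   # path is an assumption
```

Everything that fails to parse is denied rather than granted, and the socket is created with group-only permissions, so a local user cannot feed the daemon fake requests or read named's traffic. The policy in `decide` is deliberately narrow: the PTR zones would need their own rule, and a DHCP server that registers DHCID records would need that type added.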


Fwd: Different answer when querying @server from different clients

2015-03-06 Thread Jeff Sadowski
P.S. I think that is an outdated method. It should break DNSSEC. Views
from bind would probably be a better way.

On Fri, Mar 6, 2015 at 3:52 PM, Arthur Ramsey
 wrote:
> I had to disable DNS ALG on Juniper SRX series firewall.
>
> Thanks for the help,
> Arthur
>
>
> On 03/06/2015 04:51 PM, Jeff Sadowski wrote:
>>
>> I remember a network engineer that rewrote some DNS entries with a
>> cisco router replacing w.x.y.z with a.b.c.d
>>
>> On Fri, Mar 6, 2015 at 3:46 PM, Arthur Ramsey
>>  wrote:
>>>
>>> I don't think it is views.  The same thing happens against Google's
>>> public
>>> DNS.  The two hosts route to the Internet differently and that seems to
>>> at
>>> the root of the issue somehow.
>>>
>>> [root@dc01 ~]# dig +short ns1.mediture.com
>>> 74.113.249.135
>>> [root@dc01 ~]# dig +short ns2.mediture.com
>>> 107.23.33.118
>>>
>>> [root@dc01 ~]# dig @8.8.8.8 +trace great.truchart.com
>>>
>>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> @8.8.8.8 +trace
>>> great.truchart.com
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> .   18851   IN  NS  h.root-servers.net.
>>> .   18851   IN  NS  c.root-servers.net.
>>> .   18851   IN  NS  f.root-servers.net.
>>> .   18851   IN  NS  k.root-servers.net.
>>> .   18851   IN  NS  j.root-servers.net.
>>> .   18851   IN  NS  m.root-servers.net.
>>> .   18851   IN  NS  l.root-servers.net.
>>> .   18851   IN  NS  a.root-servers.net.
>>> .   18851   IN  NS  g.root-servers.net.
>>> .   18851   IN  NS  e.root-servers.net.
>>> .   18851   IN  NS  b.root-servers.net.
>>> .   18851   IN  NS  i.root-servers.net.
>>> .   18851   IN  NS  d.root-servers.net.
>>> ;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 144 ms
>>>
>>> com.172800  IN  NS  j.gtld-servers.net.
>>> com.172800  IN  NS  d.gtld-servers.net.
>>> com.172800  IN  NS  k.gtld-servers.net.
>>> com.172800  IN  NS  m.gtld-servers.net.
>>> com.172800  IN  NS  f.gtld-servers.net.
>>> com.172800  IN  NS  c.gtld-servers.net.
>>> com.172800  IN  NS  e.gtld-servers.net.
>>> com.172800  IN  NS  g.gtld-servers.net.
>>> com.172800  IN  NS  a.gtld-servers.net.
>>> com.172800  IN  NS  l.gtld-servers.net.
>>> com.172800  IN  NS  h.gtld-servers.net.
>>> com.172800  IN  NS  i.gtld-servers.net.
>>> com.172800  IN  NS  b.gtld-servers.net.
>>> ;; Received 496 bytes from 192.228.79.201#53(192.228.79.201) in 146 ms
>>>
>>> truchart.com.   172800  IN  NS  ns1.mediture.com.
>>> truchart.com.   172800  IN  NS  ns2.mediture.com.
>>> ;; Received 113 bytes from 192.52.178.30#53(192.52.178.30) in 129 ms
>>>
>>> great.truchart.com. 3600IN  A   192.168.168.225
>>> truchart.com.   86400   IN  NS  ns1.mediture.com.
>>> truchart.com.   86400   IN  NS  ns2.mediture.com.
>>> ;; Received 129 bytes from 107.23.33.118#53(107.23.33.118) in 31 ms
>>>
>>> [root@www02 ~]# dig @8.8.8.8 +trace great.truchart.com
>>>
>>> ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 +trace
>>> great.truchart.com
>>> ; (1 server found)
>>> ;; global options: +cmd
>>> .   18813   IN  NS  h.root-servers.net.
>>> .   18813   IN  NS  c.root-servers.net.
>>> .   18813   IN  NS  f.root-servers.net.
>>> .   18813   IN  NS  k.root-servers.net.
>>> .   18813   IN  NS  j.root-servers.net.
>>> .   18813   IN  NS  m.root-servers.net.
>>> .   18813   I

subdomain with domain

2015-04-01 Thread Jeff Sadowski
The other day I found that my secondary name servers running bind
were not dishing out

_msdcs. SRV records

This was causing join issues. It turned out that the Domain controller
had 2 different scopes one for

_msdcs.
and one for


So I shared the second _msdcs. scope with all my bind secondary servers.

All servers are running Fedora 21 with
bind.i686 32:9.9.6-8.P1.fc21

I had

zone "" {
    type slave;
    # the ip address of my dc
    masters {192.168.1.2;};
    file "data/db.192.168.1.2.slave";
};

entry in all my secondary name servers. Now I have

zone "_msdcs." {
    type slave;
    # the ip address of my dc
    masters {192.168.1.2;};
    file "data/db.192.168.1.2.slave";
};
zone "" {
    type slave;
    # the ip address of my dc
    masters {192.168.1.2;};
    file "data/db.192.168.1.2.slave";
};

entries on all my secondary name servers. I restarted named on all my
secondary name servers, and half of my secondary servers are
working (explained below) and half are not. I am certain that I allowed
zone transfers to all of my secondary name servers and that I am
pushing changes to my secondary servers.

Working meaning that they dish out the _msdcs entries.

examples:

nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.1.254
Server: 192.168.1.254
Address:192.168.1.254#53

_ldap._tcp.dc._msdcs. service = 0 100 389 pdc..

nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.2.254
Server: 192.168.2.254
Address:192.168.2.254#53

** server can't find _ldap._tcp.dc._msdcs.: SERVFAIL


nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.3.254
Server: 192.168.3.254
Address:192.168.3.254#53

_ldap._tcp.dc._msdcs. service = 0 100 389 pdc..

nslookup -type=SRV _ldap._tcp.dc._msdcs. 192.168.4.254
Server: 192.168.4.254
Address:192.168.4.254#53

** server can't find _ldap._tcp.dc._msdcs.: SERVFAIL

All servers still dish out records in the old scope. I have more
secondaries and there doesn't seem to be rhyme or reason to why half
work and half do not.
I made certain that 192.168.1.254 and 192.168.2.254 both had all the
same packages and double-checked that all named config files were
identical.

If anyone could give me a clue on what to check next it would be
greatly appreciated.


Variable in name of file for named.conf

2015-04-01 Thread Jeff Sadowski
I have a number of slave domains for which I would like a naming scheme,
so I don't have to go to each one and change the filename.

I have the following zones

zone "1.168.192.in-addr.arpa" {
include "named.slave";
};
zone "2.168.192.in-addr.arpa" {
include "named.slave";
};
zone "3.168.192.in-addr.arpa" {
include "named.slave";
};
zone "4.168.192.in-addr.arpa" {
include "named.slave";
};
zone "5.168.192.in-addr.arpa" {
include "named.slave";
};
zone "6.168.192.in-addr.arpa" {
include "named.slave";
};
zone "7.168.192.in-addr.arpa" {
include "named.slave";
};
zone "8.168.192.in-addr.arpa" {
include "named.slave";
};
zone "9.168.192.in-addr.arpa" {
include "named.slave";
};
zone "10.168.192.in-addr.arpa" {
include "named.slave";
};

named.slave looks as follows

type slave;
masters {192.168.1.2;};
file "data/db.@.slave";

It appears to work on my queries.

nslookup 192.168.1.2

2.1.168.192.in-addr.arpa  name = pdc.

nslookup 192.168.1.1

1.1.168.192.in-addr.arpa  name = gw1.

nslookup 192.168.2.1

1.2.168.192.in-addr.arpa  name = gw2.

The only file created in my data directory seems to be db.@.slave,
with the at sign.

Do I really need to have each zone with its own file?

Is there a special syntax to get what I expect?
expected files:
data/db.1.168.192.in-addr.arpa.slave
data/db.2.168.192.in-addr.arpa.slave
data/db.3.168.192.in-addr.arpa.slave
...
data/db.10.168.192.in-addr.arpa.slave

If not, I can have Make do it and build some scripts to do what I want,
but if there is syntax to do what I want it would be nice.


Re: Variable in name of file for named.conf

2015-04-02 Thread Jeff Sadowski
On Wed, Apr 1, 2015 at 8:09 PM, Barry Margolin  wrote:
> In article ,
>  Jeff Sadowski  wrote:
>
>> I have a number of slave domains that I would like a naming scheme and
>> not have to go to each and change the filename.
>>
>> I have the following zones
>>
>> zone "1.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "2.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "3.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "4.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "5.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "6.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "7.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "8.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "9.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>> zone "10.168.192.in-addr.arpa" {
>> include "named.slave";
>> };
>>
>> named.slave looks as follows
>>
>> type slave;
>> masters {192.168.1.2;};
>> file "data/db.@.slave";
>>
>> It appears to work on my queries.
>>
>> nslookup 192.168.1.2
>>
>> 2.1.168.192.in-addr.arpa  name = pdc.
>>
>> nslookup 192.168.1.1
>>
>> 1.1.168.192.in-addr.arpa  name = gw1.
>>
>> nslookup 192.168.2.1
>>
>> 1.2.168.192.in-addr.arpa  name = gw2.
>>
>> the only file created in my data directory seems to be db.@.slave
>> with the at sign.
>
> Why would you expect anything different? @ only has special meaning
> inside zone files, it's not special in named.conf.
>
>>
>> Do I really need to have each zone with its own file?
>
> Yes, you do. What's happening is that every time one of the reverse
> zones is transferred, it's overwriting that file. But the files are only
> used when initializing the zones when named starts up; you get the
> correct answers because the in-memory versions of the zones are
> distinct. But try restarting named and then see what happens when you do
> those nslookups. You'll see that 192.168.1.1 and 192.168.2.1 both return
> the same name.
>
>>
>> Is there a special syntax to get what I expect?
>> expected files:
>> data/db.1.168.192.in-addr.arpa.slave
>> data/db.2.168.192.in-addr.arpa.slave
>> data/db.3.168.192.in-addr.arpa.slave
>> ...
>> data/db.10.168.192.in-addr.arpa.slave
>>
>> if not I can have Make do it and build some scripts to do what I want
>> but if there is syntax to do what I want it would be nice.
>
> No, there's no built-in syntax to create the filename based on the zone
> name.
>
I wrote a PHP script to build my file for me:

<?php
// Generates the slave-zone section of named.conf.
// Run as: php <this script> > named.slaves.conf
$myslave = array(
    'type'     => 'slave',
    'masters'  => array('192.168.1.2'),
    // '@' is replaced with the zone name when the block is written out
    'autofile' => 'data/db.@.slave',
);

$arpa192 = '.168.192.in-addr.arpa';
$domain = '';
$zone = array();
$zone['_msdcs.' . $domain] = $myslave;
$zone[$domain] = $myslave;
$slavedsubnets = range(1, 10);

build_subnets($slavedsubnets, $arpa192, $myslave);
build_zones();

// Adds one reverse zone per subnet number, e.g. "1.168.192.in-addr.arpa".
function build_subnets($subnets, $net, $info)
{
    global $zone;
    foreach ($subnets as $subnet) {
        $zone[$subnet . $net] = $info;
    }
}

// Prints every zone as a named.conf "zone" block.
function build_zones()
{
    global $zone, $argv;
    $pounds = str_repeat('#', 30);
    $warning = $pounds . ' WARNING ' . $pounds . "\n";
    echo $warning . '# Do not edit this file. ' .
        'It was generated using "php ' . $argv[0] . "\"\n" . $warning;
    foreach ($zone as $z => $infos) {
        echo 'zone "' . $z . '" {' . "\n";
        foreach ($infos as $item => $value) {
            // 'autofile' is our own key; named.conf only knows 'file'
            echo "\t" . ($item == 'autofile' ? 'file' : $item) . ' ';
            if (is_array($value)) {
                echo '{';
                foreach ($value as $v) {
                    echo $v . ';';
                }
                echo '}';
            } else {
                switch ($item) {
                    case 'file':
                        echo '"' . $value . '"';
                        break;
                    case 'autofile':
                        echo '"' . str_replace('@', $z, $value) . '"';
                        break;
                    default:
                        echo $value;
                        break;
                }
            }
            echo ";\n";
        }
        echo "};\n";
    }
}
?>


> --
> Barry Margolin
> Arlington, MA


Re: Variable in name of file for named.conf

2015-04-02 Thread Jeff Sadowski
On Thu, Apr 2, 2015 at 11:09 AM, Jeff Sadowski  wrote:

Multiple AD domains

2016-07-27 Thread Jeff Sadowski
On the Samba mailing list they described setting up the DC as the NS and
forwarding to another machine for more rules.
This will work fine for one domain. Now let's say I have 2 domains.

If I set up forwarders like so on 192.168.1.1:

zone "domainA" IN { type forward; forward only; forwarders { 192.168.2.1; }; };
zone "domainB" IN { type forward; forward only; forwarders { 192.168.3.1; }; };

It will cache entries for each domain, and if a computer gets a different
address from DHCP it will update on the domain's DNS, but the DNS on
192.168.1.1 will have a cached entry until it expires.

192.168.2.1 and 192.168.3.1 are set up to forward all zones other than their
domain names to 192.168.1.1.

If I have the DNS server set for all machines in domainA to 192.168.2.1, all
machines on domainA see any DNS changes to domainA immediately; machines on
domainB are cached and can take time to clear out.
And
if I have the DNS server set for all machines in domainB to 192.168.3.1, all
machines on domainB see any DNS changes to domainB immediately; machines on
domainA are cached and can take time to clear out.

What is the best way to resolve this issue?

Re: Multiple AD domains

2016-07-27 Thread Jeff Sadowski
Should I set up 192.168.1.1 as a slave to these two domains? Would that fix it?

On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski 
wrote:


Re: Multiple AD domains

2016-07-27 Thread Jeff Sadowski
I'm going to try slaves like so.

If I set up slave zones like so on 192.168.1.1:

zone "domainA" IN { type slave; masters { 192.168.2.1; }; file "db.domainA"; };
zone "domainB" IN { type slave; masters { 192.168.3.1; }; file "db.domainB"; };

and in 192.168.2.1 and 192.168.3.1,
in options:

notify yes;
also-notify { 192.168.1.252; };
allow-transfer { 192.168.1.252; };


On Wed, Jul 27, 2016 at 1:11 PM,  wrote:

> > From: Jeff Sadowski 
>
> > On the Samba mailing list they described setting up the DC as the NS
> > and forwarding to another machine for more rules.
> > This will work fine for one domain. Now let's say I have 2 domains.
> >
> > If I set up forwarders like so on 192.168.1.1:
> >
> > zone "domainA" IN { type forward; forward only; forwarders { 192.168.2.1; }; };
> > zone "domainB" IN { type forward; forward only; forwarders { 192.168.3.1; }; };
> >
> > It will cache entries for each domain, and if a computer gets a
> > different address from DHCP it will update on the domain's DNS, but
> > the DNS on 192.168.1.1 will have a cached entry until it expires.
> >
> > 192.168.2.1 and 192.168.3.1 are set up to forward all zones other
> > than their domain names to 192.168.1.1.
>
> Your Domain Controllers should be the DNS servers for any computer in that
> domain.  Forward any other queries to a recursive server (192.169.1.1?)
> which may or may not be authoritative for other domains.
>
> > If I have the DNS server set for all machines in domainA to 192.168.2.1,
> > all machines on domainA see any DNS changes to domainA immediately;
> > machines on domainB are cached and can take time to clear out.
> > And
> > if I have the DNS server set for all machines in domainB to 192.168.3.1,
> > all machines on domainB see any DNS changes to domainB immediately;
> > machines on domainA are cached and can take time to clear out.
>
> Yep, that's how it works.
>
> > What is the best way to resolve this issue?
>
> Short TTLs in your domain controller DNS.
>
> --
>
>
> * Confidentiality Notice: This electronic message and any attachments may
> contain confidential or privileged information, and is intended only for
> the individual or entity identified above as the addressee. If you are not
> the addressee (or the employee or agent responsible to deliver it to the
> addressee), or if this message has been addressed to you in error, you are
> hereby notified that you may not copy, forward, disclose or use any part of
> this message or any attachments. Please notify the sender immediately by
> return e-mail or telephone and delete this message from your system.*
>

Re: Multiple AD domains

2016-07-27 Thread Jeff Sadowski
I'm going to try slaves like so.

If I set up slave zones like so on 192.168.1.1:

zone "domainA" IN { type slave; masters { 192.168.2.1; }; file "db.domainA"; };
zone "domainB" IN { type slave; masters { 192.168.3.1; }; file "db.domainB"; };

and in 192.168.2.1 and 192.168.3.1,
in options:

notify yes;
also-notify { 192.168.1.1; };
allow-transfer { 192.168.1.1; };

On Wed, Jul 27, 2016 at 1:20 PM, Jeff Sadowski 
wrote:


Re: Multiple AD domains

2016-07-28 Thread Jeff Sadowski
Correct on the gist. All answers were extremely helpful. I am curious
about Vinícius Ferrão's query; I would like it to be more secure. I'll have
to read more on using GSS-TSIG with Kerberos. I seem to recall this is set
up by the Samba install of AD, but I'll have to look at it more closely, as
now I want to set up a slave DNS to the AD's DNS. I too will probably have
the same issue as Vinícius Ferrão.
Is the only good option for now to leave my server mostly open, accepting
from an IP which can be spoofed (I'm just doing this on a computer that is
unlikely to get hacked with a spoof)? I would like something that I could
take to business security. The only domains I have vulnerable are just a
few test ones that I can rebuild in a heartbeat.

On Thu, Jul 28, 2016 at 1:40 PM, Darcy Kevin (FCA)  wrote:

> Yes, I did misread the original post; thanks for clarifying.
>
>
>
> But, the gist of the question seemed to be about mitigating the effects of
> caching, for dynamically-changing data. At a high level, whether the zones
> are AD zones or not, whether the “master” is BIND or Microsoft DNS, doesn’t
> have a whole lot of bearing on that challenge. As should be obvious from
> what I proposed, I prefer the slaving+NOTIFY approach over setting up
> fragile forwarding arrangements.
>
>
>
> The other sledgehammer approach, of course, is to set the TTLs really low,
> but that can have a disastrous effect on performance/capacity, according to
> how frequently the dynamically-changing names are being queried. Of course,
> no amount of named.conf tweaking will help to mitigate the effects of
> caching that occurs on the clients themselves (e.g. “nscd” on some *nix
> platforms, Windows resolver cache for Windows). The only standards-based
> solution for that is to lower the TTLs. (Non-standards-based solutions
> include ugly stuff like running a script on every client to flush the cache
> every minute, ugh). But, as always, lowering TTLs, should be done, if at
> all, with one’s eyes open to the performance/capacity impact.
>
> - Kevin
>
> --
> Kevin Darcy
> NAFTA Information Security Projects
> FCA US LLC
> 1075 W Entrance Dr, Auburn Hills, MI 48326, USA
> Telephone: +1 (248) 838-6601
> Mobile: +1 (810) 397-0103
> Email: kevin.da...@fcagroup.com
>
> From: Chris Buxton [mailto:cli...@buxtonfamily.us]
> Sent: Thursday, July 28, 2016 12:52 PM
> To: Darcy Kevin (FCA)
> Cc: bind-users@lists.isc.org
> Subject: Re: Multiple AD domains
>
> The OP's question was about setting up BIND, not MS DNS, related to using
> Samba, not Windows, as the domain controller.
>
> Regards,
> Chris
>
> Sent from my iPhone
>
> On Jul 27, 2016, at 12:36 PM, Darcy Kevin (FCA) wrote:
>
> My preference? Have all your clients use BIND to resolve DNS (this gives
> access to more advanced features like sortlisting, good query logging,
> blacklisting/redirection through the RPZ mechanism, Anycast, etc.). Set up
> the BIND instances as slaves for the AD zones, and have the AD folks add
> the BIND instances to the apex NS records so that the DCs will trigger fast
> replication to BIND via the NOTIFY extension to the protocol.
>
>
>
> I’d never let a regular PC client use Microsoft DNS for resolving DNS.
> Perish the thought!
>
>
>
> Note that this approach, if implemented simply, doesn’t scale to large
> numbers of BIND instances (because you don’t want to add dozens or hundreds
> of apex NS records to the zone). Beyond a certain threshold, you’d want to
> set up a multi-level slaving/NOTIFY hierarchy on the BIND side…
>
> - Kevin
>
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Sadowski
> Sent: Wednesday, July 27, 2016 3:00 PM
> To: bind-users@lists.isc.org
> Subject: Re: Multiple AD domains
>
> should I setup 192.168.1.1 as slaves to these two domains would that fix
> it?
>
>
>
> On Wed, Jul 27, 2016 at 12:56 PM, Jeff Sadowski 
> wrote:
>
> On the samba mailing list they described setting up the DC as the NS

DNAME usage?

2017-11-17 Thread Jeff Sadowski
I am a bit confused by DNAMEs.
I had used them before but I may have used them wrong.

On Windows 2008r2 I have some zones where I create a DNAME for the
root and point it to an A record.

I.e.:

zone bla.bla
SOA 
NS 
DNAME www.bla.com

where www.bla.com is an A record.

The reason I was doing this is because www.bla.com has a DHCP-assigned address

and I want bla.bla to always point to it.
Windows DNS does not allow a CNAME at the root of a zone.

As of 2012r2 with updates this no longer works.

So I decided to see what BIND would do with DNAME if I tried a similar
experiment.
I have a db.self file I use when I want certain outside addresses to
point back to my inside addresses.

my db.self file looks like so


$TTL 3D
@  1D  IN  SOA ns jeffsadowski.gmail.com. (
  2017081201 ;
  3H ;
  15 ;
  1w ;
  3h ;
 )
@ IN NS ns
ns IN A 192.168.1.252
@ IN A 192.168.1.252

And I want something similar for my DNAME, so I created db.dname that looks like so

$TTL 3D
@  1D  IN  SOA ns jeffsadowski.gmail.com. (
  2017081201 ;
  3H ;
  15 ;
  1w ;
  3h ;
 )
@ IN NS ns
ns IN A 192.168.1.252
@ IN DNAME methanemaker.mooo.com

Then when I try to start BIND I get error messages like so:

Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: NS
'ns.bla.bla' is below a DNAME 'bla.bla' (illegal)
Nov 17 09:55:53 methanemaker bash[7049]: zone bla.bla/IN: not loaded
due to errors.

I tried without the NS lines and I get this message:

Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: has no NS records
Nov 17 09:48:36 methanemaker bash[4872]: zone bla.bla/IN: not loaded
due to errors.

If anyone has a better idea how to map to a DHCP-addressed machine
from a zone, I'd like to know.

I don't want to recreate the entire superdomain for just one record
that needs changing.
I.e.:
the superdomain is managed by an outside service. I don't want to
keep a second copy inside that has a few different records.


Re: DNAME usage?

2017-11-17 Thread Jeff Sadowski
Can you give me an example of how to do that?

On Fri, Nov 17, 2017 at 12:48 PM, Mark Andrews  wrote:
> Alternatively use a http server that can update the records for the 
> interfaces it is listening on.
>
> This sort of thing is possible. Named gets informed by the OS when addresses 
> get added and removed. It currently just adds and removes listening sockets 
> but you could trigger other actions like sending dynamic dns updates.
>
> Unless you ask for the functionality it won’t be added.
>
>
> --
> Mark Andrews
>
>> On 18 Nov 2017, at 06:38, Mark Andrews  wrote:
>>
>> Just have the machine hosting the http server do a dynamic update of the A
>> and  records when they are assigned to the interface.
>>
>> It should be possible to get the OS to run a program when this happens so it
>> can perform a second dynamic update on the different name.
>>
>> --
>> Mark Andrews
>>
>>> On 18 Nov 2017, at 04:19, Jeff Sadowski  wrote:
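What Mark Andrews describes above, written out as an added example (not code from the thread or from ISC): a hook script the OS runs when an address is assigned, which replaces the host's own A record and then does a second update for the different name (the apex bla.bla that must always point at this host), each signed with a TSIG key via nsupdate. It assumes a key file /etc/bind/ddns-key.conf holding a key named ddns-key, the master at 192.168.1.252, and that both zones accept DNS UPDATE with that key (as the later reply notes, an outside service may not).

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC. Assumed names: key
# file /etc/bind/ddns-key.conf, key "ddns-key", master 192.168.1.252, and on
# the BIND side (so the key can touch only this name, and updates are logged):
#   update-policy { grant ddns-key name bla.bla. A; };
#   logging { category update { default_syslog; }; };

MASTER=${MASTER:-192.168.1.252}
KEYFILE=${KEYFILE:-/etc/bind/ddns-key.conf}
TTL=${TTL:-300}

# Print one nsupdate transaction: delete every A at NAME, add the new one.
# Doing both before a single "send" means no stale lease address survives.
build_update() {
    zone=$1; name=$2; addr=$3
    printf 'server %s\nzone %s\nupdate delete %s. A\nupdate add %s. %s A %s\nsend\n' \
        "$MASTER" "$zone" "$name" "$name" "$TTL" "$addr"
}

# Accept only a dotted-quad IPv4 address: the value comes from a DHCP hook,
# so validate it before it is spliced into an update sent to the master.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Push ADDR to NAME in ZONE with the TSIG key; nsupdate exits non-zero
# (and named logs why) if the key or the update-policy refuses it.
publish_name() {
    zone=$1; name=$2; addr=$3
    valid_ipv4 "$addr" || { echo "refusing bad address: $addr" >&2; return 1; }
    build_update "$zone" "$name" "$addr" | nsupdate -k "$KEYFILE"
}

# dhclient's exit hooks export new_ip_address; an "ip monitor" wrapper
# would call publish_name the same way with the address it parsed.
if [ -n "${new_ip_address:-}" ]; then
    publish_name mooo.com methanemaker.mooo.com "$new_ip_address" &&
    publish_name bla.bla bla.bla "$new_ip_address"
fi
```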

Re: Re: DNAME usage?

2017-11-17 Thread Jeff Sadowski
o retrieve your public address
> from an external source.
>
> https://help.dyn.com/remote-access-api/perform-update/ defines the dyndns
> update protocol - writing a server is straightforward.
>
> Of course if you have IPv6 - and are getting a dynamic address - you don't
> have to deal with NAT.  In that case, you can certainly have dhclient or
> RTNETLINK (see ip monitor) trigger a script.
>
> But note that in the problem statement is:
>
> the super domain is managed by an outside service.
>
> This probably makes the OP's life more difficult.  Those services tend not
> to support DNS UPDATE (or even dyndns update).  In that case, you're into
> using curl/wget to forms to their web gui.   And tracking their
> "improvements".
>
> Grief like that is why I ended up running my own DNS master server...and
> getting static IP addresses for my central site.
>
> I guess I should point out that the ISP that is providing the dynamic IP
> address may consider running a server as a violation of their Terms of
> Service, even if they don't block the port(s) that you want to use.
>
>
> On 18 Nov 2017, at 04:19, Jeff Sadowski  wrote: