Problem with zone delegation with private gTLD
Hello,

I am trying to set up a private gTLD with BIND9 and underneath that gTLD a subdomain. The subdomain runs on another BIND9 server. The problem I am facing is that the BIND9 server of the gTLD gives a NXDOMAIN for the NS record of the subdomain. I have no clue what is wrong. Can somebody point out to me what is wrong in my configuration?

named.conf snippet:

    view "phishing" {
        match-clients { phishing_net; };
        recursion yes;
        zone "lab" {
            type master;
            file "/etc/bind/gTLD/lab";
        };
    };

gTLD lab zone:

    $TTL 60 ; TTL 60 seconds
    $ORIGIN lab.
    @       IN SOA vdns01.lab. hostmaster.vdns01.mgmt.lab. (
                2019040801 10800 3600 604800 38400 )
            IN NS vdns01.lab.
            IN MX mail.lab.
    vdns01  IN A 192.168.111.200
    mail    IN A 192.168.10.103
    $ORIGIN acme.lab.
    @       IN NS ns1.acme.lab.
            IN NS vdns01.lab.
    ns1.acme.lab. IN A 192.168.10.42

Greetz,
Karl

Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
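Added example, not part of Karl's post or of BIND: a small Python parser for the zone file posted above, followed by a delegation check a practitioner would run before asking the list (in-bailiwick NS names need glue; a server that is authoritative only for the parent but is listed as NS for the child answers lame for the child unless it also loads the child zone). The zone text is copied from the post with the SOA folded onto one line; the parser is the example's own and understands only the directives that file uses.

```python
"""Added example (not from the thread): parse the posted 'lab' zone file and check
the acme.lab delegation for missing glue and parent servers listed as child NS."""
from collections import defaultdict

# Constructed from the zone file posted above (SOA folded onto one line).
ZONE = """\
$TTL 60 ; TTL 60 seconds
$ORIGIN lab.
@      IN SOA vdns01.lab. hostmaster.vdns01.mgmt.lab. ( 2019040801 10800 3600 604800 38400 )
       IN NS vdns01.lab.
       IN MX mail.lab.
vdns01 IN A 192.168.111.200
mail   IN A 192.168.10.103
$ORIGIN acme.lab.
@      IN NS ns1.acme.lab.
       IN NS vdns01.lab.
ns1.acme.lab. IN A 192.168.10.42
"""

def parse_zone(text):
    """Return {(owner_fqdn, rrtype): [rdata, ...]}; handles $ORIGIN, @ and blank owners."""
    records, origin, owner = defaultdict(list), None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()            # drop comments
        if not line.strip() or line.startswith("$TTL"):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        toks = line.split()
        if not raw[0].isspace():                        # explicit owner, else previous one
            name = toks.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        if toks and toks[0].isdigit():                  # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() == "IN":            # optional class
            toks.pop(0)
        records[(owner, toks[0].upper())].append(" ".join(toks[1:]))
    return records

def check_delegation(records, parent, child):
    """Return delegation problems for `child` judged from `parent`'s zone data."""
    parent_ns, findings = set(records.get((parent, "NS"), [])), []
    for ns in records.get((child, "NS"), []):
        if ns.endswith("." + child) and not records.get((ns, "A")):
            findings.append(f"{ns} is below {child} but has no glue A record")
        if ns in parent_ns:
            findings.append(f"{ns} is a {parent} server; as NS for {child} it answers lame "
                            f"unless it also loads the {child} zone")
    return findings
```

Running `check_delegation(parse_zone(ZONE), "lab.", "acme.lab.")` flags only the second NS of acme.lab, vdns01.lab., which is the parent's own server.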
Re: Problem with zone delegation with private gTLD
I cannot use a registered domain name because I am building a phishing demo environment and I do not want to use an internet connection.

Kind regards,
Karl

On 8 Apr 2019, at 13:06, Matus UHLAR - fantomas wrote:

>> Karl Lovink via bind-users wrote:
>>> I am trying to set up a private gTLD with BIND9 and underneath that gTLD
>>> a subdomain.
>
> On 08.04.19 12:00, Tony Finch wrote:
>> Why a TLD?
>>
>> You will have fewer problems if you get a properly registered domain and
>> set up a subdomain of that for private use.
>
> many users/organizations use private TLDs, just like they often use private
> IP ranges instead of public.
>
> I believe there should be reserved gTLD for such usage.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> I wonder how much deeper the ocean would be without sponges.
Re: Regarding named related issue observed with bind 9.11.5-P4 version
Alan,

Are you running bind on a Linux box with apparmor? Check your apparmor configuration: /etc/apparmor.d/usr.sbin.named.

Cheers,
Karl

> On 10 Apr 2019, at 16:31, Alan Clegg wrote:
>
>> On 4/10/19 10:19 AM, Alan Clegg wrote:
>>> On 4/3/19 5:26 AM, Chandra Rao wrote:
>>> While launching the named service coming from the latest bind as
>>> mentioned below, we have observed that it is not able to create
>>> "/var/run/named" directory with the named user in the cluster. Due to
>>> this we are not able to store the files "named.pid" and "session.key".
>>
>> named does not create the directory structure. You will need to do that
>> yourself.
>
> Correcting myself before others do (sigh):
>
> You've not shown how much of the /var/run directory structure exists.
> Does /var/run exist? What are the permissions on it?
>
> I've just now looked at the only instance of the "couldn't mkdir"
> message in the BIND source code:
>
>     if (mkdir(filename, mode) == -1) {
>         strerror_r(errno, strbuf, sizeof(strbuf));
>         (*report)("couldn't mkdir '%s': %s", filename,
>                   strbuf);
>         goto error;
>     }
>
> (my original comment was based on logging directory structure, not that
> used by session information).
>
> AlanC
Re: EDITED: Proper Way to Configure a Domain which never sends emails
Hi,

We (Arnold Holzel and I) gave a talk about SPF (with macros), DKIM, DMARC and MTA-STS during Black Hat USA two weeks ago. The slides contain example DNS records you can use, and also a link to a Splunk app to get insight into whether your domains are being abused.

Link: https://i.blackhat.com/USA-19/Thursday/us-19-Hoelzel-How-To-Detect-That-Your-Domains-Are-Being-Abused-For-Phishing-By-Using-DNS.pdf

Sincerely yours,
Karl

> On 19 Aug 2019, at 18:56, Dean Eckstrom wrote:
>
> You might also want to set a DMARC Policy record with appropriate 'rua' and
> 'ruf' email reporting addresses.
>
> rua and ruf depend on remote mail centers being willing to send you this
> information (which is not always consistently done). Yet the reports might
> provide occasional feedback if you are actually being spoofed. It's additional
> information that normally you wouldn't be able to
> get. (https://tools.ietf.org/html/rfc7489)
Re: Proper Way to Configure a Domain which never sends emails
The reject will only work when DKIM AND SPF are failing. So you have to set up SPF too. -all does the magic.

cheers,
Karl

On 20/08/2019 20:12, John Levine wrote:
> In article you write:
>> On 20/08/2019 at 9:28, Marco Davids via bind-users wrote:
>>> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be
>>> useful.
>
>> Wouldn't that imply having DKIM set up for the domain?
>
> No, of course not.
>
> It says that if mail isn't authenticated, reject it. An excellent
> way to be sure you never get DKIM authentication is not to set up
> DKIM in the first place.
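Added example, not from this thread or from any of its authors: a small DMARC evaluator that makes the combination rule discussed above concrete. The "p=reject" (or quarantine) disposition applies only when neither an aligned SPF pass nor an aligned DKIM pass is available, so a non-sending domain publishes "v=spf1 -all" next to its DMARC record. The TXT records, domains and IP addresses are constructed; the SPF evaluator understands only ip4:/ip6: and the terminal "all", and the organizational-domain rule is a last-two-labels approximation rather than the Public Suffix List.

```python
"""Added example (not from the thread): a small DMARC evaluator showing how SPF and DKIM
combine; p=reject applies only when neither aligned check passes."""
import ipaddress

# Constructed TXT records: a domain that never sends mail, and one that does.
RECORDS = {
    "example.test":        "v=spf1 -all",
    "_dmarc.example.test": "v=DMARC1; p=reject",
    "sender.test":         "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.sender.test":  "v=DMARC1; p=quarantine; aspf=s; adkim=r",
}

def spf_check(records, mail_from_domain, client_ip):
    """Tiny SPF evaluator: ip4:/ip6: mechanisms and the terminal 'all' qualifier only."""
    rec = records.get(mail_from_domain, "")
    if not rec.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in rec.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name, _, arg = mech.partition(":")
        if name == "all" or (name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False)):
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qual]
    return "neutral"                         # no mechanism matched and no 'all' present

def org_domain(name):
    # Assumption: organizational domain = last two labels (real code uses the Public Suffix List).
    return ".".join(name.lower().strip(".").split(".")[-2:])

def aligned(identifier, header_from, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the org domain."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    return org_domain(identifier) == org_domain(header_from)

def dmarc_disposition(records, header_from, client_ip, mail_from_domain, dkim=None):
    """Return 'pass' or the policy action. dkim is (d= domain, result) for a verified signature."""
    rec = records.get("_dmarc." + header_from)
    if rec is None:
        return "none"
    tags = dict(p.strip().split("=", 1) for p in rec.split(";") if "=" in p)
    spf_ok = (spf_check(records, mail_from_domain, client_ip) == "pass"
              and aligned(mail_from_domain, header_from, tags.get("aspf", "r")))
    dkim_ok = (dkim is not None and dkim[1] == "pass"
               and aligned(dkim[0], header_from, tags.get("adkim", "r")))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

A spoofed message claiming to be from example.test yields "reject" from any source address, while a message from sender.test passes on an aligned SPF pass or an aligned DKIM pass alone.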