Re: Deprecation notice for BIND 9.18: Differentiated Services Code Point (DSCP) support
>> On 5. 1. 2023, at 14:46, Robert M. Stockmann wrote:
>>> This is like Mercedes Benz announcing they will only sell
>>> the Baby Benz model, which is a Volkswagen EV barebonez with
>>> the VW logo replaced with a plastic Mercedes Benz star

> On Thu, 5 Jan 2023, Ondřej Surý wrote:
>> I've asked for a strong use-case and all I've got was a snark.
>> Do you actually have a real-world use for DSCP or are you just in a bad mood?

On 05.01.23 15:21, Robert M. Stockmann via bind-users wrote:
> From /usr/share/doc/bind-9.9.9P6/FAQ :

there's no DSCP mentioned here.

Are you aware that only the DSCP flags are deprecated, not all *source and forwarders etc. options themselves?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak original): I do NOT want to receive any advertising mail at this address.
Christian Science Programming: "Let God Debug It!".

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Deprecation notice for BIND 9.18: (root-)delegation-only option
On 22.03.23 17:36, Ondřej Surý wrote:
> in line with our deprecation policy, I am notifying the mailing list about our intent to deprecate the delegation-only and root-delegation-only options. This is again adept for expedited deprecation - it will be removed in BIND 9.20 and deprecated in BIND 9.18.

what's the reason? Code cleanliness? Or is it problematic to maintain?

> The (root-)delegation-options were introduced as a countermeasure for the infamous Site Finder by Verisign[1]. With the controversy around this and introduction of DNSSEC, the likelihood of this happening is infinitesimal.
>
> If you don't even know what those options do, the TL;DR is that it disables the non-delegation records for configured domains (TLD), this in turn might break legitimate TLDs like .de, .fr, .museum and others [2][3].
>
> If you know a legitimate reason to keep those options, please describe the use case here or in the issue mentioned below.

well, if "just for sure no other AH tries that again" is not a reason for you...
Re: Deprecation notice for BIND 9.18: (root-)delegation-only option
>> On 22.03.23 17:36, Ondřej Surý wrote:
>>> in line with our deprecation policy, I am notifying the mailing list about our intent to deprecate the delegation-only and root-delegation-only options. This is again adept for expedited deprecation - it will be removed in BIND 9.20 and deprecated in BIND 9.18.

> On 23. 3. 2023, at 17:57, Matus UHLAR - fantomas wrote:
>> what's the reason? Code cleanliness? Or is it problematic to maintain?

On 23.03.23 19:11, Ondřej Surý wrote:
> Those are wrong questions to ask - the right question to ask is whether this brings any value - and the answer is that it doesn't, then it becomes unmaintained and untested cruft.

my question was related to the next one.

>>> The (root-)delegation-options were introduced as a countermeasure for the infamous Site Finder by Verisign[1]. With the controversy around this and introduction of DNSSEC, the likelihood of this happening is infinitesimal.
>>>
>>> If you don't even know what those options do, the TL;DR is that it disables the non-delegation records for configured domains (TLD), this in turn might break legitimate TLDs like .de, .fr, .museum and others [2][3].
>>>
>>> If you know a legitimate reason to keep those options, please describe the use case here or in the issue mentioned below.

>> well, if "just for sure no other AH tries that again" is not a reason for you...

> No, it will not happen again, at least not at the TLD level. The community has learned and ICANN has learned too.

this is what I wanted to hear.

Unfortunately there are companies that do this for their customers.
If this should happen at any level, what are the possibilities to discard such responses?
Use RPZ that will rewrite specific A/ records into NODATA/NXDOMAIN?
We'd need the specific address(es) to rewrite but we could live with that.
Re: Bind dns amplification attack
On 28.03.23 16:04, Nyamkhand Buluukhuu wrote:
> No, I have an access list that allows only our ISP zones.

zones? access lists are meant to limit clients.
what do your access limits look like?
Re: Bind dns amplification attack
On 28.03.23 18:48, Nyamkhand Buluukhuu wrote:
> Like below in named.conf:
>
> acl recclients {
>     43.228.128.2/32;
>     202.70.32.17/32;
>     103.29.147.0/29;
>     103.99.103.0/24;
> };
> allow-recursion { recclients; };

Great, this means that only clients with those IP addresses can query your server for non-local information.
So, your server should NOT be part of an amplification attack.
(unless you run a VERY OLD version of BIND)
Re: Bind dns amplification attack
> On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote:
>> Great, this means that only clients with those IP addresses can query your server for non-local information.

On 28.03.23 10:16, Grant Taylor via bind-users wrote:
> I used to think the same thing. Then I learned that I needed to also add similar configuration for `allow-query {...};` and `allow-query-cache {...};`

allow-query-cache defaults to the content of allow-recursion if only the latter is defined.

allow-query is safe to configure if nobody is supposed to query your server from outside - e.g. your server does not provide authoritative zones for use from the internet.
If your server has authoritative zones for internal use, yes, in such case allow-query is a good idea.
Re: Bind dns amplification attack
> On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote:
>> If your server has authoritative zones for internal use, yes, in such case allow-query is a good idea.

On 28.03.23 11:02, Grant Taylor via bind-users wrote:
> The server that I first set this on had a secondary copy of the root zone for my systems use. I ended up adding additional restrictions to prevent the world from querying it in addition to the public zones that are allowed to be queried by the world.

Yes, this is one of the problems of "authoritative zones for local use".
The default root "hint" zone is only available for those who have recursion available.
Re: Bind dns amplification attack
> On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
>> Yes, this is one of the problems of "authoritative zones for local use".

On 28.03.23 12:18, Grant Taylor via bind-users wrote:
> Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's data from the query cache even if they couldn't query the zone directly.

when was this? querying the cache is by default allowed for the same clients as recursion, perhaps unless it was an old BIND version.

>> The default root "hint" zone is only available for those who have recursion available.

> I feel like the "root hint zone" is considerably different than "root zone" proper. The fact that they have different zone types seems to support that.

yes. The content of the hint zone is abused to generate an amplification attack:

Mar 26 16:03:53 fantomas named[1654]: client @0xe7379d50 195.88.25.138#59467 (.): query (cache) './ANY/IN' denied

If you have a local root zone, the response is provided by default, and it can be huge:

% dig +noanswer +noadditional +nocomments +nocmd +noquestion -t any . @fantomas.fantomas.sk
;; Query time: 0 msec
;; SERVER: 195.80.174.185#53(195.80.174.185)
;; WHEN: Wed Mar 29 09:23:27 CEST 2023
;; MSG SIZE rcvd: 2904

but the default "type hint" root is treated as cache and REFUSED is sent.
Re: host restriction
On 15.05.23 20:58, Kereszt Vezeték wrote:
> Can someone help me with the following problem?
> I have a dns server in my private network with a local domain. The dns server forwards the public requests to the google dns server.

why? A BIND server can resolve perfectly without forwarding anywhere.

> I would like to separate hosts in the inside network. One group allows only the local hosts to resolve, not forward to 8.8.8.8. The other group allows the local hosts to resolve, and is able to forward to the google dns server. Is there any way to solve this problem with bind9?
>
> Local subnet 192.168.1.0/24
> 192.168.1.10 allow forward to 8.8.8.8
> 192.168.1.11 allow forward to 8.8.8.8
> 192.168.1.20 disable forward 8.8.8.8
> 192.168.1.21 disable forward 8.8.8.8

And how should requests from these IPs be resolved?

If really needed (see my comment above), I recommend using views for this. Mostly because they can have separate caches.
Re: resolver: DNS format error from
On 17.05.23 11:31, Greg Choules via bind-users wrote:
> TL;DR 9.18 is stricter than 9.16 at handling junk responses from authoritative servers.

I think there were even "DNS flag day"s when operators were supposed to install/configure systems that comply with standards.
After the next DNS flag day (none announced afaik) we should expect broken servers to stop being supported - whoever owns one will have troubles.

> Looking at a packet capture for this from my own BIND server (9.18.14) the response from 195.178.56.17 is FORMERR, which tends to mean that it objects to something in the query. The correct response to something you don't like is to ignore it, so this server is not obeying protocol and 9.18 is not going to try and work around broken behaviour.
>
> I disabled sending of cookies to this server and now it works. It could be that it doesn't like cookies, or just any EDNS option that it doesn't know what to do with. Either way, it should be fixed.

> On Tue, 16 May 2023 at 15:53, Alex wrote:
>> I have a bind-9.18.7 system on fedora37 and having some strange errors with some queries.
>>
>> $ host info.apr.gov.rs
>> Host info.apr.gov.rs not found: 2(SERVFAIL)
>>
>> in my bind logs I have the following:
>>
>> 16-May-2023 10:37:49.800 resolver: DNS format error from 195.178.56.17#53 resolving ns1.apr.gov.rs/ for : server sent FORMERR
>> 16-May-2023 10:37:49.800 lame-servers: received FORMERR resolving 'ns1.apr.gov.rs//IN': 195.178.56.17#53
>> 16-May-2023 10:37:49.800 lame-servers: timed out resolving 'info.apr.gov.rs/A/IN': 212.62.49.194#53
>> 16-May-2023 10:37:49.800 query-errors: client @0x7f9d546d5168 127.0.0.1#59712 (info.apr.gov.rs): query failed (failure) for info.apr.gov.rs/IN/A at ../../../lib/ns/query.c:7717
>>
>> In the limited search results I've found for this, I believe it has something to do with dnssec or EDNS, but I really don't know how to troubleshoot this. Is this a known problem? It also appears to be happening with even hosts like ticketmaster?
>>
>> 16-May-2023 10:21:09.348 lame-servers: FORMERR resolving 'engage.ticketmaster.com/NS/IN': 205.251.194.123#53
>>
>> The host resolves fine on my bind-9.16.38 system using the exact same configuration, as well as most or all public resolvers.
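An added example (not ISC's code, not from any poster) that triages named log lines of the two kinds quoted in these threads: the "query (cache) './ANY/IN' denied" lines from the amplification thread above, and the lame-servers FORMERR/timeout lines from this thread. The regexes follow the quoted line formats; the sample log is constructed and uses documentation address ranges; the `server { send-cookie no; }` stanza is the per-server workaround Greg describes.

```python
"""Triage of named log lines (added example, not ISC code): counts denied
cache queries for ANY, the reflection attempt the amplification thread
describes, and groups lame-servers FORMERR/timeout lines by upstream server.
Sample lines at the bottom are constructed using documentation ranges."""
import re
from collections import Counter, defaultdict

# client @0x... 203.0.113.9#59467 (.): query (cache) './ANY/IN' denied
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+ \([^)]*\): "
    r"query \(cache\) '(?P<name>[^/']*)/(?P<qtype>[A-Z0-9]+)/IN' denied"
)
# lame-servers: received FORMERR resolving 'ns1.example.net/AAAA/IN': 192.0.2.17#53
# lame-servers: timed out resolving 'info.example.net/A/IN': 192.0.2.194#53
LAME_RE = re.compile(
    r"lame-servers: (?:received )?(?P<what>FORMERR|timed out) resolving "
    r"'(?P<qname>[^']*)': (?P<ip>[0-9A-Fa-f.:]+)#\d+"
)


def parse_line(line):
    """Classify one log line: ('denied', client_ip, 'name/qtype'),
    ('formerr' | 'timeout', upstream_ip, qname), or None for anything else."""
    m = DENIED_RE.search(line)
    if m:
        return ("denied", m["ip"], f"{m['name']}/{m['qtype']}")
    m = LAME_RE.search(line)
    if m:
        kind = "formerr" if m["what"] == "FORMERR" else "timeout"
        return (kind, m["ip"], m["qname"])
    return None


def triage(lines, denied_threshold=3):
    """Return (suspect_clients, formerr_servers, timeouts).

    suspect_clients: {ip: count} of denied ANY queries at or above threshold.
    A denied query was answered REFUSED, so nothing was amplified; the source
    address of such traffic is usually the spoofed victim, not the attacker,
    so this is a signal to rate-limit or report, not an address to blocklist.
    formerr_servers: {upstream ip: set of qnames} for servers answering
    FORMERR, the breakage 9.18 no longer works around.
    timeouts: {upstream ip: count} of timed-out queries."""
    denied_any = Counter()
    formerr = defaultdict(set)
    timeouts = Counter()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        kind, ip, detail = event
        if kind == "denied" and detail.endswith("/ANY"):
            denied_any[ip] += 1
        elif kind == "formerr":
            formerr[ip].add(detail)
        elif kind == "timeout":
            timeouts[ip] += 1
    suspects = {ip: n for ip, n in denied_any.items() if n >= denied_threshold}
    return suspects, dict(formerr), dict(timeouts)


def server_exception(ip):
    """named.conf 'server' clause that stops sending DNS COOKIE to one upstream
    (Greg's workaround). Scope it to the broken server and remove it once that
    server is fixed, since it also drops cookie protection for that path."""
    return f"server {ip} {{ send-cookie no; }};"


# Constructed sample log in the same formats as the lines quoted above.
SAMPLE_LOG = """\
26-Mar-2023 16:03:53.101 client @0xe7379d50 203.0.113.9#59467 (.): query (cache) './ANY/IN' denied
26-Mar-2023 16:03:53.402 client @0xe7379d50 203.0.113.9#59468 (.): query (cache) './ANY/IN' denied
26-Mar-2023 16:03:53.903 client @0xe7379d50 203.0.113.9#59470 (.): query (cache) './ANY/IN' denied
26-Mar-2023 16:04:01.000 client @0xe7379d51 198.51.100.7#4123 (www.example.com): query (cache) 'www.example.com/A/IN' denied
16-May-2023 10:37:49.800 lame-servers: received FORMERR resolving 'ns1.example.net/AAAA/IN': 192.0.2.17#53
16-May-2023 10:37:49.800 lame-servers: timed out resolving 'info.example.net/A/IN': 192.0.2.194#53
16-May-2023 10:21:09.348 lame-servers: FORMERR resolving 'engage.example.org/NS/IN': 192.0.2.123#53
"""

if __name__ == "__main__":
    suspects, formerr, timeouts = triage(SAMPLE_LOG.splitlines())
    for ip, n in suspects.items():
        print(f"{n} denied ANY queries for '.' from {ip} (refused; source likely spoofed)")
    for ip, names in formerr.items():
        print(f"{ip} answered FORMERR for {sorted(names)} -> candidate: {server_exception(ip)}")
    for ip, n in timeouts.items():
        print(f"{ip} timed out {n} time(s)")
```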
Re: migration to new isp - now private addresses showing up publicly?
On 23.05.23 12:22, Kaya Saman wrote:
> I've got a very strange problem that has emerged somehow after migrating my isp.
>
> My setup previously used 2x servers in master/slave configuration for my public "view" and then had 3x servers for the "internal" view.
>
> This was working fine for years and I have been regularly testing using online dns healthcheck sites such as mxtoolbox etc...
>
> Now when I try to run any type of check from mxtoolbox or other site eg. https://dnschecker.org/ I am getting my private IP's showing instead of the public ones?
>
> Initially it started off by my external zone files not transferring which I managed to see that the information was trying to traverse my NAT (I know, not the best practice to have all dns servers on the same network).
>
> As a result external emails from my mail server are not working too well with a hit and miss type thing going on right now.
>
> Just to go over, my zone files are fine as the 'external' ones only have public ip addresses in them and do not include any type of internal addressing whatsoever.
>
> Here's an example of the config in named.conf for the master:
>
> view "external" {
>         match-clients { !internals; any; };
> [...]

> view "external" {
>         match-clients { !internals; any; };

I don't see your definition of "internals". Also, I don't see your definition of the internal view.

if internal IP addresses are visible on the internet, obviously the internet sources fall into your internal view, not into this one.
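An added example (not ISC's code, not from any poster) that evaluates BIND address match lists the way named does, to show why the missing "internals" definition and the view order decide which view internet sources land in: elements are tested in order, the first match decides, a matching "!" element rejects, and a nested ACL counts only as a positive match. The ACLs and views are constructed with documentation ranges; "localhost", "localnets" and key elements are not modelled.

```python
"""Evaluator for BIND address match lists and view selection (added example,
not ISC code). Models the rules named applies to match-clients: in-order
evaluation, first match wins, '!' rejects, nested ACL counts only when it
matches positively. Networks are constructed documentation ranges."""
import ipaddress


class AclError(ValueError):
    """Reference to an ACL that named.conf never defined (named-checkconf rejects this)."""


def match_list(elements, acls, client):
    """Evaluate one address match list for a client address.

    elements: strings as written in named.conf, e.g. "10.0.0.0/8", "!internals",
    "any", "none" (localhost/localnets/key elements are not modelled).
    acls: {acl name: element list} taken from the 'acl' statements.
    Returns True for a positive match, False when a negated element matched or
    nothing matched; named treats both of the latter as "does not match"."""
    client = ipaddress.ip_address(client)
    for elem in elements:
        negate = elem.startswith("!")
        if negate:
            elem = elem[1:].strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in acls:
            # Nested ACL: only its positive verdict counts as a hit here.
            hit = match_list(acls[elem], acls, str(client))
        else:
            try:
                net = ipaddress.ip_network(elem, strict=False)
            except ValueError:
                raise AclError(f"undefined acl or bad prefix: {elem!r}") from None
            hit = client.version == net.version and client in net
        if hit:
            return not negate  # the first matching element decides
    return False


def select_view(views, acls, client):
    """views: list of (view name, match-clients list) in named.conf order.
    The first view whose match-clients matches serves the client; None means
    no view matched and named would refuse the query."""
    for name, elements in views:
        if match_list(elements, acls, client):
            return name
    return None


# Constructed configuration mirroring the thread: an 'internals' ACL, an
# internal view listed first, and the external view with { !internals; any; }.
ACLS = {"internals": ["127.0.0.0/8", "10.0.0.0/8", "192.168.0.0/16"]}
VIEWS = [
    ("internal", ["internals"]),
    ("external", ["!internals", "any"]),
]

# Mis-ordered list: 'any' comes first, so '!internals' is never reached and
# the internal view would serve the whole internet.
VIEWS_ANY_FIRST = [("internal", ["any", "!internals"]), ("external", ["any"])]

# Over-broad ACL: a stray 0.0.0.0/0 inside 'internals' makes every internet
# source an "internal" client, which is the failure pointed at above.
ACLS_BROAD = {"internals": ["10.0.0.0/8", "0.0.0.0/0"]}

if __name__ == "__main__":
    for client in ("10.1.2.3", "203.0.113.5"):
        print(client, "->", select_view(VIEWS, ACLS, client),
              "| any-first:", select_view(VIEWS_ANY_FIRST, ACLS, client),
              "| broad acl:", select_view(VIEWS, ACLS_BROAD, client))
```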
Re: Controlling which interface named uses
> On Sat, 10 Jun 2023 19:24:03 +0200 Ondřej Surý wrote:
>> You are over-complicating things. If unconfigured, named binds the outgoing UDP to 0.0.0.0 (::0), which means the chosen IP address is picked by the kernel. You need to configure priorities on your interfaces in the kernel - ip route is your friend. And for goddess' sake, don't do anything wild like proposed round robin across default routes. That would be a living hell to debug.

On 11.06.23 10:34, Paul Kosinski via bind-users wrote:
> If you have some external interfaces you *don't* want named to use, but might want other outgoing traffic to use, you would need some "policy based routing", which can get complicated. In Linux, this is controlled by "ip rule" (not "ip route").

note that query-source settings affect the source IP of the packet, while "ip rule" affects the outgoing interface (unless you also configure SNAT for those packets), so they are not exactly the same. In some cases you may need both.
Re: latency and response time
On 27.06.23 16:22, sami.ra...@sofrecom.com wrote:
> Hello
> In DNS benchmarking which is more important, latency or response time?
> for a DNS server what is the difference between the two values?

I don't see any difference between those two.
Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?
On 28.06.23 15:45, Ubence Quevedo wrote:
> My question is, is there any way to "properly" return a hostname/IP based on what network the request is coming from?

bind has the "sortlist" statement that could do what you want. It will provide all IPs but sorted differently.

Otherwise, you can set up multiple views with different versions of the same zone, configured to provide a different version according to source IP. This is much harder to set up.
Re: Bind to Bind DNS Lookup - Returns wildcard value for defined A record
On 16.07.23 02:08, OwN-3m-All wrote:
> I've got a bind recursion DNS server setup that is returning the wrong value for an outside domain that I also maintain and host on another server running a bind DNS server. Yet Google's DNS and other major DNS providers respond with the correct IP address A record when querying. I can't figure out why my recursion enabled instance is not returning the correct IP address for a specific host. Rather, it returns the wildcard value from the zonefile rather than the specifically specified A record entry created for that host. It appears bind to bind is returning the wildcard value for a specifically defined host in the zonefile from the server it's hosted on. Is this a recent bug in bind?
>
> More information about my setup and issue can be found here: https://serverfault.com/questions/1136914/bind-recursion-dns-server-returning-wildcard-address-for-host-despite-exact-entr
>
> From what I found online, if there's a specific host A record entry defined, it should always return that IP. Wildcard is only for those not defined. Yet, when I remove the wildcard from the zonefile, my bind recursion instance returns the correct value, but not when the wildcard entry is there. But Google and other major DNS providers return the non-wildcard value as expected.

Please provide a concrete example, I can't query fun.test.test.me. nor test.test.me.
Re: Dynamic updates to multiple masters
On 02.08.23 11:53, Shailendra Gautam wrote:
> I have four authoritative dns servers, all running in master mode for my zone for high availability, currently they all pull a static zonefile. I'm trying to implement dynamic updates but I am wondering if there is any way to avoid sending an update to each of them, and send the update only once and it should sync to all 4. Would like to know if anyone has faced this problem before.

Microsoft's AD supports something like this, the domains are kind of synchronized between servers.
As a downside, when using an AD server as primary for zones in AD, you can't use multiple servers as the zones are often not in sync.

I would either create a hidden primary that would process dynamic updates.
For DNSSEC and inline signing, a hidden primary looks like the best option to me.
Re: Forwarders working differently on bind9.8 & bind9.11
> On Tue, Sep 19, 2023 at 7:28 AM Prashasti Arora wrote:
>> I have configured a new zone to forward certain queries to my application on 2 VMs (One local and the other in my network) through a specific port. I have 2 similar setups - they are identical, except that one uses bind9.8 and the other uses bind9.11. Configuration is also identical for both.
>>
>> On the first setup (using bind9.8): the traffic I send gets distributed uniformly.
>> On the second setup (using bind9.11): the traffic gets distributed barely. 99% of the traffic is sent to one VM.

BIND wants to get responses as soon as possible, thus it queries the servers that respond fastest.
BIND keeps track of how fast servers are responding, and whichever server responds faster will get queries more often.
From time to time, BIND re-checks other servers to see if they perform better, because that can change over time.

>> What is the problem? I have verified that forwarding is working correctly on both, the issue is not with the application because both VMs on each setup can handle traffic individually, the firewall is not blocking the queries, and the configuration is correct.
>>
>> This is the zone:
>>
>> zone "example.com" IN {
>>     type forward;
>>     forwarders {
>>         127.0.0.1 port xxx;
>>         a.b.c.d port xxx;
>>     };
>>     forward only;
>> };
>>
>> Please share any other possible solutions.

On 19.09.23 08:25, Bob Harold wrote:
> Note that the 'forwarders' line, from the BIND 9.11 manual: "There may be one or more forwarders, and they are queried in turn until the list is exhausted or an answer is found." So the first one will get all the traffic, the second is just a backup to be used if the first fails. If you expect that to do load balancing, it will not. Try a real load balancer, or 'dnsdist'.

I think this behaviour changed to the one I described above a long time ago. Perhaps after BIND 9.8
Re: Question on ISC BIND DNS Server
On 22.11.23 23:44, Turritopsis Dohrnii Teo En Ming wrote:
> I have Virtualmin / Webmin web hosting server control panel. I have 2 Virtual Private Servers in Germany and 1 Virtual Private Server in Japan.
>
> Can I upgrade BIND DNS Server manually? Will it cause problems with Virtualmin / Webmin?

I think this is a question for webmin/virtualmin, but from what I know about webmin it tends to edit local configuration, so I guess it will edit the primary zone file.
Re: error: 'allow-update' is not allowed in 'slave' zone
On 14.02.24 17:06, trgapp16 via bind-users wrote:
> I configured Bind 9.18.12 as slave DDNS with dynamic updates from DHCP (ISC DHCP 4.4) running on the same server (Ubuntu 22.04 server)
>
> When I run "named-checkconf named.conf", I get the following error
> "named.conf:2018: option 'allow-update' is not allowed in 'slave' zone 'zonename.com'"
>
> Following is the named.conf file (part)
>
> zone "zonename.com" {
>     type slave;
>     file "com/zonename/sec.zonename.com";
>     masters { IP address; };
>     allow-update { key rndc-key; };
>     allow-transfer { IP address; };
> };
>
> I am clueless what is going wrong. Any help is greatly appreciated

your nameserver does not update secondary (slave) zones, therefore allow-update does not make sense.
you should remove it or replace it with allow-update-forwarding so all received updates are forwarded to the primary (master) server.
Re: Deprecation notice force BIND 9.20+: "rrset-order fixed" and "sortlist"
On 01.03.24 08:24, Ondřej Surý wrote:
> The "sortlist" option allows defining complicated rules for when and how to reorder the resource records in the responses. The same caveats as with the "rrset-order" apply - relying on any specific order of resource records in the DNS responses is wrong. We are not aware of any other (major) DNS server that would have similar behaviour as this was never specified in the DNS protocol.
>
> If you know of any software or hardware relying on any specific order of the resource records in the DNS messages, it needs to be reported as a bug to the respective vendor.

I don't know about _requirement_, but I have used this option as a poor man's way to implement geographically local IP addresses - to anyone return topologically closer IP addresses first, others next.

I found it especially nice because it doesn't matter which service we are using - if there are multiple IP's for _anything_, return topologically closer first.
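An added example (not ISC's code, not from any poster) that emulates the sortlist ordering Matus used as a poor man's geo-preference here, and which the earlier "Possibility of using views..." thread asked about: named picks the first sortlist entry whose client list matches the querying address, then ranks the answer addresses by the first element of the entry's order list that contains them, unmatched ones last. The topology below is constructed with documentation ranges; the caveat from the deprecation notice stands, clients need not preserve the order.

```python
"""Emulation of named's 'sortlist' response ordering (added example, not ISC
code). Entries are tried in order; the first whose client list matches the
querying address selects the preference list; answers are ranked by the first
preference element containing them. Addresses are documentation ranges."""
import ipaddress


def _in(addr, elem):
    """One address-match-list element: 'any' or an IP/prefix."""
    if elem == "any":
        return True
    net = ipaddress.ip_network(elem, strict=False)
    return addr.version == net.version and addr in net


def sortlist_order(sortlist, client, answers):
    """Reorder an RRset's addresses for one client as named's sortlist does.

    sortlist: list of (client_list, order_list) pairs in named.conf order;
      order_list may be None, the one-element sortlist form, in which case
      the client element that matched is itself the preference (answers on
      the client's own network first).
    client: address of whoever sent the query to named, i.e. the resolver,
      not the end user behind a forwarder; that is the main limit of the trick.
    Returns a new list: answers matching an earlier preference element first,
    unmatched answers last in their original relative order."""
    client = ipaddress.ip_address(client)
    for client_list, order_list in sortlist:
        matched = next((e for e in client_list if _in(client, e)), None)
        if matched is None:
            continue
        prefs = order_list if order_list is not None else [matched]

        def rank(a):
            addr = ipaddress.ip_address(a)
            for i, e in enumerate(prefs):
                if _in(addr, e):
                    return i
            return len(prefs)  # unmatched answers sort last

        return sorted(answers, key=rank)  # sorted() is stable
    return list(answers)  # no entry matched: order unchanged


# Constructed topology: two sites and a public prefix. Each site prefers its
# own addresses, then the other site's, then public; everyone else gets public
# first. Written as named.conf would: { { clients }; { preferences } }.
SORTLIST = [
    (["192.0.2.0/24"], ["192.0.2.0/24", "198.51.100.0/24"]),
    (["198.51.100.0/24"], ["198.51.100.0/24", "192.0.2.0/24"]),
    (["any"], ["203.0.113.0/24"]),
]
RRSET = ["203.0.113.10", "198.51.100.10", "192.0.2.10"]

if __name__ == "__main__":
    for c in ("192.0.2.77", "198.51.100.5", "172.16.0.9"):
        print(c, "->", sortlist_order(SORTLIST, c, RRSET))
```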
Re: occasional SERVFAIL error
On 29.02.24 15:20, Ludovit Koren wrote:
> occasionally I get the following SERVFAIL error:
>
> dig www.jiscd.sk
>
> ; <<>> DiG 9.18.24 <<>> www.jiscd.sk
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12207
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: 35fe56eb9b5f3f22010065df34b4c313eedf839eac9d (good)
> ;; QUESTION SECTION:
> ;www.jiscd.sk.          IN      A
>
> ;; Query time: 17 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
> ;; WHEN: Wed Feb 28 14:27:16 CET 2024
> ;; MSG SIZE  rcvd: 69
>
> I can get rid of it only after issuing:
>
> rndc flush
>
> Afterwards it works for an uncertain time. Could it be I have a configuration problem of my server (I have prefetch 0 set in the options section of my server)? Is it a problem of the authorized domain server? I have looked into it manually, so far found nothing.

rndc dumpdb could generate named output where you should be able to find the culprit.

The difference between the current versions of the zone on ns1.gov.sk and ns2.gov.sk could affect this problem.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: transfert master slave
On 25.03.24 11:34, sami.ra...@sofrecom.com wrote:
> I'm trying to configure a DNS slave server (192.168.56.157). I want to allow notifications only from the master (192.168.56.154). I added the directive "allow-notify {192.168.56.154;};" and it works. However, when I try to test the prohibition of notification by adding "allow-notify {none;};" at the slave, it still receives updates from the master.
>
> The transfer on the master is as follows:
>
> allow-transfer {192.168.56.157;};
> also-notify {192.168.56.157;};
> notify explicit;

allow-notify will not stop the master from sending notifies. They will just be ignored.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: SRV on multiple subdomains
On 14.05.24 13:08, DEMBLANS Mathieu wrote:
> I have a question about configuration simplification for SRV configuration (maybe it can be applied to other entries).
>
> We manage multiple subdomains of a main one (server1.example.com, server2.example.com, ...). For A and MX entries, we use general domain definitions with a wildcard, but is there a way to do so for SRV without having to define all subdomains (we have several dozens of them)?
>
> We have to define some SRV entries with the same target like:
>
> _imap._tcp.server1.example.com IN SRV main.exemple.com
> _imap._tcp.server2.example.com IN SRV main.exemple.com

I assume that _imap._tcp should be configurable per domain, so there should not be any need for things like _imap._tcp.server1.example.com - you should use _imap._tcp.example.com

> For example something like _imap._tcp.*.example.com IN SRV main.example.com. I read in a doc that the < * > can only be the leftmost label in the name.

correct.

> Is there another way to simplify or do I have to add each entry individually?

no, but the question is if you really need this.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: SRV on multiple subdomains
On 14.05.24 14:20, DEMBLANS Mathieu wrote:
> A part of the subdomains are managed by us, other subdomains by another entity.

If you really have multiple subdomains of example.com managed by different entities, then yes, a wildcard is not a good idea. This applies to A and MX records as well.

> So we can't configure a generic target for all subdomains as each entity has its own target for SRV entries.

You can't even set up a wildcard for *.example.com to provide the server1.example.com A/MX record, because the _imap._tcp.server1.example.com would make the wildcard invalid for server1.example.com.

Simply, wildcarding is not for a case like this.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
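Added example (not code from the thread): a minimal authoritative lookup with the RFC 4592 wildcard rules behind the two answers above, that "*" only works as the leftmost label and that an existing _imap._tcp.server1.example.com record takes server1.example.com out of the wildcard's reach. The zone contents are constructed for the example; the names follow the thread.

```python
def _parent(name):
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


class Zone:
    """Authoritative lookup with RFC 4592 wildcard semantics (constructed model)."""

    def __init__(self, apex, records):
        self.apex = apex.rstrip(".").lower()
        self.rrsets = {}
        for owner, rtype, rdata in records:
            owner = owner.rstrip(".").lower()
            if owner != self.apex and not owner.endswith("." + self.apex):
                raise ValueError(f"{owner} is not in zone {self.apex}")
            self.rrsets.setdefault((owner, rtype.upper()), []).append(rdata)
        # Every owner name exists, and so does every name between it and the
        # apex: those are empty non-terminals (RFC 4592 section 2.2.2).
        self.existing = {self.apex}
        for owner, _ in self.rrsets:
            name = owner
            while name != self.apex:
                self.existing.add(name)
                name = _parent(name)

    def lookup(self, qname, qtype):
        """Return (rcode, rdata list).  NOERROR with an empty list is NODATA."""
        qname, qtype = qname.rstrip(".").lower(), qtype.upper()
        if qname != self.apex and not qname.endswith("." + self.apex):
            raise ValueError("query outside the zone")
        if qname in self.existing:
            # Exact match, an empty non-terminal included: wildcards are not consulted.
            return ("NOERROR", self.rrsets.get((qname, qtype), []))
        # Closest encloser: the nearest ancestor of qname that exists.
        encloser = _parent(qname)
        while encloser not in self.existing:
            encloser = _parent(encloser)
        source = "*." + encloser   # the only wildcard that may synthesise an answer
        if source in self.existing:
            return ("NOERROR", self.rrsets.get((source, qtype), []))
        return ("NXDOMAIN", [])


# Constructed zone: wildcard A/MX for the subdomains, plus one explicit SRV
# under server1, which is what the second answer above is about.
ZONE = Zone("example.com", [
    ("example.com", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 900 604800 300"),
    ("example.com", "NS", "ns1.example.com."),
    ("*.example.com", "A", "192.0.2.10"),
    ("*.example.com", "MX", "10 mail.example.com."),
    ("_imap._tcp.example.com", "SRV", "0 0 993 main.example.com."),
    ("_imap._tcp.server1.example.com", "SRV", "0 0 993 main.example.com."),
])

if __name__ == "__main__":
    for q in ("server2.example.com", "server1.example.com", "x.server1.example.com"):
        print(q, ZONE.lookup(q, "A"))
    print("_imap._tcp.server2.example.com", ZONE.lookup("_imap._tcp.server2.example.com", "SRV"))
```

server2.example.com gets the wildcard A record, but server1.example.com exists as an empty non-terminal because of the SRV record below it, so it answers NODATA rather than the wildcard address, and anything below server1 is NXDOMAIN because the closest encloser has no "*" child. The SRV query for server2 shows the other half of the rule: a wildcard matches any number of labels below its parent, so *.example.com is consulted for _imap._tcp.server2.example.com, but it carries no SRV data.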
queries for "_.domain"
Hello,

I have noticed that BIND sends strange (for me) queries:

  5 0.198221 192.168.0.1 → 193.108.88.128 DNS 105 Standard query 0x15a4 A _.net.akadns.net OPT
  8 0.204738 193.108.88.128 → 192.168.0.1 DNS 159 Standard query response 0x15a4 No such name A _.net.akadns.net SOA internal.akadns.net OPT
  9 0.205400 192.168.0.1 → 193.108.88.128 DNS 112 Standard query 0x3413 A _.office.net.akadns.net OPT
 10 0.211944 193.108.88.128 → 192.168.0.1 DNS 166 Standard query response 0x3413 No such name A _.office.net.akadns.net SOA internal.akadns.net OPT
 11 0.212646 192.168.0.1 → 193.108.88.128 DNS 128 Standard query 0x70df A _.omexexternallfb.office.net.akadns.net OPT
 12 0.218782 193.108.88.128 → 192.168.0.1 DNS 182 Standard query response 0x70df No such name A _.omexexternallfb.office.net.akadns.net SOA internal.akadns.net OPT

Is this a known feature I have missed?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: queries for "_.domain"
On 18.05.24 07:10, Mark Andrews wrote:
> Correct. Later versions use NS queries as that allows named to cache the non-existence of the NS RRset.

I see this happened since 9.18.17. Luckily Debian 11/backports and Debian 12 have incorporated this version.

> Using _.domain doesn't allow that to happen.

Which I guess caused my problem. Looking at the docs, I can only turn it off in previous versions. (QNAME minimization was added in 9.13.2)

> NS queries do however expose broken delegations. Make sure you have working NS records at the zone apex and at the delegation point. This is especially important when the server serves multiple levels in the zone hierarchy as intermediate delegations are often not seen without QNAME minimisation but are with QNAME minimisation.

Luckily this is a resolving-only server.

> We have had bug reports due to all delegating NS records referring to non-existing servers. We have had bug reports due to garbage records at the zone apex.

I encountered problems like this in the past. And then people wonder why their DNS doesn't work properly. The "google (8.8.8.8) works" argument is problematic because google violates DNS in cases like this.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: CNAME and IPv6
On Tue, May 28, 2024 at 09:09:20PM +0200, Marco Moock wrote:
>> rinetd manages 2 separate connections and should work with PMTUD.

On 28.05.24 22:17, Peter wrote:
> I'm wondering how it would. The connections are TCP, the PMTU works via ICMP6.

No, Path MTU discovery works with TCPv4 using ICMPv4 as well. (Although it was/is quite common to block ICMP packets, which can make it not work properly.)

> So I would assume, the ICMP "packet too big" message reaches the host where rinetd runs, is swallowed by the kernel, and the kernel sets the MTU in its hostcache. Or something along that line. The TCP traffic however gets forwarded by rinetd to the internal appserver(s) - which never get the message that they should reduce their MTU.

The data from one TCP connection are sent through another TCP connection, where both connections are separate, with separate MTU and PMTUD.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Problem with a certain domain
On 03.06.24 18:46, Thomas Barth via bind-users wrote:
> I cannot send them an email to inform about a dns problem. The mail gets stuck in the queue.
>
> postqueue -p
> (Host or domain name not found. Name service error for name=mx.renr.es type=A: Host not found, try again) r...@mallorcazeitung.es
>
> Bind reports a communication error.
>
> dig mx.renr.es
> ;; communications error to 127.0.0.1#53: timed out
>
> I could enable the bind logging:
>
> 03-Jun-2024 18:34:22.681 client @0x7f014c88ed68 127.0.0.1#54496 (mallorcazeitung.es): query: mallorcazeitung.es IN MX +E(0)K (127.0.0.1)
> 03-Jun-2024 18:34:36.098 client @0x7f014ef48168 127.0.0.1#59706 (mx.renr.es): query: mx.renr.es IN A +E(0)K (127.0.0.1)
> 03-Jun-2024 18:34:41.106 client @0x7f014dd71768 127.0.0.1#56423 (mx.renr.es): query: mx.renr.es IN A +E(0)K (127.0.0.1)
>
> Should I perhaps ask the mail user to unsubscribe from this website due to troubles of bad configuration?

yeah I guess you should, their DNS servers are pretty much messed up:

% dig ns epi.es @213.4.119.2

; <<>> DiG 9.18.24-1-Debian <<>> ns epi.es @213.4.119.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42145
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;epi.es.                IN      NS

;; ANSWER SECTION:
epi.es.         259200  IN      NS      ns3.epi.es.
epi.es.         180     IN      NS      ns1.epi.es.
epi.es.         300     IN      NS      ns1.epi.es.
epi.es.         300     IN      NS      ns2.epi.es.
epi.es.         3600    IN      NS      ns2.epi.es.

% dig ns1.epi.es @213.4.119.2

; <<>> DiG 9.18.24-1-Debian <<>> ns1.epi.es @213.4.119.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57889
;; flags: qr aa rd; QUERY: 1, ANSWER: 8, AUTHORITY: 5, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ns1.epi.es.            IN      A

;; ANSWER SECTION:
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2

;; AUTHORITY SECTION:
epi.es.         259200  IN      NS      ns3.epi.es.
epi.es.         180     IN      NS      ns1.epi.es.
epi.es.         300     IN      NS      ns1.epi.es.
epi.es.         300     IN      NS      ns2.epi.es.
epi.es.         3600    IN      NS      ns2.epi.es.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
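Added example (not code from the thread): a checker for what the dig output above shows, RRsets that violate RFC 2181 section 5. The RRs of one RRset must have a single TTL and must be a set (no repeated RDATA); the epi.es NS RRset above has four different TTLs and two names listed twice, and the ns1.epi.es A RRset is the same address eight times. The sample text is the two ANSWER sections quoted from the dig runs; the parser handles dig's "owner TTL IN TYPE RDATA" lines and skips comments.

```python
import re
from collections import Counter, defaultdict

# dig presentation format: owner  TTL  IN  TYPE  RDATA
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z0-9]+)\s+(?P<rdata>.+?)\s*$")


def parse_rrs(text):
    """Resource records from dig-style output; comment and header lines are skipped."""
    rrs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append((m["owner"].lower(), int(m["ttl"]), m["type"], m["rdata"].lower()))
    return rrs


def check_rrsets(rrs):
    """RFC 2181 section 5: the RRs of one RRset (same owner and type) share a
    single TTL and contain no duplicate RDATA. Returns one string per violation."""
    by_set = defaultdict(list)
    for owner, ttl, rtype, rdata in rrs:
        by_set[(owner, rtype)].append((ttl, rdata))
    findings = []
    for (owner, rtype), members in sorted(by_set.items()):
        ttls = sorted({ttl for ttl, _ in members})
        if len(ttls) > 1:
            findings.append(f"{owner} {rtype}: inconsistent TTLs {ttls}")
        for rdata, n in Counter(rdata for _, rdata in members).items():
            if n > 1:
                findings.append(f"{owner} {rtype} {rdata}: appears {n} times")
    return findings


# The ANSWER sections from the two dig runs above.
SAMPLE = """
;; ANSWER SECTION:
epi.es.         259200  IN      NS      ns3.epi.es.
epi.es.         180     IN      NS      ns1.epi.es.
epi.es.         300     IN      NS      ns1.epi.es.
epi.es.         300     IN      NS      ns2.epi.es.
epi.es.         3600    IN      NS      ns2.epi.es.

;; ANSWER SECTION:
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
ns1.epi.es.     300     IN      A       213.0.95.2
"""

if __name__ == "__main__":
    for finding in check_rrsets(parse_rrs(SAMPLE)):
        print(finding)
```

A resolver receiving such an RRset has to pick one TTL for the whole set, so the authoritative server's intent is lost either way; the checker is also useful on your own zones before a secondary picks them up, where the same duplicate RRs usually come from a zone file that was concatenated or scripted twice.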
Re: Problem with a certain domain
On 2024-06-04 15:28, Greg Choules wrote:
>> Firstly, I doubt you actually need to kill and restart `named`. Flushing the cache would probably work, either all of it or just selected names.
>> Secondly, take a packet capture of this happening and analyse what BIND is really doing, in Wireshark.
>> - If it shows up that certain NS are causing the problem you can avoid them, in config.
>> - If it's a DNSSEC issue, you can get around that on a per-domain basis, if needed.
>> - If it turns out that qname minimization is the issue, you can play with settings for that, too.
>> In short, there are plenty of tools in the kit bag. But understand what the problem is first and to do that, gather data (pcaps and logs) that can be used to paint a picture of what's really happening.

On 04.06.24 19:17, Thomas Barth via bind-users wrote:
> The newsletter is only sent out once a day, so I would have to wait until tomorrow. I'll record it then. I have already experimented with tshark and recorded port 53. What I noticed as a network layman is that a certain response takes much longer on server 1 with the problems than on server 2.

if the problem happens again, you can call 'rndc dumpdb' to dump named's cache and see all records your named remembers about mallorcazeitung.es and epi.es; perhaps they can help to explain why named can't resolve anything.

> It's the message:
>
> No such name NS _domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
>
> Here is a part of the recording of server 1 with the problem, almost a delay of 2 seconds! (tshark -w dns-mx1-l5.pcap -i eth0 -f "src port 53")
>
> [...]
> 6 18:35:38,719369034 216.239.32.106 213.136.83.xxx DNS 141 Standard query response 0x69ac A ns3.prensaiberica.net A 34.175.122.60 OPT
> 7 18:35:40,333128992 34.175.122.60 213.136.83.xxx DNS 162 Standard query response 0xf393 No such name NS _domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
> 8 18:35:40,370838540 194.69.254.1 213.136.83.xxx DNS 1219 Standard query response 0xaadc DS mallorcazeitung.es NSEC3 RRSIG SOA ns1.nic.es RRSIG NSEC3 RRSIG OPT
> 9 18:35:40,402465454 34.175.171.102 213.136.83.xxx DNS 165 Standard query response 0x7bfa A s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
>
> Here is the part of the recording of server 2 (tshark -w dns-mx2-l5.pcap -i eth0 -f "src port 53")
>
> 5 18:32:03,019743724 213.4.119.2 167.86.126.xxx DNS 139 Standard query response 0x36bf A ns4.prensaiberica.net A 34.175.171.102 NS ns1.epi.es NS ns2.epi.es
> 6 18:32:03,052680383 194.69.254.1 167.86.126.xxx DNS 1219 Standard query response 0x5643 DS mallorcazeitung.es NSEC3 RRSIG SOA ns1.nic.es RRSIG NSEC3 RRSIG OPT
> 7 18:32:03,087003657 34.175.122.60 167.86.126.xxx DNS 162 Standard query response 0x3d78 No such name NS _domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
> 8 18:32:03,120746561 34.175.171.102 167.86.126.xxx DNS 165 Standard query response 0x3a41 A s1._domainkey.mg-esp-prod-eu-eu.mallorcazeitung.es SOA ns1.epi.es
>
> I therefore suspect that the delay will be even greater tomorrow again when the newsletter arrives, so that the "communication error" will occur again.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
qname minimisation per domain
Hello,

I have noticed that especially DNS blocklists cause errors like:

Jul 14 01:41:28 fantomas named[1854]: success resolving 'D.C.B.A.zen.spamhaus.org/A' after disabling qname minimization due to 'ncache nxdomain'

and blocklists like spamhaus are sensitive to too many queries.

Is it possible to disable query minimisation for particular domains?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: qname minimisation per domain
On 15 Jul 2024, at 23:27, Matus UHLAR - fantomas wrote:
>> I have noticed that especially DNS blocklists cause errors like:
>>
>> Jul 14 01:41:28 fantomas named[1854]: success resolving 'D.C.B.A.zen.spamhaus.org/A' after disabling qname minimization due to 'ncache nxdomain'
>>
>> and blocklists like spamhaus are sensitive to too many queries.
>> Is it possible to disable query minimisation for particular domains?

On 16.07.24 09:23, Mark Andrews wrote:
> Is it really too much effort for the servers to return NOERROR instead of an incorrect NXDOMAIN for the intermediate names? That would get rid of the log message.

These seem to run rbldnsd, which is optimised for memory usage and speed of response, and returning different replies would, I guess, affect speed.

> It's changing 1 bit (0 vs 4 for the rcode) in the DNS header. They don't even have to look up if there are names below the query. The server can just assume that there are records there and return NOERROR for [0..255].zen.spamhaus.org, [0..255].[0..255].zen.spamhaus.org and [0..255].[0..255].[0..255].zen.spamhaus.org.
>
> Really we would like to be able to move to strict QNAME minimisation so we don't need to make all the other queries after the first NXDOMAIN response, but broken implementations like this are making that difficult. It's not like this is a new requirement. A NOERROR response goes back to RFC 1034.

I see there's an issue and merge containing exactly this change:
https://github.com/spamhaus/rbldnsd/issues/17

The discussion also mentions things like

  There is also quite a lot of consensus in the SMTP World that qname minimization shouldn't be used on the resolvers used by mail servers

and

  For the IP(v4 and v6) datasets, all of them, we could implement a hackish solution so that when a query for a "partial" ip address is received, rbldnsd doesn't reply NXDOMAIN but NOERROR instead.

> Additionally Spamhaus controls how often resolvers re-query. 10 seconds is a very short negative response TTL. If they don't like the query rate they can control it by returning longer negative cache responses. Named does check in the cache for negative cache entries to determine whether or not to make the intermediate QNAME minimisation queries.

Lower negative TTLs allow for faster listing detection. I also believe that it is in Spamhaus' interest to have more paying clients (although this may not be the primary reason for short negative TTLs).

I guess for now, since qname minimization increases the number of queries sent and the resolving time, I should disable qname-minimization on all named instances used by mail servers.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
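Added example (not code from the thread, and not named's cache code): a model of the query sequences discussed in the "queries for _.domain" thread above and in this one. minimised_queries() produces the RFC 9156 walk in both styles seen on the list, the older "_.<name>" A probes from the capture and the NS probes BIND 9.18.17+ sends; DnsblServer is a toy rbldnsd-style authoritative that either answers the one-, two- and three-octet intermediate names with NXDOMAIN (the behaviour behind the log line) or with NOERROR (the change Mark Andrews asks for); Resolver walks the labels, caches the intermediate NS answers, and falls back to the full name on NXDOMAIN the way the "success resolving ... after disabling qname minimization" message describes. The zone dnsbl.example, its listed address, the zone cuts and the leaf label "host" are all constructed for the example; nothing here is Spamhaus data.

```python
NXDOMAIN, NOERROR = "NXDOMAIN", "NOERROR"


def labels(name):
    return name.rstrip(".").lower().split(".")


def minimised_queries(qname, qtype, zone_cut, style="ns"):
    """Queries a minimising resolver sends for qname below a zone cut it already
    knows, adding one label per step (RFC 9156).  style="ns" asks NS for each
    intermediate name; style="underscore" asks A for "_.<name>" instead."""
    q, cut = labels(qname), labels(zone_cut)
    if q[-len(cut):] != cut or len(q) <= len(cut):
        raise ValueError("qname must be strictly below the zone cut")
    queries = []
    for i in range(len(q) - len(cut) - 1, 0, -1):
        name = ".".join(q[i:])
        queries.append((name, "NS") if style == "ns" else ("_." + name, "A"))
    queries.append((".".join(q), qtype))
    return queries


class DnsblServer:
    """Toy authoritative for <reversed IPv4>.<zone> (constructed, not rbldnsd)."""

    def __init__(self, zone, listed, intermediate_noerror):
        self.zone = labels(zone)
        self.listed = {tuple(reversed(ip.split("."))) for ip in listed}
        self.intermediate_noerror = intermediate_noerror

    def answer(self, qname, qtype):
        q = labels(qname)
        if q[-len(self.zone):] != self.zone:
            return ("REFUSED", None)
        key = tuple(q[:-len(self.zone)])
        if not key:
            return (NOERROR, None)                      # zone apex
        if len(key) == 4:                               # a full reversed address
            if key in self.listed:
                return (NOERROR, "127.0.0.2" if qtype == "A" else None)
            return (NXDOMAIN, None)
        # one to three octets: the names a minimising resolver probes
        return (NOERROR, None) if self.intermediate_noerror else (NXDOMAIN, None)


class Resolver:
    """Minimising resolver: caches intermediate NS answers and, on NXDOMAIN for
    an intermediate name, retries the full name without minimisation."""

    def __init__(self, server, zone_cut):
        self.server, self.zone_cut = server, zone_cut
        self.cache = {}          # (name, "NS") -> (rcode, rdata)
        self.fallbacks = 0       # how often minimisation had to be abandoned

    def _ask(self, name, qtype, sent):
        if (name, qtype) in self.cache:
            return self.cache[(name, qtype)]
        sent[0] += 1
        answer = self.server.answer(name, qtype)
        if qtype == "NS":
            self.cache[(name, qtype)] = answer
        return answer

    def resolve(self, qname, qtype):
        """Return (rcode, rdata, number of queries actually sent upstream)."""
        sent = [0]
        queries = minimised_queries(qname, qtype, self.zone_cut)
        for name, t in queries[:-1]:
            rcode, _ = self._ask(name, t, sent)
            if rcode == NXDOMAIN:
                self.fallbacks += 1
                break
        name, t = queries[-1]
        rcode, rdata = self._ask(name, t, sent)
        return rcode, rdata, sent[0]


if __name__ == "__main__":
    print(minimised_queries("host.omexexternallfb.office.net.akadns.net", "A", "akadns.net", "underscore"))
    for fixed in (False, True):
        r = Resolver(DnsblServer("dnsbl.example", ["192.0.2.1"], fixed), "dnsbl.example")
        print("intermediate NOERROR" if fixed else "intermediate NXDOMAIN",
              r.resolve("1.2.0.192.dnsbl.example", "A"),
              r.resolve("9.2.0.192.dnsbl.example", "A"), "fallbacks:", r.fallbacks)
```

With NXDOMAIN for the intermediates the first lookup costs two queries (one probe, then the fallback) and logs the fallback; with NOERROR it costs four queries but no fallback, and the cached NS answers make the next lookup in the same /8 a single query, which is the trade-off behind the last paragraph above.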
forwarding ".local" subdomains when "local" exist
Hello,

our customer has a private .local zone "example.local" (I know this should be used for multicast...) so I have configured forwarding of queries for this domain to his servers:

zone "example.local" {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};

zone "168.192.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.0.1; };
};

Since some queries for the ".local" zone were leaking out of their network, I have long ago locally configured an empty zone "local":

zone "local" {
    type master;
    file "/etc/bind/db.empty";
};

Now the resolution of "example.local" does not work, named returns "nxdomain" and doesn't forward the query.

When I commented out the "local" zone, named started working, I just needed to add

validate-except { "local"; };

I guess I understand why.

From history I remember that defining a zone (example.local) with no delegation in the parent zone (local) does not cause issues (locally). Is "type forward" special in this case?

Debian 12, BIND 1:9.18.28-1~deb12u2

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: forwarding ".local" subdomains when "local" exist
On 16.08.24 19:55, Tim Maestas wrote:
> You need to have the delegation in the parent in order for the forwarding to kick in. It can be bogus, but it has to be there. You'll find the same behavior when you're authoritative for the root zone; any type forward zones will need to also have NS in the root (or closest enclosing authoritative zone).

Thanks, this worked. I created a ".local" zone (copied from db.empty) with a dummy NS for "example.local" and forwarding works, just as ".local" is resolved locally.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
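Added example (not code from the thread): a configuration check for the trap described above. For each "type forward" zone it finds the closest enclosing zone this named serves authoritatively ("local" here, or "." when you serve the root locally) and reports when that zone has no NS RRset at the forward zone's apex, which is the case in which named answers from its own data and never forwards. delegation_lines() writes the dummy delegation that fixed it. The zone names follow the thread; the record sets stand in for db.empty and for the edited copy and are constructed for the example, as is the dummy nameserver name and address.

```python
def _norm(name):
    """Lower-case, no trailing dot; the root is the empty string."""
    return name.strip().lower().rstrip(".")


def _depth(zone):
    z = _norm(zone)
    return 0 if z == "" else z.count(".") + 1


def is_subdomain(name, zone):
    name, zone = _norm(name), _norm(zone)
    return zone == "" or name == zone or name.endswith("." + zone)


def closest_enclosing_zone(name, zones):
    """The deepest configured zone that contains name, or None."""
    enclosing = [z for z in zones if is_subdomain(name, z)]
    return max(enclosing, key=_depth, default=None)


def missing_delegations(authoritative, forward_zones):
    """authoritative: {zone name: set of (owner, rrtype) present in its zone data}.
    forward_zones: names of the 'type forward' zones.
    Returns [(forward zone, enclosing authoritative zone)] for every forward zone
    whose enclosing authoritative zone carries no NS RRset at the forward zone's
    apex; without that cut named answers from the enclosing zone instead of forwarding."""
    missing = []
    for fz in forward_zones:
        others = [z for z in forward_zones if _norm(z) != _norm(fz)]
        parent = closest_enclosing_zone(fz, list(authoritative) + others)
        if parent is None or parent not in authoritative:
            continue   # not under anything served here, or nested in another forward zone
        owners = {(_norm(o), t.upper()) for o, t in authoritative[parent]}
        if (_norm(fz), "NS") not in owners:
            missing.append((fz, parent))
    return missing


def delegation_lines(forward_zone, ns_name, ns_addr):
    """Zone-file lines that create the cut: an NS RRset at the forward zone's apex
    plus glue for the dummy server. The server is never asked anything, because
    the forward zone's forwarders answer, but the delegation has to exist."""
    fz, ns = _norm(forward_zone), _norm(ns_name)
    return [f"{fz}.\tIN\tNS\t{ns}.", f"{ns}.\tIN\tA\t{ns_addr}"]


# Constructed data: the two forward zones from the post, an empty "local" zone
# as db.empty provides it (SOA and NS at the apex only), and the edited copy.
FORWARD_ZONES = ["example.local", "168.192.in-addr.arpa"]
LOCAL_EMPTY = {"local": {("local", "SOA"), ("local", "NS")}}
LOCAL_WITH_CUT = {"local": LOCAL_EMPTY["local"] | {("example.local", "NS"), ("ns.example.local", "A")}}

if __name__ == "__main__":
    print("empty local zone:", missing_delegations(LOCAL_EMPTY, FORWARD_ZONES))
    for line in delegation_lines("example.local", "ns.example.local", "192.168.0.1"):
        print(line)
    print("with delegation: ", missing_delegations(LOCAL_WITH_CUT, FORWARD_ZONES))
```

The reverse zone is not flagged because nothing above 168.192.in-addr.arpa is served locally; make the local zone "." instead of "local" and both forward zones show up, which is the root-zone case Tim mentions.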
Re: bind crash with max-refresh-time 0;
>> Does this also stop a slave from checking when it receives a notify? The documentation isn't clear on that.
>
> configure master not to send notifies then. Alternatively, you can deny notifies from master.
> But the first Mark's question is still important: What are you trying to achieve?

On 03.02.12 11:05, Miek Gieben wrote:
> We were (are?) seeing a bug when using multiple masters. If during a zone transfer a notify is sent, it looks like BIND aborts the transfer and tries the second master. This second master is a spare standby and is normally turned off. When BIND hits this second master it sees it cannot do an axfr. BIND then (this is the bug) does not return to the first master to finish (or restart) the transfer. It just sits until the retry timer expires, which in this case is 15 minutes.
>
> We notified ISC of this, but replicating this bug was hard and we needed to go into production. (Sadly bind bugs aren't searchable on the internet).
>
> So to work around this I thought: kill the SOA timers (messing with the zone is not an option) and only use notifies. But then bind crashes :)

Are you sure that only transferring when a NOTIFY is received will prevent crashing when another NOTIFY is received during a transfer triggered by one NOTIFY? I doubt so. In such a case, a better approach should be disabling NOTIFY and only transferring when timers expire.

However, the best approach should be upgrading to 9.8 and/or trying to replicate the problem (using unstripped BIND with debug information and inspecting the core file).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
99 percent of lawyers give the rest a bad name.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Multiple BIND instances
On 06.02.12 23:09, sasa sasa wrote:
> I got a server with 16GB memory, want to install 2 BIND on CentOS, one cache only and another authoritative. Is it better to install 2 OS virtually and run BIND in them or run 2 instances of BIND on the same OS? According to what I've heard, virtualization has quite high overhead in such situations.
>
> I mean what is the best practice to take advantage of the hardware resources without risking having a single DNS with cache and authoritative?

You still have one server, virtualization would not change much about this. You can even run a single BIND instance with two separate views and that should not affect functionality.

I suppose you are running a 64bit OS, so you can have a really huge cache (>4GB).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple BIND instances
On 2/7/2012 11:17 AM, Matus UHLAR - fantomas wrote:
>> You can even run a single BIND instance with two separate views and that should not affect functionality.

On 07.02.12 04:02, sasa sasa wrote:
> Wouldn't this have mixed (one) caches?

No, unless you use the attach-cache directive. However, the cache won't be big for the authoritative-only part.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Multiple BIND instances
On 07.02.12 14:10, Lightner, Jeff wrote:
> Virtualization doesn't reduce use of resources but DOES separate into what are perceived to be multiple "servers" so I'm not sure what you mean by "you still have one server".

one machine, one piece of hardware. There's not much to separate there, unless it gives you some kind of safety or other advantage, but I don't know about any that would help in such a case.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: about the MX and NS values
On 09.02.12 15:13, Jeff Peng wrote:
> I was thinking why RFC requires the values of MX and NS must be hostname not IP.

because it IS the hostname, not an IP.

A points to IP(v4)
AAAA points to IP(v6)
NS, MX, PTR, CNAME... all others point to a hostname.

otherwise, someone would need to decide what is an IP and what is not. For example, 1.2.3.4 can be an IP, but also a domain name of 1.2.3.4.in-addr.arpa. The only way you can decide which one it is, is the RR type.

those "common mistakes" of putting an IP address into NS or MX result either in

    IN MX 1.2.3.4..
    IN NS 1.2.3.4..

or in

    IN MX 1.2.3.4.
    IN NS 1.2.3.4.

where 4. is not a valid TLD and thus they point nowhere.

> Any glue? Thanks.

you probably mean a clue ;-)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: CVE-2012-1033 (Ghost domain names) mitigation
>> Questions:
>> (1) It looks to me like if the ghost name is in our DNS RPZ zone, then that 'fixes' the problem for that name. Is this correct?

> Ghost domain could be redelegated to a new owner and become absolutely legal.

On 09.02.12 07:36, John Hascall wrote:
> Caveat Emptor -- if you buy a former TDSS (or some other evil) domain, that's just too bad.

Unfortunately, RPZ or DNSSEC - solving this problem depends on the whole world using them, so with this flaw in the DNS protocol we're screwed still. When you buy a domain, just check if it's blacklisted anywhere if you want to avoid this.

>> (2) It also looks like restarting bind flushes the cache and that prevents the repopulation of the local cache with names which are ghosts (new different ghost names could, of course, be created). Is this correct?

> AFAIK 'rndc flush' will do the same.

> Thanks - we're doing a nightly restart for other reasons.

What?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
My mind is like a steel trap - rusty and illegal in 37 states.
Re: CVE-2012-1033 (Ghost domain names) mitigation
On 09.02.12 11:43, Lyle Giese wrote:
> This is just my opinion, but this is not a bug. It's the side effect of a desirable feature called caching.

It's a design flaw - you cache something forever, even in cases where you should not do it. The cache time is given and we should not extend it, for valid reasons.

> Yea, we can brainstorm how to mitigate the effect, but in order to mitigate a problem, we have to know that there is a problem (revoked or bad domain).

I think that the described draft seems to solve the problem.
http://tools.ietf.org/html/draft-vixie-dnsext-resimprove-00

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
M$ Win's are shit, do not use it !
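The "cache something forever" point in the two messages above can be shown with a small offline simulation of the resolver's delegation cache. This is an added example, not code from the thread or from BIND: it models only the one policy decision (whether NS data from the child may restart the cached delegation's TTL), on a constructed timeline, and the "fixed" policy is a simplified assumption about the behaviour the draft argues for.

```python
"""Simulation of the caching policy behind the 'ghost domain' flaw (CVE-2012-1033).

Added example, not code from the thread or from BIND. Constructed timeline:
  t = 0       the resolver learns the delegation of ghost.example. from the parent (NS TTL one day)
  t = 1 hour  the registry removes the delegation from the parent zone
  hourly      clients keep querying; the child's name server answers and includes its own
              NS RRset (TTL one day) in every response
The vulnerable policy lets that child data overwrite the cached delegation and restart its
TTL; the fixed policy (assumed here, simplified) keeps the expiry the parent gave.
"""
from dataclasses import dataclass
from typing import Dict, Optional

DAY = 86400
HOUR = 3600
ZONE = "ghost.example."            # constructed name
CHILD_NS = "ns.ghost.example."     # constructed name
DELEGATION_REMOVED_AT = HOUR       # constructed: when the parent stops delegating the zone


@dataclass
class CachedNS:
    nsname: str
    expires_at: int
    learned_from: str


class ResolverCache:
    def __init__(self, refresh_ttl_from_child: bool) -> None:
        self.refresh_ttl_from_child = refresh_ttl_from_child
        self.ns: Dict[str, CachedNS] = {}

    def live(self, zone: str, now: int) -> Optional[CachedNS]:
        cur = self.ns.get(zone)
        return cur if cur is not None and now < cur.expires_at else None

    def learn_from_parent(self, zone: str, nsname: str, ttl: int, now: int) -> None:
        self.ns[zone] = CachedNS(nsname, now + ttl, "parent")

    def learn_from_child(self, zone: str, nsname: str, ttl: int, now: int) -> None:
        """NS RRset seen in the authority section of an answer from the child's own server."""
        if self.live(zone, now) is None:
            return  # no live delegation: child data alone cannot resurrect it
        if self.refresh_ttl_from_child:
            # Vulnerable: the TTL restarts on every answer, so the delegation never expires.
            self.ns[zone] = CachedNS(nsname, now + ttl, "child")
        # Fixed: keep the parent's expiry; a child cannot extend its own delegation.


def parent_delegates(now: int) -> bool:
    """What the parent zone says if the resolver actually asks it at time 'now'."""
    return now < DELEGATION_REMOVED_AT


def last_resolvable_time(refresh_ttl_from_child: bool, days: int = 30) -> int:
    """Simulate hourly queries; return the last time at which ghost.example. still resolved."""
    cache = ResolverCache(refresh_ttl_from_child)
    last = -1
    for now in range(0, days * DAY, HOUR):
        if cache.live(ZONE, now) is None:
            # Cache miss: only now does the resolver go back to the parent.
            if parent_delegates(now):
                cache.learn_from_parent(ZONE, CHILD_NS, DAY, now)
            else:
                break  # the parent no longer delegates: the name is gone for good
        last = now
        cache.learn_from_child(ZONE, CHILD_NS, DAY, now)
    return last


if __name__ == "__main__":
    for policy in (True, False):
        t = last_resolvable_time(policy)
        print(f"refresh TTL from child={policy}: still resolvable until hour {t // HOUR}")
```

With the vulnerable policy the name resolves for the whole 30 simulated days although the parent dropped it after one hour; with the fixed policy it disappears once the parent's one-day TTL runs out.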
Re: BIND 9.9.0 is now available
On 29.02.12 17:53, Michael McNally wrote:
> NXDOMAIN redirection is now possible. This enables a resolver to respond to a client with locally-configured information when a query would otherwise have gotten an answer of "no such domain". This allows a recursive nameserver to provide alternate suggestions for misspelled domain names. Note that names that are in DNSSEC-signed domains are exempted from this when validation is in use. [RT #23146]

Just by signing? So I can spare all our domains from being misused by such shit just by signing them?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Fucking windows! Bring Bill Gates! (Southpark the movie)
Re: BIND 9.9.0 Inline-Signing Out of Control
On 05.03.12 07:46, David Kreindler wrote:
> We thought of two other differences between this zone and the others:
> 1. this zone has NS records with servers that are in the zone itself, and
> 2. our global "also-notify" option contain IP addresses that resolve to host names in this zone.
> Could the problem be the result of the servers notifying each other?

This should not cause a problem, unless they would change the SOA each time.

As far as I understand your logs and Mark's reply, it's the same version of a zone, but the server is incrementally signing the zone, and after signing a bunch of names, it gets IXFRed to slaves.

> On 2 Mar 2012, at 5:13 PM, David Kreindler wrote:
> Mar 2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (signed): loaded serial 2012030200
> Mar 2 14:33:15 ns0 daemon:err|error named[806928]: zone pesky.zone/IN (signed): receive_secure_serial: unchanged
> Mar 2 14:33:15 ns0 named[806928]: zone pesky.zone/IN (signed): reconfiguring zone keys
> Mar 2 14:33:16 ns0 named[806928]: zone pesky.zone/IN (signed): next key event: 02-Mar-2012 15:33:15.740
> Mar 2 14:33:16 ns0 named[806928]: client [ns3]#42941/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns3
> Mar 2 14:33:17 ns0 named[806928]: client [ns4]#48695/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns4
> Mar 2 14:33:17 ns0 named[806928]: client [ns2]#52228/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns2
> Mar 2 14:33:17 ns0 named[806928]: client [ns3]#42941/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> Mar 2 14:33:17 ns0 named[806928]: client [ns1]#51606/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR started: TSIG ns0-ns1
> Mar 2 14:33:18 ns0 named[806928]: client [ns4]#48695/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> Mar 2 14:33:18 ns0 named[806928]: client [ns2]#52228/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> Mar 2 14:33:18 ns0 named[806928]: client [ns1]#51606/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': AXFR-style IXFR ended
> Mar 2 14:33:21 ns0 named[806928]: client [ns3]#42944/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns3
> Mar 2 14:33:21 ns0 named[806928]: client [ns3]#42944/key ns0-ns3 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> Mar 2 14:33:21 ns0 named[806928]: client [ns2]#52229/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns2
> Mar 2 14:33:21 ns0 named[806928]: client [ns4]#48700/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns4
> Mar 2 14:33:21 ns0 named[806928]: client [ns1]#51607/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR started: TSIG ns0-ns1
> Mar 2 14:33:22 ns0 named[806928]: client [ns2]#52229/key ns0-ns2 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> Mar 2 14:33:22 ns0 named[806928]: client [ns4]#48700/key ns0-ns4 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended
> Mar 2 14:33:22 ns0 named[806928]: client [ns1]#51607/key ns0-ns1 (pesky.zone): transfer of 'pesky.zone/IN': IXFR ended

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
M$ Win's are shit, do not use it !
Re: reverse dns for IPV6 ranges
On 05.03.12 22:19, hugo hugoo wrote:
> But if only some IPs have a reverse... what about the other servers which have received an IP in the range? IPs that can be changed every x hours. If no reverse, it can be blacklisted for some reasons or have some problems with services asking for a reverse DNS resolution.

Working with reverse DNS and blacklist records in IPv6 is something very different from IPv4. Each end user will get more IPs than the whole IPv4 internet has, and it's easy to

While you _can_ set up IPv6 reverse DNS records, you should not think of them the same way as you did in IPv4. SpamHaus has some recommendations related to IPv6 in order to avoid overhauling DNS when an abusive client changes IPs to abuse servers.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: nslookup fails if missing PTR record for IPv6 DNS server.
On 16.03.12 14:57, Ashok Agarwal wrote:
> I am trying to nslookup a nameserver through an IPv6 address, but nslookup is failing to resolve the nameserver when the nameserver's PTR record is missing. Kindly let me know if anybody has any fix for this problem.

The main problem is nslookup itself, and this is just one of the reasons nslookup is not recommended for use.

You can create a PTR record for your nameserver and configure the nameserver to know the PTR, to work around this problem.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
On the other hand, you have different fingers.
Re: "rndc reconfig" vs. "rndc reload"
On 3/16/2012 4:10 AM, Mark Pettit wrote:
> We have an antiquated push process that copies files into the zonefile directory and then tells BIND "rndc reload". For various reasons, "rndc reload" takes about 120 seconds to complete. BIND is not answering queries for a very large part of that time.

> I recently started experimenting with a different process: instead of "rndc reload" after updating some of the zone files, I loop through the list of updated zone files and run "rndc reload" for each one.

Could the push process be changed to reload each individual zone after it's changed?

> This is a vast improvement, because BIND doesn't appear to ever stop answering queries. However, I'm curious what I should do when an update contains both a new config file and new zone files.

As others have already mentioned, 'rndc reconfig' will rescan the config file and load new zones. You must still reload those updated.

> Normally a "rndc reload" would rescan the config and then scan all zone files (including the new ones), loading the new ones into memory and starting to serve them. But obviously we want to avoid "rndc reload" at all costs.

IIUC, reload forcefully reloads all zones from disk, without checking for files' timestamps (just for cases where the timestamp didn't change but the files did). That would explain the delays. Loading zones is very slow; BIND 9.9 should make it faster.

> I was considering doing "rndc reconfig", followed by a "rndc reload" for each of the new zones. Would this work?

Yes, this should work.

On 16.03.12 05:49, Jonathan Vomacka wrote:
> an rndc reload is usually for an individual zone file. If you update a zone (and change the serial number) a reload will implement the new changes.

Well, IIRC the OP's problem is that when "rndc reload" is NOT for an individual zone file, it takes very long. The question is if/how it can be made to run faster.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I just got lost in thought. It was unfamiliar territory.
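The procedure settled on above (reconfig when the config changed, a per-zone reload for each changed zone file, and never a bare "rndc reload") can be scripted so the push process cannot fall back to the slow path by accident. This is an added example, not the poster's push process or ISC code; it assumes the config file is named.conf, zone files are named db.<zone>, and that rndc, named-checkconf and named-checkzone are in PATH.

```python
"""Turn a list of pushed files into the minimal rndc sequence: 'rndc reconfig' when the
config changed, 'rndc reload <zone>' per changed zone file, and never a bare 'rndc reload'.

Added example, not the poster's push process. Assumptions: the config file is named.conf,
zone files are named db.<zone>, and rndc, named-checkconf and named-checkzone are in PATH.
"""
import os
import subprocess
from typing import List, Optional

ZONE_FILE_PREFIX = "db."      # assumption about the file naming convention
CONFIG_NAME = "named.conf"    # assumption about the config file name


def zone_name_from_file(path: str, prefix: str = ZONE_FILE_PREFIX) -> Optional[str]:
    """db.example.com -> example.com; anything else -> None."""
    base = os.path.basename(path)
    if not base.startswith(prefix) or len(base) == len(prefix):
        return None
    return base[len(prefix):]


def plan_commands(changed_files: List[str]) -> List[List[str]]:
    """Return argv lists in execution order; every reload is preceded by its syntax check."""
    plan: List[List[str]] = []
    config = [f for f in changed_files if os.path.basename(f) == CONFIG_NAME]
    if config:
        # reconfig rescans named.conf and loads zones that are new to it, but does not
        # re-read zone files of zones it already serves, so changed zones still need a reload.
        plan.append(["named-checkconf", config[0]])
        plan.append(["rndc", "reconfig"])
    for path in changed_files:
        zone = zone_name_from_file(path)
        if zone is None:
            continue
        plan.append(["named-checkzone", zone, path])
        plan.append(["rndc", "reload", zone])   # per-zone reload: the rest keeps answering
    return plan


def run_plan(plan: List[List[str]], execute: bool = False) -> int:
    """Print the plan and, with execute=True, run it; a failing check raises before its
    reload, so a zone file with a syntax error is never pushed into the running server."""
    for argv in plan:
        print(" ".join(argv))
        if execute:
            subprocess.run(argv, check=True)
    return len(plan)


if __name__ == "__main__":
    # Constructed push: a new config plus one changed zone file and an unrelated file.
    run_plan(plan_commands(["/etc/named.conf", "/var/named/db.example.com", "/var/named/README"]))
```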
Re: nslookup fails if missing PTR record for IPv6 DNS server.
On Fri, Mar 16, 2012 at 5:03 PM, G.W. Haywood wrote:
> You didn't tell the OP what to use instead of nslookup!

Sorry :-)

On 16.03.12 19:33, Ashok Agarwal wrote:
> If PTR is present then it works pretty well. My concern is without PTR record. Ya I can use "dig" instead of nslookup

You can also use "host", as it is simpler and usually gives you what you need, unless you need to debug DNS itself.

> On Fri, 16 Mar 2012, Matus UHLAR - fantomas wrote:
>> the main problem is nslookup itself, and this is just one of reasons nslookup is not recommended for use. [...]

> but I need to fix it in nslookup as well. If anybody has any clue or can tell how it can be fixed then it will really help me and it will be highly appreciated.

I have already explained it: it's a problem of nslookup. Either you will have the PTR, or you will have the error. No other way.

There are too many different versions of the "nslookup" program within different systems, made by different programmers. It's just useless to "fix" nslookup, because that is how nslookup works and that's why we advise you to use "host" or "dig".

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
99 percent of lawyers give the rest a bad name.
Re: Loadbalance caching dns server
On 20.03.12 14:41, trm asn wrote:
> Is there any mechanism to load balance caching DNS servers? For example..
> Cache-DNS1 : 192.168.1.98
> Cache-DNS2: 192.168.1.99
> Client : 192.168.1.199
> When 192.168.1.199 sends 10 requests to query cache-dns then these 10 requests will be sent to each Cache-DNS server with a load balance method. Each server will get 5 requests.

There are network appliances that allow you to do such a thing. For example, Nortel Alteon, Cisco ACE, or Linux IPVS.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
Re: Name Resolution issue with one domain
On 21.03.12 09:23, Mark Andrews wrote:
> Stupid firewall rules in front of the nameservers. They block traffic sent from port 53 which is the port lots of nameservers used to send query traffic. When will firewall administrators learn that the source ports can be anything, that they are not significant, and that blocking traffic based on the source port is stupid.

Maybe the admin set that up to force local servers to use random ports, instead of 53, for outgoing requests. Nobody should use port 53 for _outgoing_ requests.

> bsdi# dig -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
> 09:13:17.909493 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
> 09:13:22.918018 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
> 09:13:27.928099 211.30.172.21.53 > 213.42.52.75.53: 18071+$ [1au] A? www.dubaiairport.com. ar: OPT UDPsize=4096 (49)
>
> ; <<>> DiG 9.9.0rc2 <<>> -b 0.0.0.0#53 www.dubaiairport.com @svr-b003.dubaiairport.com
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> bsdi#

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Quantum mechanics: The dreams stuff is made of.
Re: Name Resolution issue with one domain
On 21/03/2012 09:41, Matus UHLAR - fantomas wrote:
>> maybe the admin set that up to force local servers using random ports, instead of 53, for outgoing requests. Nobody should use port 53 for _outgoing_ requests.

On 21.03.12 23:41, Anand Buddhdev wrote:
> You're wrong. A name server can use any source port from 1 up to 65535 for an outgoing query, as long as that port is not in use by any other process on the system.

Well, it _can_, but because ports < 1024 are understood as privileged, it should not use them.

> In fact, up until Kaminsky's revelation, many BIND servers used a fixed source port of 53.

Yes, but because of Kaminsky's revelation, servers should not use that port anymore.

While it's up to the admin of the resolving server, it's possible that the FW admin at Dubai airport had a reason to block ports>1024. Maybe they got an attack from enabled chargen or echo UDP services from somewhere. We do not know that. But we surely know that the OP's nameservers use port 53, which they should not use...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Send this email to 100 of your friends - let them see what an idiot you are
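The two messages above disagree on policy but agree on the observable: in the tcpdump trace every query left from port 53. A resolver operator can audit their own outgoing traffic for exactly that, with the retransmissions of one query (same ID, same socket) not mistaken for a fixed port. This is an added example, not code from the thread or from BIND; it assumes the classic tcpdump line format shown in the trace, and the sample trace is constructed from documentation addresses.

```python
"""Audit outgoing DNS queries in a tcpdump trace for the source-port issue discussed above:
a fixed port 53 (the port the remote firewall dropped) or any privileged port, and the
loss of source-port randomisation that a single fixed port implies.

Added example, not code from the thread. Assumes the classic tcpdump line format
('HH:MM:SS.usec src.port > dst.port: id ...'); the sample trace is constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

TCPDUMP_LINE = re.compile(
    r"^\S+\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<qid>\d+)")


def parse_line(line: str) -> Optional[Tuple[str, int, str, int, int]]:
    """(src, sport, dst, dport, query id) for a DNS packet line, None for anything else."""
    m = TCPDUMP_LINE.match(line)
    if not m:
        return None
    return m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["qid"])


def audit_source_ports(lines: List[str], min_queries: int = 3) -> Dict[str, List[str]]:
    """Map each source address that sends queries (dport 53) to the reasons it is flagged."""
    seen: Dict[str, Dict[int, Set[int]]] = defaultdict(lambda: defaultdict(set))  # src -> qid -> ports
    for line in lines:
        p = parse_line(line)
        if p is None or p[3] != 53:
            continue
        src, sport, _, _, qid = p
        seen[src][qid].add(sport)
    findings: Dict[str, List[str]] = {}
    for src, by_qid in seen.items():
        ports = {port for s in by_qid.values() for port in s}
        reasons = []
        if 53 in ports:
            reasons.append("queries sent from source port 53")
        elif min(ports) < 1024:
            reasons.append("queries sent from a privileged source port (< 1024)")
        # Retransmissions of one query legitimately reuse a socket, so judge randomisation
        # across distinct query IDs, not across packets.
        if len(by_qid) >= min_queries and len(ports) == 1:
            reasons.append(f"fixed source port {next(iter(ports))} across {len(by_qid)} queries")
        if reasons:
            findings[src] = reasons
    return findings


SAMPLE_TRACE = [   # constructed; the first host mirrors the behaviour seen in the thread
    "09:13:17.909493 192.0.2.10.53 > 198.51.100.5.53: 18071+ [1au] A? www.example.com. (49)",
    "09:13:22.918018 192.0.2.10.53 > 198.51.100.5.53: 18071+ [1au] A? www.example.com. (49)",
    "09:13:23.100000 192.0.2.10.53 > 198.51.100.5.53: 4120+ [1au] AAAA? www.example.com. (49)",
    "09:13:24.200000 192.0.2.10.53 > 198.51.100.5.53: 9001+ [1au] MX? example.com. (45)",
    "09:13:25.000000 192.0.2.11.40111 > 198.51.100.5.53: 511+ [1au] A? www.example.org. (49)",
    "09:13:25.400000 192.0.2.11.53102 > 198.51.100.5.53: 512+ [1au] A? mail.example.org. (50)",
    "09:13:25.800000 192.0.2.11.61234 > 198.51.100.5.53: 513+ [1au] A? ns.example.org. (48)",
    "09:13:26.000000 192.0.2.12.1023 > 198.51.100.5.53: 7+ [1au] A? www.example.net. (49)",
    "09:13:27.000000 198.51.100.5.53 > 192.0.2.11.40111: 511* 1/0/1 A 203.0.113.9 (65)",
]

if __name__ == "__main__":
    for src, reasons in audit_source_ports(SAMPLE_TRACE).items():
        print(src, "->", "; ".join(reasons))
```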
Re: A large number of "ANY" query type queries
On 28.03.12 16:08, ShanyiWan wrote:
> On the DNS server, a large number of "ANY" type queries occur, why? The same IP address produced a large number of requests within a very short period of time. Can I block these IPs?

Yes you can. I would also wonder who sends such queries, maybe ask them...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
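Before blocking, it helps to have the offending addresses and their query rate from the server's own query log rather than from a hunch. The following sliding-window check is an added example, not code from the thread or from BIND; it assumes BIND's own query-log line format, and the sample log is constructed.

```python
"""Find clients that send bursts of ANY queries, from BIND query-log lines.

Added example, not code from the thread. Assumes BIND's query-log line format
('DD-Mon-YYYY HH:MM:SS.mmm client IP#port: query: name class type ...'); the sample
log is constructed. A flagged client is a candidate for an ACL or firewall block,
and its address is also where to start asking who is sending the queries.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: info: )?client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)")
TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"


def parse_query(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """(timestamp, client ip, qname, qtype) or None for lines that are not query-log entries."""
    m = QUERY_LINE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FORMAT), m["ip"], m["qname"], m["qtype"].upper()


def any_burst_sources(lines: List[str], window_s: float = 10.0, threshold: int = 20) -> Dict[str, int]:
    """Sliding window per client: ip -> peak number of ANY queries within window_s seconds,
    for clients that reached the threshold at least once. Lines must be in time order per client."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    peak: Dict[str, int] = {}
    for line in lines:
        parsed = parse_query(line)
        if parsed is None or parsed[3] != "ANY":
            continue
        ts, ip = parsed[0], parsed[1]
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()                      # drop queries older than the window
        if len(window) >= threshold:
            peak[ip] = max(peak.get(ip, 0), len(window))
    return peak


def sample_log() -> List[str]:
    """Constructed log: one client bursting 25 ANY queries in five seconds amid normal traffic."""
    start = datetime(2012, 3, 28, 16, 8, 0)
    stamp = lambda t: t.strftime(TS_FORMAT)[:-3]   # BIND logs milliseconds, strftime gives microseconds
    lines = [f"{stamp(start + timedelta(milliseconds=200 * i))} client 198.51.100.7#{40000 + i}: "
             f"query: example.com IN ANY +E (192.0.2.1)" for i in range(25)]
    lines.append(f"{stamp(start)} client 192.0.2.5#5353: query: www.example.com IN A + (192.0.2.1)")
    lines.append(f"{stamp(start + timedelta(seconds=3))} client 192.0.2.5#5354: "
                 f"query: example.com IN ANY + (192.0.2.1)")
    return lines


if __name__ == "__main__":
    for ip, count in any_burst_sources(sample_log()).items():
        print(f"{ip}: {count} ANY queries within 10 s")
```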
Re: Forwarding based on Client IPs
On 04.04.12 11:54, Siju George wrote:
> Currently I am using Bind9 for DNS. I wish to do the following forward.
> 1. Forward to domain Name Servers based on client IPs.
> a. Forward one set of LAN users to OpenDNS DNS servers so that I can restrict them
> b. Forward a second set of LAN users to google DNS server
> c. Forward a third set of LAN users by default through OpenDNS but for some domains through google DNS.

Why forward those queries? Is there any reason why you can't resolve them with your bind?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
2B|!2B, that's a question!
Re: Forwarding based on Client IPs
On 04.04.12 11:54, Siju George wrote:
>> Currently I am using Bind9 for DNS. I wish to do the following forward.
>> 1. Forward to domain Name Servers based on client IPs.
>> a. Forward one set of LAN users to OpenDNS DNS servers so that I can restrict them
>> b. Forward a second set of LAN users to google DNS server
>> c. Forward a third set of LAN users by default through OpenDNS but for some domains through google DNS.

On 04.04.12 12:33, Siju George wrote:
> The only reason I need to forward them to OpenDNS ( http://www.opendns.com/ ) is because I use their filtering. I guess I can avoid forwarding to google dns and resolve them with bind itself?

I guess you could even do the OpenDNS filtering yourself, if OpenDNS will provide you the required data (and they are available for BIND as RPZ zones). I don't know if OpenDNS provides such a feature.

However, whoever needs to use such filtering should access OpenDNS services directly, not through another server - I guess OpenDNS filters depending on the source IP, which will be the same for all clients using your DNS server.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #9: Out of error messages.
Apple OS and DNS resolution (._dns-sd.udp. requests)
Hello,

our customer (an ISP) reported that his clients have problems resolving sites like facebook, youtube, applestores and that the problems only affect Apple computers.

I notice many requests for DNS service discovery:

Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#32844: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#49019: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#35647: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied

These requests are denied, because we use private IPs from those ranges and I don't want to make them available for users.

Can these requests cause resolving problems on Apple computers?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Your mouse has moved. Windows NT will now restart for changes to take effect. [OK]
Re: Apple OS and DNS resolution (._dns-sd.udp. requests)
In message <20120405090858.ga29...@fantomas.sk>, Matus UHLAR - fantomas writes:
>> our customer (an ISP) reported that his clients have problems resolving sites like facebook, youtube, applestores and that the problems only affect Apple computers.
>> I notice many requests for DNS service discovery:
>> Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#32844: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
>> Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#49019: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
>> Apr 5 09:47:20 t03 named[8324]: security: info: client 195.168.157.82#35647: query 'cf._dns-sd._udp.132.110.254.10.in-addr.arpa/TXT/IN' denied
>> These requests are denied, because we use private IPs from those ranges and I don't want to make them available for users.
>> Can these requests cause resolving problems on Apple computers?

On 06.04.12 08:09, Mark Andrews wrote:
> Well you are leaking RFC 1918 answers. I would close off the leak by using views or different nameservers for your machines.

I am leaking? :) I am not. The client is sending requests and I am denying them.

I have a plan to move those zones to different servers to avoid this problem, and clients will get empty results.

I was curious if these can't cause the problem reported by the user, however it appears not to be the source of it. I'll have to dig further.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Saving Private Ryan... Private Ryan exists. Overwrite? (Y/N)
Re: troubleshooting bind
On 09.04.12 16:55, Marseglia, Michael wrote:
> I'm troubleshooting a DNS issue we recently experienced where records were unresolvable, response NXDOMAIN, from the caching DNS server. I flushed the cache using rndc flush and I received the host's IP. There were no errors in the system log so I'm enabling debug logging should it occur again. I'm still not sure what caused the NXDOMAIN response so I'm reviewing my BIND config and taking a look at the default values.

The NXDOMAIN answer was apparently returned by one of the servers that are authoritative for the domain or the domains above. Check all servers in the resolution path for the answer. It's a quite common problem with master/slave synchronization, multiple masters, or a missing delegation to a subdomain, where this can happen.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"They say when you play that M$ CD backward you can hear satanic messages." "That's nothing. If you play it forward it will install Windows."
Re: TC Flag
On 10.04.12 19:24, rams wrote:
> When do I get the TC flag for a UDP query?

When the answer is too big to fit into the UDP packet of size 512 (default) or client-provided (when your client advertises a bigger buffer size).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
On the other hand, you have different fingers.
Re: Don't understand why I get a FORMERR (quad-A - ipv6 related)
In message , Nicolas Michel writes:
>> I have BIND 9.6-ESV-R5-P1 on SLES 11 SP1 installed and it is working fine. I only have a situation where I don't understand what's happening and why: I try to do a quad-A query to www.ryanair.com (which doesn't exist, only a single A). When trying this with "dig" on my BIND server, I get a SERVFAIL return code. When doing the same query on the google DNS (8.8.8.8) I only get no answer but a return code of NOERROR.

On 25.04.12 23:53, Mark Andrews wrote:
> The root cause is that the name servers for www.ryanair.com are misconfigured. They are returning answers as if they are configured for ryanair.com (see the SOA record) instead of www.ryanair.com as can be seen below.

Hmm, I was solving their problem years ago. Haven't they fixed that yet?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: Max Client per Query
On 30.04.12 13:54, Rafael Molina wrote:
> I need information about how max-clients-per-query and clients-per-query work?

If multiple clients send the same query, bind won't try to resolve it multiple times, but will wait until the answer comes. It needs to know which clients asked for that.

> I want to limit the number of queries done by a client. The usage of resources in my equipment is very high, especially in my firewall.

Either you have a misconfigured or misbehaving client, or you need to upgrade your DNS server. By limiting queries you may cause trouble for your clients.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Chernobyl was a Windows 95 beta test site.
Re: Reverse zone delegation for 172.16.16.0/20 - HOW TO?
On 21.05.12 10:20, Ellad G. Yatsko wrote:
> I tried to delegate 172.16.16.0/ doing the following on the central site:
> $ORIGIN 16.172.in-addr.arpa.
> $GENERATE 16-31 $ NS srvgate.sokol.msk.united-networks.ru.
> It works! :-) You are right! :-)

It works but better don't do that.

> But I don't understand what do I need to do on the "sokol.msk" server? Do I need to create 16 independent files for 16.16.172.in-addr.arpa...31.16.172.in-addr.arpa or is there a way which allows me to aggregate all of those in one file?

The much easier way is to create configs and zone files for 16 zones, 16.16.172.in-addr.arpa ... 31.16.172.in-addr.arpa, and use them as 16 separate /16 zones.

Better do not try to make this easier, you will end up making it more complicated and error-prone.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
He who laughs last thinks slowest.
Re: Reverse zone delegation for 172.16.16.0/20 - HOW TO?
On 21.05.12 10:36, Ellad G. Yatsko wrote:
> The below article doesn't answer the question how to formalize a /20 delegation. Instead it shows how to make a < /24 delegation.
> http://dougbarton.us/DNS/2317.html

Delegation of a /20 can be simply made like the

However, it's better not to do things this way and better to split the /16 block into 256 /24 blocks and simply delegate each one as you need. Doing it simply is both nice and resistant to errors.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Depression is merely anger without enthusiasm.
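Both messages above (the $GENERATE line on the parent and the 16 zones on the child) describe the same split of a /20 into /24 reverse zones, and the two halves are easy to generate together so the parent's NS records and the child's zone list cannot drift apart. This is an added example, not code from the thread or from BIND; the name server name and the file paths are placeholders.

```python
"""Generate both halves of a /24-granular reverse delegation for a block between /16 and /24:
the parent-side NS records (the expanded form of the $GENERATE line above, one explicit
NS RRset per /24) and the child-side named.conf zone stanzas, one zone per /24.

Added example, not code from the thread. Name server names and paths are placeholders.
"""
import ipaddress
from typing import List


def _network(cidr: str) -> ipaddress.IPv4Network:
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 16 <= net.prefixlen <= 24:
        raise ValueError("only IPv4 blocks between /16 and /24 are split into /24 reverse zones")
    return net


def parent_zone_name(cidr: str) -> str:
    """The /16 reverse zone that carries the delegations, e.g. 16.172.in-addr.arpa."""
    o = _network(cidr).network_address.packed
    return f"{o[1]}.{o[0]}.in-addr.arpa"


def reverse_zone_names(cidr: str) -> List[str]:
    """Child zones: one <third>.<second>.<first>.in-addr.arpa per /24 in the block."""
    names = []
    for sub in _network(cidr).subnets(new_prefix=24):
        o = sub.network_address.packed
        names.append(f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa")
    return names


def parent_delegation_records(cidr: str, ns_names: List[str]) -> List[str]:
    """Zone-file lines for the parent zone, relative to its $ORIGIN: 'NN IN NS <server>'."""
    lines = []
    for zone in reverse_zone_names(cidr):
        label = zone.split(".")[0]          # the third octet is the delegated label
        lines.extend(f"{label} IN NS {ns}" for ns in ns_names)
    return lines


def child_named_conf(cidr: str, directory: str = "/var/named/rev") -> str:
    """named.conf stanzas for the delegated server: a plain master zone per /24."""
    stanzas = []
    for zone in reverse_zone_names(cidr):
        stanzas.append(f'zone "{zone}" {{\n\ttype master;\n\tfile "{directory}/{zone}.db";\n}};')
    return "\n".join(stanzas) + "\n"


if __name__ == "__main__":
    block = "172.16.16.0/20"
    print(f"; parent zone {parent_zone_name(block)}")
    print("\n".join(parent_delegation_records(block, ["srvgate.example."])))  # placeholder server
    print(child_named_conf(block))
```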
Re: Checking for zone expiration?
On May 21 2012, Alan Batie wrote:
>> We had a rather key zone mysteriously expire on a slave this morning - the log files show a transfer a couple weeks ago, but it hadn't been updated so there was no reason for one since and there were no log entries about failed connection attempts.

On 21.05.12 22:27, Chris Thompson wrote:
> Do you have "try-tcp-refresh no" in your named.conf options? If so, and the slave had lost connectivity with the master, the SOA lookups failing would not have triggered a transfer attempt and so you would not see any "xfer-in" errors.

Isn't there anything else that will trigger a transfer attempt, or is it useless in such a case?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
If Barbie is so popular, why do you have to buy her friends?
Re: Bind configuration and log error
On 23.05.12 12:56, Amira Othman wrote:
> I have in my messages log file many lines as follows but with different domains unreachable, what does this mean:
> named[15490]: network unreachable resolving 'platinum.cs.umanitoba.ca/A/IN'
> also I can't dig or nslookup or ping my DNS server remotely, what should I do to enable that?

Your server apparently has problems with internet connectivity. Is it behind a firewall?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Spam is for losers who can't get business any other way.
Re: logging to syslog on another host?
On 30.05.12 12:16, Sten Carlsen wrote:
> I was considering using the syslog on a different host for logging from bind. The purpose was to collect logs from various places into one repository.
> [...]
> Can bind send its logging output to an external syslog?

Not directly. However, that is what the syslog daemon is for: simply configure it to forward logs to another machine.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: Partial forwarding.
On 30.05.12 04:03, Stephen James wrote:
> We have a lab setup where we are testing a customer configuration but do not have all of the same equipment. Is it possible to have a bind server that resolves certain FQDNs in a zone, while forwarding the remaining to another DNS?

Not with BIND. BIND either forwards or resolves. If it resolves, it is authoritative: if it does not have the answer, then the answer does not exist. You can use lightweight DNS servers like dnsmasq that can locally resolve some hosts and forward all the rest.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: Recommended value for max-cache-size for cache-only shared hosts..
On 31.05.12 22:26, blr maani wrote:
> hmmm.. 75%-85% seems too large because the host runs an email application in addition to cache-and-forward-only BIND (for better local caching). So, I was wondering if there are any best/proven practices/recommendations for such shared application hosts? The default value is 32MB. We have 8GB RAM. I don't know if it's better to start with 1GB (1/8th of RAM)?

I was thinking of this when the default was changed to 32M. I changed it intentionally to 0 to see how much memory usage will grow. I can tell you that on one of our servers where named uses the most memory, it currently uses 1359868 VSZ and 732852 RSS after 38 days with ~432 queries per second. I have even increased max-ttl and max-negative-ttl to see if it affects memory usage.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Chernobyl was a Windows 95 beta test site.
Re: Reverse zones best practices
On 26.06.12 11:07, Brad Bendily wrote:
> Personally, I'd rather edit 1 file than hundreds of different files.

And when you make a mistake in one file, you will f*ck up everything instead of one /24 subnet.

> I can add the DNS entry and IP address and reload the service. No trying to figure out which file it goes in. I try to keep the file in alphabetical order, which makes finding and adding entries easier.

Alphabetical? If you want to make finding easier, you should use numeric order for reverse zones. Unless you want to search for RDATA, but don't care about duplicates... (the best is to have records in a database, so you can sort according to anything you need)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
One OS to rule them all, One OS to find them,
One OS to bring them all and into darkness bind them
Re: Reverse zones best practices
On 28.06.12 08:21, Mark Andrews wrote:
> I would set up 10.in-addr.arpa which is slaved on all internal nameservers and delegate the /24's as required. 10.in-addr.arpa won't change much and will be cheaper in the long run than using a stub zone.

Just to add that you may need delegation NS records for subzones.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.
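As an added illustration of the two replies above (not code from the list, from ISC or from BIND), the following script generates the 10.in-addr.arpa parent zone with the NS delegations for the chosen /24 subzones, and orders the reverse owner names numerically rather than alphabetically. The subnets, nameserver names, SOA serial and timers are constructed sample values; only delegations inside 10.0.0.0/8 are accepted, since anything else does not belong in this zone.

```python
"""Generate a 10.in-addr.arpa parent zone that delegates selected /24s.

Added example for the "Reverse zones best practices" thread. Not BIND or
ISC code; all subnets, nameserver names and SOA values are constructed.
"""
import ipaddress

PARENT_NET = ipaddress.IPv4Network("10.0.0.0/8")


def reverse_label(network) -> str:
    """Owner name of a /24 delegation under 10.in-addr.arpa, e.g. 5.1.10.in-addr.arpa."""
    network = ipaddress.IPv4Network(network)
    if network.prefixlen != 24:
        raise ValueError("only /24 delegations are generated here")
    if not network.subnet_of(PARENT_NET):
        raise ValueError(f"{network} is not inside {PARENT_NET}")
    a, b, c, _ = str(network.network_address).split(".")
    return f"{c}.{b}.{a}.in-addr.arpa."


def reverse_sort_key(owner: str):
    """Sort key that orders reverse names by the forward octets (10.0.200 < 10.1.5 < 10.1.10)."""
    labels = owner.rstrip(".").split(".")
    octets = labels[:-2]  # drop the 'in-addr' and 'arpa' labels
    return tuple(int(x) for x in reversed(octets))


def build_parent_zone(delegations, serial=2012062801, ttl=3600) -> str:
    """Return zone-file text for 10.in-addr.arpa.

    delegations: iterable of (cidr, [nameserver names]) pairs. Each pair yields
    one NS record per nameserver at the delegation point; the NS records are
    emitted in numeric subnet order so a human can find a /24 quickly.
    """
    lines = [
        f"$TTL {ttl}",
        f"@ IN SOA ns1.example.internal. hostmaster.example.internal. ({serial} 3600 900 1209600 3600)",
        "@ IN NS ns1.example.internal.",
        "@ IN NS ns2.example.internal.",
    ]
    records = []
    for cidr, nameservers in delegations:
        owner = reverse_label(cidr)
        for ns in nameservers:
            records.append((owner, f"{owner} IN NS {ns}"))
    records.sort(key=lambda rec: reverse_sort_key(rec[0]))
    lines.extend(text for _, text in records)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: three sites, deliberately given out of numeric order.
    sample = [
        ("10.1.10.0/24", ["ns1.site-c.example.internal."]),
        ("10.1.5.0/24", ["ns1.site-b.example.internal.", "ns2.site-b.example.internal."]),
        ("10.0.200.0/24", ["ns1.site-a.example.internal."]),
    ]
    print(build_parent_zone(sample))
```

The parent zone only needs the NS records at each delegation point; the nameservers themselves live outside in-addr.arpa, so no glue is required there.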
Re: What can cause excessive amount of _dns-sd queries?
On 23.08.12 13:43, Eivind Olsen wrote:
> I haven't seen this before.. I'm currently seeing someone (1 ip address) do about 2.1 million queries / hour where a majority of the queries seem to be:
> b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
> talk.l.google.com IN A +
> gmail-pop.l.google.com IN A +
> gmail-imap.l.google.com IN A +
> ...and similar variations of these. Have any of you seen something like this before?

I have... a customer was complaining about its clients not being able to get to sites like facebook, youtube, apple store etc. I don't work for the company anymore, so I have no idea if they have fixed it (the only way I could think of was to change the company's DNS architecture):
https://lists.isc.org/pipermail/bind-users/2012-April/087314.html

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
I drive way too fast to worry about cholesterol.
Re: Moving from "type forward" to "type static-stub"
On 20.09.12 19:49, Oscar Ricardo Silva wrote:
> The current servers are configured to forward any queries for our domain straight to our authoritative servers:
> I've been reading about the new zone type: static-stub and believe this may work better for us. If I'm correct, it will send non-recursive queries to the listed servers and will honor delegations. I've tested this configuration in our lab and it all appears to be working. With our configuration, are there any downsides to changing from forward zones to static-stub? Any gotchas I should know about? At this time we don't have dnssec validation turned on. We tried it and had too many problems with misconfigured domains not resolving properly, so backed out.

Type forward supports "forward first", which is good if you have e.g. local versions of blacklists but want to use standard resolution when your local servers are unreachable.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety. -- Benjamin Franklin, 1759
Re: ISC Bind in Active Directory
On 22.10.12 13:39, Nicholas F Miller wrote:
> We use Bind for all DNS including DDNS for our AD. We use GSS-TSIG to control what record types and machines can make dynamic updates to our AD zone. We use ISC's DHCP but don't allow it to do DNS updates since we use GSS-TSIG at the client level instead.

For me to understand: do your clients use GSS-TSIG to update themselves instead of the DHCP server doing the same?

> On Oct 22, 2012, at 11:36 AM, Aaron Thompson wrote:
>> Are you using AD or Bind for DNS/DHCP? I'm assuming you're using AD for authentication.

>> On Oct 19, 2012, at 10:46 AM, Nicholas F Miller wrote:
>>> DDNS record scavenging is the only feature I'm aware of that MS DNS has that Bind doesn't. On the flip side, ISC Bind can ACL who can add certain record types to a dynamic zone using GSS-TSIG as well as supports views and ACLs for recursion. Everything else should be standard DNS.

Isn't the client self-registration the reason why scavenging is needed?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".
Re: dns master-slave transfer
On 2012-10-29 9:58, kavin wrote:
>> Now I want to transfer the zone data from the master dns server to the slave dns server; the master dns uses bind-dlz+mysql and the slave dns server uses bind+file.

On 29.10.12 10:45, Feng He wrote:
> AFAIK, BIND DLZ doesn't send a notify message to the slave, so both your master and slave should be able to use the DLZ backend and run a mysql replication for data sync.

NOTIFY is not required to implement DNS, it just makes propagation faster. AXFR should work without it; however, the refresh/retry in the SOA should be small enough (depends on how often you change the data).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Despite the cost of living, have you noticed how popular it remains?
Re: Lots of "RSA_verify failed" after upgrade to 9.7.7
> In message <20121105092813.ge34...@pol-server.leissner.se>, Peter Olsson writes:
>> Yesterday I upgraded our slave DNS (running FreeBSD 7.4) from bind 9.7.6.4 to 9.7.7. The server uses bind97 from ports. After that upgrade I get lots of these in syslog:
>> RSA_verify failed error:04077068:rsa routines:RSA_verify:bad signature:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/rsa/rsa_sign.c:263:
>> I have never seen these before. I tried Google but got no recent results. Anyone know what this means and how to get rid of these errors?

On 05.11.12 21:21, Mark Andrews wrote:
> Ignore them. They will be addressed in the next maintenance release.

But not for 9.7, since 9.7 has been EOL since November 2012. Correct?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Depression is merely anger without enthusiasm.
truncated responses vs. minimal-responses?
Hello,

in the last few weeks I have seen many discussions over UDP truncating and using "minimal-responses yes;" to prevent BIND from doing that.

I've read an article stating that a nameserver should avoid truncating packets even by skipping additional and authority sections in its responses, which should mean that using minimal-responses would not help.

However, I've seen a few mails mentioning that a query can get truncated when the authority section is too big, and advice to turn minimal-responses on.

Reading the 9.9.2 docs and even looking at the sources (I am not a C coder) did not help me with this. Can anyone enlighten me on this?

Thank you.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson. -- Daffy Duck & Porky Pig
Re: truncated responses vs. minimal-responses?
>> in the last few weeks I have seen many discussions over UDP truncating and using "minimal-responses yes;" to prevent BIND from doing that.
>> I've read an article stating that a nameserver should avoid truncating packets even by skipping additional and authority sections in its responses, which should mean that using minimal-responses would not help.
>> However, I've seen a few mails mentioning that a query can get truncated when the authority section is too big, and advice to turn minimal-responses on.
>> Reading the 9.9.2 docs and even looking at the sources (I am not a C coder) did not help me with this.

On 27.11.12 17:41, Mike Hoskins (michoski) wrote:
> It seems it should help... fewer bits in the packet relating to additional and authority should leave room for other data.

OTOH, some of the data may be needed (later), and adding them into the response may avoid the need for another request.

> That said, I think the better way (when possible) is to adjust RRs not to return "too much data" (e.g. NS, A, etc. not returning more than ~8 hosts -- which in turn could be multicast, load balanced, etc to get the desired scale). Akamai, for example, defaults to limiting up to 8 "RDATAs" per RR (or however you'd describe that). If you add 20 As for a name you'll rotate through 8 at a time. You can request more at your own risk...they assume you'll ensure the larger answer will fit in a UDP packet and not cause TCP responses which cripple performance.

I know. But there are cases where you just have a lot of data in the DNS, and what I am asking is, if BIND really does skip the authority section, whether it helps to avoid sending truncated packets. If it does, minimal-responses does NOT affect packet truncation. If it does not, I ask why...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
M$ Win's are shit, do not use it !
Re: Upstart job for BIND9
On 29.11.12 14:03, Alexander Gurvitz wrote:
> It will run bind on runlevels 2345, stop bind on other runlevels, but the most important - respawn it once it stops with one of its famous assertion failures :).

Famous assertion failures? What system do you run BIND on? Shouldn't you rather upgrade to a version that has no famous assertion failures?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux IS user friendly, it's just selective who its friends are...
Re: truncated responses vs. minimal-responses?
> Matus UHLAR - fantomas wrote:
>> I know. But there are cases where you just have a lot of data in the DNS, and what I am asking is, if BIND really does skip the authority section, whether it helps to avoid sending truncated packets.

On 28.11.12 18:38, Tony Finch wrote:
> Yes it does. For example, have a look at responses to queries for dotat.at in mx for various buffer sizes and observe that RRsets are dropped but the TC bit is not set.

Nice to see. I'm seeing recommendations to set minimal-responses to avoid the truncation problem everywhere, and I'd like to have it documented somewhere that it just won't help... I still can advise to test it, but official info from ISC would be the best. I feel some people try to do that to avoid a proper EDNS0 implementation...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Linux is like a teepee: no Windows, no Gates and an apache inside...
Re: Upstart job for BIND9
On Thu, Nov 29, 2012 at 7:25 PM, Matus UHLAR - fantomas wrote:
>> Famous assertion failures? What system do you run BIND on? Shouldn't you rather upgrade to a version that has no famous assertion failures?

On 29.11.12 20:50, Alexander Gurvitz wrote:
> Well, of course it's extremely exaggerated, sorry if I offended someone. But crashes may happen; actually I started to play with upstart after named stopped once on our production system (it's not an outdated version). I think it's a good idea to make it respawn.

I don't think it's wise to respawn named without knowing why it crashed. This could lead to repeated crashes and system overload. You'd need to configure at least the number of restarts allowed in a specified time... If it's a production system, it should have a backup, shouldn't it?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re:
On 29.11.12 18:34, Jose Manuel Delgado G. wrote:
> About the other question, how to reduce the response time of my server when the domain does not exist?

It is not the "domain does not exist" problem. This is the "the only nameserver for a domain times out" problem, which can only be avoided either by fixing the server or by making it answer. Since there is just no workaround, the only thing bind can do is to query (and time out).

>> # dig @8.8.8.8 videolinedvd.com

> 2012/11/29 Chuck Swiger
>> You've got two nameservers for the domain per WHOIS as:
>> Domain servers in listed order:
>> NS1.VIDEOLINEDVD.COM
>> NS2.VIDEOLINEDVD.COM
>> ...but they don't have A records setup. Your nameservers must have A records:

Actually, they have glue A records in the .com zone:

;; AUTHORITY SECTION:
videolinedvd.com. 172800 IN NS ns1.videolinedvd.com.
videolinedvd.com. 172800 IN NS ns2.videolinedvd.com.

;; ADDITIONAL SECTION:
ns1.videolinedvd.com. 172800 IN A 72.167.164.36
ns2.videolinedvd.com. 172800 IN A 72.167.164.36

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re:
> 2012/11/29 Chuck Swiger
>>> You've got two nameservers for the domain per WHOIS as:
>>> Domain servers in listed order:
>>> NS1.VIDEOLINEDVD.COM
>>> NS2.VIDEOLINEDVD.COM
>>> ...but they don't have A records setup. Your nameservers must have A records:

> On Nov 30, 2012, at 4:53 AM, Matus UHLAR - fantomas wrote:
>> Actually, they have glue A records in the .com zone:
>> ;; AUTHORITY SECTION:
>> videolinedvd.com. 172800 IN NS ns1.videolinedvd.com.
>> videolinedvd.com. 172800 IN NS ns2.videolinedvd.com.
>> ;; ADDITIONAL SECTION:
>> ns1.videolinedvd.com. 172800 IN A 72.167.164.36
>> ns2.videolinedvd.com. 172800 IN A 72.167.164.36

On 30.11.12 09:46, Chris Buxton wrote:
> Glue records without matching authoritative records are pretty useless. If there isn't a matching A record in the videolinedvd.com zone as served by those two servers, it just won't work.

At the time I checked, the servers at the address given were not responding. So I can not say if there are any records... did you get any?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: truncated responses vs. minimal-responses?
>> On 28.11.12 18:38, Tony Finch wrote:
>>> Yes it does. For example, have a look at responses to queries for dotat.at in mx for various buffer sizes and observe that RRsets are dropped but the TC bit is not set.

> On 11/30/2012 01:30 PM, Matus UHLAR - fantomas wrote:
>> Nice to see. I'm seeing recommendations to set minimal-responses to avoid the truncation problem everywhere, and I'd like to have it documented somewhere that it just won't help...

On 03.12.12 09:41, Gilles Massen wrote:
> Truncation happens only if the ANSWER section is too large, and as minimal-responses only affects AUTHORITY and ADDITIONAL, the effect on truncation should be null.

I'm curious if there's any case where the AUTHORITY section is needed for the proper function of DNS. I think I've seen reports about truncated responses with the AUTHORITY section added... maybe an intermediate firewall or load balancer truncating them...

> For UDP fragmentation it is an entirely different matter, of course. But should default settings really be optimized to accommodate broken firewalls?

Default or non-default, if we are behind a firewall or load balancer, we should know when they cause troubles.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Enter any 12-digit prime number to continue.
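To make the point of this thread concrete, here is an added model (not BIND's code and not from the list) of how a response is fitted into a UDP buffer: whole ADDITIONAL and then AUTHORITY sections are dropped without setting TC, and TC is set only when the ANSWER section itself does not fit, which is the behaviour Tony Finch and Gilles Massen describe. It builds real wire-format messages (uncompressed names, RFC 1035 layout) for a constructed example.com query with a configurable number of A records, and a `minimal_responses` switch that leaves out AUTHORITY/ADDITIONAL from the start, so you can see that the switch never changes whether TC ends up set.

```python
"""Fit a DNS response into a UDP buffer: section dropping versus the TC bit.

Added example for the "truncated responses vs. minimal-responses?" thread.
This is a simplified model, not BIND's implementation; names are written
uncompressed and all records are constructed samples for example.com.
"""
import struct

QTYPE_A, QTYPE_NS, CLASS_IN = 1, 2, 1
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_rr(owner: str, rtype: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: NAME TYPE CLASS TTL RDLENGTH RDATA."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rdata)) + rdata


def build_response(qname, answer, authority, additional, bufsize, minimal_responses=False):
    """Assemble a response no larger than bufsize.

    Returns (wire, tc_set, (ancount, nscount, arcount)). Order of operations:
      1. with minimal_responses, AUTHORITY/ADDITIONAL are never included;
      2. if the message is too big, drop ADDITIONAL, then AUTHORITY (no TC);
      3. only if the ANSWER alone still does not fit, keep the whole RRs that
         fit and set the TC bit so the client retries over TCP.
    """
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, CLASS_IN)
    fixed = 12 + len(question)  # header plus question
    if minimal_responses:
        authority, additional = [], []
    sections = [list(answer), list(authority), list(additional)]

    def total() -> int:
        return fixed + sum(len(rr) for sec in sections for rr in sec)

    for idx in (2, 1):  # ADDITIONAL first, then AUTHORITY
        if total() > bufsize:
            sections[idx] = []

    tc = False
    if total() > bufsize:  # the answer itself is too large
        tc = True
        kept, size = [], fixed
        for rr in sections[0]:
            if size + len(rr) > bufsize:
                break
            kept.append(rr)
            size += len(rr)
        sections[0] = kept

    counts = tuple(len(sec) for sec in sections)
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if tc else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, *counts)
    wire = header + question + b"".join(rr for sec in sections for rr in sec)
    return wire, tc, counts


def tc_bit(wire: bytes) -> bool:
    """Read the TC flag back out of an assembled message."""
    return bool(struct.unpack("!H", wire[2:4])[0] & FLAG_TC)


def sample_sections(n_answers: int):
    """Constructed example.com data: n A records, 2 NS records, 2 glue A records."""
    answer = [make_rr("example.com.", QTYPE_A, 300, bytes([192, 0, 2, i + 1])) for i in range(n_answers)]
    authority = [make_rr("example.com.", QTYPE_NS, 3600, encode_name(f"ns{i}.example.com.")) for i in (1, 2)]
    additional = [make_rr(f"ns{i}.example.com.", QTYPE_A, 3600, bytes([192, 0, 2, 250 + i])) for i in (1, 2)]
    return answer, authority, additional


if __name__ == "__main__":
    for n in (8, 14, 20):
        for minimal in (False, True):
            wire, tc, counts = build_response("example.com.", *sample_sections(n), 512, minimal)
            print(f"{n:2d} A records, minimal-responses={minimal!s:5}: {len(wire)} bytes, TC={tc}, counts={counts}")
```

With a 512-byte buffer, 14 A records fit once ADDITIONAL is dropped (AUTHORITY survives, TC stays clear), while 20 A records overflow the buffer on their own and TC is set whether or not minimal-responses is on.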
Re: Expiration TTLs
On 02.12.12 18:10, Paul Romano wrote:
> Thanks for the correction on the term TTL instead of timer. The engineer I inherited this environment from has the refresh set to 40 minutes and the zone expiration set to 2 hours. The explanation I got was that since we are authoritative for AD, we want to ensure that some kind of scavenging is in place.

... and if your primary server(s) fail for 2 hours, your zone will stop working.

> Your explanation suggests that the refresh time is strictly survivability and will not force an update if the serial numbers do not increment enough to implement the refresh.

That is how DNS works. The problem with Microsoft DNS servers and AD is that they do not follow this standard.

> Am I stating this correctly? Any suggestions?

According to what I know, use 2-3 AD servers and keep DNS on them. Just make sure they will not fail at the same time... If anyone has better info on how Microsoft AD servers work with DNS, just let us know...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Windows found: (R)emove, (E)rase, (D)elete
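The three threads above that touch secondary-zone timers (the slave that expired after failed SOA checks, NOTIFY being optional for DLZ masters, and the 40-minute refresh / 2-hour expire here) all come down to the same state machine. The following simulation is an added example, not BIND code and not from the list: a secondary polls the master's SOA every REFRESH seconds, backs off by RETRY after a failed check, restarts its EXPIRE clock on every successful check, and stops serving once EXPIRE has elapsed since the last success; NOTIFY merely triggers a check immediately. Times are in seconds and the SOA values, outage windows and serial changes are constructed.

```python
"""Secondary zone REFRESH / RETRY / EXPIRE timers, as an added simulation.

Not BIND code. Models the behaviour discussed in the threads on expiring
secondaries, failing SOA refresh checks and NOTIFY. All values constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# A "master" is a function of the current time returning the SOA serial it
# would answer with, or None when it does not answer at all.
Master = Callable[[int], Optional[int]]


@dataclass
class SecondaryZone:
    serial: int
    refresh: int
    retry: int
    expire: int
    loaded_at: int = 0  # time of the last successful refresh check or transfer
    next_check: int = field(init=False)
    transfers: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.next_check = self.loaded_at + self.refresh

    def serving(self, now: int) -> bool:
        """Data is authoritative only until EXPIRE seconds after the last success."""
        return now < self.loaded_at + self.expire

    def refresh_check(self, now: int, master: Master) -> None:
        """One SOA query to the master."""
        serial = master(now)
        if serial is None:
            self.next_check = now + self.retry  # failed: try again after RETRY
            return
        if serial > self.serial:                # master is newer: transfer the zone
            self.serial = serial
            self.transfers.append(now)
        self.loaded_at = now                    # any success restarts the EXPIRE clock
        self.next_check = now + self.refresh

    def tick(self, now: int, master: Master) -> None:
        if now >= self.next_check:
            self.refresh_check(now, master)

    def notify(self, now: int, master: Master) -> None:
        """NOTIFY does not carry data; it only makes the secondary check right now."""
        self.refresh_check(now, master)


def run(zone: SecondaryZone, master: Master, horizon: int,
        notify_at: Optional[int] = None, step: int = 60) -> Optional[int]:
    """Advance time in `step` seconds; return when the zone first stopped serving, or None."""
    stopped = None
    for now in range(0, horizon + 1, step):
        if notify_at is not None and now == notify_at:
            zone.notify(now, master)
        zone.tick(now, master)
        if stopped is None and not zone.serving(now):
            stopped = now
    return stopped


def outage_master(serial: int, down_from: int, down_until: int) -> Master:
    """A master that answers with `serial` except during [down_from, down_until)."""
    return lambda now: None if down_from <= now < down_until else serial


def changing_master(old: int, new: int, change_at: int) -> Master:
    """A master whose serial goes from old to new at change_at."""
    return lambda now: new if now >= change_at else old


if __name__ == "__main__":
    # Constructed scenario 1: refresh 40 min, expire 2 h, master down for 3 h.
    z = SecondaryZone(serial=1, refresh=2400, retry=600, expire=7200)
    print("stopped serving at", run(z, outage_master(1, 0, 10800), 10800))
    # Constructed scenario 2: same outage with a two-week expire survives it.
    z = SecondaryZone(serial=1, refresh=2400, retry=600, expire=1209600)
    print("stopped serving at", run(z, outage_master(1, 0, 10800), 10800))
    # Constructed scenario 3: serial bump at t=1020 picked up with and without NOTIFY.
    for notify in (None, 1020):
        z = SecondaryZone(serial=1, refresh=2400, retry=600, expire=7200)
        run(z, changing_master(1, 2, 1020), 3000, notify_at=notify)
        print("notify at", notify, "-> transfers at", z.transfers)
```

In scenario 1 the zone goes dark exactly at t=7200 even though the master is back an hour later; in scenario 3 the change reaches the secondary either way, NOTIFY only shortens the wait from the next REFRESH to immediately.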
Re: Can't find named_dump.db
On 03.12.12 21:32, Daniele Imbrogino wrote:
> I edited the working directory to /etc/bind because this is the directory where I have all the zone data files. If I use the default /var/cache/bind, do I have to move also the zone data files

No, you will just have to provide the full path in the zones' filename statements.

> (or, at least, create an alias)?

You can make symlinks from /var/cache/bind pointing to /etc/bind if you need.

> I'm saying this because even if the default configuration has /var/cache/bind as the default working directory, all the files are in /etc/bind by default.

It's done this way just to have dumps and core files in /var/cache/bind, where named usually can write, instead of /etc, where it usually can't (and shouldn't).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Silvester Stallone: Father of the RISC concept.
Re: OT - Dns test Q/A
On 29.11.12 11:44, Chiesa Stefano wrote:
> I created an application to delegate zone management to colleagues that are used to asking for changes to those zones. I would set up a small "zone administration test" to verify minimal dns knowledge (right use of main RRs such as A-CNAME-MX.) Can you suggest me a document from which I can extract a few questions? Sorry for the OT and thanks in advance.

Sorry for not responding sooner, but I have no idea where you could find such information. I can only recommend you to search the net for already existing dns knowledge tests...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
2B|!2B, that's a question!
Re: Querying directly a nameserver works, while forwarding not
On Wed, 2012-12-05 at 10:23 +0100, Daniele Imbrogino wrote:
>> /etc/bind/named.conf.option

On 05.12.12 21:47, Noel Butler wrote:
> WTF is that file? It certainly is not an ISC named file.

It's the file containing the options section, installed by default in debian. From the changelog:

  * Do options definitions in /etc/bind/named.conf.options, makes life easier in the face of named.conf changes from upstream.

> if you are using some butchered to buggery distros file, please ask on your distros mailing list, we are not to know what that file contains, or expects

It should only contain the options { }; directive with included options. The bad part is when someone maintains multiple servers with similar settings: only the differing options should be included in an external file, with common options in the main config file.

debian uses:

- named.conf
  // no host-specific options
  include "named.conf.options"
- named.conf.options
  options { listen-on "..."; };

I used instead:

- named.conf:
  options {
    // common.options
    ...
    include "named.conf.options";
  };
- named.conf.options:
  // host-specific options
  listen-on "...";

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Christian Science Programming: "Let God Debug It!".
Re: Can't find named_dump.db
On 05.12.12 15:07, Daniele Imbrogino wrote:
> Finally I solved it! The problem was in the write permission of /etc, while in /var/cache/bind it works perfectly! Thank you for the assistance!

I hope you did not allow BIND to write to /etc... (/etc should be writable by admins, not daemons; that's why we use /var)

> On 03.12.12 21:32, Daniele Imbrogino wrote:
>>> I edited the working directory to /etc/bind because this is the directory where I have all the zone data files. If I use the default /var/cache/bind, do I have to move also the zone data files

> 2012/12/5 Matus UHLAR - fantomas
>> No, you will just have to provide the full path in the zones' filename statements.

>>> I'm saying this because even if the default configuration has /var/cache/bind as the default working directory, all the files are in /etc/bind by default.

>> It's done this way just to have dumps and core files in /var/cache/bind, where named usually can write, instead of /etc, where it usually can't (and shouldn't).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
WinError #98652: Operation completed successfully.
Re: Preference of Master Name Servers
On 05.12.12 17:28, David Hall wrote:
> Question 1: In our secondary / slave name servers we specify the master name servers in the normal manner:
> zone mysample.me.uk {
>   type slave;
>   file "m/y/db.mysample.me.uk";
>   masters { 10.10.100.12; 10.10.101.12; 10.10.102.5; };
> };
> What I have found is that the order of the master name servers does not matter and one is used at random. That name server is tried for all AXFR / IXFR attempts until it is unreachable. Is there a way to set a dedicated preference of which name servers to use first?

No. All masters are treated equally. Do you know a reason why they should not be? However, if the slave received a notify from a master, it prefers fetching from that master, afaik.

> Question 2: I am also seeing many entries in our logs that look like:
> Dec 4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
> Does this mean that the master name server is unreachable? I have confirmed that it is reachable by UDP and TCP. Or does it mean that we are hitting one of our limits? Our current values are:
> serial-query-rate 500;
> transfers-out 300;
> transfers-in 300;
> transfers-per-ns 100;

I would try increasing limits, starting with transfers-in. You can check in the logs or via netstat (or a packet dump) how many transfers were executed in parallel (to know which parameter to increase).

> Question 3: We have over 100,000 domains on the name servers. What we see is that once we start seeing many of these "exceeded" messages in the logs, then our "soa queries in progress" will go up significantly and never go back down. We have to shut down the name server and restart it, and then the "soa queries in progress" goes down to 0 or 1 and the "exceeded" messages go away. Has anyone had a similar problem? If so, how did you resolve this?

With 100k zones, you must increase limits. Or use a different technique for distributing changes, e.g. NOTIFY, and increase the refresh (and retry) times to avoid useless timeouts.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Due to unexpected conditions Windows 2000 will be released in first quarter of year 1901
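The advice above is to read the logs to see how many transfers actually ran in parallel before deciding which limit to raise. The script below is an added example (not BIND or ISC code, not from the list) that does exactly that over named's xfer-in messages: it pairs "Transfer started." with "Transfer completed" lines to find the peak number of concurrent inbound transfers overall and per master, counts the "retry limit for master ... exceeded" messages per master, and reports which of transfers-in or transfers-per-ns the observed peaks reached. The log lines are constructed samples in the shape of named's messages; the `10.10.x.y` addresses and zone names are taken from the thread or made up.

```python
"""Peak concurrent zone transfers and retry-limit errors from named logs.

Added example for the "Preference of Master Name Servers" thread; not BIND
or ISC code. The sample log below is constructed to mimic named's xfer-in
and refresh messages.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List

STARTED = re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+): Transfer started\.")
COMPLETED = re.compile(r"transfer of '(?P<zone>[^']+)' from (?P<master>\S+): Transfer completed")
RETRY_LIMIT = re.compile(r"zone (?P<zone>\S+): refresh: retry limit for master (?P<master>\S+) exceeded")

# Constructed sample, modelled on named's log format (not a real capture).
SAMPLE_LOG = """\
Dec  4 10:28:40 mysys named[28103]: transfer of 'a.example/IN' from 10.10.100.12#53: Transfer started.
Dec  4 10:28:40 mysys named[28103]: transfer of 'b.example/IN' from 10.10.100.12#53: Transfer started.
Dec  4 10:28:41 mysys named[28103]: transfer of 'c.example/IN' from 10.10.101.12#53: Transfer started.
Dec  4 10:28:42 mysys named[28103]: transfer of 'a.example/IN' from 10.10.100.12#53: Transfer completed: 1 messages, 12 records, 410 bytes, 0.003 secs (136666 bytes/sec)
Dec  4 10:28:43 mysys named[28103]: transfer of 'd.example/IN' from 10.10.100.12#53: Transfer started.
Dec  4 10:28:44 mysys named[28103]: transfer of 'b.example/IN' from 10.10.100.12#53: Transfer completed: 1 messages, 9 records, 320 bytes, 0.002 secs (160000 bytes/sec)
Dec  4 10:28:45 mysys named[28103]: transfer of 'c.example/IN' from 10.10.101.12#53: Transfer completed: 1 messages, 7 records, 250 bytes, 0.002 secs (125000 bytes/sec)
Dec  4 10:28:46 mysys named[28103]: transfer of 'd.example/IN' from 10.10.100.12#53: Transfer completed: 1 messages, 15 records, 500 bytes, 0.004 secs (125000 bytes/sec)
Dec  4 10:28:49 mysys named[28103]: zone mysample.me.uk/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:29:49 mysys named[28103]: zone e.example/IN: refresh: retry limit for master 10.10.101.12#53 exceeded (source 10.10.100.25#0)
Dec  4 10:30:02 mysys named[28103]: zone f.example/IN: refresh: retry limit for master 10.10.102.5#53 exceeded (source 10.10.100.25#0)
""".splitlines()


def analyse_xfer_log(lines: Iterable[str]) -> Dict:
    """Walk the log in order, tracking in-flight transfers by (zone, master)."""
    in_flight = set()
    peak = 0
    per_master_peak: Counter = Counter()
    retry_exceeded: Counter = Counter()
    completed = 0
    for line in lines:
        m = STARTED.search(line)
        if m:
            in_flight.add((m["zone"], m["master"]))
            peak = max(peak, len(in_flight))
            busy = sum(1 for _, master in in_flight if master == m["master"])
            per_master_peak[m["master"]] = max(per_master_peak[m["master"]], busy)
            continue
        m = COMPLETED.search(line)
        if m:
            in_flight.discard((m["zone"], m["master"]))
            completed += 1
            continue
        m = RETRY_LIMIT.search(line)
        if m:
            retry_exceeded[m["master"]] += 1
    return {
        "peak_parallel": peak,
        "per_master_peak": dict(per_master_peak),
        "completed": completed,
        "still_running": len(in_flight),
        "retry_limit_exceeded": dict(retry_exceeded),
    }


def limits_hit(stats: Dict, transfers_in: int, transfers_per_ns: int) -> List[str]:
    """Name the configured limits that the observed peaks reached."""
    hit = []
    if stats["peak_parallel"] >= transfers_in:
        hit.append("transfers-in")
    if any(n >= transfers_per_ns for n in stats["per_master_peak"].values()):
        hit.append("transfers-per-ns")
    return hit


if __name__ == "__main__":
    stats = analyse_xfer_log(SAMPLE_LOG)
    print(stats)
    print("limits reached:", limits_hit(stats, transfers_in=3, transfers_per_ns=100))
```

Run it against a real log by replacing `SAMPLE_LOG` with the file's lines; if `retry_limit_exceeded` grows while `peak_parallel` stays well below transfers-in, the problem is more likely the master's reachability or serial-query-rate than the transfer limits.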
Re: is there a also-allow-transfer
On 13/12/12 9:46, Feng He wrote:
> acl "NAMESVR" { 74.81.81.82; };

On 13.12.12 10:00, Sten Carlsen wrote:
> NAMESVR is an acl, it could look like {74.81.0.0/16} or {any}
> Essentially it is a kind of bitmask, not a list of IPs.

>> options {
>>     directory "/var/cache/bind";
>>     recursion no;
>>     version "unknown";
>>     allow-transfer { NAMESVR; };
>>     also-notify { NAMESVR; };

> All notifys must have a list of IPs, if the acl was any, you would have to notify the full internet. The mechanism is designed to accept only a list of IPs. It cannot accept an acl.

You can define a master server via the masters {} directive, and use it in the also-notify {} clause. You will just have to define 74.81.81.82 two times - in both the acl and masters directives...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: zone files in bind-9.9
On 06.01.13 21:23, Feng He wrote:
> I upgraded my BIND from 9.7 to 9.9. For BIND 9.7 all zone files under /var/cache/bind are clear text. But under BIND 9.9 it seems the zone files are binary format. So how can we check the content of zone files now?

"named-compilezone -j -F text" should do.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: lame-servers: error (FORMERR) resolving [something]
> Sometimes I can't resolve some addresses and, in the logs, I can find the message in the title:
> lame-servers: error (FORMERR) resolving [something]
> (where `something` is the address I'm trying to resolve).
>
> What does it mean?

2013/1/8 Shane Kerr
> When acting as a recursive resolver, BIND 9 follows the chain of delegation from the root, contacting name servers identified for each domain on the way. In this case, one of those name servers returned a packet that BIND 9 did not like for some reason - a FORMat ERRor. The offending server is marked as "lame" since it cannot answer queries for the domain in question. The message should also include the IP address of the server that it is going to at the end of the line.

On 08.01.13 13:05, Daniele wrote:
> So it's not my responsibility to resolve the problem, right? The point is that, sometimes, I can't resolve an address because of these lame servers, and dig (for example) fails. Is it possible?

Possible, yes. But I would not be sure, since there are many different reasons for lookups to fail. And there are a few web services that check proper DNS functionality. I advise checking with more of them, since there's none I would completely trust.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Wildcard CNAME record?
On 16.01.13 14:57, Baird, Josh wrote:
> Is it acceptable to have a wildcard CNAME? Example:
>
> * IN CNAME somewhere.com.
>
> Or, would it be advised to only use wildcard 'A' records?

While it is technically valid, I don't think it's acceptable to use solutions that require wildcards ;-)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Wildcard CNAME record?
Matus UHLAR - fantomas wrote:
> On 16.01.13 14:57, Baird, Josh wrote:
>> Is it acceptable to have a wildcard CNAME? Example:
>>
>> * IN CNAME somewhere.com.
>>
>> Or, would it be advised to only use wildcard 'A' records?
>
> While it is technically valid, I don't think it's acceptable to use solutions that require wildcards ;-)

On 16.01.13 15:16, Tony Finch wrote:
> RFC 4592 is enlightening in a rather unpleasant manner.

Yes, very unpleasant. I read that more than once and was repeatedly not able to fully understand it.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: lame-servers: error (FORMERR) resolving [something]
On 22.01.13 11:18, Daniele wrote:
> My router doesn't maintain a DNS cache, so it must be my ISP's fault. The last questions, if it's possible: what happens when my 'named' starts an iterative query? Does it arrive at the real root-server (first of all),

It should, but it appears that it does not. Your ISP seems to be intercepting those messages. Ask your ISP how to turn it off.

> or is it processed by some other cache-server on the path? And why doesn't 'named' "understand" the responses from these cache-servers?

In your case it's getting non-authoritative responses, but with recursion allowed. Both are unexpected so named complains.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
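The two "lame-servers: error (FORMERR)" messages above describe what an iterative resolver sees in the reply header: a FORMERR rcode from the server it asked, or (the interception case) a reply that is not authoritative but has the recursion-available bit set. The Python below is an added example for both messages, not code from the posts or from BIND. It decodes the 12-byte DNS header and labels a reply the way those two replies reason about it. The messages are built inline with build_response() and the query name example.com is a placeholder.

```python
"""Classify DNS replies the way an iterative resolver step would see them.

Added example for the two "lame-servers: error (FORMERR)" messages above;
it is not code from the posts or from BIND. It demonstrates the two
conditions the replies describe: an rcode of FORMERR from the server that
was asked (the logged error), and a reply with AA=0 and RA=1, which is the
"non-authoritative response with recursion allowed" a resolver gets when
a cache on the path answers instead of the authoritative server. Messages
are built inline with build_response(); the query name is a placeholder.
"""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, aa=0, tc=0, rd=0, ra=0, rcode=0):
    """Build a minimal response: header + echoed question (A/IN), no answer RRs."""
    flags = (1 << 15) | (aa << 10) | (tc << 9) | (rd << 8) | (ra << 7) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify_iterative_reply(msg, expected_id):
    """Label a reply received for a non-recursive (RD=0) query sent to one server."""
    h = parse_header(msg)
    if h["id"] != expected_id:
        return "id-mismatch"          # not ours: drop, do not cache
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 1:
        return "formerr"              # server rejected our query format; BIND logs it as lame
    if h["rcode"] not in (0, 3):
        return RCODES.get(h["rcode"], "rcode-%d" % h["rcode"]).lower()
    if h["aa"]:
        return "authoritative"        # what an iterative step expects from the zone's server
    if h["ra"]:
        # AA=0 with RA=1: a recursive cache answered, not the authority we addressed.
        # RA alone is a hint (some authoritative servers set it), but together with
        # a non-authoritative answer it is the pattern described in the thread.
        return "non-authoritative-recursive"
    return "referral-or-non-authoritative"


if __name__ == "__main__":
    samples = {
        "authoritative": build_response(0x1234, "example.com.", aa=1),
        "formerr": build_response(0x1234, "example.com.", rcode=1),
        "intercepted": build_response(0x1234, "example.com.", ra=1),
    }
    for label, msg in samples.items():
        print(label, "->", classify_iterative_reply(msg, 0x1234))
```

To check a live path the same way, send a query with RD=0 straight to a root server address and feed the raw reply to classify_iterative_reply(); an authoritative server should never come back as "non-authoritative-recursive".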
Re: reverse resolution failing
Jim Pazarena wrote:
> while it can resolve "webmail.acrodex.com" ( 139.142.184.10 ) it cannot reverse resolve 139.142.184.10

On 07.02.13 17:51, Tony Finch wrote:
> 10.184.142.139.in-addr.arpa. CNAME 10.0-25.184.142.139.in-addr.arpa.
> 0-25.184.142.139.in-addr.arpa. NS pluto.acrodex.com.
> 0-25.184.142.139.in-addr.arpa. NS nova.acrodex.com.
> 0-25.184.142.139.in-addr.arpa. NS saturn.acrodex.com.
>
> Nova does not exist. Pluto refuses most questions for 10.0-25.184.142.139.in-addr.arpa except if you ask for a PTR, in which case it replies with a bogus question section containing 139.0.184.142.in-addr.arpa. Saturn works OK for most questions, and returns a PTR record if you ask for ANY, but if you request a PTR directly it ignores you.

Some kind of lame DNS "load balancers"?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: question about dns query distribution
On 08.02.13 20:01, benjamin fernandis wrote:
> We have recursive / caching name servers for our Broadband internet services. And we have a 60-40 traffic ratio. I mean 60% of queries come to the primary and 40% to the secondary. Why does the primary not get 100%? Is there any way to do it? Or what is the reason behind it that both servers are getting queries?

There are cases where a DNS resolver sorts IP addresses and thus prefers one of them. There are also cases where a DNS resolver measures response time and uses the faster DNS server.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Difference between multiple NS and NS having multiple A
In message , Alexander Gurvitz writes:
> Is there any practical difference between the following two:
>
> example.com. NS ns1.example.com.
> example.com. NS ns2.example.com.
> ns1.example.com. A 1.1.1.1
> ns2.example.com. A 1.1.1.2
>
> example.com. NS ns.example.com.
> ns.example.com. A 1.1.1.1
> ns.example.com. A 1.1.1.2

On 18.02.13 08:43, Mark Andrews wrote:
> Yes. It makes fault isolation harder. The same applies for servers behind load balancers.

But the second case makes adding nameservers easier, and makes more sure that some customers don't decide to overload one of the servers by adding any of them. When BIND (or whomever) logs a nameserver it should log both name and IP.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: broken ISP in china
On 19.02.13 10:25, Noel Butler wrote:
> One thing I need to point out, your SOA timings seem extreme...
>
> refresh 86400 drop that to 3h
> retry 3600, drop to 900

I don't see the reason for doing these, unless NOTIFY does not work, but in such case it's the NOTIFY that should be fixed...

> expire 604800 change that to 4w

not needed but

> and negative cache value 86400 drop that to no more than 3600, maybe even just use 600.

I agree with this one. The value 86400 for negative cache is widely used, but mostly from an obsolete understanding of the SOA field name "minimum".

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
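The exchange above is about the five SOA timers and, in particular, the last field, which RFC 2308 redefined from "minimum TTL" to the negative caching TTL. The Python below is an added example for this thread, not code from the posts or from BIND: it parses the timers in zone-file syntax, including BIND's w/d/h/m/s suffixes and parenthesised multi-line form, and flags the things a reviewer would look for. The thresholds are assumptions taken from the discussion (negative caching TTL above 3600 s; retry not shorter than refresh; expire not longer than refresh plus retry, which would let a secondary expire the zone before it has retried once). The two sample records are constructed: the timers as quoted in the thread and the suggested replacement.

```python
"""Parse SOA timers and flag the values the thread calls out.

Added example, not code from the original posts or from BIND. It parses
the five SOA timers in zone-file syntax (plain seconds or the w/d/h/m/s
suffixes BIND accepts) and checks them. The thresholds are assumptions
drawn from the discussion: the negative caching TTL (the SOA "minimum"
field, given that meaning by RFC 2308) should not exceed 3600 s, retry
should be shorter than refresh, and expire should be longer than
refresh plus retry, otherwise a secondary can expire the zone before it
has retried once. The sample records are constructed.
"""
import re

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_ttl(text):
    """Convert '604800', '4w', '3h' or '1d12h' into seconds."""
    text = text.strip().lower()
    if text.isdigit():
        return int(text)
    total, pos = 0, 0
    for m in re.finditer(r"(\d+)([wdhms])", text):
        if m.start() != pos:                  # garbage between units
            raise ValueError("bad TTL: %r" % text)
        total += int(m.group(1)) * UNITS[m.group(2)]
        pos = m.end()
    if pos == 0 or pos != len(text):          # nothing parsed, or trailing garbage
        raise ValueError("bad TTL: %r" % text)
    return total


def parse_soa(rdata):
    """Parse SOA RDATA in presentation form; parentheses and ';' comments allowed."""
    fields = []
    for line in rdata.splitlines():
        line = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
        fields.extend(line.split())
    if len(fields) != 7:
        raise ValueError("expected 7 SOA fields, got %d" % len(fields))
    mname, rname, serial, refresh, retry, expire, minimum = fields
    return {
        "mname": mname, "rname": rname, "serial": int(serial),
        "refresh": parse_ttl(refresh), "retry": parse_ttl(retry),
        "expire": parse_ttl(expire), "minimum": parse_ttl(minimum),
    }


def lint_soa(soa, max_negative_ttl=3600):
    """Return a list of findings; an empty list means the timers pass the checks."""
    findings = []
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry %ds is not shorter than refresh %ds"
                        % (soa["retry"], soa["refresh"]))
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        findings.append("expire %ds does not exceed refresh + retry (%ds)"
                        % (soa["expire"], soa["refresh"] + soa["retry"]))
    if soa["minimum"] > max_negative_ttl:
        findings.append("negative caching TTL (SOA minimum) %ds exceeds %ds"
                        % (soa["minimum"], max_negative_ttl))
    return findings


# Constructed samples: the timers quoted in the thread, and the suggested replacement.
SOA_AS_POSTED = "ns1.example. hostmaster.example. 2013021901 86400 3600 604800 86400"
SOA_SUGGESTED = """ns1.example. hostmaster.example. (
    2013021902 ; serial
    3h         ; refresh
    900        ; retry
    4w         ; expire
    600 )      ; negative caching TTL"""

if __name__ == "__main__":
    for text in (SOA_AS_POSTED, SOA_SUGGESTED):
        print(lint_soa(parse_soa(text)) or "no findings")
```

Feed it the RDATA from `dig +short SOA zone` (the seven fields, space separated) to check a zone you do not control; the long refresh and retry in the posted record produce no finding on their own, which matches the reply above that they are only a problem where NOTIFY does not work.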
Re: BIND master , Windows 2008 stub zone not transferring
On 20.02.13 17:41, Sowmya Manjanatha wrote:
> Subject: BIND master , Windows 2008 stub zone not transferring
>
> I am having the same issue and saw a couple of questions but didn't see any resolutions. Anyone have any luck with this?

A stub zone is never transferred. It is only queried for NS records, for BIND to know whom to ask for records.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: allow-query and views
On 21.02.13 08:59, Robert Moskowitz wrote:
> I am reading: https://www.isc.org/software/bind/faq and 'What has changed in the behavior of "allow-recursion" and "allow-query-cache"'. I am struggling here trying to match up the various access control features, particularly when we are supposed to have different views for different clients.
>
> So for my internal view where I:
>
> match-clients { httnets; };
> match-destinations { httnets; };
> recursion yes;
> allow-query { httnets; };

allow-query is useless here, unless you have disabled it somewhere. The match-clients does enough.

> Do I also add allow-query-cache { httnets; }; ???

You apparently want to turn on recursion for your clients, which means you should use "allow-recursion" and let allow-query-cache be the same by default.

> And for the external view where:
>
> match-clients { any; };
> match-destinations { any; };
> allow-query { any; };
> recursion no;
>
> Do I add: allow-query-cache { localhost; }; ???
>
> Supposedly localhost will fall into the internal view (along with httnet)

Does localhost belong to the httnets ACL?

> , so nothing should be querying cache?

Correct, no external hosts should query your cache.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: Resolver behavior on expired TTLs
On 21.02.13 10:38, John Miller wrote:
> Here's something I hadn't put much thought into until recently--it's never been a problem--how do resolvers behave when they receive a request for an expired entry in the cache, but cannot contact the authoritative nameserver? I'd imagine they return a SERVFAIL, but I could see NXDOMAIN as well. Does anyone know the answer?

They should not send anything but SERVFAIL if they are unable to do the resolution. SERVFAIL should cause the client to ask another server, while NXDOMAIN means that the host does not exist and the client can stop searching.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: allow-query and views
On 21.02.13 11:08, Robert Moskowitz wrote:
> On 02/21/2013 10:40 AM, Matus UHLAR - fantomas wrote:
>> On 21.02.13 08:59, Robert Moskowitz wrote:
>>> I am reading: https://www.isc.org/software/bind/faq and 'What has changed in the behavior of "allow-recursion" and "allow-query-cache"'. I am struggling here trying to match up the various access control features, particularly when we are supposed to have different views for different clients.
>>>
>>> So for my internal view where I:
>>>
>>> match-clients { httnets; };
>>> match-destinations { httnets; };
>>> recursion yes;
>>> allow-query { httnets; };
>>
>> allow-query is useless here, unless you have disabled it somewhere. The match-clients does enough.
>
> No. allow-query made my internal view available to my local clients.

allow-query defaults to all. match-clients directs your internal clients to the internal view and unless you have disabled querying elsewhere, allowing it is not important.

> Check my earlier posts here. I was down here with just the match-clients and without the allow-query; all local hosts were getting denied access. It was painful for a little while.

Probably they did not have recursion enabled. allow-recursion defaults to local networks, if not specified directly or by allow-query-cache.

>>> Do I also add allow-query-cache { httnets; }; ???
>>
>> You apparently want to turn on recursion for your clients, which means you should use "allow-recursion" and let allow-query-cache be the same by default.
>
> Recursion seems to be working with just "recursion yes" here.

Recursion by itself, yes. But the default for allow-recursion might not be enough for you. In fact, you can use "allow-recursion { all; };" and still only internal clients (in the internal view) would have it allowed.

> What does allow-recursion add given all the other restrictive clauses?

It allows specified clients to use recursion. Both allow-query-cache and allow-recursion default to the other one, when only one is specified. However, allow-recursion gives a better idea of what is really allowed.

>>> And for the external view where:
>>>
>>> match-clients { any; };
>>> match-destinations { any; };
>>> allow-query { any; };
>>> recursion no;
>>>
>>> Do I add: allow-query-cache { localhost; };

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/