I would try using RPZ with a combination of views and match-clients.
http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zones-rpz/
-Original Message-
From: Emiliano Vazquez
Organization: PcCentro Informatica & CCTV
Date: Tuesday, July 24, 201
In message <500ed56f.1080...@gmail.com>, Daniel Migault writes:
> Actually we detected these ripe.net ANY requests by observing an
> increase in TCP DNS requests due to large DNSSEC responses. IP address
> does not seem spoofed. It seems these (very few) clients wait 10 sec
> before closing thei
In article ,
Stayvoid wrote:
> Hi,
>
> dig .in-addr.arpa. AXFR outputs "Transfer failed."
>
> I've already checked "netstat -anp." Looks OK.
> dig works.
> sudo named-checkzone /etc/bind/db. outputs "OK."
> sudo named-checkzone .in-addr.arpa. /etc/bind/db.
> outputs "OK" too.
>
> What shoul
In message
, Paul Reilly writes:
> Hello gurus,
>
> Is it possible using the BIND resolver to filter out record replies to
> end clients?
BIND 9.10 has the following but we are not yet up to alpha release state
yet.
3327. [func] Added 'filter--on-v6' option; this is similar
On 07/24/2012 05:10 PM, Mark Andrews wrote:
No. It was a kernel bug. The kernel wouldn't let you un-bind the
socket. When you sent to 127.0.0.1 the local address was set to
127.0.0.1 then when you sent to some other address 127.0.0.1 was
used as the source address which doesn't work. Modern r
In message <1343137909.13057.yahoomail...@web125605.mail.ne1.yahoo.com>, Kovács Albert writes:
> Hello,
>
> I have bind 9.9.1-P1 as a slave dns. I noticed that it couldn't access some z
> ones from the master server, and it renamed some zone files to "db-"
>
> The fol
In message <500ea815.6050...@brandeis.edu>, John Miller writes:
> Thanks, Kevin. It sounds like if there was a bug in the resolver when
> using 127.0.0.1, it's long since been resolved. For the reason of
> portability alone, 127.0.0.1's a good choice, and what we've been doing.
> I hadn't c
Hi,
dig .in-addr.arpa. AXFR outputs "Transfer failed."
I've already checked "netstat -anp." Looks OK.
dig works.
sudo named-checkzone /etc/bind/db. outputs "OK."
sudo named-checkzone .in-addr.arpa. /etc/bind/db.
outputs "OK" too.
What should I check?
Cheers
Hi Michael,
> Since you mention "IPv6 works internally," are the clients actually
> querying your name server over v6 or v4?
>
Our DNS servers only listen on IPv4.
> It might not meet your exact requirements, but have you checked the ARM
> for filter--on-v4?
>
That option looks like it m
-Original Message-
From: Paul Reilly
Date: Tuesday, July 24, 2012 11:06 AM
To: "bind-users@lists.isc.org"
Subject: Filtering IPv6 records?
>Is it possible using the BIND resolver to filter out record replies
>to end clients?
>
>Since Google added an IPv6 record, I'm havin
Hello gurus,
Is it possible using the BIND resolver to filter out record replies to
end clients?
Since Google added an IPv6 record, I'm having problems with some Macs
trying to connect to Google on IPv6 instead of IPv4.
We have a partial IPv6 network. IPv6 works internally, but outbound
Introduction
BIND 9.9.1-P2 is the latest production release of BIND 9.9.
This document summarizes changes from BIND 9.9.0 to BIND 9.9.1-P2.
Please see the CHANGES file in the source code release for a complete
list of all changes.
Download
The latest versions of BIND 9 software can al
Introduction
BIND 9.8.3-P2 is the latest production release of BIND 9.8.
This document summarizes changes from BIND 9.8.2 to BIND 9.8.3-P2.
Please see the CHANGES file in the source code release for a
complete list of all changes.
Download
The latest versions of BIND 9 software can al
Introduction
BIND 9.6-ESV-R7-P2 is the latest production release of BIND
9.6-ESV.
BIND 9.6-ESV is an Extended Support Version of BIND 9.
This document summarizes changes from BIND 9.6-ESV-R6 to BIND
9.6-ESV-R7-P2. Please see the CHANGES file in the source code
release for a complete
Introduction
BIND 9.7.6-P2 is the latest production release of BIND 9.7.
This document summarizes changes from BIND 9.7.5 to BIND 9.7.6-P2.
Please see the CHANGES file in the source code release for a
complete list of all changes.
Download
The latest versions of BIND 9 software can al
Note: This email advisory is provided for your information. The most up
to date advisory information will always be at:
https://kb.isc.org/article/AA-00729
please use this URL for the most up to date advisory information.
Title: Heavy DNSSEC Validation Load Can Cause a "Bad Cache" Assertion
Failur
ISC Security Advisory:
Note: This email advisory is provided for your information. The most up
to date advisory information will always be at:
https://kb.isc.org/article/AA-00730
please use this URL for the most up to date advisory information.
Title: High TCP Query Load Can Trigger a Memory Leak
Hi to everyone!
I'm stuck with this!
I need to do the following but I did not find the real solution.
My problem:
I need to block some IPs from the LAN to specific places, like
"Facebook.com"
I do this with Squid but https transport is encrypted and never goes to
Squid. There are some news
Actually we detected these ripe.net ANY requests by observing an
increase in TCP DNS requests due to large DNSSEC responses. IP address
does not seem spoofed. It seems these (very few) clients wait 10 sec
before closing their TCP connection, which increases the platform load.
We think it is a mal
masterfile-format text;
bind9.0.x default format at slave is raw...
On 2012. 7. 25. 1:23, Doug Barton wrote:
> On 7/24/2012 6:51 AM, Kovács Albert wrote:
>> Hello,
>>
>> I have bind 9.9.1-P1 as a slave dns. I noticed that it couldn't access some
>> zones from the master server, and it renamed some z
On 7/24/2012 6:51 AM, Kovács Albert wrote:
> Hello,
>
> I have bind 9.9.1-P1 as a slave dns. I noticed that it couldn't access some
> zones from the master server, and it renamed some zone files to "db-"
>
> The following message was logged:
>
> "zone foo.bar/IN: unable to load from 'fo
On Mon, Jul 23, 2012 at 04:49:24PM +0200,
Stephane Bortzmeyer wrote
a message of 15 lines which said:
> Buggy. It parses the DNS packet from the end and therefore fails
> with EDNS packets (which have the OPT resource record at the end).
After checking, I stand corrected. This is not the orig
Hello,
I have bind 9.9.1-P1 as a slave dns. I noticed that it couldn't access some
zones from the master server, and it renamed some zone files to "db-"
The following message was logged:
"zone foo.bar/IN: unable to load from 'foo.bar.zone'; renaming file to
'db-L3yXPcbQ' for failure an
Thanks, Kevin. It sounds like if there was a bug in the resolver when
using 127.0.0.1, it's long since been resolved. For the reason of
portability alone, 127.0.0.1's a good choice, and what we've been doing.
I hadn't considered the NIC offloading issue, but I suppose it _could_
happen.
Th
On 12-07-24 07:53 AM, Phil Mayers wrote:
> On 24/07/12 12:05, Brian J. Murrell wrote:
>
> Change ISP?
A. You must be one of those people who live in that part of the
world where internet service providing is not a monopoly, duopoly or at
best a price-fixing oligopoly. :-) Unfortunately tha
On 24/07/12 12:05, Brian J. Murrell wrote:
Is this just broken NS software or are they (Nintendo, FWIW) doing
Looks broken to me.
I note that IP doesn't have a reverse. This suggests to me it's not any
kind of nameserver, but rather part of their general pool - perhaps a
random desktop.
On 12-07-24 07:05 AM, Brian J. Murrell wrote:
> I've come across something interesting in my named logs:
>
> 00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache)
> '5.37.58.216.in-addr.arpa/PTR/IN' denied
> 00:14:37 named client 205.166.76.12#60486: view greatunwashed: que
I've come across something interesting in my named logs:
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache)
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00:14:37 named client 205.166.76.12#60486: view greatunwashed: query (cache)
'5.37.58.216.in-addr.arpa/PTR/IN' denied
00: