Re: success resolving xxx after disabling EDNS

2022-05-09 Thread Mark Andrews
-- Mark Andrews > On 9 May 2022, at 22:32, Veronique Lefebure > wrote: > > Second thought on this topic: > > are the BIND EDNS messages rather related to > > gr/DNSKEY (alg 8, id 13987): No response was received until the UDP payload > size was decreased, indicating that the server might

Re: DNS traffic tracking

2022-05-09 Thread Fred Morris
On Mon, 9 May 2022, Alex K wrote: [...] The problem now is that I see sometime 700MB of DNS traffic for 2GB of Internet browsing within one month. That's an eyebrow raiser. Tunneling, antivirus (or some other database using DNS as a key+value store), CDN? IoT fleet? Then comes the inevitable

Re: DNS traffic tracking

2022-05-09 Thread Peter Coghlan
Alex K wrote: >On Mon, May 9, 2022 at 2:46 PM Bjørn Mork wrote: >> >> FWIW I agree with the rate-limit recommendation. It solves both this >> and your original problem without any complicated and messy tracking. >> Just make DNS "free" up to some reasonable query rate. If there are >> clients w

"Length"-output in DNSSEC-Policy state-files vs. "Key Length"-output on dnsviz.net

2022-05-09 Thread Tom
Hi list Using BIND-9.16.27: I'm wondering about the value of the "Length"-field in the dnssec-policy state-file output, which results in "Length: 256" for domains, which are signed with algorithm 13 (ECDSAP256SHA256) and the "Key length"-output for the domain on "dnsviz.net" (ZSK or KSK), whic

Re: DNS traffic tracking

2022-05-09 Thread Alex K
On Mon, May 9, 2022 at 2:46 PM Bjørn Mork wrote: > Alex K writes: > > On Mon, May 9, 2022 at 1:51 PM Matus UHLAR - fantomas > > > wrote: > > > >> maybe someone uses VPN over DNS... > >> in such case, rate limiting of client comes to mind... > >> > > That would mean that the clients have access

Re: success resolving xxx after disabling EDNS

2022-05-09 Thread Veronique Lefebure
Second thought on this topic: are the BIND EDNS messages rather related to gr/DNSKEY (alg 8, id 13987): No response was received until the UDP payload size was decreased, indicating that the server might be attempting to send a payload that exceeds the path maximum transmission unit (PMTU) size

Re: success resolving xxx after disabling EDNS

2022-05-09 Thread Ondřej Surý
> On 9. 5. 2022, at 13:19, Veronique Lefebure > wrote: > > If the problem is simply ipv6, is it correct to say that the BIND messages > above are misleading? > Or is there really an EDNS-related issue? named has no way to know why the remote server didn’t reply and assumes it was EDNS Can **you** t

RE: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

2022-05-09 Thread DeCaro, James John (Jim) CIV DISA FE (USA) via bind-users
Thank you. That makes sense, I appreciate the feedback. V/R Jim DeCaro DISA Systems Administrator Windows and Unix/Linux Server Operations FE222/DoDNet Service Section Defense Enclave Services Directorate Defense Information Systems Agency ☎ 301-225-8180 ☎ 301-375-8180 james.j.decaro3@mail.

Re: [URL Verdict: Neutral][Non-DoD Source] Re: Attempting to configure an ISC BIND repository on Red Hat Linux 7.9

2022-05-09 Thread Michał Kępień
> Hello--sorry it took so long to respond. And I apologize for the length of > this email. > > Yes, the curl command returns an xml file. I included an excerpt from the > output: > > "About to connect() to download.copr.fedorainfracloud.org port 443 (#0) > * Trying 13.32.153.64... > * Connec

Re: DNS traffic tracking

2022-05-09 Thread Bjørn Mork
Alex K writes: > On Mon, May 9, 2022 at 1:51 PM Matus UHLAR - fantomas > wrote: > >> maybe someone uses VPN over DNS... >> in such case, rate limiting of client comes to mind... >> > That would mean that the clients have access to their own dns servers, > which the firewall does not allow. No, y

Re: DNS traffic tracking

2022-05-09 Thread Alex K
On Mon, May 9, 2022 at 1:51 PM Matus UHLAR - fantomas wrote: > >On 09. 05. 22 10:34, Alex K wrote: > >>The initial and current approach is to provide DNS free of charge, > >>which simplified things for me. Though the traffic in question is > >>satellite traffic with monthly allowances of roughly

Re: success resolving xxx after disabling EDNS

2022-05-09 Thread Veronique Lefebure
Hello, Now we are investigating another case: On our internal DNS server we see: 08-May-2022 20:48:14.248 edns-disabled: info: success resolving 'grid31.physics.uoi.gr/A' (in '.'?) after reducing the advertised EDNS UDP packet size to 512 octets 08-May-2022 20:48:14.249 edns-disabled: info: s

Re: DNS traffic tracking

2022-05-09 Thread Matus UHLAR - fantomas
On 09. 05. 22 10:34, Alex K wrote: The initial and current approach is to provide DNS free of charge, which simplified things for me. Though the traffic in question is satellite traffic with monthly allowances of roughly 4 to 8GB, thus every MB counts. The problem now is that I see sometime 700

Re: DNS traffic tracking

2022-05-09 Thread Petr Špaček
On 09. 05. 22 12:06, Alex K wrote: Hi Greg, On Mon, May 9, 2022 at 11:17 AM Greg Choules > wrote: Hi Alex. Your use case may be very different to the one I faced in my previous job. But there we did not and could not charge for DNS. I

Re: DNS traffic tracking

2022-05-09 Thread Alex K
Hi Greg, On Mon, May 9, 2022 at 11:17 AM Greg Choules < gregchoules+bindus...@googlemail.com> wrote: > Hi Alex. > Your use case may be very different to the one I faced in my previous job. > But there we did not and could not charge for DNS. It was seen as a > necessary but free resource. > If yo

Re: DNS traffic tracking

2022-05-09 Thread Alex K
On Mon, May 9, 2022 at 11:48 AM Petr Špaček wrote: > On 09. 05. 22 10:34, Alex K wrote: > > Hi Petr, > > > > On Mon, May 9, 2022 at 10:26 AM Petr Špaček > > wrote: > > > > On 06. 05. 22 17:02, Alex K wrote: > > > Hi all, > > > > > > I have the following

Re: understanding keymgr handling of KSK

2022-05-09 Thread Matthijs Mekking
Hi, On 09-05-2022 10:16, Bjørn Mork wrote: Michael Richardson via bind-users writes: 4) I don't understand the difference between "auto-dnssec maintain;" and "dnssec-policy default" (given that I haven't overridden anything). I believe the only difference is that the latter will track

Re: DNS traffic tracking

2022-05-09 Thread Petr Špaček
On 09. 05. 22 10:34, Alex K wrote: Hi Petr, On Mon, May 9, 2022 at 10:26 AM Petr Špaček > wrote: On 06. 05. 22 17:02, Alex K wrote: > Hi all, > > I have the following problem: I run a caching dns server using bind9 > v9.10.3 in a gateway device w

Re: DNS traffic tracking

2022-05-09 Thread Alex K
Hi Petr, On Mon, May 9, 2022 at 10:26 AM Petr Špaček wrote: > On 06. 05. 22 17:02, Alex K wrote: > > Hi all, > > > > I have the following problem: I run a caching dns server using bind9 > > v9.10.3 in a gateway device which serves several internal LAN IP > > addresses (clients). I am doing so

Re: DNS traffic tracking

2022-05-09 Thread Greg Choules via bind-users
Hi Alex. Your use case may be very different to the one I faced in my previous job. But there we did not and could not charge for DNS. It was seen as a necessary but free resource. If you *really* want to account for how many queries clients are making, a quick and dirty solution is enabling queryl

Re: understanding keymgr handling of KSK

2022-05-09 Thread Bjørn Mork
Michael Richardson via bind-users writes: > I have moved from dnssec-tools to having bind9 do all the management itself. > There are a couple of things that I don't understand, and I find that the > FAQs and howtos I've read are rather too introductory for me. > I have been signing my zones since

Re: Supporting LOC RR's

2022-05-09 Thread Havard Eidnes via bind-users
> On 2022-05-02 18:01, Timothe Litt wrote: >> Still, overall DNS seems to generate more problems than fun, so if LOC >> provides amusement, it's a good thing. > > I know one of my users found them quite amusing. I can't recall what > location they picked or why, but it had some sort of personal > s

Re: Determining Which Authoritative Sever to Use (Bob McDonald)

2022-05-09 Thread Petr Špaček
I have to warn you: Authoritative server selection in DNS is not standardized, and thus it is not guaranteed to be stable even between BIND releases. If you need to make static and/or optimal routing then you need to reach into IP routing layer for that. Petr Špaček On 08. 05. 22 18:57, B

Re: DNS traffic tracking

2022-05-09 Thread Petr Špaček
On 06. 05. 22 17:02, Alex K wrote: Hi all, I have the following problem: I run a caching dns server using bind9 v9.10.3 in a gateway device which serves several internal LAN IP addresses (clients). I am doing some traffic accounting in the gateway device using Linux conntrack so as to calc