Re: Which timeouts are used by BIND when resolving recursive queries?

2018-10-05 Thread Alberto Colosi
The RFC says it all. Read the RFC. BIND is a DNS system, not an alien, so follow the RFC. Go and read the RFC. From: bind-users on behalf of ip admin via bind-users Sent: Friday, October 5, 2018 4:13 PM To: bind-users@lists.isc.org Subject: Which timeouts are used by BIND when res

Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi
On the Internet it is likely to be linked to random seed generation. Check:
# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom
From: bind-users on behalf of Howard, Christop

Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi
Are your compiler and libs updated? From: bind-users on behalf of Howard, Christopher Sent: Tuesday, September 18, 2018 1:11 AM To: bind-users@lists.isc.org Subject: PRNG not seeded, service won't start I'm attempting to upgrade from bind 9.10.4-P8 to 9.12.2

Re: Need to move an NS server out of service

2018-08-06 Thread Alberto Colosi
Sorry for the missing letters, but my keyboard is broken, so to say. Usually DNS admins lower the TTL on the NS and/or A records that will have a change; look at the BIND docs to apply it. Without a specific record TTL, the SOA TTL is used. From: bind-users on behalf of King, Harold Cl

Re: Need to move an NS server out of service

2018-08-06 Thread Alberto Colosi
record and stop engine https://en.wikipedia.org/wiki/SOA_record Alberto Colosi From: bind-users on behalf of King, Harold Clyde (Hal) Sent: Monday, August 6, 2018 7:37 PM To: Bind Users Subject: Need to move an NS server out of service I have ns2.examp

Re: problems changing NS records

2018-04-26 Thread Alberto Colosi
Have you changed the zone registration? There is a DNS FQDN reference: if you change the DNS FQDN you have to update the zone on your NIC, as it is on the NIC, or wherever you registered the domain. From: bind-users on behalf of Lucio Crusca Sent: Thursday, April 26, 2018 3:18 P

Re: Somehow my DNS is not starting up

2018-04-18 Thread Alberto Colosi
Hi, it is a common problem! When you start as a user or as root, the service takes the shell permissions, not the service permissions. Check that the group and user named exist, that the directory and file access masks are right, and that the owner is right. As a last check, look at the BIND log, not systemd, for any error. Now I don't remember, but it should eve

Re: clean up an ddns zone

2018-03-23 Thread Alberto Colosi
RADIUS is only AAA and transmits Auth OK/KO to the VPN terminator, and IP allow/deny rules to the VPN terminator (IP filtering like iptables). So RADIUS only authenticates termination of the VPN tunnel and transmits the per-user linked policy deny and allow rules (like iptables, as said). I think the VPN terminator can be co

Re: baby steps...

2018-03-23 Thread Alberto Colosi
Over the years I had bad issues with ISC BIND on a Fedora box. Possibly it was my box, but after moving to the NIC IP all was fine. Yes, inside resolv.conf the NIC IP instead of localhost, e.g. 127.0.0.1. In all cases the IP socket has to open on layer 3 and shouldn't go on layer 2, as the socket knows that IP as REACHED. It ha

Re: "rule based" A records

2018-01-14 Thread Alberto Colosi
Go read about ISC BIND views. --- Alberto Colosi ITC NetWork & Security From: bind-users on behalf of Lucio Crusca Sent: Sunday, January 14, 2018 12:27 PM To: bind-users@lists.isc.org Subject: "rule based" A records I'm no

Re: bind-pkcs11-9.9.4-51.el7.x86_64 using bind-dyndb-ldap in CentOS it triggering an assertion failure

2017-10-13 Thread Alberto Colosi
SELinux in passive? You can put SETEnforce OFF in the conf. From: bind-users on behalf of Radu Pantiru Sent: Friday, October 13, 2017 10:49 AM To: bind-users@lists.isc.org Subject: Re: bind-pkcs11-9.9.4-51.el7.x86_64 usin

Re: Forcing external domains TTL value

2017-10-07 Thread Alberto Colosi
The TTL, if not record specific, on other DNS is defined inside the SOA; usually it should be 24H on the Internet, and if an admin like me puts it low, it is for a specific purpose such as a server change. It is strange you have so many low TTLs. I think you can only work on the cache TTL on your DNS, if there are other ways to arrive

Re: SOA serial increment when we update SOA RR

2017-10-04 Thread Alberto Colosi
SOA is a special record. As already said, to read: you update the SOA (it should be only for the email address, if not ONLY intranet NS). In all cases, if you make n updates it means n updates are needed. So the question is: why not reflect it on the slave NS, if any, increasing the SN, s

Re: Logging resolved IP

2017-09-19 Thread Alberto Colosi
Strange as a need; see the channels inside the logging engine. It is the user query log: create a log channel for the queries done. It does not change whether done from a client or from another DNS. Really, it is a huge-volume log (depending on the number of queries). From: bind-users on beha
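A complete logging stanza of the kind the reply above describes, added here as an illustration and not taken from the post or from the ISC documentation. The channel name, the log path and the rotation sizes are assumptions; the directives themselves are standard BIND 9 named.conf syntax:

```conf
// Added example: a dedicated query-log channel in named.conf.
// Channel name, file path and rotation sizes are assumptions.
logging {
    channel "querylog" {
        // Rotate after 50 MB and keep 10 older files: on a busy server
        // the query log grows very fast, as the reply above warns.
        file "/var/named/log/queries.log" versions 10 size 50m;
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // Send only the "queries" category here; everything else keeps
    // going to the default channels (default_syslog, default_debug).
    category queries { "querylog"; };
};

// In the existing options { ... } block: query logging is off until enabled.
options {
    querylog yes;
};
```

The same switch can be flipped at runtime without a reload with `rndc querylog on` and `rndc querylog off`, which is the usual way to capture a short window and avoid filling the disk. Each logged line carries the source address and port of the packet that reached this server; when a query came through another resolver or forwarder, that is the forwarder's address, not the end client's.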

Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Alberto Colosi
; way to gain access to the root TLD DNS engines. See you. From: bind-users on behalf of Reindl Harald Sent: Saturday, September 16, 2017 2:12 PM To: bind-users@lists.isc.org Subject: Re: Different forwarder for cerain response ip (result ip ) On 16.09.2017 at 13:30 s

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
Port 53 is only open towards the forwarders, as I read. You think to use different forwarders, so port 53 should be open to all IPs, right? I think you should read how DNS works, TLDs and so on. Simply drop the forwarders and only use the TLDs. From: bind-us

Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Alberto Colosi
on behalf of Reindl Harald Sent: Saturday, September 16, 2017 12:59 PM To: bind-users@lists.isc.org Subject: Re: Different forwarder for certain response ip (result ip ) On 16.09.2017 at 12:50 Alberto Colosi wrote: > Even in a hotel. Why not use a BIND on Unix or Windows on your >

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
Even in a hotel. Why not use a BIND on Unix or Windows on the box you are using? It is so easy. From: bind-users on behalf of Reindl Harald Sent: Saturday, September 16, 2017 12:46 PM To: bind-users@lists.isc.org Subject: Re: Different forwarder for cer

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
T USE Really better... and don't use Google DNS (1) Google knows what you do, 2) they are really slow, 3) I never saw any difference like protection or other). Alberto Colosi ITC NetWork & Security Architect & Administra

Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-09 Thread Alberto Colosi
I haven't seen it, as for a while I have had no servers to admin. As I always say to those I teach: right source for right content. NIST ok, but better InterNIC, as they maintain DNS: https://www.internic.net/domain/named.root As obvious, here is

Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-09 Thread Alberto Colosi
Why write here on the list? Simply it is a problem from your script (file overwrite), or the NIST file could be dirty. I hate automatic updates, especially every day, especially for the roots inside DNS (they change once every twenty years... if there is a change). I don't know the NIST file; I always used InterNIC for

Re: How to pause master zone updates to slave for couple of minutes

2017-09-04 Thread Alberto Colosi
Simply firewall port 53 TCP and UDP if behind a firewall, or use an ACL, or change the NS records if not yet propagated in a public domain. If you want to test from clients, see that the RFC SAP is around 5 minutes if I am not wrong, and use the PC firewall, or simply firewall it, or shut down the master engine, and so on.
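The ACL route mentioned above, written out as an added named.conf example (not from the post; the zone name and the secondary addresses are assumptions). In normal operation only the listed secondaries may pull the zone and only they are notified; for a test window the two marked lines are swapped and the server is asked to re-read its configuration:

```conf
// Added example: who may transfer the zone and who gets NOTIFY.
// Zone name and addresses are assumptions.
acl "secondaries" { 192.0.2.53; 198.51.100.53; };

zone "example.net" {
    type master;
    file "zones/example.net.zone";
    // Normal operation: AXFR/IXFR only for the secondaries, NOTIFY only
    // to the explicit list (not to every NS RR in the zone).
    allow-transfer { secondaries; };
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };

    // To pause replication for a few minutes, replace the two lines with:
    //     allow-transfer { none; };
    //     notify no;
    // and run `rndc reconfig`; restore them and reconfig again afterwards.
};
```

While paused, the secondaries keep serving the copy they already hold and only discard it when the SOA expire timer runs out, so a pause of a few minutes is harmless but a forgotten one is not. If the firewall is used instead, the reply is right to name both protocols: blocking TCP 53 alone stops the transfer itself, but NOTIFY and the SOA refresh check travel over UDP, so the secondaries would still learn that a newer serial exists and keep retrying.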

Re: How do I reset a DNSSEC zone ?

2017-08-20 Thread Alberto Colosi
It looks like the file referenced in the log is missing. SHA-1 RSA signing is obsolete and banned by NIST and ENISA; it is a CVE, or should be, if I remember well. All CAs only use SHA-2, no more version 1, as said before. SHA-2 and 2048 or greater. Your problem looks like a file permission, or the file is missing _

Re: Systemd bind9.service file?

2017-07-22 Thread Alberto Colosi
As just said in the previous mail: whenever you edit something, you should understand it. From: bind-users on behalf of Tom Browder Sent: Friday, July 21, 2017 10:48 PM To: bind-users@lists.isc.org Subject: Re: Systemd bind9.service file? On Fri, Jul 21, 2017 at 3:46

Re: Systemd bind9.service file?

2017-07-22 Thread Alberto Colosi
The main needs are start, stop and the PID file location. After you change a file in systemd you need to reload the config with a systemd statement. Read some tutorials like https://wiki.archlinux.org/index.php/systemd Obviously the files need to go where the scripts are and be linked inside the "different run levels".

Re: How to generate authoritative DNS64 reverse zone

2017-05-19 Thread Alberto Colosi
Hi, it is hard for an ISP to give you a reverse lookup zone. First of all, you need to "own" the whole zone (IPv4, a whole C class, for example). As a second thing, it is really hard to move definitions on a TLD like RIPE, ARIN, APNIC or others. It is more likely the ISP gives you (if the first line is true) cont

Re: DNS forwarding

2017-05-17 Thread Alberto Colosi
If you have as forwarder the DNS master for such zones (meaning that DNS knows how to resolve):
- check the ACL inside the conf
- check the authoritative (master DNS) logs and, if not implemented, put some log channels inside the conf to check

Re: Query on the Overload control mechanism for DNS Server

2017-04-30 Thread Alberto Colosi
y use ISC BIND RRL https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html I use it on my auth DNS box. Alberto Colosi Network & Security Admin & Architect Engineer From: bind-users on behalf of ramkishor
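An added example of the RRL configuration the reply points at; it is not the poster's configuration, and the numeric values and exempt ranges are assumptions to be tuned from your own logs. It starts in log-only mode so the effect can be reviewed before anything is dropped:

```conf
// Added example: response rate limiting on an authoritative server.
// Rates, prefix lengths and exempt ranges are assumptions.
options {
    recursion no;                 // RRL is meant for authoritative service

    rate-limit {
        responses-per-second 5;   // identical answers per client block per second
        errors-per-second 5;      // REFUSED, SERVFAIL and similar
        nxdomains-per-second 5;   // NXDOMAIN floods against random names
        window 5;                 // seconds over which unused credit accumulates
        slip 2;                   // every 2nd suppressed answer is sent truncated
                                  // (TC=1) so a real client retries over TCP
        ipv4-prefix-length 24;    // clients are counted per /24 ...
        ipv6-prefix-length 56;    // ... and per /56
        exempt-clients { 127.0.0.1; 192.0.2.0/24; };  // own monitoring, own resolvers
        log-only yes;             // dry run: log what would be limited, drop nothing
    };
};

logging {
    channel "rrl" {
        file "/var/named/log/rrl.log" versions 3 size 10m;
        print-time yes;
    };
    category rate-limit { "rrl"; };
};
```

After a few days of reading rrl.log, set `log-only no;` and reload. The point of RRL is the reflection case: an attacker spoofs a victim's source address and the authoritative server would otherwise answer the victim with large responses at full speed; limiting identical answers per client block caps that amplification while the TC=1 slip keeps genuine resolvers working. It is not a tool for a recursive resolver serving its own clients.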

Re: views

2017-04-19 Thread Alberto Rinaudo
8 service.example.net. 3599 IN A service_server_wan_ip Can you spot anything wrong with it? Thanks On 19 April 2017 at 09:37, Tony Finch wrote: > Alberto Rinaudo wrote: > > > I have a BIND installation on an AWS server and I'm trying to set up views > > to giv

views

2017-04-19 Thread Alberto Rinaudo
Hello, I have a BIND installation on an AWS server and I'm trying to set up views to give different responses based on the source location. It works fine when this DNS server is the first DNS used by a client; I guess because the source address used to discriminate between views is the last hop. If
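A minimal two-view configuration of the kind the question is about, added as an example (not the poster's configuration; the address ranges, zone and file names are assumptions). The comments spell out the property the poster ran into: `match-clients` only ever sees the address of the packet that reaches named.

```conf
// Added example: one zone, two answers, selected by the query's source address.
// Address ranges, zone and file names are assumptions.
acl "office" { 192.0.2.0/24; 2001:db8:1::/48; };

view "internal" {
    // match-clients tests the source address of the packet named receives.
    // A query relayed through an upstream resolver arrives from that
    // resolver's address, so it lands in whichever view that address matches,
    // whatever the original client was.
    match-clients { office; localhost; };
    recursion yes;
    zone "service.example.net" {
        type master;
        file "views/internal/service.example.net.zone";   // private address here
    };
};

view "external" {
    // Views are tried in order; the catch-all must come last.
    match-clients { any; };
    recursion no;
    zone "service.example.net" {
        type master;
        file "views/external/service.example.net.zone";   // public address here
    };
};
```

Two things to check when this is put in place: once any view exists, every zone, including the root hints, has to live inside a view or named will refuse to start; and the two zone files are independent copies, so the serial and the records in each have to be maintained separately.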

Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
Sorry, let me just add a comment to the previous mail: if whoever makes the query uses a DNS forwarding system (like using the ISP DNS as forwarders or as the direct resolver), you'll only have the ISP DNS on the last forward action. From: bind-users on behalf of Job Sent: Tuesday, Febru

Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
ut it is such a large log file (as with network accounting, it can't be live for "too much"). Alberto Colosi IT NetWork & Security Architect Engineer From: bind-users on behalf of Job Sent: Tuesday, February 28, 2017 2:35 PM To: bind-users@lists.isc.org S

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
s@lists.isc.org" Subject: bind 9 goes rogue and revert zone information Date: Tue, Feb 7, 2017 23:38 On 07.02.2017 at 23:31 Alberto Colosi wrote: > lucky you say > > zombie hosts, hijacked resources and poisoned DNS are not a hack > > In years at a Security Desk seat I had at least on

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
A zombie host is a valuable item for them. From: bind-users on behalf of Alan Clegg Sent: Tuesday, February 7, 2017 10:48 PM To: bind-users@lists.isc.org Subject: Re: bind 9 goes rogue and revert zone information On 2/7/17 8:42 AM, Alberto Colosi wrote: >

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
Disable it. From: Raul Dias Sent: Tuesday, February 7, 2017 3:34 PM To: Alberto Colosi; bind-users@lists.isc.org Subject: Re: bind 9 goes rogue and revert zone information Sorry, static files. It is the master server. No dynamic updates. Host under lxc with only

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
Hi, the named structure is unclear: is it a slave or a master, are dynamic updates enabled, and has the Unix box been hacked? As last: are the zones static files on the fs? From: bind-users on behalf of Raul Dias Sent: Tuesday, February 7, 2017 3:03 PM To: bind-users@lis

Re: rDNS

2017-01-20 Thread Alberto Colosi
don't own a full C subnet, or the ISP doesn't want to delegate (if your DNS server becomes unreachable it could harm something at the ISP), you can only try to ask the ISP to map the names on their DNS, the ISP DNS, and even this not all ISPs do, or it is done with the default IN-ADDR.ARPA naming. Alberto Colosi

Re: DNS and cache-expiration modification

2016-11-18 Thread Alberto ----
Never heard it was possible, also because it is populated on the fly from the forwarders and the TLDs. The cache is populated from answers and is not a physical zone; expiration is regulated by the TTL always sent in the answer, and an admin can change and specify a different TTL for each record, different from the SOA, for

Re: base domain doesn't respond with an IP

2016-11-02 Thread Alberto ----
Yes, so simple: as origin, or @, after the NS declarations put @ IN A ip.ip.ip.ip if I correctly understood the question. From: bind-users on behalf of lbutlr Sent: Wednesday, November 2, 2016 10:09 AM To: bind-users@lists.isc.org Subject: base

Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
Big security problem if you have an uncontrolled and unauthorized web server on that IP and it is not firewalled. To find it out, check the ARP tables on the switches to follow the switch port where it is physically linked. https://www.linkedin.com/in/alberto

Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
Hmmm, if they manage firewalls, they should be aware of TCP/IP fundamentals, how HTTP works and much more. The browser performs a GET on 146.142.7.113 with the RFC HTTP protocol, then 146.142.7.113 says item moved / redirect to http://us.watcheezy.com/ You have to check the web server configura

Re: Organization IP address is getting redirected to a website which does not belong to the organization.

2016-09-17 Thread Alberto ----
A security scan is only a probe and does not change a web server's content or configuration in any way. Performing an http://x1.x2.x3.x4 request, where x... are the 4 IP octets, does not involve DNS in any way. IP is loaded inside the IEEE MAC "train" but works with dotted IPv4/v6 addresses and not

Re: Maintain task frequency

2016-05-10 Thread Jorge Alberto Martínez Melo
/16 20:34, Barry S. Finkel wrote: On Mon, 9 May 2016 17:54:22 -0500, Jorge Alberto Martínez Melo wrote: Hello bind users, I am preparing some scripts to maintain some cache dns servers and I am thinking about the most appropriate frequency of these tasks: - to generate the root hints file (root

Maintain task frequency

2016-05-09 Thread Jorge Alberto Martínez Melo
Hello bind users, I am preparing some scripts to maintain some cache DNS servers and I am thinking about the most appropriate frequency of these tasks:
- to generate the root hints file (root cache).
- to clear the cache with rndc flush
- to generate the stats file with rndc stats
Thank you in ad

Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Alberto Zanon
Thank you for all your replies! I'll try to implement your suggestions using a subdomain. Best regards. Alberto Zanon - Original message - From: "Ben Croswell" To: "Alberto Zanon" Cc: bind-users@lists.isc.org Sent: Thursday, 17 January 2013 16:2

Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Alberto Zanon
NS dns.edistar.com.
TXT "vpn servers"
vpn_host_1.external_partner.com. IN A xxx.xxx.xxx.xxx
vpn_host_2.external_partner.com. IN A xxx.xxx.xxx.xxx
I read about the "forward first" option, but it is the opposite of my goal, correct? Thanks in advance for your responses.
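One way to get the effect the question asks for, added here as an example; it is not the suggestion made later in the thread (which is not visible on this page) and not the poster's configuration. The partner domain becomes a forward-only zone and each overridden host becomes its own one-record authoritative zone; named always picks the longest matching zone for a name, so the host zones win and every other name in the domain still goes to the partner's servers. The names `vpn1.partner.example` and `vpn2.partner.example` and the addresses stand in for the placeholders above; the underscore names as written would be rejected by the default `check-names` policy for master zones, which requires valid hostnames for A records.

```conf
// Added example: override two hosts in a partner's domain, forward the rest.
// Zone names, file names and addresses are assumptions.
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; 127.0.0.1; };   // internal clients only
};

// 1. The whole partner domain is forwarded, and only forwarded:
//    "forward only" never falls back to iterating from the root servers.
zone "partner.example" {
    type forward;
    forward only;
    forwarders { 203.0.113.53; 203.0.113.54; };
};

// 2. Each VPN endpoint is a tiny authoritative zone of its own. These are
//    longer matches than "partner.example", so named answers them locally;
//    www.partner.example and everything else still reaches the forwarders.
zone "vpn1.partner.example" {
    type master;
    file "zones/vpn1.partner.example.zone";
};
zone "vpn2.partner.example" {
    type master;
    file "zones/vpn2.partner.example.zone";
};
```

Each of the two zone files needs only an SOA record, an NS record pointing at this server and the apex A record carrying the internal address; anything below that name (for example a sub-label of vpn1.partner.example) will get NXDOMAIN from this server rather than from the partner, which is the one side effect to keep in mind.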

security BIND

2012-08-04 Thread Alberto Rasillo
Hi, what are the recommendations regarding security and the DNS service? Thanks

Re: Reverse Configuration

2010-10-19 Thread João Alberto Kuchnier
Thanks everybody! Everything is fine now! My ISP included my reverse in their DNS. João K. On Sun, 2010-10-17 at 10:25 +0100, Matthew Seaman wrote: > On 16/10/2010 21:48, Kevin Oberman wrote: > > To be completely clear, unless there is special software on the client > > to deal with PTRs, yo

Re: Reverse Configuration

2010-10-16 Thread João Alberto Kuchnier
Thanks Niobos! I already talked with my ISP. I informed them of my new records. In the beginning of next week I think this will finally be solved. João K. On Fri, 2010-10-15 at 20:02 +0200, Niobos wrote: > On 2010-10-15 17:14, João Alberto Kuchnier wrote: > > Despite that, I'

Re: Reverse Configuration

2010-10-16 Thread João Alberto Kuchnier
Yes! I have eight domains on the same server using the same IP distribution. My rev file has PTR entries for all of them. Is it not necessary? João K. On Fri, 2010-10-15 at 22:44 -0400, Barry Margolin wrote: > In article , > João Alberto Kuchnier wrote: > > > Ari, > &g

Re: Reverse Configuration

2010-10-15 Thread João Alberto Kuchnier
prom.com.
4 IN PTR ns2.dataprom.com.
5 IN PTR mail.dataprom.com.
There are more domains in the same file using the same IPs. Is this a problem? João K. On Fri, 2010-10-15 at 16:33 +0100, Ari Constancio wrote: > 2010/10/15 João Alberto Kuchnier : > > Hel

Reverse Configuration

2010-10-15 Thread João Alberto Kuchnier
Hello Everyone! I have 6 domains configured on only one server. Is this a problem? Is it better to create one file for each domain, or can I create one file for all of them? Despite that, I'm having some problems with reverse DNS. MxToolBox, for example, is saying that my reverse DNS is not config

Re: DNS Propagation

2010-10-15 Thread João Alberto Kuchnier
wrote: > On Thu, Oct 14, 2010 at 04:04:20PM -0300, > João Alberto Kuchnier wrote > a message of 148 lines which said: > > > Oct 14 16:00:42 ns1 named[4602]: error (connection refused) resolving > > 'guide.opendns.com/A/IN': 200.198.101.4#53 > > >

Re: DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
I already talked with Google. But I will try again. Thank you for your time! Looks like the new IPs are functional! João K. On Thu, 2010-10-14 at 14:23 -0500, Lyle Giese wrote: > João Alberto Kuchnier wrote: > > Yes! Found it! Thank you! > > > > Now, if you could help m

Re: DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
ions, you log into your account there, go to Manage > Domains, then manage the dataprom.com domain. On the next page that > comes up from Network Solutions, scroll down and under More Domain > Options, click on Manage Name Servers. This is where you manage the > glue records for your

Re: DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
es not put the > list in as the from address and my reader does not pick that up. > > Lyle Giese > LCR Computer Services, Inc. > > João Alberto Kuchnier wrote: > > Sorry about that. The domain is dataprom.com. > > > > ns1.dataprom.com -> 200.198.10

DNS Propagation

2010-10-14 Thread João Alberto Kuchnier
Hi Everyone! Recently I enabled a new IP range on my firewall. I used this bigger range to organize my DNS records like mail, www, ns1, ns2, and others. I did this last weekend. I found out that some DNS servers updated themselves with my new records. However, CheckDNS (http://www.checkdns.net/q

RE: How to modify "A" records on the slave when master is down?

2008-12-03 Thread Alberto Colosi/SI/RM/GSI/it
, you could have a command line session too if used with SSH instead. The main difference is a bit more security ;) --- Alberto Colosi IBM Global Business Services Sistemi Informativi S.P.A. IT NetWork & Security Department *-* *-* *-* SECURITY IS EVERYO

Re: Dropping external recursive requests

2008-12-03 Thread Alberto Colosi/SI/RM/GSI/it
Why not? Better handled by ISC and done in a clean way than 1,000,000 dirty ways like these ;) --- Alberto Colosi IBM Global Business Services Sistemi Informativi S.P.A. IT NetWork & Security Department *-* *-* *-* SECURITY IS EVERYONE'S BUSINESS Memb

Re: ISC BIND

2008-11-26 Thread Alberto Colosi/SI/RM/GSI/it
No, otherwise I would not be writing here. I have compiled and run BIND since version 4, and I have compiled and run each BIND version one by one... till today; I can't count how many ;) --- Alberto Colosi IBM Global Business Services Sistemi Informativi S.P.A. IT Ne

Re: ISC BIND

2008-11-26 Thread Alberto Colosi/SI/RM/GSI/it
print-category yes;
print-severity yes;
severity debug 3;
};
channel "querylog" {
    file "/var/named/log/queries.log" versions 2 size 2m;
    print-time yes;
    print-category ye

ISC BIND

2008-11-26 Thread Alberto Colosi/SI/RM/GSI/it
the end ISC BIND 9.6.0b1 does not remain as a daemon serving user requests?! --- Alberto Colosi IBM Global Business Services Sistemi Informativi S.P.A. IT NetWork & Security Department *-* *-* *-* SECURITY IS EVERYONE'S BUSINESS Member of IBM Information Se