Hi Ray,
I'm not quite sure why you would have your caching servers forward to other DNS
servers (Google, OpenDNS, etc). I would enable recursion on them and would
not forward anything. I would also consider making these caching servers at
each location slave your *internal* authoritative zon
Hi,
In the past, when I have had a requirement to bring a slave zone into our
environment, I created a slave zone on my master(s) (defining the external
nameserver as a master) and then created slave zones on my slaves using *my*
master as a master (not the master outside of my environment). T
Any thoughts on a service like Cloudflare's 'CNAME Flattening' [1]?
[1] https://blog.cloudflare.com/introducing-cname-flattening-rfc-compliant-cnames-at-a-domains-root/
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Steph
Hi,
Does anyone see anything strange about the two hosts?
www.ca.greattextbookgiveaway.com
www.sorteodelibrospucmm.com.do
My BIND 9.9.4 servers are unable to resolve these hosts, but I have older
servers that can. I noticed that I am unable to resolve the two authoritative
servers (ns1.500buc
Enable query logging or run tcpdump on port 53. A quick Google search should
explain exactly how to do either of these very easily.
Josh
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry S. Finkel
Sent: Friday, June 2
Hi,
I have historically hosted authoritative slave zones on my internal
caching/recursive servers to override recursion for internal zones. These
servers are not directly reachable from the internet. Generally speaking, I
realize that it is considered a bad practice for any authoritative serv
Cricket's "DNS & BIND" seems rather dated at this point with the last edition
over 8 years old.
Josh
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Tuesday, May 27, 2014 7:24 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Book
Hi,
Can someone recommend a modern/new-ish book on DNS (specifically BIND)? I know
there have been several O'Reilly books throughout the years, but haven't kept up
on anything in the past few years. I'm looking for architecture design, best
practices in designing enterprise and service provide
Hi,
For those of you who operate at multiple sites or datacenters, are you doing
any HA for your BIND masters? Ideally, we would have a master in each
datacenter; maybe not an active one, but one that is standing by in case your
primary master becomes unavailable.
Do you have multiple "acti
st *have* to have that OS-level control down to the
kernel, filesystems, devices, etc. it might make sense to stick with an agent-
or wrapper-based solution like you already have (M&M). I think IPControl (by
British Telecom) is also a strong player in that space.
rious
platforms is appreciated!
(apologies for the top-post)
Thanks,
Josh
-Original Message-
From: Ray Van Dolson [mailto:rvandol...@esri.com]
Sent: Monday, April 28, 2014 12:35 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Enterprise IPAM/DNS Solutions
On Mon, Apr 28, 2014
Hi,
We currently use the Men & Mice DNS/IPAM/DHCP suite which is essentially a
front-end "wrapper" for BIND. We deploy our own BIND boxes and simply install
the Men & Mice agent on them which allows us to centrally manage the zones from
a GUI (or CLI) based interface.
I'm curious about the ot
Is it acceptable to have a wildcard CNAME? Example:
* IN CNAME somewhere.com.
Or, would it be advised to only use wildcard 'A' records?
Thanks.
Nope, no firewall in front or behind these particular boxes.
Josh
-Original Message-
From: Faehl, Chris [mailto:cfa...@rightnow.com]
Sent: Thursday, January 19, 2012 3:34 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov
Josh - are you using Cisco
Ugly fix, but it does work. I already had that in place as a "band-aid"
anyways.
Josh
-Original Message-
From: wbr...@e1b.org [mailto:wbr...@e1b.org]
Sent: Thursday, January 19, 2012 2:36 PM
To: Baird, Josh
Cc: bind-users@lists.isc.org
Subject: Re: Problem with ed.gov
Josh w
Hi,
My resolvers seem to be having problems resolving ed.gov hosts. Others
have reported similar problems, but I am having trouble figuring out
where the problem lies. Some other resolvers seem to be resolving
ed.gov correctly. I am able to query their authoritative servers
directly from the sa
Hi,
I'm looking at the output from 9.7's "rndc stats," and I see both
incoming and outgoing statistics. I'm trying to get a true queries per
second stat from these numbers. Wouldn't this be both incoming+outgoing
queries? Or, from a performance standpoint should I only be concerned
about incomi
ces+jbaird=follett@lists.isc.org] On Behalf
Of Alan Clegg
Sent: Wednesday, September 07, 2011 1:16 PM
To: bind-users@lists.isc.org
Subject: Re: Stats ouput 9.3 vs 9.7
On 9/7/2011 11:13 AM, Baird, Josh wrote:
> Is there a way to revert back to the old stats format? Is there an
> easier way to reveal
All,
Just upgraded some authoritative boxes to RHEL6, thus upgrading to BIND
9.7.3. On RHEL5 (BIND 9.3.x), I had scripts that parsed the output of
the named.stats file, and piped them through net-snmpd so my NMS could
monitor query statistics. On 9.3.x, the named.stats looked like:
+++ Statisti
I'm having trouble with the resolution of www.pncactivepay.com. It
appears that most nameservers will resolve this host to 208.86.144.222.
Resolution for this host only works about half of the time, as shown by
my logs below. When my resolvers are not able to get the real IP
(208.86.144.22), th
We typically override malware-ish domains by creating a zone on our
caching servers for them and create a wildcard similar to:
* IN A 127.0.0.1
That way, when clients try to resolve xyz.com, our caching/resolvers
return 127.0.0.1, not the real IP address.
Josh
-Original M
We have used the commercial Men & Mice suite for 3 years now and have
had great success with it. It meets all of your requirements listed
below. It has an intuitive Windows based console as well as a web
application that can be used to manage DNS, IPAM and DHCP. It works
directly on top of BIND
For new deployments, I would likely choose RHEL6 over RHEL5; unless you
have a compelling reason to run RHEL5. RHEL6 includes BIND 9.7.0. You
mention that you would like to keep your DNS boxes "appliance" like. If
this is the case, rolling out source code and compiling on each box may
not be the
Check out the "queryperf" tool.
Thanks,
Josh
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Samad Agha
Sent: Thursday, August 19, 2010 10:13 AM
To: bind-users@lists.isc.org
Subject: How do I stress test m
Hi,
I am having problems with recursion for domains that reside on two
particular nameservers. My BIND9 servers return a SERVFAIL and do not
attempt to recurse to the authoritative nameservers for
ugabookstore.com.
I have verified that my caching servers are not contacting
ugabookstore.com's a
Ok, so I answered my own question. It was indeed our ASA's at the
border.
Thanks,
Josh
-Original Message-
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Baird, Josh
Sent: Tuesday, June 29, 2010 4:
Hi,
We have clients that have started to report that they are not able to
resolve certain hosts from our recursing/caching resolvers (BIND
9.3.6-4/EL5). I am wondering if this has something to do with EDNS or
the DNSSEC rollout to root servers on May 5th.. or perhaps with our
Cisco ASA's at the e
Would there be any benefit in assigning them as additional masters for all of
my zones (in addition to DNS01), or would this just complicate the entire
environment?
Thanks
In article ,
"Baird, Josh" wrote:
> Hi,
>
> I currently have three authoritative ser
Hi,
I currently have three authoritative servers in the RRset for my
internal zones:
NS dns01.blah.com.
NS dns02.blah.com.
NS dns03.blah.com.
DNS01 is the sole master for my internal zones. I have a number of
resolving DNS servers throughout my environment
Load balancing can also be used just to provide high availability for
your caching/resolver servers. Often times, even though a resolver
client will allow you to provide multiple resolving servers, if the
primary resolver goes down the delay until the next resolver is tried
often cripples applicat
You struggled to find anything about SPF?
http://www.zytrax.com/books/dns/ch9/spf.html
Josh
From: bind-users-bounces+jbaird=follett@lists.isc.org
[mailto:bind-users-bounces+jbaird=follett@lists.isc.org] On Behalf
Of Security Admin (NetSec)
Sent: Wednesday, March 24, 2010 1:54 PM
In addition, TCP is used for queries > 512bytes.
Josh
From: bind-users-boun...@lists.isc.org on behalf of Eduardo Júnior
Sent: Mon 5/4/2009 8:35 PM
To: Martin McCormick
Cc: bind-us...@isc.org
Subject: Re: tcp versus udp
Hi,
On Mon, May 4, 2009 at 9:28 PM
I can vouch for Men & Mice. I currently have the enterprise version running
in an environment managing 2000+ domains and 15+ DNS servers. Support is
great as well.
Josh
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of da..
Not an appliance, but has a nice offering including a MMC-ish console and
Web GUI.
Josh
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Gainey, Joe (AT -
Atlanta)
Sent: Wednesday, March 25, 2009 10:43 AM
To: j...@eagle.net;
Actually, yes, if you have dynamic DNS registration enabled on the client/host
and server, an 'A' record will automatically be created in the AD zone.
Josh
From: bind-users-boun...@lists.isc.org on behalf of Danny Mayer
Sent: Sat 2/7/2009 2:29 PM
To: wiskbr...@
In my case, we let AD/MSDNS do dynamic updates.. no dynamic updates are
necessary with BIND. Not sure I understand your "split" lookups - but your
external authoritative nameservers should NOT allow recursion.
Josh
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-us
We also run in a mixed MSDNS/BIND environment. All of our AD domain
controllers run MSDNS and are authoritative for the AD domain only. They
forward all non-authoritative requests (all non AD domain queries) to
caching BIND9/Linux servers which also contain slave zones for all of our
internal dom
Good point.. didn't even think to use tcpdump.
Thanks,
Josh
-Original Message-
From: Doug Barton [mailto:do...@dougbarton.us]
Sent: Wednesday, January 21, 2009 3:51 PM
To: Baird, Josh
Cc: bind-us...@isc.org
Subject: Re: BIND9 Logging
Baird, Josh wrote:
> I have one instance
I have one instance of named that is listening on multiple IP's. I am
looking to see how many queries are destined to one of those IP's that named
is listening on. I do have query logging enabled, but I don't see it
revealing the destination interface. Is there a way to make it log this as
well?
I am in the process of developing a DR (disaster recovery) plan for my primary
masters. Could someone please confirm (or correct me) that a second server in
the "masters {}" statement of a slave zone will only be used in the event that
the first master cannot be reached? Example:
zone "examp
You could just create an authoritative zone for the domain on your internal
view to override recursion. You can then create a wildcard 'A' record or
such to resolve to 127.0.0.1, etc.
Josh
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Casartello, Thomas
Sent: Thursday, Dec
41 matches