allow-recursion { internaldns; externaldns; };
blackhole { blackhats; };
Works for me.
The acls internaldns and externaldns are specific networks/IPs we allow
to do recursion. (Everyone can do lookups for domains for which we are
authoritative but not recursion.) The acl blackhats is I
You create a zone file that only has the entries for accounting.com. You add
that to named.conf.
Your other zone files are still in place so you shouldn't need to forward
anything else because you're saying this is internal to your network. If a
user is sitting at his desk and types:
Inter
I can't quite agree with that.
While public information is indeed public it is intended to be so for specific
lookups, not for zone transfers. Someone external to you asking to get a zone
transfer may be looking for what he can exploit. Maybe he can find that
information anyway with enough diggi
Curious - We have name servers in our primary domain so those are the
FQDN names we put at Registrar and at network provider.
Is there any reason we can't also have separate external IPs and names
pointing to the same DNS servers for our separate domains (NATted in of
course)? That is to say
If this was an existing installation and the CPU load suddenly increased
you might want to check where the queries are coming from. Not so long
ago I found what appeared to be a brute force attack on a DNS server by
sending the same queries over and over from the same range of IPs in
Romania. Blac
You really need to think about upgrading. RedHat Linux 7.1 is ancient.
There seems little point in trying to build a new BIND if you're going
to allow your underlying OS to stagnate like that. The security holes
it likely has mean that all the security fixes you're trying to get in
updating BIND
You want to keep the costs low but are using a paid OS (Windows) over a
free one (CentOS/Linux)?
If the PC runs Windows chances are it will run CentOS or some other
Linux distro. There is no cost as you simply reload the system with the
new OS.
BIND is ported to Windows if you must go that
What I did for our reverse zones due to the AT&T way of delegating was
create two entries like this:
# Special notation required for internet delegation (e.g. dig -x ...)
#
zone "49-62.65.210.63.IN-ADDR.ARPA" {
type master;
file "arpa.63.210.65";
allow-query { any; };
};
#
For those of you using the canned RHEL BIND packages they sent out
errata information for RHEL3, RHEL4 and RHEL5 overnight. They've
backported the fix into the BIND 9 versions used.
As noted in Q&A here the dynamic update issue affects all BIND 9 but
only 9.4 on were patched by ISC so if you'
I don't get this at all. Rather than ask "WHO" is saying it why not
post reasonable counter arguments to "WHAT" they said.
Much of what one finds on the internet is anonymous at best but doesn't
mean it has no value. Also for all I know they are well respected in
certain areas. When I first
Or moreover not to bother with SPF at all as suggested in these
documents?:
Why you shouldn't jump on the SPF bandwagon:
http://www.advogato.org/article/816.html
How spammers get around SPF:
http://www.circleid.com/posts/782012_spammer_get_around_spf/
-Original Message-
From: bind-users
cause it wasn't high
priority.
-Original Message-
From: Joseph S D Yao [mailto:j...@tux.org]
Sent: Thursday, June 18, 2009 12:43 PM
To: Jeff Lightner
Cc: bind-users@lists.isc.org
Subject: Re: SPF/TXT records
On Thu, Jun 18, 2009 at 12:22:26PM -0400, Jeff Lightner wrote:
> We don
We don't allow "all servers" to send email at all. They have to
specifically be configured to send and relay to the Exchange server
which itself must be configured to allow them.
The domain, waterinvoice.com is not in general use but is used by one
server (and a test server on occasion) to send a
org
Subject: Re: SPF/TXT records
On 17.06.09 10:46, Jeff Lightner wrote:
> When one sets SPF/TXT record is it for the relay server/IP that sent
the
> email to the internet or the originating one?
maybe even both. If the outgoing mail relay checks for SPF, and you
don't
use SMTP authentica
Question:
When one sets SPF/TXT record is it for the relay server/IP that sent the
email to the internet or the originating one?
For example we have a server (atuprd01.water.com) that can not be
reached via the internet. Email originating there is relayed through
our MS-Exchange server (if sent
What OS?
On RHEL5 I have to set options in /etc/sysconfig/syslog (separate from
/etc/syslog.conf) like this:
SYSLOGD_OPTIONS="-m 0 -a /var/named/chroot/dev/log"
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sen
It seems the mydomain.com isn't in the view but presumably in one of the
includes.
So the most likely issues seem to be:
1) You have defined mydomain.com in more than one of the includes
which we can't tell since you didn't provide them.
-OR-
2) The client actually has an unex
BIND versions on RHEL (e.g. 9.3.4-6.0.3.P1.el5_2) have backported
patches from later BIND versions so it isn't exactly the same animal as
the EOL 9.3 which is why it isn't listed simply as 9.3
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.or
utions.net
Cc: Jeff Lightner; bind-users@lists.isc.org
Subject: Re: Bind is hanging on CentOS 4.4
Bind and threading don't get along; I have always had to force bind to
compile without thread support entirely.
Jesse Cabral wrote:
> So I can understand the original goal, let me re-cla
boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.
org] On Behalf Of Jesse Cabral
Sent: Friday, May 29, 2009 12:58 PM
To: 'Jeff Lightner'
Cc: bind-users@lists.isc.org
Subject: RE: Bind is hanging on CentOS 4.4
Importance: High
I can't seem to get bind reconfigured to run wit
3:55 PM
To: Jeff Lightner
Cc: bind-users@lists.isc.org
Subject: RE: Bind is hanging on CentOS 4.4
Importance: High
Here is the output from ps -eLf
ps -eLf | grep named
named    32231     1 32231  0    7 May26 ?        00:00:00 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 322
You might want to try "man nmap". It specifically states -sS is for
checking TCP. There is a -sU for checking UDP.
However simpler than using nmap from within a server is using "lsof" to
check activity on a given port:
lsof -i :53
From: bind-users-boun..
ng
or maybe all 3) is evil and causes cancer. :)
-Original Message-
From: Bradley Giesbrecht [mailto:b...@pixilla.com]
Sent: Wednesday, May 13, 2009 1:17 PM
To: Bradley Giesbrecht
Cc: Jeff Lightner; bind-users@lists.isc.org
Subject: Re: two NS servers on a single host
Jeff, my apologies. I
It is network redundancy only insofar as the DOS attack doesn't cause
your CPU and memory to get slammed.
If you're doing redundancy you really ought to do the whole thing by
getting another server and putting IT on the other network. Then you
don't have a single point of failure (unless they'
Short answer: No
Longer answer: Only an FQDN can be aliased with CNAME. That's not
technically a redirect. (e.g. mike.mydomain.com being CNAME to
Ralph.mydomain.com is OK - however you cannot make
mike.mydomain.com/landingpage do anything because "/landingpage" is not
part of the FQDN so ha
Good point.
The serial number should be updated since the zone file is being
updated. The sed command could be used to do that as well.
for zonefile in `ls *.com`
do sed -e s/604800/709600/ -e s/200[0-9][0-1][0-9][0-9][0-9][0-9][0-9]/2009032401/ $zonefile >${zonefile}.new
mv $zonefile ${zon
I guess "[done]" was a key point of your subject. Oh - well at least
it's there for the archives.
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jeff Lightner
Sent: Tuesday, March 24, 2009 3:42 PM
To: j...@ea
If all your zones have same value (e.g. 604800) for expire and nothing
else matches that value in the files you could do it fairly easily with
a for loop and sed:
For example if all your zone files were named with a .com at end of
name:
for zonefile in `ls *.com`
do sed -e s/604800/709600/ $zone
We had need to continue to have the MX record of a domain we acquired point
to an external location. The MX record was modified and the email
continued to work. I did see odd lookups in the logs but disregarded
them as they were failures - it looked like the target mail server was
the one trying to
rnal users can't do recursion because I'd
explicitly turned that off in the global options last year.)
Thanks Robert and Justin for taking the time to respond.
From: Jeff Lightner
Sent: Friday, March 13, 2009 4:15 PM
To: bind-users@lists.isc.org
Subj
We recently decided to create internal and external views for some
zones. This worked fine on the master server.
However, initiating zone transfer on slave from master it loaded all the
zone names I'd created but put exactly the same information into both
sets. This information was for the
Well not a perfect solution but what we have done for records that need
to be seen inside and outside is simply create the zone in both Windows
DNS and BIND.
In BIND we only have the stuff the outside world would see.
In Windows we have the stuff the internal users would see. If the
internal u
You'd prefer maybe "Dear Buttheads"?
I recall the story a few years back where an alpha version of a software
product was code named "Carl Sagan Astronomer". He got wind of it
somehow and a letter was sent threatening legal action if they kept the
name. They renamed it "Butthead Astronomer" to c
Jeff Lightner did NOT write that.
Jeff Lightner has worked with RHEL for quite some time and responded to
original author regarding packages available on RHEL 5.2.
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Josh
cache your new server.
After you're sure the new server is up and running for a few days you can stop
BIND on the old one (to reduce load on it).
-Original Message-
From: Thomas Manson [mailto:dev.mansontho...@gmail.com]
Sent: Friday, February 27, 2009 10:06 AM
To: Jeff Lightner
Not sure where the trepidation comes in here. Hopefully you ARE running
a slave server as well so if the primary isn't reachable the slave would
resolve lookups until you fixed any problem.
Here we've moved our servers from one network provider to another so had
to change the IPs of the master an
RedHat does have prebuilt packages on RHEL5.x.
On my 5.2 server I have:
bind-chroot-9.3.4-6.0.3.P1.el5_2
system-config-bind-4.0.3-2.el5
bind-libs-9.3.4-6.0.3.P1.el5_2
bind-9.3.4-6.0.3.P1.el5_2
bind-utils-9.3.4-6.0.3.P1.el5_2
You can install the latest packages with "yum"
yum install bind-chroot
The point in the ACL is it allows you to grow the list of servers
without cluttering up the Options section.
-Original Message-
From: Prabhat Rana [mailto:prana9...@yahoo.com]
Sent: Thursday, February 26, 2009 12:43 PM
To: Eric C. Davis; Jeff Lightner
Cc: bind-users@lists.isc.org
Subject
That being said you CAN do what you asked:
Create an ACL in named.conf:
# Blackhats ACL - zones to be used in blackhole statement - will prevent
# them from being allowed to query and will not respond to them.
acl "blackhats" {
xx.xx.xx.xx;
};
(Where you put the specific IP in place of
And of course you can legitimately say it is a "Standard" even if it
isn't enforced by the software. Your argument would be that people
implementing new servers or attempting to access the systems wouldn't be
able to do so because they wouldn't have added the "exception to
Standard" that your PHB
Message-
From: Baird, Josh [mailto:jba...@follett.com]
Sent: Friday, February 06, 2009 10:13 AM
To: wiskbr...@hotmail.com; Jeff Lightner; bind-users@lists.isc.org
Subject: RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices
ForCoexisting
In my case, we let AD/MSDNS do dynamic updates.. no dynamic u
I don't see why it is either/or.
Here we have Windoze DNS servers for internal lookups and Linux/BIND 9
DNS servers for external lookups. The internal servers refer all
queries they aren't authoritative for to the external ones which in turn
refer all queries for domains we don't own to the root
Maybe if you do something like paste the line and pipe it through "cat
-v" you can see what special characters are being embedded by SecureCRT.
This by the way is why we tell our DBAs that use something other than
PuTTY that we won't help them unless it fails in PuTTY also.
-Original Message-
You can allow recursion (and caching) for specific (as opposed to all)
IPs external to your setup but it's generally not a good idea unless
these IPs are static and trusted by you. If your "friends" are using
ISPs they're almost certainly getting DHCP provided IPs (meaning
random). You don't want t
What?!
And all this time I just assumed it was the Martian Sand variety that
was being spoken of on all the "save the whales" bumper stickers.
Maybe Al will end up winning the Darwin Award for another one of his
avant-garde ideas. He'll decide that the conventional wisdom that
exhausting his
Huh?
sftp uses secure transport as does scp and both use the same keys as
ssh. I can see no way in which ftps would be viewed as superior.
Exactly how are you "losing" RSA keys, and if you do, aren't you more
concerned that you can no longer ssh into the box?
That reminds me of the debate over V chips/parental controls. People
that DON'T want something think it is the responsibility of others not
to send it to them rather than THEIR own responsibility to block it with
the tools they have.
If you don't want HTML just set up a rule in your mail client t