/etc/bind should be read-only for bind
and I'm clearly violating that assumption :(
Rather than fix my bind config I fixed the apparmor config. If you go
that way remember to do
/etc/init.d/apparmor restart
to have the new apparmor rules take effect.
Regards,
Lee
--
Visit https://list
work for me
... which was probably my mis-configuration, but still.
file to be modified: /etc/apparmor.d/usr.sbin.named
Regards
Lee
But if I try:
> root@ns1:/etc/bind/zones# ps auxw|grep named
> bind 57446 0.1 1.2 147948 48140 ?Ssl 17:12 0:01
> /usr/sbin/named -f -4 -u bind
On Fri, Jan 24, 2025 at 3:27 PM Greg Choules wrote:
>
>
> > On 24 Jan 2025, at 19:07, Lee wrote:
> >
> > On Mon, Jan 20, 2025 at 4:55 AM Petr Špaček wrote:
> >>
> >> On 15. 01. 25 19:55, Lee wrote:
> >>> On Wed, Jan 15, 2025 at 11:55 AM O
On Mon, Jan 20, 2025 at 4:55 AM Petr Špaček wrote:
>
> On 15. 01. 25 19:55, Lee wrote:
> > On Wed, Jan 15, 2025 at 11:55 AM Ondřej Surý wrote:
> >> On 14. 1. 2025, at 16:56, Lee wrote:
> >>
> >> In other words, should I submit a bug report to
On Wed, Jan 15, 2025 at 11:55 AM Ondřej Surý wrote:
>
> On 14. 1. 2025, at 16:56, Lee wrote:
>
> In other words, should I submit a bug report to the Debian bind
> maintainers or ISC?
>
>
> With both my ISC and Debian hats on, I am going to be very frank
> and say this
On Tue, Jan 14, 2025 at 3:31 PM Nick Tait via bind-users wrote:
>
> On 15/01/2025 6:09 am, Lee wrote:
you snipped a bit much. What I was responding to was
>> You'd be better off starting with how name
>> resolution is configured on the clients.
>
> I don't have
seems you disagree about following all of the SHOULDs in RFC 6761 -
but are there any reasons other than personal bias for not following
the recommendation?
Obviously you're free to do whatever you like on your network, but my
question is about which behavior is more correct wrt RFC 6761.
On Mon, Jan 13, 2025 at 2:54 AM Nick Tait via bind-users wrote:
>
> On 13/01/2025 12:44, Lee wrote:
> > As long as I'm asking ignorant questions.. is there some reason why
> > bind (at least as it came configured on my Debian machine) looks up
> > .local names
A 127.0.0.1
IN ::1
--- cut here ---
to answer for any .localhost name?
In other words, should I submit a bug report to the Debian bind
maintainers or ISC?
Thanks
Lee
>
> Hope it helps.
>
> --
> Petr Špaček
> Internet Systems Consortium
> -
case. I first had to install
= systemd-resolved and point DNS to 127.0.0.53 instead of using the
= locally installed bind on 127.0.0.1.
Thanks
Lee
>
> From: bind-users on behalf of Eric
>
> Sent: Sunday, January 12, 2025 9:39 PM
> To: Lee
> Cc
oot
name servers and with all those automatic empty zones they don't.
The way I read rfc6761, foo.localhost should resolve to 127.0.0.1 (or
::1 for an lookup). Am I wrong?
If I'm not wrong, why isn't *.localhost included as one of the zones
that's configured by default
oes a normal dns lookup followed by a
# link-local multicast name resolution to 224.0.0.252
# adding local to null.zone at least stops the normal dns lookup
TIA,
Lee
le them as described above for caching DNS
servers.
So OK.. SHOULD isn't the same as MUST so bind as configured isn't
violating that RFC. But is there a _good_ reason to not follow the
SHOULD recommendation?
Thanks,
Lee
>
> Jan 12, 2025 4:38:09 PM Lee:
>
> > Excuse my i
IN ::1
to make localhost and curl.localhost work.
Is this wrong? and if so, why?
TIA,
Lee
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at
windows AD or any other server uses your bind server
to resolve app.hubspot.com?
It might be worth a quick packet capture test on some other server to
see where it sends the name lookup request for app.hubspot.com
Regards,
Lee
> > after the closing }
Which would be
response-policy {
zone "custom.block";
...
..
}
break-dnssec yes
recursive-only no
qname-wait-recurse no;
Regards,
Lee
R: 2, AUTHORITY: 0, ADDITIONAL: 2
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1432
; COOKIE: 06ad2d9bbff3719e010067371d9e67f1acf5b18ff038 (good)
;; QUESTION SECTION:
;app.hubspot.com. IN A
;; ANSWER SECTION:
app.hubspot.com.5 IN CNAME wg.custom.block.cus
On Wed, Sep 11, 2024 at 3:15 AM Mark Andrews wrote:
>
> > On 11 Sep 2024, at 16:06, Lee wrote:
> >
> > On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote:
> >>
> >>> On 11 Sep 2024, at 12:10, Lee wrote:
> >>>
> >>> On Tue, Sep 10
On Tue, Sep 10, 2024 at 10:52 PM Mark Andrews wrote:
>
> > On 11 Sep 2024, at 12:10, Lee wrote:
> >
> > On Tue, Sep 10, 2024 at 6:17 PM Mark Andrews wrote:
> >>
> >> Comma is legal in a domain name. It isn’t legal in a host name which are
> >>
eck what I think needs checking so I'll
look elsewhere or write my own.
In any case, thanks for the answer. Now that I know that
named-checkzone is working correctly I don't need to waste any more
time with it.
Best Regards,
Lee
>
> If the current origin is example.com. the
I had a few typos in an RPZ file where I had a comma instead of a dot.
I tried using named-checkzone to find all the typos but it didn't
complain about anything!? Is that expected behavior?
And a related question.. can anyone recommend a vim syntax file
checker for bind files?
$ named-checkzone
31 /usr/sbin/named -f -u bind -n 1
$ ss -lntp | grep 953
LISTEN 0 4096 127.0.0.1:953 0.0.0.0:*
LISTEN 0 4096[::1]:953 [::]:*
Regards,
Lee
> -Original message-
> From: bind-users On behalf of Thomas Hungenberg
> via bind
n RFCs to Indicate Requirement Levels)
So if you feel like adding them to your RPZ file go right ahead :)
Regards,
Lee
On Tue, Apr 30, 2024 at 2:40 AM Mark Andrews wrote:
>
> And it has been fixed.
Yay! No more error messages in the log because of them :-)
Thanks for your help
Lee
On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
>
> On 29.04.2024 22:19, Lee wrote:
> > On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
> > wrote:
> >
> > something that I replied to and got this in response:
> >
> > Error Icon
> > Mess
On Mon, Apr 29, 2024 at 5:13 PM Mark Andrews wrote:
>
> I prefer to only name and shame when I’m 100% sure of the target.
I was only trying to understand why I was getting a SERVFAIL, there
was no intention to name & shame.
Regards,
Lee
"name & shame" was not my inten
and the only results I got
were for F5 support pages - eg.
The fix in BIG-IP DNS 14.1.0 introduces a new setting,
wideip-zone-nameserver, which defaults the WideIP zone nameserver to
this.name.is.invalid.
Wouldn't a badly configured F5 server be a better explanation?
Thanks
Lee
On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
wrote:
something that I replied to and got this in response:
Error Icon
Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical
details below for more information.
The response from the remote server was:
554
On Sun, Apr 28, 2024 at 2:18 AM Walter H. wrote:
>
> On 27.04.2024 16:54, Lee wrote:
> > On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users
> > wrote:
> >> # host dnssec-analyzer.verisignlabs.com
> >> dnssec-analyzer.verisignlabs.com
wer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Lee
uery failed
(failure) for dnssec-analyzer.verisignlabs.com/IN/ at query.c:7471
Is that because of the insecure delegation shown at
https://dnsviz.net/d/dnssec-analyzer.verisignlabs.com/dnssec/
and me having "dnssec-validation auto;" in named.conf?
Thanks
Lee
(still struggling to u
ps://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Regards,
Lee
>
> I use CentOS7 with BIND9.16.41
>
>
>
> grep antlauncher db.rpz
>
> antlauncher.com CNAME .
>
> *.antlauncher.com CNAME .
>
>
>
> grep exam
ame in the original zone (not the response policy zone).
# This default can be changed for all response policy zones in a view with a
# break-dnssec yes clause. In that case, RPZ actions are applied regardless
# of DNSSEC.
Regards,
Lee
"/var/named/data/named_mem_stats.txt";
> allow-query { localhost; };
seems wrong, shouldn't that be
allow-query{ httnets; };
Lee
t the underline in hostname
# where the consensus is to not do this check on resolvers
Regards,
Lee
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid
sthru.
twoa.net-snmp.org CNAME rpz-passthru.
localhost CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
All my ot
(which I'm not sure is
even possible)
Lee
weird. Exactly how did you do the packet capture - as in, is
it possible you didn't capture everything to/from the server?
Lee
>
> From: Ondrej Surý
> Sent: Friday, January 17, 2020 3:27 PM
> To: Steve Farr
> Cc: bind-users@lists.isc.org
> Subject: Re: Slow recursive qu
doesn't say what it wrote. I
> would expect the log file to say something like:
>
> Nov 27 07:36:28 DNA-DNS1 named[20035]: dumpdb output to: /var/lib/bind/
> cache_dump.db
>
> It doesn't. Could we get that added to the logging information?
Yes, it would be nice
On 8/27/19, Tony Finch wrote:
> Lee wrote:
>>
>> Can someone please explain why using this as my rpz zone does NOT
>> block everything for *.2o7.net?
>>
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME .
>
> I sus
10 with 9.11.9 (from
ftp://ftp.isc.org/isc/bind9/9.11.9/BIND9.11.9.x64.zip)
TIA
Lee
ZE rcvd: 308
%
That said you can set "tcp-only yes”; in an appropriate server clause.
Mark
> On 8 Apr 2019, at 2:26 pm, Sukmoon Lee wrote:
>
> Hello.
>
> My Test DNS is not response for "*.tk".
> I looked around then my server not work connect using udp for tk'
IND ARM.
Thanks in Advance.
Regards,
Sukmoon Lee
-
$ dig @194.0.38.1 sukmoonlee.tk
; <<>> DiG 9.11.2-P1 <<>> @194.0.38.1 sukmoonlee.tk
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
$ di
in
I'd go with
mg.gov.br IN CNAME rpz-passthru.
-- it's your domain so hopefully you can trust whatever answers it gives
18.0.0.198.200.rpz-nsip IN CNAME .
-- nobody else gets to answer with your address space
Regards,
Lee
> and its NS Servers are zeus.prodemg
a can't possibly be a fingerprint. It seems
to me there's a requirement to reject the user supplied data since it
can't possibly be a fingerprint.
Regards,
Lee
>
> --
>The RDATA of the presentation format of the SSHFP resource record
>consists of two numbers (al
On 11/16/18, Evan Hunt wrote:
> On Fri, Nov 16, 2018 at 11:44:11AM -0500, Lee wrote:
>> > It's an interaction between RPZ and aggressive negative caching (i.e.
>> > "synth-from-dnssec"). It's fixed in the upcoming release.
>>
>> I should have a
On 9/29/18, Evan Hunt wrote:
> On Sat, Sep 29, 2018 at 05:48:55PM -0400, Lee wrote:
>> Can someone tell me what can cause
>> stop on unrecognized qresult in rpz_rewrite()failed:
>> or how to fix whatever it was?
>
> It's an interaction between RPZ and aggressive
quent A-Record (ex. mail.othercompany.com) that we are able to send
> mail to othercompany.com?
mail.othercompany.com CNAME rpz-passthru.
*.othercompany.com CNAME .
in your rpz zone file doesn't do what you want?
Lee
>
>
>
>
> On 09.11.18 14:39, Lightner, Jeffrey wrot
On 10/25/18, Grant Taylor via bind-users wrote:
> On 10/25/2018 03:25 PM, Lee wrote:
>
>> I'm missing what filtering out things like benchmarking & documentation
>> network addrs gets you beyond maybe saving some bandwidth?
>
> I do use all sorts of IP ranges
On 10/24/18, Grant Taylor via bind-users wrote:
> On 08/09/2018 01:01 AM, Lee wrote:
>> it does, so you have to flag your local zones as rpz-passthru.
>
> Thank you again Lee. You gave me exactly what I needed and wanted to know.
you're welcome :)
> I finally got aroun
nd my release and downloaded the BIND-xxx.tar.gz source code file.
It'd be nice if ISC made no response to a query a separate error vs.
lumping it in with all the other "Something has gone wrong."
possibilities.
Lee
"rpz.zone" log yes; } break-dnssec yes
recursive-only no qname-wait-recurse no;
Can someone tell me what can cause
stop on unrecognized qresult in rpz_rewrite()failed:
or how to fix whatever it was?
Thanks
Lee
On 9/28/18, Alex wrote:
> Hi,
>
> On Fri, Sep 28, 2018 at 12:18 AM Lee wrote:
>>
>> On 9/27/18, Alex wrote:
>> > Hi,
>> >
>> >> Just a wild thought:
>> >> It works with a lower speed line (at least I read it that way) but has
>>
ean? Can
no response to a query result in SERVFAIL? Is there a way to tell the
difference between no response & getting a response indicating a
failure?
Lee
n error.
So CNAME chaining seems to be more of a "you're being inefficient"
than violating a standard - right?
> Now, I don't really have a fundamental problem with Akamai, as a company;
Just as I don't have a fundamental problem with newegg :) But they're
the firs
ames and mail domains are derived from
RFC 952 and RFC 821 as modified by RFC 1123.
which seems to be why I can't resolve www.newegg.com but 1.1.1.1 and 8.8.8.8 can
C:\Users\Lee>dig www.newegg.com.
; <<>> DiG 9.11.4 <<>> www.newegg.com.
;; global options: +cmd
;
set nosearch' is
supposed to do the same thing.
'set debug' and 'set d2' displays lots, but I never checked to see if
it was the entire response or no
So... it seems like the bottom line is that dig is better but nslookup
ain't all that bad
Thanks
Lee
>> On 20
On 8/19/18, Doug Barton wrote:
> On 08/19/2018 12:11 PM, Lee wrote:
>> On 8/18/18, Doug Barton wrote:
>
>>> nslookup uses the local resolver stub. That's fine, if that's what you
>>> want/need to test. If you want to test specific servers, or what is
>
visible from the Internet, etc. dig is the right tool, as the answers
> you get from nslookup cannot be guaranteed to be directly related to the
> question you asked.
Could you expand on that a bit please? I thought
nslookup
was pretty much equivalent to
dig @
the exception being that nslookup looks for a & records and dig
just looks for a records
Thanks,
Lee
0.rpz-ip CNAME . ; 10.0.0.0/8
12.0.0.16.172.rpz-ip CNAME . ; 172.16.0.0/12
16.0.0.168.192.rpz-ip CNAME . ; 192.168.0.0/16
Regards,
Lee
bls.gov server gets a different answer than a
server outside the bls.gov (or .gov?) domain.
> sso.gslb.dol.gov. 15 IN A 10.49.1.80
you can't get there from here if >>here<< is on the internet
Regards,
Lee
> Both dig commands below are run from the
>
Just realized I forgot to include a link:
https://www.nospaceships.com/products/dns-logger.html
Mick
On Wed, Apr 11, 2018 at 10:37 PM, Mick Lee wrote:
> Hi All,
>
> Sometime ago I posted about capturing DNS activity (queries and responses)
> for both BIND and Windows DNS, and my c
z-ip CNAME .
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
; 7f01.c7f11de3.rbndr.us
; should alternate between 199.241.29.227 (allowed) and
127.0.0.1 (NXDOMAIN)
; ref:
https://bugs.chro
since I
am finding it quite useful.
Hopefully someone will find this useful.
Mick
On Tue, Aug 15, 2017 at 5:29 PM, Mick Lee wrote:
> Forgot to CC the list.
>
> -- Forwarded message --
> From: Mick Lee
> Date: Sat, Aug 12, 2017 at 6:55 PM
> Subject: Re: BI
ytrax.com/books/dns/ch7/rpz.html
& I just added this bit to ZONES/rpz.zone:
; kill the whole domain
*.cm CNAME .
; except for
*.cnn.cm CNAME rpz-passthru.
C:\Users\Lee>nslookup
> www.aol.cm.
Server: 127.0.0.1
Address:127.0.0.1#53
** server can
On 1/27/18, PGNet Dev wrote:
> On 1/27/18 11:33 AM, Lee wrote:
>> On 1/27/18, PGNet Dev wrote:
>>> I've a local bind 9.12.0 server. Works for virtually all domains.
>>>
>>> For "irs.gov", it fails,
>>
>> works for me on a
i1EhZdVZrn7BhLZeztbg/YetYOYG8OXWS6FBrcdYaQ6trnmhL9hm
1e5ik3hYWTBo0TSDN7UgdHpGQEvDF5A/f8fHg+MRvZp9RzmXs9/toIm8
TVGm8mcFZPY04AhKU6YE+uzAn4Bfc716qiBebB1XTwrz5XKpvNYEY3i1 2BaXvw==
;; Received 2955 bytes from 152.216.7.164#53(ns1.irs.gov) in 15 ms
$
Regards,
Lee
>
> dig A irs.gov
On 12/24/17, Grant Taylor via bind-users wrote:
> On 12/24/2017 01:25 PM, Lee wrote:
>> So it looks like I'm upgrading to 9.11 before giving RPZ a try.
>
> If the version of BIND that you're running supports what you want out of
> RPZ, you can try it now. It will
On 12/24/17, Reindl Harald wrote:
>
> On 24.12.2017 at 20:59, Grant Taylor via bind-users wrote:
>> On 12/24/2017 12:42 PM, Lee wrote:
>>> Is there a minimum version of bind one should be running before trying
>>> to use RPZ?
>>> in other words, v9.9.lat
ort to black hole them.
>
> I would strongly advise you look at Response Policy Zones as I suspect
> this is a better way to accomplish this goal.
Is there a minimum version of bind one should be running before trying
to use RPZ?
in other words, v9.9.latest i
I want.
dns64 64:ff9b::/96 {
...
mapped { !127/8; any; };
}
Thanks.
>
> > On 29 Nov 2017, at 7:32 pm, Sukmoon Lee wrote:
> >
> > Hello.
> >
> > I testing DNS64 using 64:ff9b::/96(prefix).
> > Some domain(IN
Hello.
I am testing DNS64 using the prefix 64:ff9b::/96.
Some domains (IN/A) respond with 127.0.0.1/IN/A.
Under DNS64, this domain (IN/) resolves to 64:ff9b::7f00:1.
I want to respond with ::1 under DNS64.
Is there any way?
Thanks.
On 9/1/17, Mark Andrews wrote:
>
> Use server clauses. Most specific wins.
>
> server ::/0 { bogus yes; }; // all of IPv6
Cool - that did it. Thank you!
Lee
<.. snip ..>
> In message
>
> , Lee writes:
>> I have Verizon FIOS - which doesn
ll those 'error (network unreachable)
resolving [ipv6 address]' messages while still logging everything
else?
Thanks,
Lee
Forgot to CC the list.
-- Forwarded message --
From: Mick Lee
Date: Sat, Aug 12, 2017 at 6:55 PM
Subject: Re: BIND and Windows DNS logging and archiving
To: Phil Mayers
Thanks,
I checked and it doesn't look like dnscap would work with little change :(
Anyway, my coll
th a limit. It also logs
responses for certain record types which is nice.
I'll give that a try, sounds like it will give me query logging formatted
logs, which I can push into pretty much anything :)
Many thanks
Mick
On 23 Jul 2017 3:06 p.m., "Phil Mayers" wrote:
On 22/07/201
Hi Guys,
Can anyone offer any advice based on their experience?
Thanks
Mick
On 19 Jul 2017 2:16 p.m., "Mick Lee" wrote:
Hi All,
I wonder if I could get some advice and guidance based on everyone's
experience.
I have a mix of pre-compiled versions of BIND on Linux (can'
Hi All,
I wonder if I could get some advice and guidance based on everyone's
experience.
I have a mix of pre-compiled versions of BIND on Linux (can't change or
re-compile, I'm afraid) and Windows DNS, and I have a need to log DNS
queries from about 100 or so of these types of servers, to identify
Hello.
I found the slow response query at dns server. This query is server fail
response.
In reality, this query gets to response a server fail for foreign dns server.
For example, maincastad.com’s glue record has 3 name server, 5 ip address.
All glue record dns is not response. So, this query r
Hello.
Our DNS Server has services on IPv6 network.
Clients queries on ipv6 network. But recursive client query is only to use on
ipv4 network.
(DNS Server has not ipv6 network for foreign network.)
So DNS server performs unnecessary a recursive client query for ipv6.
How can limit recursive qu
> On 17/11/2016 10:20, LEE SUKMOON wrote:
>
> > I want to response NXDOMAIN.
> > Is it a solution this case?
>
> You'd usually get SERVFAIL from the recursor because the domain is
> misconfigured with a lame delegation, and either way the client won't
> g
Hi all.
I am using RPZ zone.
Below line is rpz zone file. But jifr.net is not working.
jifr.net CNAME .
*.jifr.net CNAME .
Unusual, this domain is responding with refused rcode. (from authority name
server)
$ dig @173.245.58.51 jifr.net
;;
a03:2880::/29
> netname:IE-FACEBOOK-201100822
> country:IE
> org:ORG-FIL7-RIPE
> admin-c:RD4299-RIPE
> tech-c: RD4299-RIPE
> status: ALLOCATED-BY-RIR
> mnt-by: RIPE-NCC-HM-MNT
> mnt-lower: fb-neteng
> mnt-routes:
// Facebook
>};
> };
>
> In message <389ab5475d0a441a9cc175f0326e5...@skt-tnetpmx2.skt.ad>, LEE
> SUKMOON
> writes:
> >
> > Thanks for reply.
> >
> > But a client's network is ipv6 network.
> > Client obtains a ipv6 address
.
>
> If you want to force browsers to use IPv4 then send back RST to the
> connection attempts to reach the facebook servers. They should fail over
> to using IPv4. This should only require configuring the firewall on your
> router appropriately.
>
> Mark
>
> In me
Hello, All.
Many clients queries to IPv6(IN/) domain.
But IPv6 network is so far, then slow then IPv4 network.
I want to forced dns64 for special domain.
Example, 'm.facebook.com' IN/ address is
'2a03:2880:f115:83:face:b00c:0:25de'.
But I don't want to use IPv6 address. So I want to use
e down stream caches. Or both.
Thanks for answer.
I think that a prefetch cache is a good idea.
A prefetch cache will be update a cache TTL.
So it is split to a client query.
But I find a prefetch option over BIND 9.10. BIND 9.9 is not found prefetch
option.
Under BIND 9.10, I will test to d
Hello Sirs,
I am Sukmoon Lee, a software developer and network engineer in South Korea.
Recently, most clients(smart phone) have a local DNS cache.
The Cache DNS TTL affects the client cache expiration time domain. So many
clients have caused a burst DNS traffic.
In order to solve this issue
Hi,
This is probably a dummy question.
My understanding of bind in handling non-authoritative queries is:
1) forward mode. It just forward the client queries to an upstream DNS
server, which is defined in "forwarders" directive.
2) recursive mode. It actually start asking from root DNS server, then
2n
-
Marty Lee e: ma...@maui-systems.co.uk
Technical Directorv: +44 845
iter integrity can be handled by the DLZ code
(i.e. palming it off to a RDBMS to deal with).
Just a thought - but generally I agree that multiple writers to
a file is just asking for trouble…
-
Marty Lee e: ma...@maui-systems.co.uk
Technical Director
on.key
-
Marty Lee
On 1 Apr 2014, at 09:52, Marty Lee wrote:
>
> Ok, finally managed to get a test rig set up with wireshark and have
> now seen more about what’s going on & can see the pre-requisites going
> over the wire.
>
> Versions: ISC DHCPD 4.2.6, Bind 9.9.5
>
> DHCPD sends
ow I can play with all of this on a test network and it’s 100%
repeatable.
Cheers
marty
On 27 Mar 2014, at 19:13, Evan Hunt wrote:
> On Thu, Mar 27, 2014 at 06:58:35PM +, Marty Lee wrote:
>> BTW, doing a manual Dynamic DNS update using nsupdate works fine - the A
>>
no problems working my way through the code to figure out what is
going on, but obviously if
someone else can give me a head start, then it would be appreciated!
BTW, doing a manual Dynamic DNS update using nsupdate works fine - the A and
TXT records are created
without any problem and the A rec
Hi John,
Perhaps you could try to chown directory /var/named to named
drwxrwx--- 3 named named
Edwin Lee
- Original Message -
From: jo...@primebuchholz.com
To: bind-users@lists.isc.org
Sent: Wednesday, August 28, 2013 2:38:11 AM
Subject: chroot /var/run permissions
Greetings,
I
Ah, it's ... a lot worse than I thought; here's the relevant node.js
bug:
https://github.com/joyent/node/issues/4168
I knew node.js was made by twelve year olds, but even so... Words
fail me.
-Robin
On Sat, Dec 29, 2012 at 12:53:51AM +, Phil Mayers wrote:
> [Grumble stupid mobile devices .
Here's the digging my ISP did:
[root@dvs-node01 ~]# node
> var dns = require('dns')
undefined
> dns.resolve('github.com', function(e, h) { console.log(JSON.stringify(h)) } )
{ oncomplete: [Function: onanswer] }
> ["207.97.227.239"]
undefined
> dns.resolve6('github.com', function(e, h) { console.l
On Fri, Dec 28, 2012 at 07:57:24PM +, Phil Mayers wrote:
> Robin Lee Powell wrote:
>
> >
> >So I've got some IPv6-only VMs set up that need to talk to the
> >general internet for things like downloading packages. As you
> >can imagine, this requ
So I've got some IPv6-only VMs set up that need to talk to the
general internet for things like downloading packages. As you can
imagine, this requires that they have NAT64 and DNS64, because lots
and lots of things are IPv4 only.
The problem is that many things do *stupid shit* when given both