Could you send the email from another account (which doesn't use your DNS
server)? It's not too hard to set up a free account with services like Outlook,
Yahoo or (if desperate) Gmail.
On Mon, 03 Jun 2024 18:46:40 +0200
Thomas Barth via bind-users wrote:
> Hello,
>
> I cannot send them an em
On Sat, 16 Sep 2023 10:22:26 +0100 (BST)
"G.W. Haywood via bind-users" wrote:
> Hi there,
> ...
> I'd be surprised if the OP couldn't manage with 2^20 IPs in a segment -
> but then I guess he does work in the .gov domain.
^^^
The OP's contact e
On Sat, 10 Jun 2023 19:24:03 +0200
Ondřej Surý wrote:
> You are over-complicating things. If unconfigured, named binds the outgoing
> UDP to 0.0.0.0 (::0), which means the chosen IP address is picked by the
> kernel. You need to configure priorities on your interfaces in the kernel -
> ip rout
On Wed, 3 Aug 2022 15:10:39 -0400
Timothe Litt wrote:
> Hmm. Your resolv.conf says that it's written by NetworkManager.
>
> What I suggested should have stopped it from updating resolv.conf.
>
> See
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_an
On Wed, 3 Aug 2022 13:47:41 +0200
Victor Johansson via bind-users wrote:
> Hey,
>
> I just want to add that there is a better way to do this in iptables
> with hashlimit. The normal rate limit in iptables is too crude.
>
> Below is an example from the rate-limit-chain, to which you simply send
There has been lots of discussion recently about DNSSEC issues, including
whether it's desirable to sign internal zones. Independent of this most recent
issue, a couple of weeks ago I did an informal survey, using DNSVIZ, of various
TLDs. I found the following rather surprising results:
DNS-VIZ
On Thu, 17 Feb 2022 15:26:35 +0100
Ondřej Surý wrote:
...
> This is part of the problem - debugging on Windows is extremely painful and
> requires expertise with extremely high learning curve.
>
> --
> Ondřej Surý — ISC (He/Him)
I wonder if difficult debugging is deliberate -- it would certa
On Tue, 6 Jul 2021 12:44:15 +
"MURTARI, JOHN" wrote:
> Folks, let me add my desire for a quick download dig supporting DoH. It
> could really help with some testing, some ready stuff for Ubuntu 18/20,
> Redhat/CentOS, could make a lot of people happy. Maybe the libs included
> and we s
It ought to be possible to write a front-end to listen on the standard control
channel and only forward (properly-keyed) 'status' requests to the "real" port
that BIND listens to.
From looking at the RNDC exchange via Wireshark however, you'd have to adapt
some of BIND's code that does the e
The site mxtoolbox.com has a suite of tools to check your DNS, email and Web
servers from the outside. They're easy to use and might turn up something.
On Fri, 11 Jun 2021 09:10:32 -0700
techli...@phpcoderusa.com wrote:
> Hi,
>
> The two domains I am working with on my SOHO home server are 1)
On Fri, 4 Jun 2021 13:58:40 -0700
Gregory Sloop wrote:
> This feels a lot like responding to trolls, but I'll instead assume that
> you're asking (or making a point) in good faith.
>
> So, we'll stipulate that - you're actually interested in truth and knowledge.
>
> So, it's easily compiled on
If you can have BIND log directly to a file, couldn't you use a FIFO
(prwxrwxrwx) or Unix domain socket (srwxrwxrwx) and avoid the disk I/O by
sending the log data directly to the forwarder? (E.g., Pulse Audio listens on a
socket for audio data from an application, and sends it in real-time to t
Actually, it's in keeping with the *original* definition of hacking!
On Sun, 9 May 2021 23:55:13 -0600
@lbutlr wrote:
> On 06 May 2021, at 09:57, Dennis Clarke via bind-users
> wrote:
> > I do NOT trust a build result where I had to go hacking into all the
> > Makefiles just to get it to buil
A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP) IP
address for my very simple domain. It worked, except that it totally messed up
the organization of the zone file. Since the file only has 44 active lines
(which are organized logically), I maintain it by hand. After nsup
Interesting, although we host different domains, in and from different
geographic areas, we got the same queries as yours on the same day, with some
at about the same time (we're EDT).
13-Apr-2021 02:19:58.468 security: info: client 76.20.145.58#3074 (sl): query
(cache) 'sl/ANY/IN' denied
13-Ap
Interesting observation. I just did lookups on 4 recent (< 24 hrs ago)
'sl/ANY/IN' queries logged by our BIND and got:
2 Comcast cable IPs (hsd1.tx.comcast.net and hsd1.ma.comcast.net)
1 OVH Hosting IP (Montreal)
1 Afranet IP (Tehran!)
The whois info for the OVH IP contains the line:
Comment:
We also get *lots* of suspicious queries of the same kind, from various
privileged and unprivileged ports, which I'm pretty sure are DDoS attempts. For
example:
12-Apr-2021 23:44:17.767 security: info: client 107.213.131.17#80 (sl): query
(cache) 'sl/ANY/IN' denied
12-Apr-2021 23:44:19.477
Well said!
On Mon, 29 Mar 2021 16:11:54 +0100
Tony Finch wrote:
> alcol alcol wrote:
>
> > seriously? is like linux/unix FAQ 😄
>
> Please, if you can't be helpful, don't reply at all. We all have to learn
> somehow, and the best way to show your knowledge is to share it generously.
>
> T
Our DMARC Policy has been "p=quarantine" since 30 Jun 2019, so I guess it won't
affect us. (It was "p=none" before that -- we only started using DKIM in Apr
2017.)
On Tue, 16 Feb 2021 20:54:30 + (UTC)
Dan Mahoney wrote:
> Greetings bind-users netizens.
>
> Dan Mahoney, ISC SysAdmin here.
Would it be possible to use a virtual interface from within bind/named that
gets mapped by some privileged facility to a hardware interface? (This is the
sort of thing that VMs have to do all the time.) For example, could a brctl
bridge help?
Or maybe CAP_NET_BIND_SERVICE would allow the interf
I don't think tcpdump was installed by default with various versions of Debian
that I set up in the last few years for networking. I didn't bother to install
it, as its output is different enough (old fashioned?) from the sharks to be
annoying. It *was* installed with OpenSuSE 15.2 though. (Ope
I rather prefer tshark to tcpdump: it's essentially the command line version of
wireshark, and thus has wireshark's protocol "dissecting" abilities.
On Wed, 10 Feb 2021 22:20:08 +
"John W. Blue via bind-users" wrote:
> Three words: tcpdump and wireshark
>
> It is like peanut and jelly ..
Do you know about mxtoolbox.com? It (and other similar sites) does a good job
of diagnosing DNS-related problems. I use it now and then to check out my own
sites, as it gives a "second opinion".
In particular its "DNS Lookup" function reported the following for
"internet-dns1.state.ma.us"
Ty
It sounds to me like dnssec-verify is sending the output in question to STDERR
instead of STDOUT.
On Sat, 06 Feb 2021 19:02:28 +
Matthew Richardson wrote:
> I have been using Perl to do a reasonable amount of scripting, running bind
> utilities and processing the results into variables. T
> On Tue, 2020-11-24 at 22:22 -0500, Paul Kosinski wrote:
> > My reading of the headers (below) does *not* suggest "Reply All".
> >
> > Rather, they show that mx.pao1.isc.org sent/forwarded the email once,
> > and it was received by lists.isc.org once with E
t 21:56 -0500, Paul Kosinski via bind-users wrote:
> > I've been getting two identical copies of recent posts to this list...
>
> Me too, but it's because of people hitting reply-all thinking that they
> are replying to the list and the poster. People really need to verify
I've been getting two identical copies of recent posts to this list
(such as this item). This only started happening in the past 24 hours
or so. Is anyone else seeing this?
Upon examination of the headers of the two copies, it looks like ISC's
list-servers are doing the duplication.
(The first p
With regard to using chroot, hasn't named/BIND long had the "-u" (user)
and "-t" (directory) options to accomplish the same thing more easily?
On Fri, 16 Oct 2020 12:47:35 -0500
Chuck Aurora wrote:
> /me catching up on earlier parts of this thread,
>
> On 2020-10-15 11:42, alcol alcol wrote:
>
The article is from 2016, probably before DNSSEC became so widespread.
But I would guess that their current overall approach is not a radical
departure from what was outlined in the article.
On Tue, 23 Jun 2020 13:41:18 +0200
Alessandro Vesely wrote:
> On 2020-06-05 9:29 p.m., Paul Kosin
A very interesting article on how China uses DNS (among other things)
to "control" Internet usage.
https://blog.thousandeyes.com/deconstructing-great-firewall-china/
> with my internet connection"
>
> > Even if your ISP allows it, chances are that other mail servers will reject
> > it
>
> that's a completely different story
>
> > On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
> >> H
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.
On Sat, 2 May 2020 09:28:54 +0200
Reindl Harald wrote:
> Am 02.05.20 um 09:00 schrieb Michael De Roover:
> > That's actually my biggest concern with DoH, ISP blocking.
I was pleased that I was able to get our two (successive) ISPs to set
up reverse DNS for our small number of IP addresses, and each twice to
change them when they moved us to new IP ranges (due to the
IPv4 crunch). It never even occurred to me that it might be possible to
have them dele
lient 134.0.217.53#27016 (WWw.imENT.cOm):
query: WWw.imENT.cOm IN A -E (216.55.100.245)
Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.69#23417 (WWw.IMeNt.cOM):
query: WWw.IMeNt.cOM IN A -E (216.55.100.245)
Thanks,
Paul Kosinski
"... long ago adapted to using full numbers, including area codes, for
pretty much *all* phone dialing ..."
Except that that proved to be so onerous that people often use "speed
dialing" for commonly dialed numbers. (Not to mention the fact that
people usually address their friends and coworkers b
Following https://www.icann.org/en/system/files/files/sac-064-en.pdf,
it sounds like modest groups of Internet users (such as informal clubs)
that don't have their own official domain (like "iment.com") are out of
luck if they would like to have local subdomains -- unless they want to
use the quite
Testing how lists.isc.org handles DMARC "Quarantine" (and "Reject")
policy. The enterpr...@mozilla.org mailing list forwards such email in a
way that some recipients choke on it (i.e., can't validate it).
A *bank* not using DNSSEC?? Glad I don't have any money there.
On Sun, 16 Jun 2019 14:00:36 +0100 (BST)
"G.W. Haywood via bind-users" wrote:
> Hi there,
>
> On Sun, 16 Jun 2019, Mark Andrews wrote:
>
> > The servers for this zone are broken, they do not respond to
> > queries with DNS COOKI
ified?
On Mon, 4 Mar 2019 19:30:36 +0100
Matus UHLAR - fantomas wrote:
> >On 4 Mar 2019, at 16:20, Paul Kosinski wrote:
> >> provides our users with general caching DNS service for
> >> all other domains.
> >
> >[...]
> >
> >> Its "named.conf&
We have a BIND server on our LAN which is authoritative for our ".local"
domain and also provides our users with general caching DNS service for
all other domains.
Its "named.conf" file doesn't list any "forwarders" any more, and
"forward-only" is gone, but it still has a leftover "recursion yes"
I haven't analyzed the details and pitfalls, but could a Web proxy
mechanism of some sort be of help? In particular, rather than having
your users directly access "teamviewer.org" (or whatever), have them to
access "teamviewer.local", which is resolved by your internal DNS to a
specialized proxy se
Maybe port scanners will find open ports pretty quickly, but I've found
that using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs but moving it elsewhere,
and making 22 totally unresponsive discourages most such attempts. This
increases se
Code refactoring is nothing compared to what Mozilla did to Firefox!
It's hard to believe they didn't change the name, given that they
totally changed the add-on interface and thereby removed so many of the
features that made Firefox our browser of choice.
On Thu, 20 Sep 2018 09:48:08 +0100 (BST
t, 18 Aug 2018 20:12:01 +0200
Reindl Harald wrote:
>
>
> Am 18.08.2018 um 20:02 schrieb Paul Kosinski:
> > When I started using Linux almost 20 years ago, I think there was
> > only nslookup, and no dig. So by habit, I tend to use it unless the
> > extra power of dig ou
When I started using Linux almost 20 years ago, I think there was only
nslookup, and no dig. So by habit, I tend to use it unless the extra
power of dig outweighs its extra complexity. I don't remember what I
used on Windows back when I was regularly using both.
On Sat, 18 Aug 2018 11:42:20 -0600
We have a couple of small domains whose DNS is served by BIND on our dedicated
machines. Almost 3 years ago we had set up DMARC records, and were getting
reports from various MXs every day until a couple of days ago (Aug 13). Then
they suddenly stopped!
Nothing in the BIND config or zone files
We do something somewhat similar with our LAN. We have a new cable
connection and an old DSL connection. The cable is 60x faster, but has
a dynamic IP and blocks various ports (esp. 25), so we keep the DSL so
we can send email directly etc.
Obviously, we don't want to stream video or even do much
Most of your replies seem not to address the (immediately
preceding) paragraph they appear to be responding to.
On Mon, 25 Jun 2018 22:15:07 +0200
Reindl Harald wrote:
>
>
> Am 25.06.2018 um 22:01 schrieb Paul Kosinski:
> > Somebody who has irresponsibly (and apparently want
dvertently assisting in the attack,
and should be contacted and asked to help in the remediation. (Note
that *their* resources, as well as yours, are being wasted.)
On Mon, 25 Jun 2018 17:47:23 +0200
Reindl Harald wrote:
> Am 25.06.2018 um 17:37 schrieb Barry Margolin:
> > In articl
se the query doesn't come until after
the connection is established.)
On Mon, 25 Jun 2018 15:32:44 +0200
Reindl Harald wrote:
>
>
> Am 25.06.2018 um 05:39 schrieb Paul Kosinski:
> > Is it possible to get BIND not to respond at all, thereby causing
> > a timeout on
Is it possible to get BIND not to respond at all, thereby causing
a timeout on the query? That would perhaps reduce load more than
NXDOMAIN or deleting the zone(s) would.
On Mon, 25 Jun 2018 00:03:09 +0200
jo...@hasig.de wrote:
> yes, but it minimizes the use of resources because the only answer
Setting the permissions of a *private* key to 0644 sounds like a bad
idea. Maybe you mean 0640?
On Fri, 2 Mar 2018 23:28:28 +
"Prof. Dr. Michael Schefczyk" wrote:
> Dear Mark,
>
> I did get the issue resolved while setting up a test environment.
>
> The issue is that normal permissions in
Google search for "man named" turns up:
https://ftp.isc.org/isc/bind9/cur/9.9/doc/arm/man.named.html
which says (among more details):
named [-4] [-6] [-c config-file] [-d debug-level] [-E engine-name] [-f]
[-g] [-M option] [-m flag] [-n #cpus] [-p port] [-s] [-S #max-socks]
[-t direc
Could it be that you're network limited?
In any case, the values of the following parameters may be illuminating
(they may be obtained via "rndc status").
CPUs found
worker threads
UDP listeners per interface
For example, my very lightly loaded authoritative server reports:
version: BIN
Speaking of units, University of Chicago Professor Nicholas Metropolis
(who had been one of the original Manhattan Project scientists at Los
Alamos) remarked that the standard lecture period of 50 minutes lasted
approximately 1 Micro-Century.
On Fri, 2 Feb 2018 17:00:10 -0500
Warren Kumari wrote
Michelle (and others who may be interested),
I have found mxtoolbox.com to be helpful in diagnosing DNS and related
problems. It is able to do all kinds of DNS lookups from *outside* your
domain so you can see what your normal Internet users see. It will do
basic stuff (manually initiated) for free,
andom strings of characters, but rather follow certain
linguistic statistics.)
On Thu, 9 Nov 2017 17:56:03 +0100
Reindl Harald wrote:
>
>
> Am 09.11.2017 um 15:55 schrieb Paul Kosinski:
> > Exact matching needs a search algorithm too
>
> no it doesn't - unless you c
Exact matching needs a search algorithm too.
If the DNS server in only authoritative for a couple of domains (and
subdomains), a simple linear search would be adequate (or even optimal,
due to its low overhead). Many DNS servers, however, are authoritative
for multiple domains, and so might need s
Maybe he has no say in what ISP is used, and they have draconian policies...
On Sat, 16 Sep 2017 19:48:51 +0200
Matus UHLAR - fantomas wrote:
> . . .
> >Note:1.2.3.4 is not what they really return . I've changed it for
> >privacy .
>
> why? it's your ISP, there's no need to hide IP they send t
Has IPv4 faded away and I didn't notice? Unlike the well planned switch
to Area Codes, IPv6 is not backward compatible.
(The telcos would have gotten rather a lot of complaints if they said
everyone had to get a new telephone number, and also -- new telephones.)
On Wed, 14 Jun 2017 22:10:25 +1000
M
It's been some years now, but I had worked on developing code for a high
throughput network server (not BIND). We found that on multi-socketed
NUMA machines we could have similar contention problems, and it was
quite important to make sure that threads which needed access to the
same memory areas w
"The tinfoil hat brigade in some distributions has resisted using them,
fearing some conspiracy to provide not-so-random numbers."
I think the NSA *did*, in fact, compromise the "Dual Elliptic Curve
Deterministic Random Bit Generator" and paid RSA to make it the default
in one of their products --
remainder to
> upgrade/replace/refresh their XP boxes?
>
>
> -
> Kevin
>
>
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> Of Paul Kosinski Sent: Tuesday, April 18, 2017 5:09 PM
> To:
- Kevin
>
> -----Original Message-----
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> Of Paul Kosinski Sent: Monday, April 17, 2017 9:08 PM
> To: bind-users@lists.isc.org
> Subject: Re: BIND 9 windows XP builds
>
> I can see som
I can see somebody running XP for some "legacy" software that doesn't
run nicely on newer versions of Windows, but I would think it extremely
risky to have such a machine connected to the Internet.
Maybe whoever runs BIND on XP should consider converting that machine to
Linux, and running BIND on
"I’ve been around long enough to remember when upward compatibility was
something that was expected."
Having been around since before even Unix, I must say I agree totally.
As I understand it, Linus does not take kindly to Linux Kernel changes
that break forward/upward compatibility (of the ABI).
ND itself could fail-over the DNS lookups and
solve the immediate problem.
On Sat, 27 Aug 2016 23:29:08 -0700
Dave Warren wrote:
> On Sat, Aug 27, 2016, at 11:32, Paul Kosinski wrote:
> > So my question is, is it possible to configure my forwarding BIND to
> > have a primary and *s
"Your better bet is surely to dump the forwarders and to do your own
recursion."
It doesn't solve the connectivity issue, but it sounds reasonable in
its own right: I'll have to try it.
On Sat, 27 Aug 2016 14:32:09 -0500
/dev/rob0 wrote:
> On Sat, Aug 27, 20
I have a rather unusual network with a gateway machine that connects to
two ISPs: a slower DSL with a static IP and a faster cable (Comcast)
with a DHCP IP. The gateway machine runs two instances of BIND (plus
the usual firewalling): an authoritative one for a couple of domains
(and only those doma
If the client is at all remote (i.e. the request passes through a
router), the MAC address isn't preserved.
On Sat, 6 Aug 2016 17:42:59 -0700
Fima Leshinsky wrote:
> I'd like to log the client's MAC address. Is this possible? Could
> someone point me in the right direction?
>
> Thank you!
> Fi
I thought port 0 was never valid as either source or destination.
On Wed, 27 Jul 2016 11:22:06 +0300
"Ejaz" wrote:
>
> Thanks you.
>
> The traffic will go to router which is handled by the Network dept.
> The fear that may router can crash if we start enabling the
> packet capture since
I have avoided the problem chroot causes in a fairly general fashion by
using "mount --bind". For example:
/bin/mount --bind /lib /chroot/dns/lib
will make the entire /lib directory available to the chrooted BIND,
assuming the path /chroot/dns is created beforehand to serve as the
chroot base f
Interesting idea -- it never occurred to me that I could have separate
zone files for sub-domains.
So, if I had a tiny zone file for "dynamic.example.com" alone, and a
bigger zone file for all the other stuff for "example.com", could I be
*sure* that nsupdate would *only* modify the tiny file, and
I was trying to use nsupdate to automatically update a single A record
in our domain to its latest dynamic, but public, IP address. Although it
did indeed rewrite the zone file to reflect the new IP address, it also
rearranged all the entries in the file into seemingly random order
(maybe sorted by