On 6/16/21 2:52 PM, Reindl Harald wrote:
Does this alteration at the top make it any clearer?
Note: at the command prompt, I use the following terminology:
# means run as root
$ means run as user
Inside a file, "#" means it is a comment
not really - either use the
On 08/09/2017 03:28 PM, /dev/rob0 wrote:
Your issue might more effectively be dealt with in a Fedora forum, or
as a Fedora bug.
Tried that to no avail: both Ask Fedora and Fedora Forum
But Reindl knew what to do and it fixed the thing. It now
runs so smoothly it is like poetry.
On 08/09/2017 03:28 PM, /dev/rob0 wrote:
Your mail client has a problem with line wrapping, which made this
very difficult to read.
Ya, no fooling. That would be Zoho's web mail. I had to
post from the field.
I am back in station on Thunderbird now.
>> You're thinking that the rate limit is intended to protect YOUR server.
>> It's actually to prevent your server from being used as a reflector to
>> attack some OTHER server. The spoofed addresses all point to that
>> server.
>Sorry I just can't understand that why my server is being used to
If I remember correctly, $GENERATE is a zone file syntax only. When you start
up BIND, it parses those out and loads the generated records as if you'd
written them out manually. $GENERATE just helps condense the zone file, but
has no impact on overall operation.
I'm sure someone from ISC coul
When you do a dig, the TTL is the 2nd column:
;; ANSWER SECTION:
www.google.com. 604800 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 74.125.225.20
www.l.google.com. 300 IN A 74.125.225.19
www.l.google.com. 300 IN A
You can set interface-interval to a low number to make BIND scan for new
interfaces frequently:
interface-interval
interface-interval minutes;
interface-interval defines the interval in MINUTES at which BIND scans all interfaces on the
server and begins to listen on new interfaces (assuming they are no
The reason I've heard a few times is that users are uncomfortable using only 1
address. In the past I've done 2 or 3 addresses just so that we can give out 3
addresses that all point to the same pool of servers.
Silly, I know, but sometimes it's easier to placate than to change
someone/groups
>> do you propose he specify the ratios with BIND?
>>
>> One (icky) solution is to hand out more addresses for one server than
>> the other…
>>
>> www.example.com IN A 192.168.1.1
>> www.example.com IN A 192.168.1.2
>> www.example.com IN A 192.168.1.3
>> www.example.com IN A 192.168.2
>
> > I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)
>
First thing I do on a new windows box is download the BIND package and throw
dig on the box ... well, right after
there is a perl module out there that may help:
http://cpan.uwinnipeg.ca/htdocs/BIND-Config-Parser/BIND/Config/Parser.html
I don't know - I'm not much of a perl monkey (or any of one, really), but I may
work for what you'd like.
t.
eferral).
Basically, it's short cutting the delegation process, but that's it, the server
still has to do all the work.
Cheers,
Todd.
-
This transmission (including any attachments) may contain confidential
informat
Change:
file "/var/log/query.log" version; 3 size 5m;
to:
file "/var/log/query.log" versions 3 size 5m;
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Nate
Homier
Sent: Thursday, March 03,
It seems to do a regular lookup, plus maybe an ANY
But I've also noticed that it seems to find test.domain.com. I often put a
'test.whatever.com. IN A 127.0.0.1' into zones and a couple I checked it found
them, even though it shouldn't have by "normal" means
it also found a 'blog' record I had
dig -b {srcip}
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of John
Williams
Sent: Thursday, December 09, 2010 9:51 AM
To: bind-users@lists.isc.org
Subject: DIG Source IP
If I have a Linux h
What version of bind, on what OS?
There may be some things you can do with iptables to limit connections
http://www.debian-administration.org/articles/187
I don't recall seeing anything native to BIND that would allow for limits per
src.
t.
hit the view
you want to hit, without any guess work.
YMMV.
Cheers,
Todd.
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Stewart
Dean
Sent: Monday, October 25, 2010 2:54 PM
To: bind-users
If you haven’t restarted the server, you could do an rndc dumpdb and grab the
zone content I’d think
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Jay Moore
Sent: Tuesday, October 05, 2010 1:13 PM
To: bind-users@list
This is the BIND admins bible:
http://oreilly.com/catalog/9780596100575
Grab it and start having a read. You will want to upgrade your version of BIND
if at all possible as it's a little out of date, and much of the support you
may need may be difficult.
$0.02
Todd.
From: bind-
If you are trying to reach RIM.com (makers of BlackBerry), we are at rim.com
;; QUESTION SECTION:
;rim.com. IN MX
;; ANSWER SECTION:
rim.com. 600 IN MX 10 mx05.rim.net.
rim.com. 600 IN MX 10 mx03.rim.net.
rim.com.
>> You need to specify different "file" locations for each of the slaved
>> zones (even if the data is the same) in each view.
>>
>Does that apply for master zones which are common (i.e. the same data)
>to both views as well?
In my experience, you can use a shared file for mastering. We have ado
If you wanted to throw CVS into the mix, it would make all this pretty easy.
You can have it run scripts on checkin, and you know all the files changed from
a cvs diff, so it’s easy to run that through the named-checkzone.
CVS doesn’t have to make things much more complicated. You could create
What version of BIND are you running? If you're getting FD limits, I'd think
it's an older version with a bug, and your problems might also be alleviated by
upgrading.
Todd.
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
missed, but it's the best solution I've found so far.
Cheers,
Todd.
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Prashant
Ramhit
Sent: Friday, May 21, 2010 10:37 AM
To: bind-users@
iguration examples if there is something
you can't figure out and I'm confident people will more readily help out.
Specific things to look for:
-ACLs
- acl
- allow-recursion
- allow-query-cache
- allow-query
-logging statement
-rndc flush
Cheers,
T
Are all the slaves authoritative for all the zones? If so, unless
you're using forwarding, or some really odd delegation, queries
shouldn't be going to the master servers.
Todd.
he issue is happening after the packet reaches the
server, then I'd bump up the debug level and turn on a bunch of logging
and make sure ntp is working fine and start watching logs while
generating a bunch of traffic from a test box.
Cheers,
Todd.
Are the timed out queries recursive or authoritative?
I'd suggest tcpdump running on both the BIND servers and the client, so
you can match send/receive and show missed packets directly.
Cheers,
Todd.
experience/examples of how to effectively diagram
complex deployments. Specifically, how you may have diagrammed views in
a visually simple manner.
Examples are welcome, and feel free to reply privately if you don't want
to share on the list.
Thanks for you
the
wrong file, and lets us remember which ones are shared easily.
Todd.
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of
Jason Gates
Sent: Thursday, March 11, 2010 10:06 AM
To: bind-users@lis
Good day,
We've started seeing this bug on a couple servers, but I see no mention
of it being fixed, so I don't know what version I should upgrade to.
Nor can I find anything that lays out the impact/risk of this.
Does anyone know the status of this bug?
Thanks!
checkout "allow-query-cache"
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of
Riccardo Castellani
Sent: Tuesday, February 09, 2010 1:06 PM
To: bind-users@lists.isc.org
Subject: query (cache) 'xx
hich seems to bypass all the
congestion, is a short term fix until we can figure out how to make
things a little smoother.
Apologies for the wall of text - this is a frequent discussion with
very little in the way of conclusion around here :)
Todd.
On Wed, Jan 20, 2010 at 10:33 PM, Joseph S
going to keep tuning, but it looks like we've reached some sort
of tipping point where inefficiencies in our methodology, architecture
and the underlying protocol might be combining to make for less than
ideal conditions for fast changes.
Thanks for this tip ... big 'ah-ha' m
e transfer mechanism, not the SOA query.
Can anyone help with ideas on this? Are we missing something obvious?
Cheers,
Todd.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
use includes for your zone configuration, keeping
it out of named.conf.
It's pretty trivial for a lab quality deployment, but for production,
I'd look around or develop something a little more robust.
Cheers,
Todd.
that will end up putting an MX record for each zone in each zone without
needing a bunch of different lines or includes.
Hopefully that helps, or is even in the right direction.
YMMV.
Todd.
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org
ility checking isn't really what BIND is used for.
If you wanted to do it on the cheap, you could write a script that would
check for service on the IP for a domain, and if it doesn't answer,
updates the zone to remove/change the record.
Todd.
o-null-route-an-attackers-ip/
Failing that, I believe there is a bind directive (blackhole) that might do
what you want, but I've never looked into it.
Finally, if you are simply trying to block certain domains, you could load them
as master zones on your server and leave them blank.
Cheers,
To
Good day all...
As we move to more and more views in our organization, I'm working to
find the best way to organize all the related files for view
management. I'm curious how others have done it so I can improve on
my current system. We currently only have 4 views, but we're looking
at needing m
Hi all,
I'm charged with building a geographically distributed application,
and I'm having a lot of trouble finding a good DNS server we can use
with Windows. Historically I've always run our applications on Cent
OS, but for this project we're using Windows as it's the existing
infrastr
I've got a monitoring script in place that does an rndc stats and
parses the output, then graphs it for me nicely.
Yesterday I needed to flush the cache on a number of my servers, and I
saw a big spike in queries recorded by the server in the "success"
category. The spike was about 40% more than t
back up. Again, it adds complexity, but it doesn't necessarily add an
attack vector, nor a sysadmin task. I am sure there are drawbacks to
idea, but there are benefits. If only I were a programmer ...
Cheers,
Todd.
The problem with this approach is when you are running a couple thousand
servers - suddenly, you are running a couple thousand more instances of BIND
that need monitoring/patching/care/feeding.
A more clever resolver, or a simpler caching setup locally would be ideal.
Otherwise, you could redo
ically.
The other nice thing about putting this all into a DB is that you can
look back and get historical stats quite easily.
Look at tools like rrd/cacti for graphing, and we've been using perl for
the monitoring stuff.
Not quite as simple as looking for log lines, but all pretty easy
verify my changes?
Cheers,
Todd.
Please ignore me - I realized too late that someone else was installing
BIND as I was compiling, and that created the directory I was seeing.
I realize now that BIND wouldn't be creating this ... it was silly of me
to assume that.
Cheers,
Todd.
e, I'm not much of a developer, and I'm not really familiar with
the processes.
I'm guessing that there must be a way to change this, as everything is
just makefiles/source at compile time, but I am not sure
ave up trying.
We cannot reload named on the box right now, so I am looking to see if
anyone has suggestions about what might be causing this, and/or ways to
resolve it without restarting the named daemon.
Thanks in advance,
Todd.
cleaned up?
Thanks,
Todd.
Checkout the "transfer-source" directive for the transfers, and the
"notify-source" directive. I've not used the latter, so I'm not exactly
sure if it fits, but I expect that it will.
DNS and BIND @Google Books is a useful reference:
http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=
Thanks very much for the help - I was having a brain issue! That is
much simpler than I was trying to devise.
Thanks to Andy as well.
Cheers!
Todd.
-Original Message-
From: Matthew Pounsett [mailto:m...@conundrum.com]
Sent: Monday, June 01, 2009 3:49 PM
To: Todd Snyder
Cc: bind-users
t direction?
Cheers,
Todd.
Do you have "notify no;" in your config options?
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Michael Di Martino
Sent: Thursday, May 28, 2009 10:17 AM
To: bind-users@lists.isc.org
Subject: Transfer delays
List Members,
I realize this question isn't strictly BIND related, but I am running
BIND, and would like to use BIND to start looking at DNSSEC.
I've spent the better part of today looking around for resources.
I've found a few:
http://www.dnssec-deployment.org/
https://www.ripe.net/projects/disi//dnssec_howto
l DNS configuration, where recursion from the root isn't used.
That seems to be the situation you're in (not able to reach the root)
At least, that is my interpretation of it.
Todd.
nd I'm
getting the behaviour I was looking for - so the server seems to behave
as I thought in "forward first" mode, but not in "forward only" mode.
Has the logic here changed, or am I misinterpreting the book?
Thanks!
Todd.
-Original Message-
From: bind-users
-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Tuesday, May 05, 2009 11:08 AM
To: bind-us...@isc.org
Subject: Delegation or PEBKAC problems?
Good day,
(BIND 9.6.0-P1)
Although, to me, delegation seems like a fairly simple configuration, I
seem to be having problems. What I am trying to do is
irst server, I can talk to the delegated nameserver no
problem. We thought it might be firewall/acl related, but digs confirm
that they can talk directly without problem. They are, logically
speaking, on the same switch, with no firewalls between.
Todd.
now, and I can't see what I've
done wrong. My best guess right now is that we're hitting some oddness
with views/delegation.
Can anyone think of something I've missed? Can anyone clarify my view
of delegation?
Thanks,
Todd.
or
allow-transfers { acl1; acl2; };
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jonathan
Petersson
Sent: Thursday, April 09, 2009 3:20 AM
To: Jeff Pang
Cc: Bind Mailing
Subject: Re: about allow-transfer
allow-transfer
> I agree with Rick Dicaire that this should not be done as a zone at
all.
> Instead, this should be implemented in rndc. I do agree with the
premise that it
> would be nice to be able to have a list of all zones on the server.
I would tend to agree that rndc is the best place for it, except in
>BIND already creates an internal view "_bind" with class CH to contain
the zones version.bind, hostname.bind, authors.bind, etc. I was thinking
in >terms of zones.bind living there as well.
>Of course there's the barber-shaving question: should zones.bind
contain an entry describing itself?
You say "my" DNS servers - if you own them, why not just look at the
named.conf? "grep zone named.conf" should tell you pretty quickly.
If you are using external hosting, you will need to talk to your
provider. They should be able to provide you a list.
t.
This was a slave server hitting a master. Both were hitting the same
master in this case.
Cheers,
Todd.
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Wednesday, March 25, 2009 8:45 PM
To: comp
d the data in Concord (etc) if
you wanted to be able to generate alerts.
As for your error, it looks like that client is trying to update the
zone with a record that already exists.
Cheers,
Todd.
I am looking for a clever way to do the new serial number. Date will do
the first bit no problem (date +%Y%m%d), but I'd love to find a clever
way to auto increment the last 2 digits unless it's a new day. Then I
could use the same script every time.
/puts on thinking cap.
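One way to do the "increment unless it's a new day" serial, as an added example (my script, not code from the list post): `next_serial` computes the next YYYYMMDDnn value and `bump_zone_serial` rewrites it in place. It assumes a file layout convention of my own, not BIND's: the serial sits alone on a line ending with the comment "; serial".

```shell
#!/bin/sh
# Added example, not code from the list post. next_serial gives the next
# YYYYMMDDnn serial; bump_zone_serial rewrites it in a zone file. Assumed
# convention (mine, not BIND's): the serial sits alone on a line that ends
# with the comment "; serial".
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case "$cur" in
        ''|*[!0-9]*) echo "next_serial: '$cur' is not numeric" >&2; return 1 ;;
    esac
    if [ "${#cur}" -eq 10 ]; then
        curday=$(printf '%s' "$cur" | cut -c1-8)
        n=$(printf '%s' "$cur" | cut -c9-10)
        n=${n#0}                            # "07" -> "7" (avoids octal), "10" stays
        if [ "$curday" -lt "$today" ]; then
            echo "${today}01"; return 0     # new day: counter restarts at 01
        elif [ "$curday" -eq "$today" ] && [ "$n" -lt 99 ]; then
            printf '%s%02d\n' "$today" $((n + 1)); return 0
        fi
    fi
    # Counter exhausted, serial ahead of today (clock skew), or a non-date
    # serial: plain +1 still satisfies the one hard rule, that it must grow.
    echo $((cur + 1))
}

# Print the serial currently in the zone file given as $1.
zone_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# Replace the serial in zone file $1 (optional $2 = YYYYMMDD standing in for today).
bump_zone_serial() {
    zf=$1
    old=$(zone_serial "$zf")
    [ -n "$old" ] || { echo "no '; serial' line in $zf" >&2; return 1; }
    new=$(next_serial "$old" "$2") || return 1
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$zf" > "$zf.tmp" &&
        mv "$zf.tmp" "$zf" && echo "$new"
}

# Demo on a constructed zone file (sample data, not a real zone).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/example.com.zone" <<'EOF'
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2009032001 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        300 )      ; minimum
    IN NS  ns1.example.com.
ns1 IN A   192.0.2.1
EOF
    bump_zone_serial "$tmp/example.com.zone" 20090320    # same day -> 2009032002
    bump_zone_serial "$tmp/example.com.zone" 20090321    # next day -> 2009032101
    if command -v named-checkzone >/dev/null 2>&1; then  # syntax-check if BIND tools are installed
        named-checkzone example.com "$tmp/example.com.zone"
    fi
    rm -rf "$tmp"
}
if [ "${1-}" = demo ]; then demo; fi
```

Run it as `sh serial.sh demo` to see the two bumps on the sample zone.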
-Original Message
ng that jumps out at me to
explain this behaviour. Am I misunderstanding the serials?
Thanks,
Todd.
verify that zones
are available on the slaves, they need to take the automatic empty zones
into consideration if they are using different versions of BIND.
Sorry if I caused confusion.
Todd.
e safe.
t.
-Original Message-
From: John D. Vo [mailto:j...@eagle.net]
Sent: Friday, March 20, 2009 3:27 PM
To: Todd Snyder
Cc: bind-users@lists.isc.org
Subject: Re: number of zones not matching
Yes, Todd. 9.2.2.
Todd Snyder wrote:
> I had to do this a couple times lately .. this is the simples
I had to do this a couple times lately .. this is the simplest way I've
found. It's not elegant or nifty, but it works.
on the master:
grep zone named.conf | awk '{print $2}' | sort > master.zones
on the slave:
grep zone named.conf | awk '{print $2}' | sort > slave.zones
get the files on the sa
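A slightly more robust version of the master/slave zone comparison above, as an added example (my script, not code from the list post): `list_zones` strips `//` and `#` comments, handles an optional class after the name and normalises case, and `zones_only_in` reports what one side has that the other lacks, which is where the automatic empty zones mentioned earlier show up when the two servers run different BIND versions. It does not follow `include` statements or `/* */` comments.

```shell
#!/bin/sh
# Added example, not code from the list post. list_zones pulls zone names out
# of a named.conf-style file (quoted names, optional class, // or # comments;
# not /* */ blocks or include files). zones_only_in prints names present in
# the first file but not the second.
list_zones() {
    sed -e 's,//.*$,,' -e 's/#.*$//' "$1" |
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "zone") { name = $(i + 1); gsub(/"/, "", name); print tolower(name) } }' |
    LC_ALL=C sort -u
}

zones_only_in() {
    a=$(mktemp) b=$(mktemp)
    list_zones "$1" > "$a"
    list_zones "$2" > "$b"
    LC_ALL=C comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Demo with two constructed config fragments (sample data, not real servers).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/master.conf" <<'EOF'
// master named.conf
zone "example.com" { type master; file "db.example.com"; };
zone "EXAMPLE.NET" IN { type master; file "db.example.net"; }; # note the case
zone "." { type hint; file "named.root"; };
EOF
    cat > "$tmp/slave.conf" <<'EOF'
zone "example.com" { type slave; masters { 192.0.2.1; }; file "sl.example.com"; };
zone "." { type hint; file "named.root"; };
zone "10.in-addr.arpa" { type master; file "empty"; };   # e.g. an automatic empty zone
EOF
    echo "on master but not slave:"; zones_only_in "$tmp/master.conf" "$tmp/slave.conf"
    echo "on slave but not master:"; zones_only_in "$tmp/slave.conf" "$tmp/master.conf"
    rm -rf "$tmp"
}
if [ "${1-}" = demo ]; then demo; fi
```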
reconfig and it
rejects some lines, but loads the ones that work. I'd like to be able
to dump the running config (like sh run).
Cheers,
Todd.
ed, 25 Feb 2009 09:20:52 -0500,
> Todd wrote:
>
>> My apologies again, you are correct. I ran a named -v on the boxes,
>> forgetting that we were directly calling bind in a non-path. We are
>> in fact using 9.4.2-P2 on everything, patched to protect against
>> kaminsk
t; At Tue, 24 Feb 2009 15:10:36 -0500,
> Todd wrote:
>
>> The servers in question are running a mix of BIND versions .. 9.2.3,
>> 9.2.4, 9.3.2, 9.3.4, 9.4.1, 9.4.2-p2, the majority are 9.3.4 and
>> 9.4.2-P2
>
> Then are confused somehow. Among above, the only version
, unfortunately the majority of our infrastructure)
upgraded to protect against this.
Are there any suggestions that anyone can provide to mitigate against
this coming up until such a time that we can upgrade?
Thank you,
Todd.
On Tue, Feb 24, 2009 at 11:01 PM, JINMEI Tatuya / 神明達哉
wrote:
> At Tue, 24
I see there is a "files" directive for named.conf - does it
override/set the OS files limit, or if I set it to 5000, and the OS
says 256, am I stuck at 256?
On Tue, Feb 24, 2009 at 3:10 PM, Todd wrote:
> My apologies - that was silly of me.
>
> The servers in question are ru
500,
> Todd wrote:
>
>> We ran into an issue this morning with some caching DNS servers. One
>> of the zones we heavily rely on was having DNS issues, which appears
>> to have been causing very slow responses to us. The servers in
>> question handle about 500queries/secon
Good day,
We ran into an issue this morning with some caching DNS servers. One
of the zones we heavily rely on was having DNS issues, which appears
to have been causing very slow responses to us. The servers in
question handle about 500 queries/second.
These particular servers are configured wit
t.
At any rate, now you know. SecureCRT (tty = vt100) and bind don't play
nice.
Cheers,
Todd.
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Monday, February 02, 2009 11:59 AM
To: bind-us...@is
a user has had success
using an xterm, but me and others are using SecureCRT and have problems.
Can anyone say what this error actually means? We're a little stumped
at what's going on.
Thanks!
Todd.
ndicate that the authority overrides the delegation,
but I wanted to see if I was correct. Will it always override? Is this
a bad configuration? Will it cause any problems along the way?
Or am I wrong about how all this works altoge
impression that over 512 wasn't
allowed, but there it is ...
I could very well be completely messed up regarding the rules, so please
forgive my ignorance. If you know my answer is in TFM, please batter me
about the head and tell me which FM at lea
If you don't host any zones on the server, then it would always recurse, no?
The server will always answer for zones it's authoritative for, as far as my
understanding.
You might need to explain more about your configuration/desired outcome than you
currently have.
Todd.
om"
That's how I've worked around the caching issue. I also set the TTL on
the * record to be 1 second, to ensure that I don't hit any cache.
Cheers,
Todd.
>
> If you're referring to your local system's cache, you can bypass this
> by specifying a DNS ser
able to find
information about this behaviour in the book(s).
Merci!
Todd.
From: Ben Croswell [mailto:ben.crosw...@gmail.com]
Sent: Thursday, December 11, 2008 5:15 PM
To: Todd Snyder
Cc: bind-us...@isc.org
Subject: Re: recursion for reverse/in-addr.arpa
figure out why the server behaves
differently for reverse zones than it would for forward zones.
Cheers,
Todd.
--
Todd Snyder
Data Networks Tools
bb.226.338.2617
Always On, Always Connected.
Try the "listen-on" directive.
Read more here:
http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=frontcover&dq=
dns&ei=dA-3SJ7XEaWijgG7v4Qw&hl=en&sig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q
#PPA270,M1
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J
t couldn't. However, it would fill up the
queue with requests to the servers it couldn't reach, and not use the
servers it could reach. Is there any way to modify this behaviour?
Thanks very much for the help,
Todd.
--