Ok. And what are your observations?
Or do you expect us to debug your issue and interpret the outputs you send here
for you?
As a side note, the rndc outputs you are pasting into your emails are mostly
useless to debug memory issues.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and y
I’ve been running for 12+ hours with a max-cache-size of 256M (since I’m on a
machine with 2GB that does a lot of data reduction as it’s a honeypot firewall).
This is what I’ve collected.
+++ Statistics Dump +++ (1749514002)
++ Incoming Requests ++
203077 QUERY
12014
I take it back, it does at the beginning of the manual.
It would be helpful if all references to had links back to the
explanation.
Odd that when you specify a percentage the effective amount is logged by named,
but when you specify an absolute amount it’s not.
> On Jun 8, 2025, at 10:46 P
Actually it does
https://bind9.readthedocs.io/en/v9.20.9/reference.html#term-sizeval
-- Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
> On 9 Jun 2025, at 06.47, Philip Prindeville via bind-users
> wrote:
>
> I read:
>
> https://bind9.readthedocs.io/en
I read:
https://bind9.readthedocs.io/en/v9.20.9/reference.html#namedconf-statement-max-cache-size
and it doesn’t explain the notation for .
> On Jun 8, 2025, at 10:39 PM, Ondřej Surý wrote:
>
> What if you actually read the manual that I sent you - syntax of sizeval is
> explained there.
>
What if you actually read the manual that I sent you - syntax of sizeval is
explained there.
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 9. 6. 2025, at 6:34, Philip Prindevi
Maybe GB is the only unit it groks.
Jun 8 22:31:52 OpenWrt named[19145]: /etc/bind/named.conf:42: expected integer
and optional unit or percent near ‘1536MB’
Nope:
Jun 8 22:32:48 OpenWrt named[19609]: /etc/bind/named.conf:43: expected integer
and optional unit or percent near ‘2GB'
> On
It does have the effect.
Also there’s BIND 9 ARM at https://bind9.readthedocs.io/en/v9.20.9/
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
> On 9. 6. 2025, at 6:20, Philip Prinde
Jun 8 22:22:10 OpenWrt named[15142]: /etc/bind/named.conf:42: expected integer
and optional unit or percent near '1638MB'
> On Jun 8, 2025, at 10:17 PM, Ondřej Surý wrote:
>
> Yes, there's no math involved, it just honors the limit.
>
> FTR you can also say:
>
> max-cache-size 2GB;
>
> You
I’ll try to get a smoking gun.
How do you configure an explicit number of bytes with max-cache-size?
The manpage says:
max-cache-size ( default | unlimited | | );
but doesn’t explain the syntax of “sizeval”.
I tried “1638M” but that doesn’t seem to have an effect.
> On Jun 8, 2025, at 10
Yes, there's no math involved, it just honors the limit.
FTR you can also say:
max-cache-size 2GB;
You don't have to specify it to the last byte.
Ondrej
--
Ondřej Surý (He/Him)
ond...@isc.org
My working hours and your working hours may be different. Please do not feel
obligated to reply outsi
I don't see anything wrong with the memory in the attached file - 13MB doesn't
seem to be causing any havoc.
And it roughly matches what I am seeing here with fresh named instance on
64-bit machine:
$ smem -P name[d]
PID User Command Swap USS PSS RSS
Odd. I tried:
max-cache-size 1717986918;
and restarted and I don’t see anything in the logs about it. But I did when I
used a percentage.
> On Jun 8, 2025, at 10:02 PM, Ondřej Surý wrote:
>
> The 1.7GB is what the system is reporting. That’s why I asked as I’ve seen
> OpenWRT repo
The 1.7GB is what the system is reporting. That’s why I asked as I’ve seen
OpenWRT reporting weird or no values before.
171MB cache is a little on the low side and negative effects from overmem LRU
cleaning are going to hurt the performance.
I would suggest to set a fixed size for the cache - 1.6G
This is on an embedded system, i.e. a 4-core AMD64 low-power machine with 16GB
of memory, that uses 2GB of that as a tmpfs.
90% would cripple the system. I’m going to try 10% (after all, it’s only doing
name service for 200 machines, maybe 450 RRs, and more than half of the
machines are IoTs t
Working on it:
https://github.com/openwrt/packages/pull/26721
Here’s my statistics-channel output:
named-stats.xml
Description: XML document
> On May 18, 2025, at 10:30 PM, Ondřej Surý wrote:
>
> Well, you’ve provided basically nothing as leads, so it is hard to tell
> what’s going on w
Does the named report proper max-cache-size into the log when starting?
Something like:
'max-cache-size 90%' - setting to 86522MB (out of 96136MB)
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your
> On Jun 8, 2025, at 3:07 PM, Philip Prindeville via bind-users
> wrote:
>
>
>
>> On May 21, 2025, at 3:38 PM, Ben Scott wrote:
>>
>> - Original Message -
>>> From: "Philip Prindeville via bind-users"
>>> To: "bind-users"
>>> Sent: Sunday, May 18, 2025 5:20:59 PM
>>> Subject: Sig
> On May 21, 2025, at 3:38 PM, Ben Scott wrote:
>
> - Original Message -
>> From: "Philip Prindeville via bind-users"
>> To: "bind-users"
>> Sent: Sunday, May 18, 2025 5:20:59 PM
>> Subject: Significant memory usage
>
>> What I’ve noticed is that at startup I’m using about 33K pages
> On May 21, 2025, at 3:38 PM, Ben Scott wrote:
>
> - Original Message -
>> From: "Philip Prindeville via bind-users"
>> To: "bind-users"
>> Sent: Sunday, May 18, 2025 5:20:59 PM
>> Subject: Significant memory usage
>
>> What I’ve noticed is that at startup I’m using about 33K pages
Hi Luca,
This is correct: dnssec-validation auto; If you use "yes" there, then
you must supply a trust anchor. Auto is the default.
The only idea I have is this:
zone "." IN {
type hint;
file "named.ca";
};
You don't need this anymore. BIND 9.18 will automatically find the
root zones starting
On 04/06/2025 18:50, Greg Choules wrote:
The help text for delv says you can specify a source using -b, the
same as you can with dig:
Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] [q-class]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [defaul
On 6/5/25 06:50, Sahil Sharma D via bind-users wrote:
*_Use case:_*
Trying to load 120M identifier of length 15 digit which will load in
zone using nsupdate in a batch of 1000.
A file created having 120M identifier and sent to nsupdate in a batch of
1000 to add identifier in bind.
_Befo
The help text for delv says you can specify a source using -b, the same as
you can with dig:
Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] [q-class]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [default: in]
q-type is one of (a,any,mx,
Hi Stace.
The transport protocol used to ask the question is (or should be)
independent of the question being asked. So in this case asking for a
PTR record for an IPv6 address wouldn't change whether IPv4 or IPv6 is
used to make the recursive queries.
I've done a bit more testing on this, a
On 03/06/2025 22:06, Petr Špaček wrote:
I've created
https://gitlab.isc.org/isc-projects/bind9/-/issues/5351
so we can improve logging. Your input on what sort of information is
useful would be much appreciated.
Thanks very much for that. I've added a comment. :-)
--
Visit https://lists.isc.or
On 6/3/25 11:29, Nick Tait wrote:
On 02/06/2025 23:30, Petr Špaček wrote:
In short, with an empty cache, BIND will exceed pre-configured limit
on number of queries it can do. This is protection from various
attacks which misuse DNS to attack itself.
Thanks for the explanation!
This particula
On 6/3/25 12:06, Petr Špaček wrote:
On 6/3/25 11:29, Nick Tait wrote:
On 02/06/2025 23:30, Petr Špaček wrote:
In short, with an empty cache, BIND will exceed pre-configured limit
on number of queries it can do. This is protection from various
attacks which misuse DNS to attack itself.
Thanks
On 3 Jun 2025, at 10:29, Nick Tait via bind-users wrote:
> But I also noticed that delv only makes A queries (not ), and even if I
> specify "-6" on the command-line it makes no difference?
Have you tried using an IPv6 address with the -x option?
delv -x :::45.90.5.195 +ns +qmin +maxque
On 02/06/2025 23:30, Petr Špaček wrote:
In short, with an empty cache, BIND will exceed pre-configured limit
on number of queries it can do. This is protection from various
attacks which misuse DNS to attack itself.
Thanks for the explanation!
This particular recursive query doesn't seem espe
On 6/2/25 12:01, Nick Tait via bind-users wrote:
I can reproduce the issue by clearing the BIND cache, and then running the
following DIG command, to attempt a reverse DNS lookup of 45.90.5.195
On 6/2/25 12:54, Carlos Horowicz via bind-users wrote:
The problem seems related to "No zone cut at
Hi
The problem seems related to "No zone cut at 90.45.in-addr.arpa." ,
shouldn't trigger a SERVFAIL with qname-minimisation relaxed
This is strange, because the intermediate response has a SOA , and NSEC
seems enough to fail-over to qname-minimisation off .. it seems you're
forced to set the
Hi Jeremy
Thanks for the Link
> Can you share an example here of the NAPTR or SRV query resulting in
> Additional section records?
The additional sections make sense to me, they avoid further A/
lookups but I suspect they might be the cause for the crashes of small
memory CPE's. I have one
> To further dig into that direction, I was asking Google if there is a
> bind setting to limit or disable the sending of additional RR with an
> answer but could not find such a setting.
>
> * Is there such a setting?
See minimal-responses in the ARM
https://bind9.readthedocs.io/en/stable/refere
On Saturday, May 24, 2025 3:53:57 AM CEST Fred Morris wrote:
> On Fri, 23 May 2025, Grant Taylor via bind-users wrote:
> > I don't think there is anything that I would describe that way. But there
> > may be some rate limiting option(s) that you could use to at least cripple
> > using DNS queries
On 5/23/25 8:53 PM, Fred Morris wrote:
If you fail in an outright, reproducible, measurable fashion you give
your opponent predictability and confidence. As a defender you want to
undermine that and look like an under-resourced, poorly administered
network that somehow, we don't know exactly ho
On Fri, 23 May 2025, Grant Taylor via bind-users wrote:
On 5/22/25 9:23 AM, Karol Nowicki via bind-users wrote:
Does ISC Bind software by native has any dns tunneling prevention embedded
?
I don't think there is anything that I would describe that way. But there
may be some rate limiting
On 5/22/25 9:23 AM, Karol Nowicki via bind-users wrote:
Does ISC Bind software by native has any dns tunneling prevention
embedded ?
I don't think there is anything that I would describe that way. But
there may be some rate limiting option(s) that you could use to at least
cripple using DNS
an you tell me the error message? I would not expect the zone stopping
> from loading, but it's hard to tell without full configuration.
>
> Note that when switching, signatures and NSEC records from the dynamic
> zone would be removed and moving to inline-signing requires a full
>
On Thursday, May 22, 2025 4:23:05 PM CEST Karol Nowicki via bind-users wrote:
> Does ISC Bind software by native has any dns tunneling prevention embedded?
> Thanks
BIND on its own does not do this. Assuming that you are running it on a LAN as
a resolver meanwhile, you can make it the only thing
On Thursday, May 22, 2025 4:23:05 PM CEST Karol Nowicki via bind-users wrote:
> Does ISC Bind software by native has any dns tunneling prevention embedded?
> Thanks
BIND on its own does not do this. Assuming that you are running it on a LAN as
a resolver meanwhile, you can make it the only thing
No. This is not a thing regular DNS servers do.
-- Mark Andrews
On 23 May 2025, at 00:23, Karol Nowicki via bind-users wrote:
Does ISC Bind software by native has any dns tunneling prevention embedded ? Thanks
Sent from Yahoo Mail for iPhone
-- Visit https://lists.isc.org/mailman/listinfo/bind-users
On 22.05.2025 at 14:23:05, Karol Nowicki via bind-users wrote:
> Does ISC Bind software by native has any dns tunneling prevention
> embedded ?
Please give more info what you want to accomplish.
> Sent from Yahoo Mail for iPhone
Please configure your mail software not to include such lines.
Sure. Your decision, of course. But any network application is only going
to work if the underlying network supporting it doesn't do silly things
with its traffic.
On Thu, 22 May 2025 at 15:23, wrote:
> Thank you for all your assistance. I have made the decision to
> decommission Bind9 and insta
Thank you for all your assistance. I have made the decision to
decommission Bind9 and install Unbound in its place. There seem to be a
lot more configuration options that might help me with the problems I am
having. Problems I never had with Windows Server 2003.
Thanks anyway and take care of
On 5/21/25 23:38, Ben Scott wrote:
What I’ve noticed is that at startup I’m using about 33K pages as the VSZ (per
top on x86_64 hardware).
VSZ (virtual size) just counts the number of virtual memory pages associated
with the process in some way. That includes RAM, but also memory mapped fi
- Original Message -
> From: "Philip Prindeville via bind-users"
> To: "bind-users"
> Sent: Sunday, May 18, 2025 5:20:59 PM
> Subject: Significant memory usage
> What I’ve noticed is that at startup I’m using about 33K pages as the VSZ (per
> top on x86_64 hardware).
VSZ (virtual size
ll without full configuration.
Note that when switching, signatures and NSEC records from the dynamic
zone would be removed and moving to inline-signing requires a full
re-sign of the zone.
- Matthijs
I assume I could freeze, sync, clean DNSSEC records in the file, and
reload with inline-signin
From the correct alias this time!
On Mon, 19 May 2025 at 22:46, Greg Choules
wrote:
> Your router (or your ISP behind it) is losing a lot of traffic. Here is a
> timeline of frames with explanations of each, which would have been so much
> simpler if you hadn't tried to hide your actual address
Well, you’ve provided basically nothing as leads, so it is hard to tell what’s
going on with just output of named -V.
I would suggest to recompile named with jemalloc enabled and then use jemalloc
profiling to see where the memory goes.
See https://www.isc.org/blogs/2023-BIND-memory-management-
On 18.05.2025 19:53, bi...@clearviz.biz
wrote:
I include it because all of the packets
seem to have the same problem (the router attempts a ping to my
main server (ending in octet ".10"), which it claims the host is
unreachable. Not sure why tha
Crist Clark wrote:
> Tired of looking at the log messages warning me that inline-signing
> will be the default in 9.20. I want to convert my 9.18 to using
> inline-signing. Right now all of the zones use dnssec-policy and are
> dynamic.
My experience was that it was best to do bu
Preposterous. PREPOSTEROUS!!!
Expect no meaningful response other than that, not from here. Such a high horse
mentality, utterly diabolical!
Michael De Roover
> On 16 May 2025, at 03:53, akritrim® Intelligence™
> wrote:
>
> i didn’t receive your reply but saw this on lists archive so replyi
Benny Pedersen via bind-users wrote on 2025-05-15 20:42:
Matus UHLAR - fantomas wrote on 2025-05-15 17:04:
turn off QNAME minimisation on DNS servers used by mailservers for
DNSBL/DNSWL checks.
make a better rbldnsd that support qname :)
or dump zone from rbldnsd to bind.zone, the bind zon
Matus UHLAR - fantomas wrote on 2025-05-15 17:04:
turn off QNAME minimisation on DNS servers used by mailservers for
DNSBL/DNSWL checks.
On 15.05.25 20:42, Benny Pedersen via bind-users wrote:
make a better rbldnsd that support qname :)
or dump zone from rbldnsd to bind.zone, the bind zone c
On 5/15/25 20:42, Benny Pedersen via bind-users wrote:
Matus UHLAR - fantomas wrote on 2025-05-15 17:04:
turn off QNAME minimisation on DNS servers used by mailservers for
DNSBL/DNSWL checks.
make a better rbldnsd that support qname :)
All it would take to fix it is returning NOERROR inste
i didn’t receive your reply but saw this on lists archive so replying to
you:
Do be aware that Ondrej is a member of ISC, the organization that develops
BIND. He is also one of the maintainers of the Debian release of BIND which
you are using.
Why should i be aware? Is he is a threat or so
Matus UHLAR - fantomas wrote on 2025-05-15 17:04:
turn off QNAME minimisation on DNS servers used by mailservers for
DNSBL/DNSWL checks.
make a better rbldnsd that support qname :)
or dump zone from rbldnsd to bind.zone, the bind zone can be in sqlite
to not be so memory hungry
or report
Thanks, I didn't find this information during my search in archives.
I will disable it.
-Original Message-
From: bind-users On behalf of Matus UHLAR -
fantomas
Sent: Thursday, 15 May 2025 17:02
To: bind-users@lists.isc.org
Subject: Re: long FQDN resolution
On 15.0
I was beaten to it!
It's called QNAME minimisation and is specified here:
https://datatracker.ietf.org/doc/html/rfc9156
In BIND it can be disabled with this statement:
https://bind9.readthedocs.io/en/v9.20.8/reference.html#namedconf-statement-qname-minimization
Hope that helps, Greg
On Thu, 15 M
On 15.05.2025 at 14:31:40, DEMBLANS Mathieu wrote:
> It is problematic for DNSBL requests because it generate a lot of
> useless requests and this kind of service look at the number of
> requests done (usage policy):
Disable qname minimization for that.
--
Regards
Marco
Send unsolicited bul
On 15.05.25 14:31, DEMBLANS Mathieu wrote:
I have a question about mechanism for requests of long subdomains FQDN.
Our DNS, which is in recursive configuration, split long fqdn request with
subdomains requests like :
Original request from the client to our recursive DNS : A a.b.c.d.example.com
On 15.05.25 14:31, DEMBLANS Mathieu wrote:
I have a question about mechanism for requests of long subdomains FQDN.
Our DNS, which is in recursive configuration, split long fqdn request with
subdomains requests like :
Original request from the client to our recursive DNS : A a.b.c.d.example.com
You are running an unsupported BIND 9.18 release. I would start with upgrading
to the latest 9.18 or even 9.20 release. There’s no point in debugging software
that’s missing one year of accumulated bug fixes.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be di
On Mon, 2025-05-12 at 15:20 +0100, Ondřej Surý wrote:
>
> > On 12. 5. 2025, at 15:11, MCBRIDE, DAVID W.
> > wrote:
> >
> > The alternative is to disable the creation of all empty zones
> > entirely with `empty-zones-enable no;`, however, this is
> > unattractive as it will fail broken.
>
> This
> On 12. 5. 2025, at 15:11, MCBRIDE, DAVID W.
> wrote:
>
> The alternative is to disable the creation of all empty zones entirely
> with `empty-zones-enable no;`, however, this is unattractive as it will
> fail broken.
This would be my preferred solution.
> (I can try to ensure that the catalo
ot;Connection Refused" errors. I am gathering
that other devices needing DNS resolutions on the WAP are also failing
similarly. I will analyze accordingly.
Question: What is setting the "timeout" value in re: these
queries, and can I tweak it for a bit more time? Is
Sorry let me try again. I missed your other questions...
On 11/05/2025 17:17, Fred Morris wrote:
BIND insists on addresses bound to interfaces (at least, that's my
contention, based on experience yesterday, which may or may not
reflect some reality which has been manufactured today).
resolved
On 11/05/2025 17:17, Fred Morris wrote:
BIND insists on addresses bound to interfaces (at least, that's my
contention, based on experience yesterday, which may or may not
reflect some reality which has been manufactured today).
resolved uses a loopback address which is not bound to an interfac
BIND insists on addresses bound to interfaces (at least, that's my
contention, based on experience yesterday, which may or may not reflect
some reality which has been manufactured today).
resolved uses a loopback address which is not bound to an interface (at
least that's my experience, which
like the fact that it 'feels' like part of systemd, including
> stuff like:
> o You can specify search domains in your netplan configuration
> (using networkd as the renderer in netplan).
> o The "resolvectl" utility feels like a sibling to the
enderer in netplan).
o The "resolvectl" utility feels like a sibling to the other
systemd utilities like "systemctl", "journalctl", etc.
Nick.
P.S. I hope I'm not (re-) starting some sort of holy war. That is not my
intention, and I'm definitely /
Of course: it's ALWAYS DNS! (Sorry, I had to say that because it's
Saturday. I'll move on.)
Actually in this case I'm pretty sure it /is/ systemd resolved, so yeah it
is kinda DNS because systemd is kinda trying to do DNS.
On Sat, 10 May 2025, Greg Choules via bind-users wrote:
[...] But al
On 10 May 2025, at 4:29, bi...@clearviz.biz wrote:
The resolv.conf file contains:
nameserver 127.0.0.53
search mydomain.net
On a "vanilla" Ubuntu system, the file to which */etc/resolv.conf*
is a symlink contains (in addition to the above) relevant comments,
including the followin
127.anything is valid on the loopback interface as it is a /8. You will
have to add addresses as aliases, but that is easy. Read the man pages
first and check what addresses already exist on lo0. Ubuntu must have
gotten 127.0.0.53 from somewhere.
Get tcpdump and Wireshark working so you can see wha
Hi Arnold,
Be aware that in most configurations /etc/resolv.conf is (re)created
at boot time on configuration of the nic. If the nic is configured
through dhcp, check there for the weird ip address! If it is
configured otherwise, check there.
It might be that the stub file is not overwritten at
On 2025-05-10 02:03, Greg Choules wrote:
@Danilo you are correct, the contents of /etc/resolv.conf are not set
by BIND and BIND itself does not use them. But all applications running
on that machine (including dig, unless you specify @) that
want some kind of name resolution will make OS syste
On 2025-05-10 04:26, Ondřej Surý wrote:
I think there's too many moving parts.
Personally, I would suggest to remove systemd-resolved as a first step
and configure the system to use the configured resolver directly.
Systemd-resolved was disabled a while ago. One of the first things I
did.
I think there’s too many moving parts. Personally, I would suggest to remove systemd-resolved as a first step and configure the system to use the configured resolver directly. However, it is also unclear to me whether the desktop station in question is Linux, Windows and if it is Linux what distribut
@Danilo you are correct, the contents of /etc/resolv.conf are not set by
BIND and BIND itself does not use them. But all applications running on
that machine (including dig, unless you specify @) that want some
kind of name resolution will make OS system calls and then the OS *will*
use what's in r
On 10.05.2025 05:29, bi...@clearviz.biz wrote:
>Also check /etc/resolv.conf and see what address(es) is/are listed as nameservers.
The resolv.conf file contains:
nameserver 127.0.0.53
search mydom
Well, let's put it this way. I have been monitoring the logs
(/var/log/syslog in particular) as well as the separate logs I created
(named.log and query.log). I'm getting a lot of "Connection refused"
errors and a lot of "SERVFAIL" errors in named.log for various sites. I
don't know if the quer
Based on that I'm pretty confident you can remove this as being a general DNS
server issue.
I would not attempt to even change the configuration in bind at this point as
to not introduce more potential changes into your env as doing those tests will
have mostly validated the DNS server is worki
If you’re hobbled by Windows (and ones five years past EOL), I prefer to
fire up PowerShell and use Resolve-DnsName. Also include the -DnsOnly flag.
Have you been looking at the BIND logs?
Also, a BIND installation isn’t going to mess with resolv.conf. That’s
typically managed by the distro’s net
I also suspect it's not BIND, but how the OS is going about resolving
names.
Test your running BIND by using dig (please, not nslookup) @127.0.0.1
[1] for domains you think you are having a problem with.
Should it be @127.0.0.1 or should it be the machine's IP on which the
DNS server is runnin
From the instance with bind running, can you query both your defined
forwarders? Does it work consistently for a variety of domains?
dig @1.1.1.1 isc.org
dig @8.8.8.8 isc.org
Yes, it does. The above two commands work as well as several other
domains I tried, and the response has been immedia
I noted that it appears your internal network is 123.123.123.0/24. This
ip range is assigned globally to a Chinese ISP. This may not be a good
idea.
I agree that using forwarding is not necessary and may introduce some
issues.
And yes, you need to stop using nslookup and use dig instead.
On Saturday, 10 May 2025 01:35:28 CEST Greg Choules via bind-users wrote:
> Third, use tcpdump to capture port 53. Do this to a file, then look at it
> offline in Wireshark. (Michael just beat me to that tip). Check how queries
> are arriving into BIND and what it does with them. Particularly look
Hi.
I also suspect it's not BIND, but how the OS is going about resolving names.
Test your running BIND by using dig (please, not nslookup) @127.0.0.1 for
domains you think you are having a problem with.
Also check /etc/resolv.conf and see what address(es) is/are listed as
nameservers.
Third, use
I get a feeling this is going to be less of a bind issue, and more so some
other configuration issue(s).
From the instance with bind running, can you query both your defined
forwarders? Does it work consistently for a variety of domains?
dig @1.1.1.1 isc.org
dig @8.8.8.8 isc.org
From the cl
On Saturday, 10 May 2025 01:18:17 CEST Michael De Roover wrote:
[...]
I do remember writing a reply that got lost while drafting my previous email,
but I don't remember what exactly it is. I do, however, remember its contents,
somewhat. I'll just rewrite it in reply to.. this, I guess.
You'll wa
On Saturday, 10 May 2025 00:58:25 CEST bi...@clearviz.biz wrote:
> Howdy all!. My name is Arnold, and I'm new to both Bind9 and to the
> Bind user's list. I'm hoping to contribute my findings on the use of
> Bind9. in the future but, for now, I need some help in getting my 1st
> install of Bind 9
Hello Panagiotis
Thank you for your reply and I apologize for my late response. I was
away on vacation.
I was just wondering why the resolver reacts immediately with a server
failure and then continues the recursive resolution in the background.
In the meantime, the client has received an error
I don’t think there was anything wrong with your servers. The log messages
indicate problems with the authoritative servers.
In theory authoritative DNS servers should be able to serve content until the
zone content expires. They should be able to be powered off then rebooted and
continue to se
Also don’t use +short if you want to see the NSID.
From my corner of the internet I get the following.
% dig +nsid version.bind. txt ch @dns4.p08.nsone.net
; <<>> DiG 9.21.3-dev <<>> +nsid version.bind. txt ch @dns4.p08.nsone.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUE
Ondřej Surý wrote:
>> dig +short +nsid version.bind. txt ch @dns4.p08.nsone.net
> This needs to be this: ^^^
> You missed @ and thus you asked your local resolver.
Yes, you are right. Bad on me
I actually have a script that does this, but I transcribed it for posting.
I get:
obiwan-
Thank you, Ondřej!
I'm getting the same answer from all my hosts:
# dig +short +nsid version.bind. txt ch @dns4.p08.nsone.net
"366568643ba5103a1f441fbc3c502ed2eaa0b3d9"
Vincent
On Thu, 1 May 2025, Ondřej Surý wrote:
dig +short +nsid version.bind. txt ch @dns4.p08.nsone.net
This needs to
On Thu, 1 May 2025, Michael Richardson wrote:
Rob McEwen via bind-users wrote:
> I strongly suspect that this was caused (even if indirectly?) by the
MASSIVE
> and many-hours-long power outages in Europe, mainly in Spain and
> Portugal. That started on April 28, 2025, at approximat
Hi Michael,
Thank you so much for chiming in!
My guess is that something is in the way, and it's probably trying to
attack you (or your ISP) with fake replies, but it's doing a bad job.
When I do:
dig +short +nsid version.bind. txt ch dns4.p08.nsone.net
I get:
"9.21.2-1+0~20241120.131+
> dig +short +nsid version.bind. txt ch @dns4.p08.nsone.net
This needs to be this: ^^^
You missed @ and thus you asked your local resolver.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal w