Re: NXDOMAIN Analysis

2022-12-06 Thread Darren Ankney
The answers to both questions can probably be answered by logs (possibly a slightly different config than my example below). Have a look at the manual for logging: https://bind9.readthedocs.io/en/v9_18_9/reference.html#logging-block-definition-and-usage My guess is that you can gain insight to both

Re: NXDOMAIN processing

2021-04-27 Thread Grant Taylor via bind-users
On 4/26/21 2:45 PM, bamberg2000 via bind-users wrote: Hi! Hi, BIND 9.11.5, I forward the request ("forward zone" or global "forward first") to another server and I get NXDOMAIN. Is it possible to process NXDOMAIN other than "redirect zone"? I just want to repeat the request to another for

Re: NXDOMAIN processing

2021-04-27 Thread Matus UHLAR - fantomas
On 26.04.21 20:45, bamberg2000 via bind-users wrote: BIND 9.11.5, I forward the request ("forward zone" or global "forward first") to another server and I get NXDOMAIN. Is it possible to process NXDOMAIN other than "redirect zone"? I just want to repeat the request to another forwarder. It's

Re: NXDOMAIN problems

2020-11-17 Thread G.W. Haywood via bind-users
Hi there, On Tue, 17 Nov 2020, Boylan, Ross wrote: I have been experiencing NXDOMAIN errors ... ... There are a lot of complications. ... The remote machine is only accessible through VPN ... the nameserver ... is also accessible only through VPN ... The VPN connection has always been a bit to

Re: NXDOMAIN problems

2020-11-16 Thread Matus UHLAR - fantomas
On 17.11.20 05:41, Boylan, Ross wrote: One other detail may be important: I just added a bridge interface and virtual machines. I presume the VPN tunnel was using the hardware interface (enp5s0) before, and is using the bridge (br0) now. OpenConnect creates the tunnel (tun0); both the name and

Re: NXDOMAIN problems

2020-11-16 Thread Matus UHLAR - fantomas
On 16.11.20 22:58, Boylan, Ross wrote: I have been experiencing NXDOMAIN errors persistently, though not 100% of the time, for a machine I am trying to reach. The queries worked OK before today. I not only don't know what's causing it, but am having trouble tracing what's going on inside of bin

Re: NXDOMAIN problems

2020-11-16 Thread Ondřej Surý
Ross, I don’t have an answer for you what’s happening, but it would help you with the debugging if you see what happens on the wire? Using wireshark is usually helpful. Also reviewing named.conf after you made the networking change might help and sharing the anonymized named.conf might trigger

Re: NXDOMAIN problems

2020-11-16 Thread Boylan, Ross
One other detail may be important: I just added a bridge interface and virtual machines. I presume the VPN tunnel was using the hardware interface (enp5s0) before, and is using the bridge (br0) now. OpenConnect creates the tunnel (tun0); both the name and inspection of the code indicate the tu

RE: NXDOMAIN but still get it...

2016-08-03 Thread Darcy Kevin (FCA)
nslookup sucks. What’s most likely happening is: · On your initial query, some sort of transient error is occurring while trying to resolve centos.mirror.iweb.ca, e.g. a timeout, a misconfigured server returning SERVFAIL, a delegated server not being authoritative, etc. · nsloo

Re: nxdomain

2013-08-29 Thread Noel Butler
Barry, On Thu, 2013-08-29 at 16:16 -0400, Barry Margolin wrote: > In article , > Noel Butler wrote: > > > replying to ones self a few times in one day or a sign I need a break.. > > but... > > > > I think the issue is this > > > > Trying "www.undernet.org" > > Received 34 bytes from 198.147.

Re: nxdomain

2013-08-29 Thread Barry Margolin
In article , Noel Butler wrote: > replying to ones self a few times in one day or a sign I need a break.. > but... > > I think the issue is this > > Trying "www.undernet.org" > Received 34 bytes from 198.147.21.12#53 in 348 ms > Trying "www.undernet.org.ausics.net" > Using domain server: > >

Re: nxdomain

2013-08-29 Thread Nick Edwards
Good Morning, Wow, all these messages, as other posters have pointed out to me, dig shows what I wanted to see, REFUSED, only host shows NXDOMAIN and from other posts I see why I am getting that result, so in the end it's all just a false alarm, my servers are doing the right thing, so I can rest ea

Re: nxdomain

2013-08-29 Thread Chris Thompson
On Aug 29 2013, Mark Andrews wrote: The fix will be to only go onto the next element of the search list on nxdomain. Searches really should stop on REFUSED, SERVFAIL, NOERROR, NOTIMP. Regardless of the stopping rule, host and nslookup ought to display the FQDN they are claiming to get (say) a

Re: nxdomain

2013-08-29 Thread Mark Andrews
The fix will be to only go onto the next element of the search list on nxdomain. Searches really should stop on REFUSED, SERVFAIL, NOERROR, NOTIMP. You move onto the next nameserver on REFUSED, SERVFAIL, NOTIMP. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61

Re: nxdomain

2013-08-28 Thread Noel Butler
Yeah, I went out for a bit, came back and fresh, decided to take another look, I got no further than looking at my own confs and it clicked this was an old bug, that _was_ fixed... I've updated my RT entry to reflect that. On Thu, 2013-08-29 at 07:47 +0100, Steven Carr wrote: > I think the short

Re: nxdomain

2013-08-28 Thread Steven Carr
I think the short answer is don't use the host command, always use dig. Not sure how to find the version of host (none of the usual -V -v -h flags seem to work with it) but on my system (OS X 10.8) host returns refused for the same query... sjcarr@elmo:~ $ host www.undernet.org. ns1.ausics.net Us

Re: nxdomain

2013-08-28 Thread Noel Butler
replying to ones self a few times in one day or a sign I need a break.. but... I think the issue is this Trying "www.undernet.org" Received 34 bytes from 198.147.21.12#53 in 348 ms Trying "www.undernet.org.ausics.net" Using domain server: Host www.undernet.org not found: 3(NXDOMAIN) it comes do

Re: nxdomain

2013-08-28 Thread Noel Butler
On Thu, 2013-08-29 at 11:52 +1000, Noel Butler wrote: > Hey Mark, > > Looks like it might be a bug, *BUT* a client utils bug, so I think > his server is likely fine, he's panicking over what's reported not > what's actually going on, I'm sure it's not the intended response to > display so I've j

Re: nxdomain

2013-08-28 Thread Noel Butler
Hey Mark, Looks like it might be a bug, *BUT* a client utils bug, so I think his server is likely fine, he's panicking over what's reported not what's actually going on, I'm sure it's not the intended response to display so I've just added bug rep on it, if you disagree, you can always nuke it :)

Re: nxdomain

2013-08-28 Thread Mark Andrews
In message , Nick Edwards writes: > Mark, > > On 8/29/13, Mark Andrews wrote: > > > > In message > > > > , Nick Edwards writes: > >> The typos was more of how I came about my request, forget the typo as > >> such, it the actual answer, to use a more common well known name, if > >> I type > >>

Re: nxdomain

2013-08-28 Thread Nick Edwards
Mark, On 8/29/13, Mark Andrews wrote: > > In message > > , Nick Edwards writes: >> The typos was more of how I came about my request, forget the typo as >> such, it the actual answer, to use a more common well known name, if >> I type >> >> ~$ host www.undernet.org ns1 >> Using domain server: >

Re: nxdomain

2013-08-28 Thread Mark Andrews
In message , Nick Edwards writes: > The typos was more of how I came about my request, forget the typo as > such, it the actual answer, to use a more common well known name, if > I type > > ~$ host www.undernet.org ns1 > Using domain server: > Name: ns1 > > Host www.undernet.org not found: 3(N

Re: nxdomain

2013-08-28 Thread Nick Edwards
The typos was more of how I came about my request, forget the typo as such, it the actual answer, to use a more common well known name, if I type ~$ host www.undernet.org ns1 Using domain server: Name: ns1 Host www.undernet.org not found: 3(NXDOMAIN) Above should be, and I'm darn sure used to b

Re: nxdomain

2013-08-28 Thread Matus UHLAR - fantomas
On 28.08.13 23:13, Nick Edwards wrote: In just testing a few things with our authoritative server, I made a typo, and, much to my surprise the server responds NXDOMAIN to requests from unauthed requesters, this used to return REFUSED, when did this error change? (bind 9.9.3-P2) what typo? --

Re: nxdomain not caching for configured reverse lookup

2013-08-20 Thread sumsum 2000
The use of 7.7.7.7 and 9.9.9.9 was used for testing purpose. This test is to cover the scenario, if I have a reverse lookup which is not configured on 10.212.24.11, I was expecting it to return NXDOMAIN and have it cached. This is not the ideal scenario of usage, but to check the condition, if I

Re: nxdomain not caching for configured reverse lookup

2013-08-20 Thread Matus UHLAR - fantomas
On 20.08.13 15:42, sumsum 2000 wrote: zone "7.7.7.7.in-addr.arpa" IN { type forward; forwarders {10.212.24.11;}; forward only; }; On 20.08.13 21:19, Mark An

Re: nxdomain not caching for configured reverse lookup

2013-08-20 Thread Mark Andrews
The forward zone is not for a zone cut in the DNS tree. As a result the SOA record is above the "zone" and the SOA record gets ignored. In practice almost all forwarded zones match an actual zone so the returned SOA record is accepted. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117,

Re: nxdomain not caching for configured reverse lookup

2013-08-20 Thread sumsum 2000
[root@FF15763 var]# dig -x 7.7.7.7 ; <<>> DiG 9.8.2rc1-RedHat-9.8.2-16.mlos2 <<>> -x 7.7.7.7 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62698 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;7.7.7.7.in-add

Re: nxdomain not caching for configured reverse lookup

2013-08-20 Thread Matus UHLAR - fantomas
On 20.08.13 15:42, sumsum 2000 wrote: zone "7.7.7.7.in-addr.arpa" IN { type forward; forwarders {10.212.24.11;}; forward only; }; and when i do dig -x 7.7

Re: NXDOMAIN redirection in BIND 9.9

2011-10-03 Thread Matus UHLAR - fantomas
On 9/30/2011 6:21 PM, Shawn Bakhtiar wrote: "We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to. The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intrus

Re: NXDOMAIN redirection in BIND 9.9

2011-10-02 Thread Warren Kumari
On Sep 30, 2011, at 7:43 PM, David Miller wrote: > On 9/30/2011 6:21 PM, Shawn Bakhtiar wrote: >> >> "We came to the conclusion that no matter how much we wanted it to not be >> true, people find a way to do NXDOMAIN if they want to. The issue is not >> ours to push, it's between the ISP and t

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread David Miller
On 9/30/2011 6:21 PM, Shawn Bakhtiar wrote: "We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to. The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intr

RE: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Shawn Bakhtiar
ility to arbitrarily redirecting (without redirecting) content. Important part being the sanctioning of. http://en.wikipedia.org/wiki/DNS_hijacking > Date: Fri, 30 Sep 2011 17:15:01 -0400 > From: ow...@nysernet.org > To: mgr...@isc.org > Subject: Re: NXDOMAIN redirection in BIND 9.9 > CC: b

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Bill Owens
On Thu, Sep 29, 2011 at 04:52:10PM -0500, Michael Graff wrote: > I'm happy you read it, and hope to see you at the forum/customer webinar next > week! I'll be speaking, and will bring my fireproof undies. I'm already signed up, but no worries about flaming - at least not from me ;) > We came to

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread michoski
On 9/30/11 10:12 AM, "John Wobus" wrote: > I'm a BIND user who is clamoring to keep such a feature out of BIND. In reality, there are plenty of you (us)... However, as usual (and particularly for anything ruled by committee), a few (often with the most capital) will ruin it for the many. For be

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Warren Kumari
On Sep 30, 2011, at 1:12 PM, John Wobus wrote: >>> . . . both Evan's blog post >>> >>> and the announcement of next week's webinar include NXDOMAIN redirection as >>> the first new feature. I'm really surprised by that -

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread John Wobus
. . . both Evan's blog post and the announcement of next week's webinar include NXDOMAIN redirection as the first new feature. I'm really surprised by that - is this something that BIND users were clamoring for? Yes.

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Jan-Piet Mens
On Fri Sep 30 2011 at 11:50:51 CEST, Hauke Lampe wrote: > > *except that perhaps those who enable this feature will use it as an excuse > > to avoid enabling validation, which would be a very bad result, IMO. . . > > My reading of the docs says that BIND's NXDOMAIN redirections won't > break DNS

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Hauke Lampe
On 29.09.2011 23:06, Bill Owens wrote: > *except that perhaps those who enable this feature will use it as an excuse > to avoid enabling validation, which would be a very bad result, IMO. . . My reading of the docs says that BIND's NXDOMAIN redirections won't break DNSSEC-signed results: "If th

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Hauke Lampe
On 30.09.2011 03:32, 刘明星:) wrote: > How does an ISP use a proxy to filter answers and return whatever they want to > the customer? BIND can do that for you with Response Policy Zones (DNS RPZ). See http://jpmens.net/2011/04/26/how-to-configure-your-bind-resolvers-to-lie-using-response-policy-zone

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread Jan-Piet Mens
> *except that perhaps those who enable this feature will use it as an > excuse to avoid enabling validation, which would be a very bad result +1 +1 A *very* bad result. -JP

Re: NXDOMAIN redirection in BIND 9.9

2011-09-29 Thread SM
At 14:52 29-09-2011, Michael Graff wrote: We came to the conclusion that no matter how much we wanted it to not be true, people find a way to do NXDOMAIN if they want to. The issue is not ours to push, it's between the ISP and the customer ultimately, and people will do it -- and more intrusiv

Re: Re: NXDOMAIN redirection in BIND 9.9

2011-09-29 Thread 刘明星:)
How does an ISP use a proxy to filter answers and return whatever they want to the customer? Mingxing, Liu CNNIC liumingx...@cnnic.cn From: Michael Graff Sent: 2011-09-30 05:52:48 To: owens Cc: bind-users Subject: Re: NXDOMAIN redirection in BIND 9.9 On Sep 29, 2011, at 4:06 PM, Bill

Re: NXDOMAIN redirection in BIND 9.9

2011-09-29 Thread Michael Graff
On Sep 29, 2011, at 4:06 PM, Bill Owens wrote: > I've obviously been asleep and not following along with the announcements of > new features in BIND 9.9 until today I'm happy you read it, and hope to see you at the forum/customer webinar next week! I'll be speaking, and will bring my fireproof