Hi Petr,
great that you mention where to look into the code, I'm not familiar
with it yet. This is certainly what I'm looking for, the search
algorithm for a client IP to find its view. The lab test depends on an
investment in a Supernic (and the appropriate chassis/Motherboard/PCI
architectu
On 25. 08. 24 9:20, Greg Choules via bind-users wrote:
Regarding view selection, I don't know exactly how the code works or how
efficient it is. But certainly I have seen some configs with a lot of
views and they seem to function OK.
Views are matched one by one, you can have a look at functio
Hi Grant.
That doesn't work for zones that then get used in a `response-policy`
block. In this case you *must* define a zone each time; so one (or up to
64) per view/instance of `response-policy`. Test it on your laptop/in a VM.
What this does mean is that (if you are using views) you *could* have
On 8/24/24 07:37, Carlos Horowicz via bind-users wrote:
2. if RPZ records are held in memory, why would an RPZ zone need to be
stored n times if there are n orthogonal views ? That is, why the more
views the more memory needed. Maybe you meant the qpcache, to store
different answers, though I d
Hi there,
On Sat, 24 Aug 2024, Carlos Horowicz wrote:
...
... is there an algorithm in bind9 or out there that quickly maps a
client IP address to a CIDR, e.g. a something like a binary tree
quicksearch ? or balanced red-black tree ?
I don't know if this is going to help, but we use IP to CID
Hi Greg,
thanks for your insights.
Ok so the limit of 64 response policy zones applies to one view.
I wonder, assuming the views are orthogonal (no overlapping of CIDRs, as
in an ISP assigning CIDRs to local loops):
1. is there an algorithm in bind9 or out there that quickly maps a
client I
Hi Carlos.
If you have enough RAM it should be possible to create multiple views, each
with a zone (primary or secondary, up to you) that contains the RPZ data
for that view and a response-policy that uses that zone.
The limit on number of zones is per response-policy block. But if you're
using se
Hi E R.
My short answer would be, don't configure views unless you have a good use
case for them. For example you are running resolvers that have two
different kinds of clients that need to be handled differently - one client
set needs RPZ, the other doesn't. Or something like that.
BIND has views
On 04/19/2017 10:58 AM, Victoria Risk wrote:
We have implemented ECS for recursive queries in 9.10.5-S, the
subscriber preview edition of BIND, which will be released today. For
now, ECS recursion is available only to users with a support contract
with ISC. Development of this feature was a signi
> On Apr 19, 2017, at 8:47 AM, Nico CARTRON wrote:
>
>> Nor did I see
>> details on how to have BIND send ECS with queries when it's a recursive
>> server.
>
> As far as I know, ECS for Recursive queries is not yet implemented by ISC, or
> at least it is not publicly available.
We have impleme
On 04/19/2017 09:49 AM, Nico CARTRON wrote:
Of course I meant +subnet / +nosubnet
;-)
Thank you for the pointers Nico & Tony. I'm sure I'll find a way to get
myself into trouble with what you've provided.
--
Grant. . . .
unix || die
On 19-Apr-2017 16:47 BST, wrote:
> On 19-Apr-2017 15:59 BST, wrote:
> [...]
> > I'd also like to see if it's possible to have dig send ECS info.
>
> +edns / +noedns , but you'll need a recent dig version.
Of course I meant +subnet / +nosubnet
--
Nico
Hi Grant,
On 19-Apr-2017 15:59 BST, wrote:
> On 04/19/2017 03:37 AM, Tony Finch wrote:
> > This is what the EDNS client subnet option is about. You can use it in
> > BIND by adding "ecs" clauses to your address match lists for views or
> > acls. However it isn't documented in the ARM and it has
Grant Taylor via bind-users wrote:
>
> The only occurrences I found for "ecs" on the two release notes didn't
> include more details about how to configure views to use it.
Yes, it's a bit mysterious.
> Nor did I see details on how to have BIND send ECS with queries when
> it's a recursive serve
On 04/19/2017 03:37 AM, Tony Finch wrote:
This is what the EDNS client subnet option is about. You can use it in
BIND by adding "ecs" clauses to your address match lists for views or
acls. However it isn't documented in the ARM and it has significant
problems. See
https://kb.isc.org/article/AA-01
I understand the concept, but I'm not sure I fully understand how to
configure it.
I've updated my bind to 9.11 P05 compiled with "--with-ecdsa", and as far
as I can read EDNS is enabled for authoritative bind installations
automatically.
But I'm still getting wrong answers from my installation.
He
Alberto Rinaudo wrote:
> I have a bind installation on an aws server and I'm trying to set up views
> to give different responses based on the source location.
>
> It works fine when this dns server is the first dns used by a client, I
> guess because the source address used to discriminate betwee
> If the 'type' info in a zone statement determines master or slave, can
> you have 2 views in the same named.conf file, one with type master zones
> and the other with type slave zones?
There are a couple of ways to read this question, and the answer depends
on which way you intended it.
A quer
On Tue, Apr 30, 2013 at 04:36:52PM +, Manson, John wrote:
> If the 'type' info in a zone statement determines master or slave,
Yes, this is so. There are other types as well, such as hint, stub,
and forward. See Bv9ARM.ch06.html#zone_statement_grammar for details
and other types.
> can you
I think views have mostly to do with the source of the queries, thus
presenting a different 'view' of zone data depending on who the client is.
You could have one view only with master zones and other view with slave
zones, but I'm not sure what the purpose would be, unless for example
you want to
You also have these acl's, which I find quite useful:
allow-query {acl-list}
allow-query-cache {acl-list}
allow-recursion {acl-list}
As I recall, all of them are valid inside a view.
You could also try to throw in some debug logging.
Here is what I do for troubleshooting:
#> rndc querylog
#> r
Am 28.07.2011 01:18, schrieb Bob:
> These two views are identical in any way I can see, so the fault may
> be in an included configuration file that is not included in your
> message.
>
> Look for allow-query, allow-recursion or allow-cache statements in
> your other config files.
Did this. The o
These two views are identical in any way I can see, so the fault may be
in an included configuration file that is not included in your message.
Look for allow-query, allow-recursion or allow-cache statements in your
other config files.
When using views, I often find it more manageable to move
On 6/18/2011 12:08 AM, Thomas Schweikle wrote:
Hi!
I have set up a view for one site. It is bound to change answers as
necessary for different IP-ranges. It works as far as I could see.
But with one ip-range there is a problem ...
I can query internal addresses:
!user@kvm2~# host intweb.example
In message <201011141952.oaejqp2y009...@nermal.bellut.net>, Bodo Bellut writes:
>
> Hi,
>
> I'm currently using a BIND9 slave for two masters. Master 1 is
> using views (internal and external), master 2 doesn't have any
> views configured.
>
> This setup works for master 1 without any problem
Hi Sebastian,
>I couldn't find anywhere and wonder if it is possible to use different views
>at different times i.e.:
I used CRON and some command files to do that a few years ago
when I wasn't going to be around but a client was moving servers.
Also depends on just how big your named.conf file is
ssuming the non-trusted_nets are any net which is not in trusted_nets)
Mit freundlichen Grüßen,
Robert Willmann
Commerzbank AG
Date: Thu, 22 Apr 2010 09:05:33 -0700
From: Doug Barton
Subject: Re: Views on differrent interfaces
To: Tom Schmitt
Cc: bind-us...@isc.org
Message-ID:
On 4/22/2010 5:30 AM, Tom Schmitt wrote:
>
> Thank you for your answer.
> But this doesn't work: With match-destination and match-clients I can only
> define the same match-clients statement for both destination interfaces, not
> different one.
>
> The only workaround I see how to reach my goa
drews
> An: "Tom Schmitt"
> CC: bind-us...@isc.org
> Betreff: Re: Views on differrent interfaces
>
> match-destination.
>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma.
match-destination.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-us
Chris,
Thanks that worked.
RootNet08
On Tue, Nov 18, 2008 at 12:46 AM, Chris Buxton <[EMAIL PROTECTED]> wrote:
> Remove your subnet from the bogons ACL at the beginning.
>
> acl bogons {
> ! 192.168.16.0/21;
> 0.0.0.0/8;
> [...]
> 192.168.0.0/16;
> [...]
> };
>
> Chris Buxton
> Professional
On Mon, Nov 17, 2008 at 09:38:13PM -0600, root net wrote:
> I have a server I am testing before I put in production. Working on a more
> secure bind config. BTW if anyone has any other suggestions on locking down
> bind beside below and chroot let me know.
Use TSIG for master-slave communication,
Remove your subnet from the bogons ACL at the beginning.
acl bogons {
! 192.168.16.0/21;
0.0.0.0/8;
[...]
192.168.0.0/16;
[...]
};
Chris Buxton
Professional Services
Men & Mice
On Nov 17, 2008, at 8:38 PM, root net wrote:
Hello,
I have a server I am te
33 matches