All,
I am (we all are (?)) interested in techniques for mitigating DNS amplification
attacks for both recursive and authoritative BIND servers (versions 9.x).
Google found http://www.secureworks.com/research/threats/dns-amplification/ and
http://www.publicsafety.gc.ca/prg/em/ccirc/2009/av09-
Hello,
Did I miss any feedback on this, or perhaps there isn't any to offer (?)
Thank you.
>
> From: Fr34k
>To: Bindlist
>Sent: Friday, March 9, 2012 10:30 AM
>Subject: DNS Amplification Attack Mitigation
>
>
>
>All,
>
Hi All,
I wanted some feedback on max-cache-ttl usage and best-practices, please.
The BIND 9 ARM says:
"max-cache-ttl Sets the maximum time for which the server will cache ordinary
(positive) answers. The
default is one week (7 days). A value of zero may cause all queries to return
SERVFAIL
Dear ISC et al.,
Within the last month, we've seen new versions for the 9.8.x, 9.7.x, and 9.6.x
trains.
http://www.isc.org/software/bind/versions
Should we expect a 9.9.0 update in the near future (e.g., 9.9.1)?
Any status would be appreciated.
Thank you for all your support!
Perhaps provide the ocsp.entrust.net folks 3rd party evaluation tool(s) to
identify areas of concerns?
For example, here are two:
http://www.dnsvalidation.com/reports/4f96bdec7d79ee78db44
http://www.intodns.com/ocsp.entrust.net
These find more than one critical item to fix.
Why is everyone
Great question (Augie) and great feedback (JP).
As DNSSEC is adopted, some type of mitigation process will be welcomed.
For that reason, I think this is on topic.
>
> From: Jan-Piet Mens
>To: bind-users@lists.isc.org
>Sent: Thursday, April 26, 2012 2:51 PM
We are exploring similar audits and opportunities for cleanup.
For domains we delegate PTRs, we track NS hostnames (e.g. IN NS
ns1.bogus.customer.tld) that have gone NXDOMAIN.
If ns1.bogus.customer.tld remains NXDOMAIN for 30+ days, we remove the
delegation.
The idea behind 30+ days is to allo
Hello,
You may wish to read ISC/BIND's ARM about these settings (i.e., what they do,
how they work, what the defaults are, etc):
recursive-clients N;
tcp-clients M;
clients-per-query P;
max-clients-per-query R;
where N, M, P, and R are numbers appropriate for y
rndc status
Is this a trick question?
>
> From: Kirk Hoganson
>To: bind-users@lists.isc.org
>Sent: Tuesday, July 10, 2012 3:22 PM
>Subject: Loaded zone files query
>
>
>Does anyone know of a simple way to discover how many zone files bind has
>successfully l
ritivly answer nosuch* for it).
>
>As best as I can tell
>number of zones: X
>x=number of zones listed in named.conf + any automatically added zones
>
>
>not quite what he's asking for, but I've not been able to find a better
>answer ei
We have been monitoring the same.
Google found an unrelated, yet similar, issue a few years ago:
http://pages.cs.wisc.edu/~plonka/netgear-sntp/#ToC16
>
> From: Rafael Molina
>To: bind-users@lists.isc.org
>Sent: Thursday, June 28, 2012 8:30 AM
>Subject: A lo
Hello,
We are finding several of our recursive BIND 9.9.1-P3 servers (on Solaris
10 OS) hung and I want to be able to qualify the symptoms in order to
convince others that P4 (or 9.9.2?) will (or will not) address this.
Let me define what "hung" means in our experience: We find that named is
I would like to report.
Thank you.
>____
> From: Fr34k
>To: Bindlist
>Sent: Thursday, October 25, 2012 9:51 AM
>Subject: Re: BIND 9.9.1-P4 is now available
>
>
>Hello,
>
>
>We are finding several of our recursive BIND 9.9.1-P3 s
Hello Jeremy,
Thank you for your reply.
>> Let me define what "hung" means in our experience: We find that named is
>> running but will not respond to queries, "rndc status" will respond with
>> output but that output shows that named is not processing any queries (see
>> below), other rndc com
Hello Jeremy,
Thank you for your reply.
I plan to send more information to ISC when I have it - FYI
Looks like my response didn't make it out yesterday, so here is another attempt.
Please see my responses within below:
- Original Message -
> From: Jeremy C. Reed
> To:
Maybe this:
3212. [bug] rbtdb.c: failed to remove a node from the deadnodes
list prior to adding a reference to it leading a
possible assertion failure. [RT #23219]
source: ftp://ftp.isc.org/isc/bind9/9.8.6/CHANGES
Note: I stopped l
ne 22, 2015 8:40 AM, Fr34k wrote:
Put a dot at the end of the lookup so that Windows doesn't add whatever the
domain name suffix/es it may be configured with. That is,
nslookup google.com.
I suspect the windows client is adding whatever the domain name suffix/es
Put a dot at the end of the query hostname so that Windows doesn't add whatever
the domain name suffix/es the Windows client may be configured with. That is,
nslookup google.com.
It may be the case that the windows client is adding whatever domain name
suffix/es it has been configured with (e.g
Hello,
When we were using 9.5.0-P2, we had to compile with 4096 FDs; otherwise, we saw
the same socket complaints.
The default only has 1024. It would appear that your environment may require
more FDs as ours did.
HTH -- Chris
- Original Message
From: pollex <[EMAIL PROTECTED]>
T
Hello,
We leverage rsync: http://samba.anu.edu.au/rsync/ over scp (copy only
those files changed automagically over SSH), perl, and cron.
Basically, a config DNS server super-master where you do all your changes and
test them.
This super-master rsync's to several other DNS servers (say X servers
No reason to spend that type of cash for SLB DNS.
I would suggest Foundry SIXL for 1/4 of the cost
http://www.foundrynet.com/products/app-switch/fixed-systems/si-xl.html
No, I don't work for Foundry.
- Original Message
From: Ken DBA <[EMAIL PROTECTED]>
To: bind-users ; Kevin Darcy <[E
Hello,
Running 9.5.1b2 on Solaris9.
Crashed with this info:
Dec 31 13:04:25 named[308]: [ID 873579 daemon.crit] rbtdb.c:1482:
REQUIRE((node)->references > 0) failed
Dec 31 13:04:25 named[308]: [ID 873579 daemon.crit] exiting (due to assertion
failure)
Dec 31 13:05:07 genunix: [ID 603404 kern.no
Hello,
Has the "max-cache-size" setting in named.conf been considered?
If not, note that in early releases of 9.5.x max-cache-size is 32M by default
instead of unlimited as in 9.4.x
>From the CHANGES file with the bind-9.5.0-P2 source:
""max-cache-size" defaults to 32M"
Using:
max-cache-size 0
Hello,
The ole rainy day bite.
Some quick ideas for dealing with, what I will call, defunct domains.
FIRST, STOP THE MADNESS:
Define what a defunct zone is in your TOS/AUP, so you have the power to deal
with this situation as you see fit.
DEAL WITH IT AS YOU SEE FIT:
Setup that wildcard for th
For Solaris9 kernel tunables, this may help:
http://docs.sun.com/app/docs/doc/816-7137/6md5pauj7?l=en&a=view
But note that in my experience BIND 9.4.x will not use these OS limits, but
rather how many FDs you have compiled BIND with.
For our purposes, 9.5.1b2 worked great on Solaris9
We are now runnin
Hello,
Were there "... more information on these developments early next week"?
My apologies if I missed them.
Thank you.
- Original Message
From: Larissa Shapiro
To: bind-us...@isc.org
Sent: Sun, September 19, 2010 5:54:15 PM
Subject: Notice regarding BIND 9.7.2
Dear User Communi
I was about to ask again, but figured I had better check isc.org first.
Behold:
http://www.isc.org/software/bind/972-p2
FYI.
Thanks.
- Original Message
From: Hauke Lampe
To: Larissa Shapiro ; bind-us...@isc.org
Sent: Mon, September 27, 2010 1:07:39 PM
Subject: Re: Notice regarding B
- Original Message
> From: Mark Andrews
> To: Barry Margolin
> Cc: comp-protocols-dns-b...@isc.org
> Sent: Thu, October 28, 2010 9:49:46 PM
> Subject: Re: out of place mx records.
>
>
> In message , Barry
>Mar
> golin writes:
> > In article ,
> > Tony Finch wrote:
> >
> > > O
Hello,
I can't speak to your question, as I'm not a list administrator nor do I know
the answer.
However, as a list member/consumer, I do appreciate the tools people share on
this list: free or pay.
In fact, I use many of them as audit tools for DNS misconfigurations.
I find that using a 3rd p
Most likely a bug. Either way, that version is EOL and ISC's recommended
course
of action is " Upgrade to ESV or Current"
http://www.isc.org/software/bind/versions
>
>From: Juan O
>To: bind-users@lists.isc.org
>Sent: Fri, November 19, 2010 10:18:45 AM
>Subject: Crashed Bind
>
> Hello.
>In m
See RFC1123 and RFC1912 which suggest that legitimate nodes on the Internet
have
appropriate forward/reverse DNS entries.
By appropriate, I mean DNS entries which distinguish which hosts are
static/business space from residential/dhcp space.
Reason: So others on the Internet can make informed
Hello,
# The ARM says: #
clients-per-query, max-clients-per-query
These set the initial value (minimum) and maximum number of recursive
simultaneous clients for any given query () that the server
will accept before dropping additional clients. named will attempt to self tune
this value and chan
- Original Message
> From: Mark Andrews
> To: Fr34k
> Cc: Bindlist
> Sent: Wed, March 23, 2011 9:04:00 PM
> Subject: Re: Q on clients-per-query, max-clients-per-query
>
>
> In message <>, Fr34k writes:
> > Hello,
> >
> > # The ARM
Hello,
Given: BIND 9.7.2-P2 on Solaris 10.
For about an hour, I had a network event where a caching DNS server could not
get recursive queries back from authoritative DNS servers on the Internet.
Obviously, this is a problem.
Moreover, the authority for our most popular hostnames have set ver
- Original Message
> From: Mark Andrews
> To: Fr34k
> Cc: Bindlist
> Sent: Mon, April 4, 2011 9:02:35 PM
> Subject: Re: BIND 9.7 behavior - lack of response causes
>
>
> What do you have lame-ttl set to?
I don't. That is, I don't have lame-ttl
Hello All,
Thanks Evan.
Should the Community expect a BIND 9.7.3 train update/maintenance release
which,
among other things, addresses this mem.c issue?
If so, any ETA?
It is not my intent to sound pushy. Let me explain.
We were in the process of rolling 9.7.3 out but we stopped figuring a
http://www.sans.org/reading_room/whitepapers/dns/dns-sinkhole_33523
Perhaps the above link target may help.
Thanks.
>
>From: "Lightner, Jeff"
>To: Ryan Novosielski ; babu dheen ;
>Bind Users Mailing List ; "c...@cam.ac.uk"
>
>Sent: Monday, October 17, 2011 4:
Hello,
Environment: Solaris10 SPARC and x86, BIND 9.7.3-P3 and 9.8.1
Anomaly: In our logs, we have been noticing "maximum number of FD events"
entries. For example,
named[8592]: [ID 873579 daemon.info] sockmgr 288760: maximum number of FD
events (64) received
Action: Our web searches h
Hello,
Environment: Solaris10 SPARC, BIND 9.8.1
Anomaly: In our logs, we have been noticing "open_socket... permission
denied..." entries. For example,
named[15910]: [ID 873579 daemon.warning] dispatch 2bcf50:
open_socket(::#2049) -> permission denied: continuing
named[15910]: [ID 873579
Hello,
Read the BIND ARM (Admin Ref. Manual) about these settings, but here is an
example of what I use:
clients-per-query 10 ;
max-clients-per-query 20 ;
http://www.isc.org/software/bind/documentation
Previously, this resource was posted on this list which is good info to have
Hello,
Having trouble looking up dacspro.com.
This domain has three NS servers, one of which is not responding (ns02) to my
queries.
dacspro.com. 172800 IN NS ns01.gnenc.org.
dacspro.com. 172800 IN NS ns02.gnenc.org.
dacspro.com. 172800
Disregard. PEBKAC issue.
Happy Holidays.
- Original Message -
> From: Fr34k
> To: Bindlist
> Cc:
> Sent: Friday, December 23, 2011 2:09 PM
> Subject: Trouble looking up dacspro.com
>
>
>
> Hello,
>
> Having trouble looking up dacspro.com.
>
>
I suspect that dig is confused. Let me explain.
Looks like WHOIS says that these (2) servers are authoritative for this domain:
ns1.thehartford.com. ['162.136.188.1'] [TTL=172800]
ns2.thehartford.com. ['162.136.190.1'] [TTL=172800]
However, the DNS configuration says something diffe
Hello,
Some folks prefer to script something.
Some may find this tool helpful:
http://www.laffeycomputer.com/rpl.html
I'm sure there are other ways.
HTH
- Original Message
From: John D. Vo
To: bind-users@lists.isc.org
Sent: Tuesday, March 24, 2009 1:03:22 PM
Subject: Make changes e
Our experience with blue(s)cat was not a good one.
That product would sporadically lose all of our zones.
Vendor blamed us (so did our angry customers).
Thing was, no one was in the office. We came into work one morning to phones
ringing -- no DNS.
DNS because master config was empty. FTW?
Mig
I think in Apache, URL redirection is done via "rewrite":
http://wiki.apache.org/httpd/Rewrite
I hope this helps with the initial question since this is at the application layer.
While this may help with the original question, this is now off topic.
From: Jeff Ligh
Hello,
Do I dare comment on this? Okay, I do...
RE: Advogato:
If security was easy and convenient, then everything would be secure. Someone
tell Advogato!
Advogato is complaining because they want an unmanageable environment of dynamic
outbound relays and expect SPF, static DNS records, to keep
Hello,
A few of the default settings changed from 9.4.x to 9.6.x
The appropriate README files, change logs, and BIND ARM will provide details
about them.
Below are some options and logging configurations you may want to investigate.
Ye Ole Disclaimer: Please be sure to understand what these do a
Hello,
As I understand it, there are so many PTRs for that IP address, that DNS will
change protocol from UDP to TCP.
So, the message you are getting is informational because of this protocol
change.
See the long list of PTRs below.
There should be one and only one PTR for that IP.
Making an SM
- Kevin
Fr34k wrote:
> Hello,
> As I understand it, there are so many PTRs for that IP address, that DNS
>will change protocol from UDP to TCP.
> So, the message you are getting is informational because of this protocol
> change.
> See the
If the DNS server now has a RFC1918 IP address, then one will probably have to
setup appropriate NAT rules for a publicly accessible/routable IP address.
On some firewalls, there is a NAT rule for incoming traffic and another rule
for outgoing traffic (basically mapping the public IP for both
Hello,
Doing a search on this at www.google.com offers this first link:
http://www.tcpipguide.com/free/t_DNSMessageGenerationandTransport-2.htm
HTH
- Original Message
From: Tech W.
To: Stephane Bortzmeyer
Cc: bind-users@lists.isc.org
Sent: Wednesday, July 29, 2009 12:35:31 AM
Subj
Hello,
I think 9.5.0.x versions needed to be compiled with additional file
descriptors; otherwise, socket issues were common on "busy" servers.
Perhaps test bind-9.5.1p3 or bind-9.6.1p1, which I see listed for Sol9/x86 on
sunfreeware.
HTH
From: "Ewasiuk, G
Hi All,
I thought with some version of BIND 9, one no longer needed a root hints file.
I can't recall the details and my google searches are finding how to set up a
hints file (instead of suggesting this is, say, deprecated).
Can someone shed some light on this?
Thanks
That's exactly what I was recalling -- thanks for your time and response Mr.
Reed.
- Original Message
From: Jeremy C. Reed
To: Fr34k
Cc: Bindlist
Sent: Monday, August 31, 2009 12:37:05 PM
Subject: Re: BIND 9.x and hint file
On Mon, 31 Aug 2009, Fr34k wrote:
> I thought w
Thank you Chris! This is what I was looking for.
- Original Message
From: Chris Thompson
To: Fr34k
Cc: Bind Users Mailing List
Sent: Monday, August 31, 2009 12:33:57 PM
Subject: Re: BIND 9.x and hint file
On Aug 31 2009, Fr34k wrote:
>I thought with some version of BIND 9, one
If you didn't know, you can download dig for Windows.
For example:
http://ftp.isc.org/isc/bind9/9.6.1-P1/BIND9.6.1-P1.zip
Just stick dig.exe and the dll files in a directory that makes sense in your
environment and enjoy!
HTH
- Original Message
From: John Horne
To: Bind users
Sent:
Hello,
Chris, I believe you are correct. That is, "blackhole applies to the sending of
queries in addition to the receiving of queries".
Let me explain.
I discovered this the hard way. I had a /24 in the blackhole because it
contained abusive clients. Within this /24 sat two legitimate authori
See the BIND ARM for the option recursive-clients
As in:
options {
recursive-clients 4000;
};
I don't recall what the default is (maybe 1000), but our environment required
an increase to 4000.
You may also want to look at these options: tcp-clients X; clients-per-query
N; max-c
http://www.openspf.org/ is pretty good.
Not only does it build the file for you, but it can test your live record.
From: Security Admin (NetSec)
To: "bind-users@lists.isc.org"
Sent: Wed, March 24, 2010 4:26:46 PM
Subject: RE: what is a SPF (type 99) record an
Hello,
Sufficient resources on the Internet may be helpful.
For example, http://www.indelible.org/ink/classless/
Searching for "RFC2317" or "classless in-addr.arpa delegation" may result in
additional references.
Hope this helps.
- Original Message
From: Alex
To: bind-users@lists.i
Hello,
named-checkzone is warning you that the MX has a different FQDN than the zone
it is in.
This is fine so long as the "out of zone" MX record is valid, but
named-checkzone wants you to know that it can't verify for sure.
So, it is a heads up message and why the ultimate response is "OK".
I
Hello,
We used rsync to copy our master/primary data to the secondary servers.
Using some script magic, the primary is still the master (via named.conf)
since, as with most DBs, there can only be one source of truth.
However, the secondary servers were almost mirror copies of the primary. Only
Hello,
Looks like NXDOMAIN can be one of the responses.
http://www.spamhaus.org/faq/answers.lasso?section=DNSBL%20Usage#252
That said, I think it is working correctly (a la
"name=33.229.242.205.zen.spamhaus.org type=A: Host not found, try again").
However, perhaps tweak the number of que
Hello,
http://en.wikipedia.org/wiki/Process_%28computing%29 may help to explain what
is going on.
HTH
From: max power
To: bind-users@lists.isc.org
Sent: Wed, April 28, 2010 4:38:06 AM
Subject: bind multi-threaded question
Hi
i am deploying a new dns ser
What does the following command show:
rndc status
- Original Message
From: Kebba Foon
To: Noel Butler
Cc: bind-users@lists.isc.org
Sent: Fri, July 16, 2010 4:41:50 AM
Subject: Re: recursing stop at about 1000 clients
am running 9.6-ESV-R1 on Debian 5.0 lenny
On Fri, 2010-07-16