Hi E R.
My short answer would be, don't configure views unless you have a good use
case for them. For example you are running resolvers that have two
different kinds of clients that need to be handled differently - one client
set needs RPZ, the other doesn't. Or something like that.
BIND has views
Hi Jeff.
Query logging is quite an overhead and very heavy on writing to storage, so
use it sparingly as it can have a detrimental impact on performance. For
any moderately loaded server I would not have it enabled by default.
Cheers, Greg
On Thu, 12 Jan 2023 at 18:22, Jeff Sumner wrote:
> I’ve
Hi Jesus.
No. Zone Transfer always uses TCP. Is it really that much of an overhead
for you?
Cheers, Greg
On Fri, 13 Jan 2023 at 05:56, Jesus Cea wrote:
> I have a dns zone with many dns updates per minute. The updates are
> tiny, like 2-3 records, <500 bytes in total.
>
> Currently my secondari
's not worth worrying about.
Cheers, Greg
On Fri, 13 Jan 2023 at 06:19, Jesus Cea wrote:
> On 13/1/23 7:12, Greg Choules via bind-users wrote:
> > Hi Jesus.
> > No. Zone Transfer always uses TCP. Is it really that much of an overhead
> > for you?
>
> Not now
Hi Bruce.
There's potentially a bunch of things to note here.
DNS conversations are independent of each other. The dig to your own server
(dig -6 ec.europa.eu) may be over v4 or v6. But the subsequent queries that
server makes (if any) may be over v4, or v6, or both. It depends how your
server is c
Hi David.
"recursion yes;" tells named that it can (if it has to) make queries to
other places if it needs more information in order to answer a client
query. Pure authoritative servers shouldn't need it and should have
"recursion no;". So the first question is, do your servers make queries out
to
Hi John.
A few questions, if I may.
- Why *must* you forward everything to Akamai?
- Was that a real example of a daft query: 10.11.12.13 type A? If not, do
you have some real examples of queries being made to your servers please?
- Notwithstanding the nature of these illegal queries, if they *are*
Hi David.
With "minimal-responses", usually I would set it to "no" for a purely
authoritative server because resolvers need all the help they can get. But
for a purely recursive server I would set it to "yes" because end users
don't need (and wouldn't do anything with it anyway) Authority or
Additi
Hi John.
Personally, I would start by drawing a picture (I like pictures) of all the
players in the game and gathering data, leaving nothing out, including:
- All servers, with all IP addresses.
- SOA and NS records of working zones and the troublesome RPZ zone.
- Which servers are author
Hi Håvard.
I currently have 9.18.8 installed; the version of named-compilezone is the
same. As a test I just converted a text format zone file to raw and then
that raw file back to text and it looks fine to me:
- named-compilezone -f text -F raw -o junk.raw junk db.junk
- named-compilezone -f raw -
Hi Sandeep.
From a quick look in Wireshark at what my own server (9.18.8) is doing,
this looks like Akamai not responding correctly to a BIND QNAME
minimisation query. Here's one response, from 95.101.36.192 for example, of
many similar ones showing an issue. The response code shouldn't be REFUSED
Hi Jan.
There could be SO many things going on here. I have a few questions:
- Do you mean 200 QPS or 200,000 QPS? I was wondering if a "k" had missed
the print. If it's really 200, this box (not necessarily just BIND) sounds
very ill. 200 QPS is background noise and (depending what's going on)
sho
Hi Jan.
Since the queries are unique the responses should be NXDOMAIN, which *will*
be cached and therefore consume memory. This is why I was curious what you
are hitting it with.
You can see these cache entries if you dump it using "rndc dump -cache".
This produces a file (by default) called "name
Point taken. Unique does not necessarily mean non-existent and *something*
will end up in cache. So restricting your max-cache-size would seem to be
the thing for you. If it were my server, I would monitor just how much RAM
is getting used in total and adjust max-cache-size to allow BIND to use as
Hi Patrik. 9.9? Classic! :D
I don't believe there should be any incompatibilities. Are you perhaps
falling foul of this? From Cricket's book, chapter 11
It’s important that the name of the key—not just the binary data the key
points to— be identical on both ends of the transaction. If it’s not, th
Hi Serg.
Can you post the output of "named -V" please?
You're looking for "--disable-linux-caps", which you don't want.
I'm not sure how (if) BIND interacts with AnyIP, but it should pick up new
interfaces as they are added, *if* it is built with the necessary
capabilities enabled. 'named' starts
Hi Nath.
What have you got on SrvB for biopyrenees.net, or net?
On SrvB, please do "dig @127.0.0.1 sri.biopyrenees.net" (please use the
actual address rather than "localhost") and paste the full result here. I
am interested in flags and the query time right now.
Cheers, Greg
On Wed, 22 Mar 2023 a
Hi Jason.
I just tried this on my server (9.18.11) and it does indeed appear to be
qname minimisation. The following servers (NS for tn.gov) just don't
respond to the query "_.edison.tn.gov":
dns4.tn.gov: type A, class IN, addr 170.141.167.222
dns5.tn.gov: type A, class IN, addr 170.141.168.22
QM
Hi Jiaming.
The arguments to "also-notify {...};" are explicit IP addresses.
Why do you need it? Do you have some secondaries that are not listed as NS
in zones?
Regarding views. Why would you have the same zone in an internal and
external view? A few years ago, having to maintain multiple zones
Hi Jiaming.
I had a similar requirement. Since there were not many (a few tens or at
most a hundred) names that needed to be resolved differently locally my
approach was to create a zone for each of them and to not have the parent
zone at all. Each specific zone would contain a single A record (or
Hi Jiaming.
Every zone *must* have one SOA record and at least one NS record. This is a
requirement of the protocol.
Internal clients will (probably) be making recursive queries to the
internal DNS server for A, , MX, SRV records (maybe some more types as
well). It is unlikely they will be mak
Hi Håvard
Odd, it works for me. Try a literal copy/paste of the link below. Or go to
https://kb.isc.org and search for packages:
https://kb.isc.org/docs/isc-packages-for-bind-9
Cheers, Greg
On Wed, 19 Apr 2023 at 12:03, Havard Eidnes via bind-users <
bind-users@lists.isc.org> wrote:
> >>and
Hi Jiaming.
Here's what I would do. I am assuming one nameserver for the public zone
and one (different) nameserver for the internal zones. You would use more
in practice but I'm keeping it simple, for illustration.
The external NS is reachable from anywhere in the Internet. If you host it
in your
Hi Jiaming.
You're welcome.
Personally I don't see why you want to obscure information about internal
zones, since they can't be reached from the Internet anyway.
Creating a dummy intermediate zone (an ENT - Empty Non-Terminal) may work,
but it seems to add complexity for no - or very little - ben
Hello.
By far the simplest way to install BIND natively on Mac is to use the
Homebrew package manager. I have 9.18.14 installed on mine and it works
fine.
The other alternative is to run it from the Docker image. See here for
details: https://hub.docker.com/r/internetsystemsconsortium/bind9
Hope t
The named binary *could* exist in many places; it depends on the OS. For
example, with a Homebrew install on my Mac it's here:
/usr/local/Cellar/bind/9.18.14/sbin/named because of this build parameter:
--prefix=/usr/local/Cellar/bind/9.18.14
It's linked to from /usr/local/opt/bind/sbin/named, for c
Hi Alex.
TL;DR 9.18 is stricter than 9.16 at handling junk responses from
authoritative servers.
Looking at a packet capture for this from my own BIND server (9.18.14) the
response from 195.178.56.17 is FORMERR, which tends to mean that it objects
to something in the query. The correct response to
You are most welcome, I'm glad you got it running. Now the fun starts! :D
Greg
On Tue, 30 May 2023 at 21:02, Pacific wrote:
> Thank you and to everyone who took the time to respond. Your collective
> input did the trick and I now have bind running successfully through a brew
> install.
>
> I go
Hi Sami.
Firstly, a couple of definitions:
NXDOMAIN is a response from an authoritative server (or a resolver because
it cached it). It is a positive confirmation that "this name does not
exist". It means that the QNAME in the query cannot be found, for any
record type.
SERVFAIL is a response from
That's because this domain is broken. The NS for it are:
antlauncher.com: type NS, class IN, ns ns1626.ztomy.com (204.11.56.26)
antlauncher.com: type NS, class IN, ns ns2626.ztomy.com (204.11.57.26)
No matter what query you send them (so far) they respond with REFUSED and
claim not to be authorit
Hi Sami.
That's not what I said.
Yes, you can do this with RPZ if you want - it's all in the BIND ARM - but
it's not something I would do.
Cheers, Greg
On Mon, 19 Jun 2023 at 12:40, wrote:
> Thank you Greg
>
> So if I understand correctly if we receive a servfail return code we can
> not modify
From the correct email alias this time!
On Mon, 19 Jun 2023 at 16:50, Greg Choules
wrote:
> Hi Lee/Sami.
> `break-dnssec yes;` *may* also be needed in some cases. But not here as
> the zone isn't signed anyway.
>
> The reason that "example.com" works but "antlauncher.com" doesn't is down
> to B
Hi Sami.
Let me ask you a question.
How would you define the terms "latency" and "response time"?
Greg
On Tue, 27 Jun 2023 at 17:23, wrote:
> Hello In DNS benchmarking which is more important latency or response
> time? for a DNS server what is the difference between the two values?
>
>
>
> R
Hi Ubence.
Firstly, may we see your configs please. It's impossible to say exactly
what's going on from a human description.
Secondly, views and different answers. Yes it *is* entirely possible to use
views to provide answers based on client IP - `match-clients. I would start
with the most specifi
Hi Ubence.
That is starting to get complex!
Firstly, yes BIND parses views top down, so order matters.
Secondly, most specific domain wins (like more specific routes).
I now see that you have created three levels of zones:
domain.com
lab.domain.com
system.lab.domain.com
This config looks like it
Hi.
Ah, I got the networks the wrong way round.
Sorry, it wasn't until I saw Sten's response that it occurred to me that
not everyone knows how views work. Indeed a query will be tested against
each view, top down. If it satisfies the criteria for a view (either/both
match-clients and match-destin
Hi Sami.
In the "response-policy" block in your config, what (if anything) is the
value of the statement "qname-wait-recurse"?
If you do not have that set explicitly, please do "named -C" to list the
defaults and see what it is; probably "yes".
This parameter controls whether RPZ waits until succe
Real data please:
- example queries (genuine, not invented for illustration)
- real domains
- real IP addresses
- packet captures
- both BIND server configs
- zone file contents
- startup logs
There are so many things it *could* be, the more information the better.
Cheers, Greg
On Sun, 16 Jul 20
This time from the correct email alias!
On Mon, 17 Jul 2023 at 22:58, Greg Choules
wrote:
> Hi.
> Some observations:
> - Please don't use nslookup. Please use dig, it is much more versatile and
> gives much more information with which to try and interpret what might be
> going on.
> - If you're
You may already have BIND installed; most distros do. If not, it's easy.
You don't *have* to run named, but tools like this (and dig, particularly)
are very useful to have.
Do "which arpaname" to see if you have it already.
Cheers, Greg
On Thu, 24 Aug 2023 at 08:00, Marco wrote:
> Am 24.08.202
Hi Blason.
"incometax.gov.in" is a domain known to cause problems. Take a binary
packet capture and look at it in Wireshark. Also see this
https://dnsviz.net/d/incometax.gov.in/dnssec/
A workaround in BIND is to disable DNSSEC validation for just that domain
whilst leaving it on generally: see bel
Hi Ben.
In short, kinda. "recursive-clients" limits the overall number of
concurrent recursive queries the server will handle.
For each of those queries there is also "clients-per-query", which limits
the number of different sources all asking the same question at the same
time. This is so that, fo
Hi Fred.
No, the sense is correct.
Imagine you have a server with a secondary zone of (say) "example.com",
which transfers data for that zone from a primary somewhere. The secondary
loads data received during a zone transfer straight into memory and uses it.
It is optional for the secondary to also
Hi John.
Can you tell me a bit more please?
- What zones exist in both BIND and MS DNS for something.10.in-addr.arpa?
- Where are hosts auto registering to? I'd guess MS, but it would be good
to confirm.
- What does fragmentation look like? A few real examples would be useful.
I'm trying to underst
Hi John.
Sorry if this sounds picky, but a dot out of place in this game is the
difference between success and crash-n-burn.
Please can you show me EXACTLY what ...10.in-addr.arpa zones you have in
both sets of DNS?
From previous work with AD clients I think that, if it doesn't already
exist, M
Hi.
Although it is technically possible to do reverses on non-octet boundaries
(for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a
complete pita, in my experience. Personally I would not head down that
path. Stick to /8, /16 or /24.
Cheers, Greg
On Sat, 16 Sept 2023 at 09:20, G.W. Hay
From the correct mail alias!
On Sat, 16 Sept 2023 at 21:50, Greg Choules
wrote:
> Hi Ged.
> 172.16/12 is not a special case. The whole problem (IMHO) stems from how
> humans have chosen to represent both IP addresses (v4; v6 are different and
> actually a little easier) AND DNS domain names; bo
Hi Prashasti.
I'm on my phone, so I'll keep it brief.
- ditch both 9.8 and 9.11; install 9.18
- why are you forwarding to yourself? 127.0.0.1
- get binary packet captures and look at them in Wireshark to see what's
actually going on.
- real IPs please.
- why use "port xxx"?
Cheers, Greg
On Tue, 1
Hi Nick.
First question, does the internal zone *have* to keep the same name? As has
been said already, this is a fairly common setup done by people a long time
ago who usually didn't think through the consequences of their actions.
What follows assumes you could change the name of the internal zon
Hi there.
Can you send some information, for those unfamiliar with what you're trying
to do?
- Full BIND config
- IP addresses of relevant things, like interfaces of the servers on which
you are running BIND and of Teamviewer.
- What does Teamviewer need from DNS? What kinds of queries is it making
Have you checked the routeing table on this server?
Without any other evidence, this looks to me like packets are going places
you aren't expecting.
In the first screenshot the query goes to 213.227.191.1 and apparently a
response doesn't come back until 4s later. When I try it using dig I get an
Hello.
There are well known and documented issues with the zone "gov.in" and there
were some recent problems with "gov" as well.
Please search this mailing list archive for those domains and you may find
some useful hints, tips and information that explain and help you with your
own problem.
Cheer
I really wouldn't recommend that.
If you have to, create exceptions for domains that won't validate correctly
by using the "validate-except {..." statement.
In parallel with that, encourage people with broken domains to fix them,
which makes life better for all of us.
Cheers, Greg
On Tue, 12 Dec
Hi Michel.
You will get an authoritative answer (AA bit = 1) if the server is either
primary (master) or secondary (slave) for the QNAME (query name); in this
case "reseau1.lan". From the config snip you provided this is because you
have the config:
zone "reseau1.lan" {
type master;
...
};
If
Hi.
The existence of a `.jnl` file for the zone means that, at some point in
the past anyway, you *did* allow dynamic updates to this zone and some
updates were made, which were stored in the journal file.
I would like to ask a couple of questions:
1) What is the timeline of your investigation? Ma
Hi Michel.
Please can you send the following information:
- name and IP address of the authoritative server
- the full contents of the zone file for "reseau1.lan"
- name and IP address of the other server - what does this server do?
- What is the machine "pc1", on which you are running the digs?
-
Hi again and thanks for that.
I'm still not exactly clear on the setup. I think the auth server is
172.16.0.254 (I don't know what pc1 is).
But anyway, looking at your results I see the AA bit for everything. It
appears that these queries both went directly to the auth server because
recursion is d
Hi again.
Please start a packet capture on the auth server. This should do it:
sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53
Then from pc1, please do these and copy/paste text output, not screenshots:
dig @172.16.0.254 pc1.reseau1.lan NS +norecurse
dig @172.16.0.254 pc1.reseau1.lan SOA +
Hi both.
You can't do it using ACLs. But you can do it using primaries. This is
hinted at in the section about the primaries statement, but not clearly
expanded on.
For example:
# define a primaries list called "also-notifed" (or anything you like).
Define as many lists as you need.
primaries also
Hi Wolfgang.
Firstly let me say that I have never been a fan of QoS. So I'm slightly
biased against the whole thing in the first place.
But regarding your comment "It’s not easy for the network to guess the
requirements of an application," I would disagree. Traffic classification
and setting of DS
2nd $beverage consumed.
I have never liked sortlist since I inherited it 16 years ago in my
previous job.
For me it suffers from at least one fundamental problem:
- If a client, say at location "1", is given a bunch of sorted A records
with the server at location "1" first, what does the client do
Please don't encourage using "search" in resolv.conf or the Windows
equivalent. Search domains make queries take longer, impose unnecessary
load on resolvers and make diagnosis of issues harder because, when users
say "it doesn't work" you have no idea what it was that didn't work.
I tried using s
Hi.
If I understand you correctly, you are trying to get your resolver to go to
two different places (main_hidden_dns_server and other_dns_server) for
answers to the same question, and then want it combine those answers into a
single response to the client, which contains PTR records for both names
Hi Amaury.
You should be able to do this by defining your own trust anchors. This
should explain what you need:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#trusted-keys-and-managed-keys
Have fun.
Greg
On Sat, 16 Mar 2024 at 13:38, Amaury Van Pevenaeyge <
avanpevenae...@outlook.fr> wr
Hi Sami.
"allow-..." statements are to restrict from which sources *this* server
will accept messages, of whichever type.
On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it
to process NOTIFY messages sent to it from the primary (master), but ignore
any others. Actually, this
Hi cjc.
My answers would be:
- Leave `dnssec-validation` alone (auto) and ensure your server has a path
to the Internet to make queries.
- Don't mess with root hints. The only time anyone should need to do this
is when running a completely captive server living in a custom namespace
that is NOT t
Hi Crist.
Firstly, DNS servers do not make recursive queries, unless they have been
configured to forward.
Secondly, please start a packet capture on your server (save to disc, so
you can analyse it later in Wireshark) then start BIND and make some test
queries to your server. Look at what your ser
Hi.
In BIND, since 9.11, there is an option/view statement called
"minimal-any", which defaults to "no". That might be what you're after.
Cheers, Greg
On Sat, 20 Apr 2024 at 17:29, Amaury Van Pevenaeyge <
avanpevenae...@outlook.fr> wrote:
> Hello everyone,
>
> I've been looking for days and days
Adding my 2p, I would take that principle a step further.
Create a generic, unique SRV record that represents what you want to
happen. Then create specific CNAME records for each server. The reasons for
the extra, generic record are that it represents the service you want to
offer and all "server..
Hi Brian.
We're going to need some details please, like for starters:
- What's the domain being queried?
- A network diagram showing where your BIND server is and what it's
forwarding to.
- IP addresses of everything.
- A packet capture (binary pcap format, not a snippet or a screenshot) from
your
Hi Thomas.
Firstly, I doubt you actually need to kill and restart `named`. Flushing
the cache would probably work, either all of it or just selected names.
Secondly, take a packet capture of this happening and analyse what BIND is
really doing, in Wireshark.
- If it shows up that certain NS are ca
Hi Sami.
If you can, I would set up a new BIND (test) server running the current
code - 9.18.27 - next to your current production system and compare how
they behave: current code uses NS queries for qmin rather than _... A
queries. There may still be failures, but this would allow you to pinpoint
b
Hi Brian.
Yes, you can define your own hint zone and tell BIND to use it. The
contents (I called the file "db.root" but the name is your choice) could be
as simple as:
@ 300 IN A 127.0.0.3
@ 300 IN NS @
which says for this zone (which will be called ".", coming next) the NS is
the same name and i
Hi Brian.
No problem. The server may tell the client (dig; please not nslookup)
information about where the answer came from, if 'minimal-responses' is set
to "no". Usually clients don't need to know that, so please take a look at
how m-r works:
https://bind9.readthedocs.io/en/latest/reference.html
Hi Renzo.
Firstly, please can we see your BIND configuration and have the actual AD
domain name.
Secondly, BIND, or any other recursive DNS server, does not 'forward' to
the root servers, unless you have configured it explicitly to do so, which
would be a bad idea and not work anyway. It will recu
Hi Renzo.
Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the
Internet on behalf of its clients, so it forwards to BIND.
In that case, two questions:
1) What version of BIND are you running? You can get this with "named -V"
2) What is in the file "named.ca"?
For a long time (
Hi Renzo.
Thank you for that. The hints look OK. A bit old, but they will work.
The first thing I would advise you to do as a matter of priority is to
upgrade BIND.
9.11 has been end-of-life for a few years and there have been many security
fixes since then. 9.18.27 is the current version.
You co
Hi Renzo.
You're welcome.
1) Correct. You don't need forwarding for a simple resolver. Take a look at
the meaning of the RD flag in the BIND protocol header. This should help
you understand the difference between recursive and non-recursive queries.
2) No. See 1)
3) Yes. For a standard resolver fac
Hi again Renzo.
In general, BIND (and other resolvers) make non-recursives (aka iterative)
queries to authoritative servers, such as the roots and others.
- Clients (laptops etc.) make recursive queries to the DCs. If the DCs know
the answer they respond immediately; no forwarding needed.
- If th
Correct.
On Fri, 28 Jun 2024, 12:54 Renzo Marengo, wrote:
> Ok, very very interesting, and about this doubt?
>
> etc/resolv.conf in bind server is used only from client services ? E.g.
> ping tool
> I think bind9 dns service doesn't contact any /etc/resolv.conf, right?
>
> Thanks again
>
> Il gior
Hi Brian.
You need the NS record(s) in hints because this is what a resolver wants
first; the name(s) of the NS for a given zone.
Regarding "@" or ".", they amount to the same thing in my example, though
perhaps I was being a bit lazy and minimal.
@ represents the name of the zone (or the most rec
Hi Kees.
A few questions:
- What version of BIND are you running?
- How large (number of RRs) are your zones?
- What is the peak rate of dynamic updates?
- Do you have "max-journal-size" configured to anything?
- Are you perhaps getting short on disc storage in the place where BIND
keeps its files?
Hi Gabe.
Prefetch still exists; reference here:
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-prefetch
Hope that helps.
Greg
On Tue, 23 Jul 2024 at 17:36, Gabe Loyer wrote:
> In searching for documentation I can only find something for prefetch in
> 9.10, which appar
Hi.
Please, please, please upgrade your OS and BIND.
CentOS 6 went EoS 3 years ago, from what I can tell.
BIND 9.8 is 12 years old and there have been far too many changes and
security fixes in that time to list in a mail. If you want to see for
yourself, explore https://downloads.isc.org/isc/bind
Hi John.
The reason is step 4c here:
https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3
The A record in the response is for a name that BIND wasn't asked for
(otherwise why a CNAME at all?), so in the interests of not just believing
random answers that might potentially poison the cache,
Hi Carlos.
If you have enough RAM it should be possible to create multiple views, each
with a zone (primary or secondary, up to you) that contains the RPZ data
for that view and a response-policy that uses that zone.
The limit on number of zones is per response-policy block. But if you're
using se
Hi Grant.
That doesn't work for zones that then get used in a `response-policy`
block. In this case you *must* define a zone each time; so one (or up to
64) per view/instance of `response-policy`. Test it on your laptop/in a VM.
What this does mean is that (if you are using views) you *could* have
Hi Håvard.
Have you tried a different browser? Having said that, I just started 9.20.0
with this config:
statistics-channels { inet 127.0.1.0 port 8080 ; };
Then pointed three different browsers at that address/port and it looks
fine to me in all of them.
Browsers tried were Chrome, Safari and Fir
Latest Chrome/Safari/Firefox on MacOS as well and it looks good for me. I
haven't needed to clear cookies or browsing data or anything, it just
worked.
My 9.20.0 is running locally on the Mac, installed via homebrew. Maybe try
that and see what you get?
Perhaps it's something to do with the enviro
Hi Steven.
As you said, `listen-on {...;};` tells BIND which addresses to register for
incoming traffic. This can be a list, not just one address. Any query
received on (say) 10.0.0.1 will be responded to from the same address.
It is possible to choose which address to use for outgoing queries/fet
Take 2. Sent from the wrong email address!
Greg
On Sat, 12 Feb 2022 at 08:01, Greg Choules
wrote:
> > "...to use a traditional VPN solution such as DNSSEC ..."
> DNSSEC is not a VPN service. It is regular, unencrypted DNS on port 53, or
> whichever port you choose - see the manuals and KB artic
Sending from the correct email alias this time!
On Thu, 3 Mar 2022 at 09:53, Greg Choules
wrote:
> Hi Greg.
> Basically, you can't forward out of authority. If server A is
> authoritative for "example.com" it is authoritative for that and
> everything below that, ad infinitum, unless you tell it
Hi Ritah.
I think rndc is a red herring. Whether you can control your server using
rndc or not is a different topic to "why am I seeing 'denied'" in the
logs.
I think a couple of questions you need to ask yourself are:
Should these servers be receiving recursive queries from anywhere?
Hi Veronique.
Every DNS server should support EDNS by now. It has been around for a very
long time. Even if it doesn't support EDNS it should ignore it.
I made some test queries and packet captures to 23.82.12.28. Whatever this
box is, please talk to the manufacturer about EDNS support.
Or.. it ma
Hi Alex.
Your use case may be very different to the one I faced in my previous job.
But there we did not and could not charge for DNS. It was seen as a
necessary but free resource.
If you *really* want to account for how many queries clients are making,
a quick and dirty solution is enabling queryl
Hi Philip.
Can you run packet captures? I'm running 9.18.0 (close enough?) in Docker
and just traced what happens going from "dnssec-validation no;" to
"dnssec-validation auto;" It makes a DNSKEY query for "." to one of the
roots. The response size was over 900 bytes, so depending on what UDP
paylo
Your MTU is not the point. It's what happens beyond your equipment that may
have a bearing. However, as I said, I don't think IP fragmentation will be
your problem in this case, so that's a whole other discussion for a
different day.
pcaps are your friend though. From a packet capture you can see e
Hi Felicia.
As the previous responder said, don't think of entire servers being one or
the other, it's individual zones.
IMHO the terms "primary" and "secondary" are just as meaningful as the
terms "master" and "slave", but without the emotional and historical
baggage. You just have to give yourse
Hi Larry.
sudo tcpdump -ni any -c 1000 -w .pcap port 5353
For I usually include the date, hostname and some other
meaningful stuff to help you remember what it was for in 6 months' time.
Whilst this is running, make some queries in another terminal window.
I hope this helps.
Cheers, Greg
On Mon
Wireshark works just fine on a Mac (I am using it right now) and yes, it is
a great tool. You also have the choice of using tcpdump in a terminal
window, if that's your preference. Personally I usually capture using
tcpdump and view later in Wireshark.
On Fri, 1 Jul 2022 at 12:01, Petr Menšík wro