> I respect the ISC.ORG, but you are not treating me or Karl Auer with respect
> in trying to censor work on WikiDNS and asking us to stop the next generation
> of DNS software with JSON records written in Python 3.
You are posting on the "bind-users" mailing list. See
https://lists.isc.org/m
> > Have seen some anycast DNS implementations using more than one address,
> > sometimes even on the same subnet, any considerations or reasons for
> > doing that?
>
> We do that.
>
> We use two different, independent methods to route traffic to the IPs.
> We feel this provides a greater degre
> > On the DNS server, a large number of "ANY" type queries occur, why?
>
> Probably the reflection+amplification attack which goes on, especially
> in China, for several months. CNCERT knows about it so I suggest you
> contact them.
Note that there are multiple reflection+amplification attacks go
> > Personally I don't know why "dig -t any" would be a problem. It's
> > not exactly the same as doing an axfr transfer of the zone - it still
> > only gets limited information.
>
> They're the current query type du jour for DDoS amplification attacks,
> which I assume the OP is experiencing.
> I have since learned that you get different version output from dig,
> named -v, and a dns query and the version statement only affects
> specific outputs.
What is the difference between using dig and a DNS query?
I expect the same result from using dig to query for "version.bind
chaos txt" and
> I have started getting error sending response: not enough free resources
> on my dhcp server during random times during the day. Google isn't
> providing much other than it could be an issue with the switch, or a
> network card issue. top on the server doesn't show it using hardly any
> resourc
> Again, it's not about how effective the block is or can be. Unless Italy
> becomes like China or even worse (but the US had the chance to end up
> almost in the same situation very recently, so this is NOT an
> Italian-only problem), there is no way to inhibit users from reaching a
> given resource
> I get no joy from port 80 at spamhaus.org now, so perhaps Spamhaus is
> under DoS attack yet again.
Yes, they are. Specifically spoofed source DNS-based amplification
attacks against 154.35.160.11 and 82.94.216.239. We're blocking about
100 Mbps of such traffic at our borders - I'm sure we're no
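The three snippets above (the burst of "ANY" queries on an authoritative server, "ANY" as the amplification query type of the moment, and the spoofed-source amplification aimed at Spamhaus) describe the same thing as it shows up in a server's query log. The following is an added example, not code from any of the posters or from ISC: it parses constructed BIND-style `query:` log lines (both the older `client IP#port:` form and the newer form with the client pointer and queried name in front of the colon) and reports sources whose traffic is dominated by ANY, together with the names being used for amplification. The log lines, addresses, names and thresholds are all made up for the example.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, Tuple

# Tolerant parser for BIND "query:" log lines. Accepts the older
# "client IP#port: query: ..." form and the newer form that inserts
# "@0x<ptr>" and "(qname)" before the colon.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r"(?: \([^)]*\))?: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log, not from any real server. 203.0.113.5 plays the
# spoofed "source" of an ANY reflection flood, i.e. the real victim.
SAMPLE_LOG = """\
11-Mar-2013 10:22:33.101 client 203.0.113.5#53012: query: isc.org IN ANY +E (192.0.2.1)
11-Mar-2013 10:22:33.102 client 203.0.113.5#53012: query: isc.org IN ANY +E (192.0.2.1)
11-Mar-2013 10:22:33.104 client 203.0.113.5#53012: query: isc.org IN ANY +E (192.0.2.1)
11-Mar-2013 10:22:33.105 client 203.0.113.5#53012: query: isc.org IN ANY +E (192.0.2.1)
11-Mar-2013 10:22:33.107 client 203.0.113.5#53012: query: isc.org IN ANY +E (192.0.2.1)
11-Mar-2013 10:22:33.108 client 203.0.113.5#53012: query: isc.org IN ANY +E (192.0.2.1)
11-Mar-2013 10:22:34.000 client 203.0.113.5#41000: query: www.example.com IN A + (192.0.2.1)
11-Mar-2013 10:22:34.200 client 198.51.100.7#50001: query: www.example.com IN A + (192.0.2.1)
11-Mar-2013 10:22:34.300 client 198.51.100.7#50002: query: example.com IN MX + (192.0.2.1)
11-Mar-2013 10:22:34.400 client 198.51.100.7#50003: query: example.com IN ANY +E (192.0.2.1)
11-Mar-2013 10:22:35.000 client @0x7f3c2a1d 2001:db8::1#4242 (ripe.net): query: ripe.net IN ANY +E(0)K (2001:db8::53)
"""


def parse_queries(lines: Iterable[str]) -> Iterator[Tuple[str, str, str]]:
    """Yield (client_ip, qname, qtype) for every line that is a query log entry."""
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            yield (m.group("ip"),
                   m.group("name").rstrip(".").lower(),
                   m.group("qtype").upper())


def any_flood_report(lines: Iterable[str], min_any: int = 5,
                     min_ratio: float = 0.5) -> Dict[str, object]:
    """Summarise ANY traffic per source address.

    A source is listed as a suspect when it sent at least `min_any` ANY
    queries and ANY made up at least `min_ratio` of everything it sent.
    `top_any_names` lists the names most often asked for with ANY, which
    is where the amplification actually comes from.
    """
    total: Counter = Counter()
    any_count: Counter = Counter()
    any_names: Counter = Counter()
    for ip, name, qtype in parse_queries(lines):
        total[ip] += 1
        if qtype == "ANY":
            any_count[ip] += 1
            any_names[name] += 1
    suspects = {
        ip: (any_count[ip], total[ip])
        for ip in any_count
        if any_count[ip] >= min_any and any_count[ip] / total[ip] >= min_ratio
    }
    return {"suspects": suspects, "top_any_names": any_names.most_common(5)}


if __name__ == "__main__":
    report = any_flood_report(SAMPLE_LOG.splitlines())
    for ip, (n_any, n_total) in report["suspects"].items():
        print(f"{ip}: {n_any} ANY out of {n_total} queries")
    print("names queried with ANY:", report["top_any_names"])
```

Keep in mind what the Spamhaus reply says about the source address: in a reflection attack it is spoofed, so a "suspect" reported here is the victim, and blocking it only finishes the attacker's job. The useful outputs are the amplification names, which are what BIND's response rate limiting (`rate-limit { responses-per-second N; };`, 9.9.4 and later) keys on, limiting repeated identical responses to a client netblock rather than refusing the client outright; on 9.11 and later `minimal-any yes;` additionally shrinks UDP ANY responses, and BCP 38 filtering at the borders removes the spoofing itself.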
> I need to build a pair of DNS cache servers to support 5000+ clients (
> PCs and servers ). I have been looking for some guides on tuning
> BIND and the OS for Enterprise performance rather than the defaults.
> The version of bind is bind-9.8.2.
5000 clients is such a low number that I don't thin
> > One mitigation approach is to blackhole the domains using local zones.
>
> That's not much of a mitigation. Not having open resolvers would be
> mitigation.
Not having open resolvers is good - but unfortunately doesn't help
against misbehaving clients (e.g. small home routers with DNS proxie
> DNS server (200.10.152.234) is facing a problem with resolution and
> during troubleshooting it was identified that resolution was not
> happening while using the gateway "192.168.70.253". But once the
> gateway at the DNS (200.10.152.234) end was changed from
> "192.168.70.253" to "192.168
> One firewall should be enough.
> So, what do you consider this firewall should do?
> In my opinion:
> Block requests coming from a blacklist (who will generate this list?)
> Block denial of service requests. It needs to measure the request rate
> to detect when it is under attack.
> Block port sca
> we don't run *anything* on physical machines and all our nameservers
> (auth, caching with a mix of bind/unbound/rbldnsd), like everything else, run
> on top of VMware vSphere 5.5, previously 4.1/5.0 since 2008
>
> there is zero to no justification these days for running anything on bare
> metal when
> > Complexity?
>
> which complexity?
>
> a virtual guest is less complex because you don't need a ton of daemons
> for hardware-monitoring, drivers and what not on the guest
For me the relevant comparison is my ordinary OS vs. my ordinary OS +
VMWare.
> complex are 30 physical servers instead
> > If you are crawling lots of new names, the cache size won't have much
> > impact. Each new query will require recursing vs hitting the cache. Try
> > "rndc recursing" and look at what you have sitting around waiting for
> > answers. Hopefully that provides some clues. This can be all sorts
> >Ideally every machine should be registering its own PTR record in
> >the DNS and addresses without machines shouldn't have PTR records.
> >The only reason ISPs did this is that they were too lazy to manage
> >PTR records for their customers.
>
> And because no ISP wants "you.suck.isp.com" to sho
> > >A very popular option is to only create or delegate IPv6 PTR entries
> > >for hosts with static address assignments, and to return NXDOMAIN for
> > >address space used for dynamic address assignments.
> >
> > I talk to a lot of large providers at M3AAWG and that's the consensus
> > about what
> > We're still in the early phases of IPv6. If sufficient ISPs drop PTR
> > for dynamic IPv6 addresses, email providers and others who base some
> > sort of "reputation" on IPv4 PTRs today will simply have to adapt.
>
>
> Steinar,
>
> I think this is bigger than anti-spam logic. Simply put: Cu
> I believe this problem should be fixed in 9.16.1:
>
> 5361. [bug] named might not accept new connections after
> hitting tcp-clients quota. [GL #1643]
>
> However, we had two authoritative name servers running 9.16.1 which
> stopped accepting new TCP connections
We have what appears to be a significant memory leak in BIND-9.16.1.
Environment:
FreeBSD 12.1-STABLE.
BIND-9.16.1 installed from packages.
Also uses libuv-1.35.0 installed from packages.
Authoritative only.
Around 800 zones of varying sizes. DNSSEC in use.
Running a ps command for the named
>> We have what appears to be a significant memory leak in BIND-9.16.1.
...
> I seem to remember we got 'bitten' by large memory use when moving
> from a previous version of bind - do you have 'max-cache-size' set in
> your config?
Yes. Set to 1G. In reality it shouldn't need a cache at all, since
Followup:
> We have what appears to be a significant memory leak in BIND-9.16.1.
>
> Environment:
> FreeBSD 12.1-STABLE.
> BIND-9.16.1 installed from packages.
> Also uses libuv-1.35.0 installed from packages.
> Authoritative only.
> Around 800 zones of varying sizes. DNSSEC in use.
>
> Run
> please see release notes:
>
> https://downloads.isc.org/isc/bind9/9.16.3/RELEASE-NOTES-bind-9.16.3.html
>
> This is listed in Known Issues for BIND 9.16.1:
>
>> • UDP network ports used for listening can no longer simultaneously be
>> used for sending traffic. An example configuration wh
> I would run a firewall even for BIND alone on a box in case the box
> gets compromised through BIND. Allowing remote access and DNS, then
> dropping everything else as the general firewall policy should be
> pretty straightforward. But with the IP on this particular BIND box
> being public, it's
> I'm not talking of DNS *resolvers* here. I'm talking of authoritative
> servers. If my authoritative server is authoritative for zones A, B and
> C, then I should only get queries for those zones from legitimate
> resolvers and clients. Queries for any other zones should *not* be
> coming to my s
> ! I tried to use this recommendation, https://kb.isc.org/docs/aa-00206,
> ! marking all IPv6 addrs as bogus, but it does not make a difference in
> ! behaviour.
>
> Update: Actually there is a difference if this recommended
> configuration is present or not - only the NXDOMAIN outcome is the
> s
>> 2.5 days in, and 9.11 is still running good, with no crashing.
>>
>> Safe to say that this memory leak is definitely an issue with 9.16.
>
> Which version of libuv are you using? I am running 1.41 and the latest is
> 1.42.
>
> I haven’t seen that behavior and my recursives handle about 100,0
(Also sending to bind-users as bind-workers is scheduled to be shutdown.)
>>> If I start named, then (without changing named.conf) do "rndc reconfig"
>>> and then send named a DoT query (dig +tls or kdig +tls) named dies with
>>>
>>> Jan 11 13:45:53 dns named[78236]: netmgr/tlsdns.c:1517: fatal e
> Followup: Unfortunately, this didn't solve the whole problem. While
> doing the above testing I was running named as root, in order to
> generate a core dump. When I'm now testing with named running as
> user bind (and then dropping privileges after startup), it seems to
> be unable to rebind to
>>> doing the above testing I was running named as root, in order to
>>> generate a core dump. When I'm now testing with named running as
>>> user bind (and then dropping privileges after startup), it seems to
>>> be unable to rebind to port 853 after an "rndc reconfigure". This
>>> is probably exp
> Now that BIND 9.18 supports DoT directly, I tried to move away from a solution
> with stunnel4 and therefore I compiled 9.18.1 and modified named.conf.
> So far everything is working fine. All the tests with dig, openssl and lsof
> are showing it's working.
> The problem: when I run a "rndc reload
> Please allow me to correct this:
>
> named.conf statement 'dnssec-enabled yes;' allows forwarding DNSSEC
> signatures (and other metadata) without validating them.
Slight problem here: My 9.18.5 named doesn't know about dnssec-enabled:
Sep 26 09:00:51 xxx named[38797]: /usr/local/etc/namedb/na
> A good border router will do a few things for network hygiene. It will filter
> incoming packets that have a source address from the internal network, and it
> will filter outgoing packets that don't have a source IP in the internal
> network.
>
> A DNS server should do a similar thing: it wil
> > A border router knows what is "inside" and "outside" your network, while
> > a DNS server does not. Important difference.
>
> You're missing the point. This is not about inside and outside networks, it
> is about rfc1918 responses from internet queries.
I'm afraid I have seen too many organi
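The check the two sides above are arguing about, as an added example (not code from either poster, and not BIND's implementation): a filter over the addresses in an answer that drops RFC 1918, loopback and link-local results, with an `except_from` list of zones for which internal addresses are expected, mirroring the shape of BIND's `deny-answer-addresses ... except-from` option. The denied networks, the zone names and the sample answers are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Address space that an answer obtained from the public Internet should
# never carry: "this network", RFC 1918, loopback, link-local, and the
# IPv6 equivalents. Chosen for the example; adjust to your own policy.
DENIED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_denied(addr_text: str) -> bool:
    """True if the address falls in a denied network.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are unwrapped first so the
    IPv4 lists apply to them too; otherwise they would slip past the check.
    """
    addr = ipaddress.ip_address(addr_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in DENIED_NETWORKS if net.version == addr.version)


def name_in_zones(qname: str, zones: Iterable[str]) -> bool:
    """Label-aware suffix match: 'notexample.com' is not under 'example.com'."""
    q = qname.rstrip(".").lower()
    for zone in zones:
        z = zone.rstrip(".").lower()
        if q == z or q.endswith("." + z):
            return True
    return False


def filter_answer(qname: str, addresses: Sequence[str],
                  except_from: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split the addresses of an answer into (kept, dropped).

    Answers for names under a zone in `except_from` pass through untouched;
    that is how split-horizon zones that legitimately publish RFC 1918
    addresses are handled.
    """
    if name_in_zones(qname, except_from):
        return list(addresses), []
    kept: List[str] = []
    dropped: List[str] = []
    for a in addresses:
        (dropped if is_denied(a) else kept).append(a)
    return kept, dropped


if __name__ == "__main__":
    # Constructed answers, not real lookups.
    print(filter_answer("www.rebind.example",
                        ["198.51.100.7", "10.0.0.5", "::ffff:192.168.1.1", "fd00::1"]))
    print(filter_answer("intranet.corp.example", ["10.0.0.5"],
                        except_from=["corp.example."]))
```

The named.conf equivalent is `deny-answer-addresses { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; } except-from { "corp.example"; };`. BIND rejects the whole response on a hit instead of stripping the offending records, which is why the exception list matters for any internal zone that carries private addresses.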
> > I have seen mail bounced because of a
> > mismatch between SMTP greeting name and PTR record name. It's not as
> > common as the simple "is there any PTR record" check, but it does
> > happen.
>
> - it's clear violation of RFC 5321 (and former 2821, 821) - server MUST NOT
> reject conn
> >How about these two?
> >
> >> nullmx.domainmanager.com
> >Non-authoritative answer:
> >Name:    mta.dewile.net
> >Address: 69.59.189.80
> >Aliases: nullmx.domainmanager.com
> >
> >> smtp.secureserver.net
> >Non-authoritative answer:
> >Name:    smtp.where.secureserver.net
> >Address: 208.109.
> I cannot put more than four name servers in the domain management web
> interface (whois record). But in my zone file I already have more than
> four NS listed. Is there any way I can publish more than four domains
> in my whois record?
This has nothing to do with BIND.
Steinar Haug, Nethelp co
> > Thanks Dave, yes I know about OpenDNS, I'm trying to implement something
> > kind of similar to that on a small scale.
> > So I was wondering about Bind DNS capabilities and maybe third party
> > stuff that could integrate with bind dns in addition to the ip/website
> > list.
>
> This i
> My name servers have been hit by traffic attacks many times.
> When a large bulk of traffic is delivered to the nameserver, the server
> is almost dead.
> For example, the attacking traffic was more than 2G to a single host sometimes.
Are these your authoritative or your recursive name servers? These are
> >> My name servers have been hit by traffic attacks many times.
> >> When a large bulk of traffic is delivered to the nameserver, the server
> >> is almost dead.
> >> For example, the attacking traffic was more than 2G to a single host
> >> sometimes.
> >
> > Are these your authoritative or your recursiv
> > As is probably obvious, I consider it an irritating bug ;o)
>
> +1
Agreed. A warning that can be redirected to /dev/null might be okay.
Changing it unconditionally is not.
Steinar Haug, Nethelp consulting, sth...@nethelp.no
> I'm trying to see where we can have-
>
> $GENERATE 1-254 $.9 PTR cpe-9-$.qld.guilty_party.removed
>
> . and if a client wishes custom rDNS we can insert-
>
> 123.9 PTR foo.example.com
You need to have separate $GENERATE ranges which don't include the PTR.
> I'm assuming that's not p
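The range splitting suggested in the reply above, as an added example (not the poster's zone data and not part of BIND): given the host range, the custom PTR overrides, and the `$`-templated owner and target names, it emits `$GENERATE` ranges that stop short of every override, and a small expander checks that every host ends up with exactly one PTR. The names `qld.example.net.` and `foo.example.com.` stand in for the redacted ones in the post, and a single-host gap is written as a plain PTR rather than a one-element range.

```python
import re
from typing import Dict, List

GEN_RE = re.compile(r"^\$GENERATE (\d+)-(\d+) (\S+) PTR (\S+)$")


def _fill(template: str, host: int) -> str:
    """Substitute a bare '$' the way $GENERATE does (no ${offset,width,base} forms)."""
    return template.replace("$", str(host))


def _range_lines(lo: int, hi: int, lhs: str, rhs: str) -> List[str]:
    """One $GENERATE line for a run of hosts; a single host becomes a plain PTR."""
    if lo == hi:
        return [f"{_fill(lhs, lo)} PTR {_fill(rhs, lo)}"]
    return [f"$GENERATE {lo}-{hi} {lhs} PTR {rhs}"]


def generate_lines(start: int, stop: int, custom: Dict[int, str],
                   lhs: str, rhs: str) -> List[str]:
    """Zone-file lines covering hosts start..stop.

    `custom` maps a host number to the PTR target that replaces the generated
    name. The $GENERATE ranges are split around every custom host: a plain
    PTR added after a $GENERATE does not override the generated record, it
    joins the same RRset, which is exactly the problem in the thread.
    """
    lines: List[str] = []
    cursor = start
    for host in sorted(h for h in custom if start <= h <= stop):
        if cursor <= host - 1:
            lines.extend(_range_lines(cursor, host - 1, lhs, rhs))
        lines.append(f"{_fill(lhs, host)} PTR {custom[host]}")
        cursor = host + 1
    if cursor <= stop:
        lines.extend(_range_lines(cursor, stop, lhs, rhs))
    return lines


def expand(lines: List[str]) -> Dict[str, str]:
    """Expand $GENERATE and plain PTR lines into {owner: target}.

    Raises ValueError if an owner would get two PTR records, i.e. if a
    range still overlaps one of the custom entries.
    """
    table: Dict[str, str] = {}
    for line in lines:
        m = GEN_RE.match(line)
        if m:
            lo, hi, lhs, rhs = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
            pairs = [(_fill(lhs, i), _fill(rhs, i)) for i in range(lo, hi + 1)]
        else:
            owner, rtype, target = line.split()
            if rtype != "PTR":
                raise ValueError(f"unexpected record: {line}")
            pairs = [(owner, target)]
        for owner, target in pairs:
            if owner in table:
                raise ValueError(f"duplicate PTR owner {owner}: {table[owner]} and {target}")
            table[owner] = target
    return table


def has_duplicate_owner(lines: List[str]) -> bool:
    """Convenience wrapper: True if expanding the lines would produce two PTRs for one owner."""
    try:
        expand(lines)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed example matching the post: one customer on host 123 wants custom rDNS.
    zone = generate_lines(1, 254, {123: "foo.example.com."},
                          "$.9", "cpe-9-$.qld.example.net.")
    print("\n".join(zone))
```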
> It appears that dig is printing results that it attributes to the wrong
> server.
Not really.
> While troubleshooting an inconsistent NS issue (upstream from us), a trace
> (at the end of this message) shows that DNS3.UIOWA.EDU listed two NS
> records, when in fact, if you query DNS3.UIOWA.EDU
> It doesn't make sense to me how DNS3.UIOWA.EDU can return the correct cached
> result for the NS records of sioux-center.k12.ia.us but an incorrect "norec"
> result. Doesn't specifying "no recursion" mean that it has to be either
> authoritative for that domain or have the entry cached in order
> If the dns3.uiowa.edu's cache was flushed for sioux-center.k12.ia.us, what
> do you think the query results for
> dig @DNS3.UIOWA.EDU sioux-center.k12.ia.us ns +noall +answer
> would be?
I think you would get what you get right now with +norec, *until* the
name server acquired some of the
> Yes, by improve I meant to have both files approximately same size.
> As for my last question, I thought maybe there is an option that makes us
> able to define a shared directory for all DNS server so they all cache data
> in one place instead of caching on each server and therefore the issue
> I recently migrated our old DNS servers to new hardware and BIND 9.6
> installations. One domain is exhibiting some strangeness,
> dns3.potomacnetworks.com. Our main DNS servers are authoritative for this
> subdomain and it should point to 216.250.231.11, however, the whole world
> sees it pointi
> > Here's your 216.250.243.230 address:
> >
> > % whois dns3.potomacnetworks.com
> >
> > Whois Server Version 2.0
> >
> > Domain names in the .com and .net domains can now be registered
> > with many different competing registrars. Go to
> > http://www.internic.net
> > for detailed information.
>
> According to this link: https://www.isc.org/node/474
>
> The dynamic update vulnerability affects all BIND 9 versions, but what
> about BIND 8? Is it not affected or not tested?
BIND 8 is End of Life. It has several known vulnerabilities. See for
instance
https://www.isc.org/node/378
> I would like to hear more about why this is so. We are currently
> debating sending query logs to a remote syslog server to enhance some
> security tools. We are running BIND 9.6.1-P1 with multithreading enabled
> on RHEL 4 (2 dual-core 2.8 GHz Opterons with 1MB cache, 4G of RAM). I
> have ru
> > Hello, I wanted to ask how it could be possible in some way
> > to have 2 or more multi-master name servers authoritative for one domain,
> > instead of the classical master/slave model.
>
> Simple thing to do. I have a test lab here that I did this in a few years
> ago. 2 masters and 4 slav
> I've recompiled the nameserver as a 64-bit program and confirmed
> that they can now exceed 2GB. But I'd like to be able support
> much larger cache sizes. We have some CS researchers on campus
> that are making heavy use of our recursive resolvers. I'd like
> to support their research but I need
> > Have you *measured* the hit rate of your current BIND resolvers
> > with different cache sizes? How many queries per second are you
> > trying to support?
>
> We do about 3,000 queries/second typically. I haven't measured query
> -rates vs cache sizes. We've had max-cache-size set to 3GB for a
> Folks on DSL should remember that their magic number is less than 1500 bytes
> (1492 is common, as is 1453).
*Some folks on DSL*. There are definitely DSL networks being operated
with a 1500 byte MTU offered to the user.
Steinar Haug, Nethelp consulting, sth...@nethelp.no
> > > I know of no such feature. What do you mean by "spoofed" anyway? How
> > > would you expect named to detect "spoofing", and is that its job?
> >
> > It seems (not tested by me) that Nominum CNS does that: when many
> > responses arrive which do not match (src IP address, query ID, etc)
> > a
> No! Log files are not indicating any issue! The only indication I have about the
> problem is the lack of queries in the log files. No timeouts, no failures. I
> even tried to query a fake domain. The result was a normal record (with A+).
> I did not find any error!
> So, how on earth do I log t
> It's a pppoe connection.
> The ip address is changed almost every time i start the computer.
> Can I set up bind9 with this ip (not a static/broadband ip address)?
It'll be a hack. But you *could* in principle restart bind every time
the address changes, to get it to listen to the new address. And
> Well, I wonder if this is the right place. What server characteristics would you
> recommend as a minimum for a bind that will get about
> 1 req/sec
Insufficient information. What kind of queries should the server
handle? There's a big difference between an authoritative only server
and a recursive
> > What exactly does "slow down" mean here? Are you missing messages in
> > the log files? Or are requests not answered in a timely fashion?
> >
>
> "slow down" means an increment in the time consumed by bind to answer a
> query.
> "heavy load" means about 20 millions query / day per machine, wit
> I think what is "OK" is up to each administrator.
>
> Obviously the zone administrators have decided that they want people to
> use the 2s TTL.
>
> That being said, it is up to each individual recursive server operator
> if they want to honor what the zone administrators have published, or if
> >> Good morning, I'm trying to make it more difficult for an attacker to
> >> get my DNS server version.
> >
> > Waste of time. The attacks are automated, and will be mounted anyway.
> >
>
> Indeed. At least one of my legacy servers returns "4.9.4-P1-Would you
> believe Win98SE?", which was
> The workaround works, but does BIND 9.14 have a patch to resolve this? Since we
> have multiple cache servers, we need to do this every time we encounter
> another domain that has this same issue.
There's probably no patch to "resolve" this, because the correct way
to fix the problem is at the sourc
> Is it a good idea, and possible, to create master and slave nameservers using
> different OSes?
> For example, Master OS = CentOS 7 and Slave OS = Ubuntu 18 or Windows 2016
I guess that depends on what you want to achieve.
If you want maximum diversity you might want to use different OSes
*and* a