Re: Adding records to a domain I don't control for anyone who uses my nameserver

2009-03-03 Thread Stephane Bortzmeyer
On Mon, Mar 02, 2009 at 01:07:36PM -0500,
 Matthew Huff <mh...@ox.com> wrote
 a message of 62 lines which said:

> Spoofing the dns zones are the only solution.

It won't work when (if) DNSSEC is deployed (and I assume the
banking sector will be one of the first to adopt it)...

Why not use your own XMPP server, one that you control and where you can
activate logging?

Trying to archive conversations on other servers seems pointless
anyway; what if the users IM with Twitter or with a Web form?
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Adding records to a domain I don't control for anyone who uses my nameserver

2009-03-03 Thread Alan Clegg
> Spoofing the dns zones are the only solution.

> Why not using your own XMPP server, that you control and where you can
> activate logging?

Actually, in a previous lifetime, we discovered that the MOST effective
way to deal with this was to write it into the policy and procedures
manual and make sure that everyone signs a copy of the manual with full
understanding of the rules and why they are in place.

Monitor for a bit (with no blocking in place so that
fallback-to-hidden-protocol doesn't happen), warn the folks that were
doing it, then, after a month, fire the folks that are caught
continuing to break the policy.

As long as you don't enforce the underlying rules, there will always be
someone breaking the rules, working around the system, and all you are
doing is continuously playing catch-up.

I don't like playing cat-and-mouse.

In the current economy, if someone feels that it is important enough to
chat with someone at risk of losing their job, you don't need them,
and they will prove to be a risk in some other way before too long anyway.

If it's the CEO/CIO/CFO that continues to break the rules, you are
working for the wrong company -- which, in this economy, leads to an
entirely different set of problems.

AlanC




how to create a private test. zone?

2009-03-03 Thread Rui Lopes
Hello,

I'm trying to create a private test. zone for use in my local
testing lab.

I've set up a recursive DNS server that will serve the test. zone
(on the Sun host; see the network diagram below).

The resolution of a domain in the test zone works as expected, e.g.:

dig sun.test
; <<>> DiG 9.4.2-P2 <<>> sun.test
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65413
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sun.test.  IN  A

;; ANSWER SECTION:
sun.test.   600 IN  A   192.168.2.1

;; AUTHORITY SECTION:
test.   600 IN  NS  sun.test.

;; Query time: 2 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sun Mar  1 10:39:28 2009
;; MSG SIZE  rcvd: 56


After this, I wanted to delegate the example.test. zone to another
local DNS server of mine (the Plesk host). I did the delegation by
adding the following RR in the test. zone (in the Sun host):

example IN  NS  plesk


I tried to resolve the example.test domain with:

dig example.test
; <<>> DiG 9.4.2-P2 <<>> example.test
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 20407
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.test.  IN  A

;; Query time: 31 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
;; WHEN: Sun Mar  1 10:40:39 2009
;; MSG SIZE  rcvd: 30


Which failed...

NB: I can see my local dns server sending queries to my isp dns
server.  But why?

NB: Asking the same question directly at the Plesk DNS server works:

dig example.test @plesk.test
; <<>> DiG 9.4.2-P2 <<>> example.test @plesk.test
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2358
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;example.test.  IN  A

;; ANSWER SECTION:
example.test.   86400   IN  A   192.168.2.10

;; AUTHORITY SECTION:
example.test.   86400   IN  NS  plesk.test.

;; Query time: 2 msec
;; SERVER: 192.168.2.10#53(192.168.2.10)
;; WHEN: Sun Mar  1 10:41:43 2009
;; MSG SIZE  rcvd: 66


What am I doing wrong in the delegation, and how can I fix it?


My network diagram is:

+-----+
| isp |
+-----+ 10.0.2.3 (DNS)
   |
---+--- 10/24
   |
+-----+ 10.0.2.15     +-----+
| sun |               |plesk|
+-----+ 192.168.2.1   +-----+ 192.168.2.10
   |                     |
---+---------------------+--- 192.168.2/24

isp
    my ISP DNS server host.
sun
    my local DNS server host that hosts the test. zone.
    NB: this is a recursive server.
    NB: it also forwards to the isp dns server.
    NB: local resolv.conf points to 192.168.2.1
plesk
    my other local DNS server host that hosts the example.test. zone.
    NB: this is an authoritative server only.
    NB: local resolv.conf points to 192.168.2.1


This is what the Sun DNS server has about the test. zone:

$TTL 10m            ; default TTL
$ORIGIN test.       ; base domain-name
@       IN  SOA sun hostmaster (
            2008042800  ; serial
            10m         ; refresh
            15m         ; retry
            3w          ; expire
            10m         ; minimum
            )

        IN  NS  sun     ; blank owner: inherits @ (test.)

sun     IN  A   192.168.2.1
plesk   IN  A   192.168.2.10

; delegate example.test. to plesk.test.
example IN  NS  plesk
;example IN  A   192.168.2.10


And this is what the Plesk DNS server has about the example.test.
zone:

@   IN  SOA plesk.test. ironman.example.test. (
            1235830200  ; Serial
            10800       ; Refresh
            3600        ; Retry
            604800      ; Expire
            10800 )     ; Minimum

example.test.   IN  NS  plesk.test.
example.test.   IN  A   192.168.2.10



If you need more information, please let me know.

Thanks!


Best regards,
Rui Lopes


BIND 9 and BIND 8 issue

2009-03-03 Thread bradonkuo
Dear all bind users,

I am new to managing 3 BIND 9 servers. Lately, I got some complaints about users
not being able to connect to some websites while they use our BIND 9 servers;
this issue is solved if they use other ISPs' BIND 8 servers. One example is
below. Can we modify any configuration of the BIND 9 servers to solve this
issue so that users don't need to change anything?

Sincerely,

Bradon Kuo from Taiwan, Taipei,

> lserver 168.95.1.1
Default Server:  dns.hinet.net
Address:  168.95.1.1

> www.hangan.org.tw
Server:  dns.hinet.net
Address:  168.95.1.1

Non-authoritative answer:
Name:    www.hangan.org.tw
Address:  211.21.92.25

> lserver 163.21.249.166
Default Server:  dns.tp.edu.tw
Address:  163.21.249.166

> www.hangan.org.tw
Server:  dns.tp.edu.tw
Address:  163.21.249.166

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to dns.tp.edu.tw timed-out


Taipei Municipal Education Network Center, 郭春吉
Tel: 2722-3004  Fax: 2722-3574

Re: Change my primary DNS server safely...

2009-03-03 Thread Thomas Manson
Thanks Jeff and Robert,

 Robert's plan seems to be the best way to do the thing so I'll follow
that plan ;)

Thanks again,
Thomas.

On Fri, Feb 27, 2009 at 17:39, Jeff Lightner <jlight...@water.com> wrote:
> In your case it sounds like you're going to have two external IPs.  If so I'd
> leave the Apache server with BIND running and add the new server as first one
> at the registrar.  That way anyone that has your old server cached will
> continue to get to it.  Any new queries hopefully would cache your new server.
>
> After you're sure the new server is up and running for a few days you can
> stop BIND on the old one (to reduce load on it).
>
> -----Original Message-----
> From: Thomas Manson [mailto:dev.mansontho...@gmail.com]
> Sent: Friday, February 27, 2009 10:06 AM
> To: Jeff Lightner
> Cc: bind-users@lists.isc.org
> Subject: Re: Change my primary DNS server safely...
>
> Hi Jeff,
>
>   Actually, I've Postfix/Apache2/Bind (primary DNS) on the same
> machine which is hosted by one company.
>
>   I want to dedicate a server to be the primary DNS. This server is
> hosted by another company. (The first server will be reinstalled soon
> but will stay in the original hosting company.)
>
>   The secondary DNS is already a dedicated server.
>
>   So my new primary DNS is ready and the old server will still be
> running (at least for the apache2 service).
>   Should I leave BIND running on the old server or stop it?  (Would it
> be annoying if the old IP still answers queries?)
>
> Regards,
> Thomas.



> On Fri, Feb 27, 2009 at 14:50, Jeff Lightner <jlight...@water.com> wrote:
> > Not sure where the trepidation comes in here.  Hopefully you ARE running
> > a slave server as well so if the primary isn't reachable the slave would
> > resolve lookups until you fixed any problem.
> >
> > Here we've moved our servers from one network provider to another so had
> > to change the IPs of the master and the slave at the Network registrars.
> > We did those one at a time.  That is to say we first did the slave and
> > once we were sure it was resolving correctly and had allowed time for
> > everyone's caches to clear (we waited 3 days/72 hours) then we moved the
> > master.
> >
> > We've also completely replaced both our primary and slave by installing
> > new servers and setting them with the IPs.  There again we did it by
> > doing one at a time.  For those there was no propagation time since the
> > IP stayed the same.
> >
> > If you're simply moving your master to a new IP (as the outside world
> > sees it) then you'll have to allow time for the caches to clear as we
> > did.  If you're simply moving it to a new IP internally then your
> > network folks should be able to NAT that IP to the same external IP your
> > prior server had.
> >
> > -----Original Message-----
> > From: bind-users-boun...@lists.isc.org
> > [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas Manson
> > Sent: Thursday, February 26, 2009 8:04 PM
> > To: bind-users@lists.isc.org
> > Subject: Change my primary DNS server safely...
> >
> > Hello,
> >
> >   I need to change the primary DNS server which manages hundreds of
> > domains.
> >
> >   I've set up the new machine so that it has the correct named
> > configuration for each domain (script generated).
> >
> >   I plan to change the IP behind ns0.mydomain.com so that it
> > points to the new machine.
> >
> >   As I feel it's a bit risky to do that, if you have any suggestion,
> > I'll be glad to hear it.
> >
> > Thanks,
> > Thomas.



Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Stefan Schmidt
On Fri, Feb 27, 2009 at 11:39:40AM +0800, bradonkuo wrote:
> Dear all bind users,

Hi Brandon,

> I am new to manage 3 BIND 9 servers, lately, I got some complains about
> users cannot connect to some websites while they use our BIND 9 servers,
> this issue will be solved if they use other ISP's BIND 8 servers, one
> example is as below. Can we modify any configurations of BIND 9 server to
> solve this issue so that users don't need to change anything?

I can only take wild guesses here as I don't know the configuration of
your BIND 9 servers, but let me assure you that you won't need to
downgrade to BIND 8 in order to provide recursive DNS to your users.
BIND 9 is totally capable of that, but there has been a change in the
default configuration, meaning that it no longer allows recursive
queries by default. You would have to enable that in your configuration
via the following statements:

options {
    recursion yes;
    allow-query {
        0.0.0.0/0;
        # is most likely what you want here:
        # as per its name your server
        # looks very much like it's also an authoritative
        # nameserver.
    };
    allow-recursion {
        192.168.0.0/16;
        # or substitute/add the network ranges your
        # institution uses for its clients
    };
};

Please let me stress some things:
- It is best current practice to separate your recursive nameservice
  from your authoritative nameservice; it's just more tidy and sane. [1]
  So what you really _should_ do is urge your users to use a separate
  recursive [3] DNS server you provide them with instead of your
  authoritative one. [4]
- BIND 8 is deprecated and _should_ be rolled out of production wherever
  possible. [2]

[1] http://cr.yp.to/djbdns/separation.html
[2] https://www.isc.org/software/bind/security
[3] http://en.wikipedia.org/wiki/Domain_name_system#DNS_resolvers
[4] http://en.wikipedia.org/wiki/Name_server#Authoritative_name_server

Stefan
-- 
printk(CARDNAME ": Bad Craziness - sent packet while busy.\n");
linux-2.6.6/drivers/net/smc9194.c
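An added check that reads a named.conf and flags the two things the reply above warns about, written for this page and not part of BIND or of Stefan's post: recursion reachable from any address (an open resolver) and recursive plus authoritative service in one named. The two configs inside are constructed (the first follows Stefan's snippet); the `audit` function and the defaults it assumes for missing statements (BIND 9's `recursion yes`; `localnets; localhost` for a missing allow-recursion, as in BIND 9.4 and later) are my own.

```python
"""Check a named.conf for the two things Stefan warns about.

Added example, not part of BIND or of anyone's post in this thread. The
audit function, its findings and the defaults assumed for missing
statements are mine. Parsing is deliberately simple: comments are
stripped, then the options block and the ACL lists inside it are cut out
by brace matching, so include files and views are not followed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# ACL entries that make recursion reachable from the whole Internet.
WILDCARD_ACLS = {"any", "0.0.0.0/0", "::/0", "0/0"}


def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */
    return re.sub(r"(//|#).*", "", text)                # // ... and # ... to end of line


def block_body(text: str, header: str) -> Optional[str]:
    """Text between the braces that follow `header`, honouring nested braces."""
    m = re.search(header + r"\s*\{", text)
    if not m:
        return None
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError("unbalanced braces after " + m.group(0).strip())


def acl_items(body: str, name: str) -> Optional[List[str]]:
    """Entries of an address-match list such as allow-recursion { a; b; };"""
    inner = block_body(body, r"\b" + name)
    if inner is None:
        return None
    return [item.strip() for item in inner.split(";") if item.strip()]


@dataclass
class Finding:
    recursion: bool
    allow_recursion: List[str]
    authoritative_zones: int
    problems: List[str] = field(default_factory=list)


def audit(conf: str) -> Finding:
    text = strip_comments(conf)
    opts = block_body(text, r"\boptions") or ""
    m = re.search(r"\brecursion\s+(yes|no)\s*;", opts)
    recursion = m.group(1) == "yes" if m else True      # BIND 9 default: recursion yes
    allow = acl_items(opts, "allow-recursion")
    if allow is None:
        allow = ["localnets", "localhost"]              # assumed default (BIND 9.4 and later)
    zones = len(re.findall(r"\btype\s+(master|slave)\s*;", text))
    f = Finding(recursion, allow, zones)
    if recursion and WILDCARD_ACLS & set(allow):
        f.problems.append("open resolver: recursion is allowed from any address")
    if recursion and zones:
        f.problems.append("recursive and authoritative service share one named instance")
    return f


# Constructed configs: the first is Stefan's suggestion from this reply,
# the second the weak variant the check is meant to catch.
STEFAN_CONF = """
options {
    recursion yes;
    allow-query { 0.0.0.0/0; };           /* authoritative data is public */
    allow-recursion { 192.168.0.0/16; };  # only the institution's clients
};
"""

OPEN_CONF = """
options {
    recursion yes;
    allow-recursion { any; };   // recursion for the whole Internet
};
zone "example.test" {
    type master;
    file "example.test.zone";
};
"""

if __name__ == "__main__":
    for label, conf in (("stefan", STEFAN_CONF), ("open", OPEN_CONF)):
        print(label, audit(conf))
```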


Unable to resolve visitriverside.com

2009-03-03 Thread Scott Baker
I am unable to resolve visitriverside.com with my Bind 9 server. I don't 
have any problems resolving other domains, it just appears to be this host.


http://www.perturb.org/code/dns-tool.php?host=visitriverside.com&type=A

I can't resolve the name servers for this domain either. If I check my 
named.log I see it attempt to resolve and everything looks normal.


03-Mar-2009 08:58:00.505 client 65.182.224.20#42104: query: visitriverside.com IN A +


Nothing shows up in the error log... so I'm sort of stuck. Any ideas?

- Scott


Re: BIND logging in a separate node

2009-03-03 Thread Jeremy C. Reed
> What I'm trying to do is log /var/bind/named.stats in a separate node.

Note that this file name is commonly used for the rndc stats statistics-file.
It may be a good idea to use a different name so you don't cause confusion
or conflict.

> So my question is, can I specify the node IP address and the filename in
> the named.conf where I want the stat_file to write to?
> If not another option is to use syslog for all the logging and then move
> the syslog to a different node. However, I want only bind logging to be
> moved to a separate node. I still want all the other system logging to
> go to /var/adm/messages as usual on the same node. So can I
> configure either named.conf or syslog.conf or both so that I can move
> the bind logging to a separate box?

For that use the syslog and configure your Solaris 10 syslogger to forward 
your logging to a different syslog server. You will have to configure your 
syslogger for this. Also in your named.conf's syslog channel, you can use 
the syslog destination clause to choose which syslog facility to log to 
(so you can then configure your syslogger appropriately.)

Maybe someone on this list can share some Solaris syslog.conf examples 
here ...


Re: BIND logging in a separate node

2009-03-03 Thread Prabhat Rana

Jeremy,
Thanks for the response. Yes, I need to change the file name to avoid confusion.
Yes, I can forward the syslog to a different node by making changes in the
syslogger. But I'm not sure how to make such changes so that only named/bind
related syslog will be forwarded and the rest will continue to log locally.






RE: BIND logging in a separate node

2009-03-03 Thread Ben Bridges
Something like the following might work.

BIND (named.conf, inside the logging statement):
...
  channel my_syslog {
    syslog local6;
    severity info;
  };
...

syslog.conf:
...
  # Forward all messages with the local6 facility to a remote syslog server.
  # Classic syslogd (Solaris included) wants a tab, not spaces, between the
  # selector and the action.
  local6.*	@remote-syslog-server
...

You don't have to use the local6 facility.  Just choose some facility
that is not being used by any other process that logs to syslog.





Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Mark Andrews

In message <397019c15b5a45899bb02b1b212e1...@bradon>, bradonkuo writes:
> I am new to manage 3 BIND 9 servers, lately, I got some complains about
> users cannot connect to some websites while they use our BIND 9 servers,
> this issue will be solved if they use other ISP's BIND 8 servers, one
> example is as below. Can we modify any configurations of BIND 9 server to
> solve this issue so that users don't need to change anything?
> [...]

Depending upon how old the BIND 8 server is, it may be
promoting the glue below to an answer.  I can't get any response
out of the nameserver itself.  tcpdump shows queries going
out and no responses coming back.  Either the nameserver
is dead or it is firewalled off.

Try asking for the mx record at both servers and see if you
get a response.  This requires the other ISP to query the
nameserver rather than rely on glue.

Mark

; <<>> DiG 9.7.0pre-alpha <<>> www.hangan.org.tw @c.twnic.net.tw
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34204
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.hangan.org.tw. IN  A

;; AUTHORITY SECTION:
hangan.org.tw.  86400   IN  NS  www.hangan.org.tw.
hangan.org.tw.  86400   IN  NS  mail.hangan.org.tw.

;; ADDITIONAL SECTION:
www.hangan.org.tw.  86400   IN  A   211.21.92.25
mail.hangan.org.tw. 86400   IN  A   211.21.92.25

;; Query time: 359 msec
;; SERVER: 168.95.192.10#53(168.95.192.10)
;; WHEN: Wed Mar  4 07:36:47 2009
;; MSG SIZE  rcvd: 100



; <<>> DiG 9.3.6-P1 <<>> www.hangan.org.tw @211.21.92.25
;; global options:  printcmd
;; connection timed out; no servers could be reached


07:38:43.523517 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)
07:38:48.543936 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)
07:38:53.566828 211.30.172.21.62657 > 211.21.92.25.53:  27058+ A? www.hangan.org.tw. (35)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
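To make Mark's diagnosis mechanically checkable, an added parser (not from this thread and not ISC code) that reads a dig reply like the one above and reports whether it is a referral carrying glue only, what a glue-promoting resolver would hand back for the name, and whether every delegated nameserver sits on a single address, which is the single-point-of-failure observation Kevin Darcy makes further down the thread. The sample is Mark's reply from c.twnic.net.tw as printed above; `parse_dig`, `glue_for` and `diagnose` are my names.

```python
"""Parse a dig reply and classify it: added example for this thread, not
ISC code and not anything posted here; parse_dig, glue_for and diagnose
are my names. SAMPLE is Mark's query of c.twnic.net.tw copied from above."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, int, str, str, str]   # owner, ttl, class, type, rdata


@dataclass
class DigReply:
    status: str = ""
    flags: List[str] = field(default_factory=list)
    sections: Dict[str, List[RR]] = field(default_factory=lambda: defaultdict(list))


def parse_dig(text: str) -> DigReply:
    reply, section = DigReply(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            reply.status = m.group(1) if m else ""
        elif line.startswith(";; flags:"):
            reply.flags = line[len(";; flags:"):].split(";")[0].split()
        elif re.match(r";; \w+ SECTION:", line):
            section = line.split()[1]         # QUESTION, ANSWER, AUTHORITY, ADDITIONAL
        elif line.startswith(";") or section is None:
            continue                          # comments, timings, the question line
        else:
            parts = line.split(None, 4)       # owner ttl class type rdata
            if len(parts) == 5:
                owner, ttl, rclass, rtype, rdata = parts
                reply.sections[section].append(
                    (owner.lower(), int(ttl), rclass, rtype.upper(), rdata.lower()))
    return reply


def delegation_glue(reply: DigReply) -> Dict[str, str]:
    """Address glue supplied for the nameservers named in the AUTHORITY section."""
    ns_names = {rr[4] for rr in reply.sections.get("AUTHORITY", []) if rr[3] == "NS"}
    return {rr[0]: rr[4] for rr in reply.sections.get("ADDITIONAL", [])
            if rr[3] in ("A", "AAAA") and rr[0] in ns_names}


def glue_for(reply: DigReply, qname: str) -> Optional[str]:
    """What a resolver that promotes glue to an answer (Mark's reading of the
    BIND 8 behaviour) would hand back; BIND 9 asks the nameserver instead."""
    return delegation_glue(reply).get(qname.rstrip(".").lower() + ".")


def diagnose(reply: DigReply) -> List[str]:
    notes = []
    if "aa" not in reply.flags:
        notes.append("response is not authoritative")
    ns = [rr for rr in reply.sections.get("AUTHORITY", []) if rr[3] == "NS"]
    if not reply.sections.get("ANSWER") and ns:
        notes.append(f"referral to {len(ns)} nameserver(s), no answer")
        glue = delegation_glue(reply)
        addrs = sorted(set(glue.values()))
        if glue:
            notes.append(f"glue for {len(glue)}/{len(ns)} nameserver(s): {', '.join(addrs)}")
        if len(ns) > 1 and len(addrs) == 1:      # Kevin's single point of failure
            notes.append("all delegated nameservers share one address: single point of failure")
    return notes


SAMPLE = """
; <<>> DiG 9.7.0pre-alpha <<>> www.hangan.org.tw @c.twnic.net.tw
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34204
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.hangan.org.tw.      IN  A

;; AUTHORITY SECTION:
hangan.org.tw.   86400   IN  NS  www.hangan.org.tw.
hangan.org.tw.   86400   IN  NS  mail.hangan.org.tw.

;; ADDITIONAL SECTION:
www.hangan.org.tw.  86400   IN  A   211.21.92.25
mail.hangan.org.tw. 86400   IN  A   211.21.92.25

;; SERVER: 168.95.192.10#53(168.95.192.10)
"""
```

Running `diagnose(parse_dig(SAMPLE))` reports the referral, the glue, and the shared address; a reply with an `aa` flag and an ANSWER section produces no referral notes at all.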


Re: how to create a private test. zone?

2009-03-03 Thread Mark Andrews

In message <49ace778.6040...@ruilopes.com>, Rui Lopes writes:
> Mark Andrews wrote:
> > In message <49ac5d59.1010...@ruilopes.com>, Rui Lopes writes:
> > > Hi,
> > >
> > > Ben Bridges wrote:
> > > > [...]
> > > > You could try creating example.test as a forward zone in named.conf on
> > > > your sun server and specifying plesk as the forwarder for that zone.
> > >
> > > Indeed, adding a forward zone like below works!  But why does it work?
> > > Or why is it needed?
> > >
> > > zone "example.test" {
> > >     type forward;
> > >     // forward only;
> > >     // forwarders { 192.168.2.10; };
> > > };
> > >
> > > Note that I only needed to include the "type forward" line; the other
> > > lines do not seem to be needed.  Am I missing something?  They aren't
> > > really needed?  By reading the bind manual it seems we have to include
> > > them.
> >
> > You turned off forwarding for that namespace.
> > It's the equivalent of:
> >
> > zone "example.test" {
> >     type forward;
> >     forwarders { /* empty */ };
> > };
> >
> > You could have also added it to the test zone's config.
> >
> > zone "test" {
> >     type master;  // or slave
> >                   // or stub
> >     ...
> >     forwarders { /* empty */ };
> > };
> >
> > Mark
>
> Thanks!
>
> Why isn't bind just following the example.test. NS plesk.test. RR that
> is inside the test. zone without removing the forwarders?

Because you have forwarding turned on at the options/view
level.  Unless you have a special reason (like you can't
reach the root servers) that requires forwarding, I don't
recommend using it.

Mark
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: named with DLZ

2009-03-03 Thread Josh Miller

Jeff Lightner wrote:
> I have been talked with getting named with DLZ support on Red Hat 5.2
> Enterprise.  I have never worked on Red Hat or with RPM, can someone
> point me to the rpm I need?  Any other basic pointers?
>
> I was thinking to just build it out myself, but if there is a
> confident stable rpm, I might as well learn that as well.



Try bind-sdb, although I don't believe it supports MySQL for Redhat 5.2 
-- I had to compile from source.


Josh


Re: how to create a private test. zone?

2009-03-03 Thread Kevin Darcy

Rui Lopes wrote:
> Mark Andrews wrote:
> > [...]
> > You turned off forwarding for that namespace.
> > It's the equivalent of:
> >
> > zone "example.test" {
> >     type forward;
> >     forwarders { /* empty */ };
> > };
> >
> > You could have also added it to the test zone's config.
> >
> > zone "test" {
> >     type master;  // or slave
> >                   // or stub
> >     ...
> >     forwarders { /* empty */ };
> > };
> >
> > Mark
>
> Thanks!
>
> Why isn't bind just following the example.test. NS plesk.test. RR that
> is inside the test. zone without removing the forwarders?

It's the result of a couple of deliberate design decisions.

When named tries to resolve a name, it looks at the zones which are
explicitly defined in its config. If the name isn't contained in any of
them, then, by BIND's design, it looks to see what the closest
applicable forward statement is, if any. example.test is *outside* of
the test zone you have defined, so:

BEFORE (no forward defined in the test zone): it finds your global
forwarders and uses them to resolve example.test names.
AFTER (a forward defined in the test zone, with an empty forwarders
list): it finds the test forwarders (since they're closer than the
global forwarders, which are considered to be at the root) and uses them.

The other deliberate design decision is that the resolver algorithm
interprets an empty forwarders list to mean "don't forward at all". So
when it finds the empty forwarders list for test it follows the
example.test delegation records and resolves as you expected it to.


- Kevin



Re: BIND 9 and BIND 8 issue

2009-03-03 Thread Kevin Darcy
hangan.org.tw is delegated to www.hangan.org.tw and mail.hangan.org.tw, 
the glue records that are provided resolve both of those names to the 
address 211.21.92.25. I believe BIND 8 considers a glue record to be 
good enough to serve as an answer, so it returns the glue record. BIND 
9, however, is more diligent about trying to get a *better* answer 
directly from the authoritative servers.


I can't get any kind of response from the nameserver at 211.21.92.25, 
can anyone else (tried with both EDNS0 on and off)?


Having both delegated nameservers resolve to the same address is, of 
course, very bad architecture; it means you have a single point of 
failure for your entire domain. I'm somewhat surprised that the .tw 
registry even allows this.


- Kevin





Re: [OT] Is it possible to set a ddns hostname to access a name-based virtual host?

2009-03-03 Thread Barry Margolin
In article <gofs8j$83...@sf1.isc.org>,
 Michael Milligan <mi...@acmeps.com> wrote:

> Danny Mayer wrote:
> > Michael Milligan wrote:
> > > Just being more general.  A URL is a HTTP URI... Google has plenty of
> > > explanations.
> >
> > That's nonsense. A URL was never just an HTTP URI. It's one example of
> > one but there have always been more than one type.
>
> I wasn't clear.  A URL covers a subset of the URI space, as you say.
> Again, plenty of good (i.e., better than one-liner) explanations can be
> found on Google.

For the purposes of this discussion, though, the distinction between URL 
and URI is probably irrelevant.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Re: how to create a private test. zone?

2009-03-03 Thread Barry Margolin
In article <goip2j$2a0...@sf1.isc.org>, Rui Lopes <r...@ruilopes.com>
wrote:

> Why isn't bind just following the example.test. NS plesk.test. RR that
> is inside the test. zone without removing the forwarders?

Because the point of configuring forwarders is to use them INSTEAD of 
following NS records.  Forwarders are generally used when the server 
doesn't have direct access to the Internet, so it can't reach the 
nameservers named in NS records.

The basic algorithm is this:

If we're authoritative for the zone, return the answer.
If the answer is already cached, return it.
If there's a forward zone for it, obey it (send to its forwarders if 
any, otherwise follow NS records).
If there's global forwarding enabled, send to them.
Follow the NS records.

-- 
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
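The lookup order Barry lays out here, and Kevin Darcy's earlier explanation of "closest forwarders clause wins, empty list means don't forward", as a small simulator I have added for this page (it is not BIND code and not anything posted in the thread). It leaves the cache step out and loads Rui Lopes' lab as the worked case: the "sun" resolver is master for test., delegates example.test. to plesk, and forwards globally to the ISP resolver 10.0.2.3; `Zone`, `Config`, `resolve_path` and `lab_config` are my own names.

```python
"""Simulate BIND 9's choice of resolution path for a query name.

Added example, not BIND code and not anything posted in this thread: it
models the lookup order Kevin Darcy and Barry Margolin describe (cache
lookup left out) with the configuration of Rui Lopes' lab.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


def canonical(name: str) -> str:
    """Lower-case absolute form with one trailing dot ("." for the root)."""
    return name.strip().rstrip(".").lower() + "."


def ancestors(name: str) -> List[str]:
    """The name, then each enclosing name, closest first, ending at the root."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def in_or_below(name: str, parent: str) -> bool:
    return name == parent or name.endswith("." + parent)


@dataclass
class Zone:
    kind: str                               # "master", "slave" or "forward"
    forwarders: Optional[List[str]] = None  # None: no clause; []: explicit empty list
    delegations: Set[str] = field(default_factory=set)  # names cut away by NS records

    def __post_init__(self) -> None:
        # "type forward;" without a forwarders clause behaves, as Mark Andrews
        # says above, exactly like an explicitly empty forwarders list.
        if self.kind == "forward" and self.forwarders is None:
            self.forwarders = []
        self.delegations = {canonical(d) for d in self.delegations}


@dataclass
class Config:
    zones: Dict[str, Zone] = field(default_factory=dict)        # keyed by canonical name
    global_forwarders: List[str] = field(default_factory=list)  # options { forwarders }


def resolve_path(cfg: Config, qname: str) -> str:
    """Describe where named would send the query for qname."""
    qname = canonical(qname)
    # 1. Authoritative data wins, but a name under a zone cut is *outside*
    #    the zone: the delegation makes it somebody else's data.
    for anc in ancestors(qname):
        z = cfg.zones.get(anc)
        if z is not None and z.kind in ("master", "slave"):
            if not any(in_or_below(qname, d) for d in z.delegations):
                return f"answer authoritatively from zone {anc}"
            break
    # 2. The closest forwarders clause between the name and the root decides;
    #    an empty list means "do not forward, follow NS records".
    for anc in ancestors(qname):
        z = cfg.zones.get(anc)
        if z is None or z.forwarders is None:
            continue
        if z.forwarders:
            return f"forward to {', '.join(z.forwarders)} (forwarders of {anc})"
        return f"follow NS records (empty forwarders at {anc})"
    # 3. Global forwarders sit at the root, so they are consulted last.
    if cfg.global_forwarders:
        return f"forward to {', '.join(cfg.global_forwarders)} (global forwarders)"
    return "follow NS records from the root"


def lab_config(fix: str = "none") -> Config:
    """Rui's 'sun' resolver: master for test., delegating example.test. to
    plesk, with options { forwarders { 10.0.2.3; }; } pointing at the ISP.
    fix: "none" (before), "forward-zone" (Rui's fix) or "zone-forwarders"
    (Mark's alternative: an empty forwarders list inside the test zone)."""
    cfg = Config(global_forwarders=["10.0.2.3"])
    cfg.zones["test."] = Zone("master", delegations={"example.test."})
    if fix == "forward-zone":
        cfg.zones["example.test."] = Zone("forward")  # zone "example.test" { type forward; };
    elif fix == "zone-forwarders":
        cfg.zones["test."].forwarders = []            # forwarders { /* empty */ };
    return cfg


if __name__ == "__main__":
    for fix in ("none", "forward-zone", "zone-forwarders"):
        for q in ("sun.test", "example.test", "www.example.test", "www.isc.org"):
            print(f"{fix:16} {q:18} -> {resolve_path(lab_config(fix), q)}")
```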