Re: How do I debug if the queries are not getting resolved?

2023-12-11 Thread Grant Taylor via bind-users
On 12/11/23 18:47, Blason R wrote: Oh I forgot to tell you that. This is BIND RPZ and all the queries are recursive. Okay, what RPZ configuration do you have? Is it messing with the queries you're testing in any way? What configuration do you have for RPZ related to DNSSEC? Dig output

Re: Zone stats

2023-08-21 Thread Grant Taylor via bind-users
On 8/21/23 10:11 AM, Mark Elkins via bind-users wrote: Hi, Hi, 1) Count how many delegated domains there are (Names with NS records) Mind your $ORIGIN and check the number of NS record owners. 2) Extract the above Names - so I can look for changes (Added/Deleted names) I suspect that

Re: Possibility of using views to properly return appropriate IP address for hostname based on requestor subnet?

2023-06-29 Thread Grant Taylor via bind-users
On 6/29/23 6:44 AM, Matus UHLAR - fantomas wrote: bind has "sortlist" statement that could do what you want. It will provide all IPs but sorted differently. +1 to "sortlist". I couldn't remember the exact nomenclature nor how it was used. Otherwise, you can set up multiple views with

Re: Controlling which interface named uses

2023-06-27 Thread Grant Taylor via bind-users
On 6/12/23 2:48 AM, Matus UHLAR - fantomas wrote: note that query-source settings affects source IP of packet, while "ip rule" affects outgoing interface (unless you also configure SNAT for those packets), so they are not exactly the same. Late comment: `ip route` can have some influence on

Re: host restriction

2023-05-16 Thread Grant Taylor via bind-users
On 5/15/23 1:58 PM, Kereszt Vezeték wrote: Hi Everybody Hi, I have a dns server in my private network with a local domain. The dns server forwards the public requests to the google dns server. I would like to separate hosts in the inside network. One group allow only the local host resolve,

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote: Yes, this is one of the problem "authoritative zones for local use". Authorizing the /zone/ for local use wasn't the problem. The problem was that the world could get some of that zone's data from the query cache even if they couldn't query

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote: If your server has authoritative zones for internal use, yes, in such case allow-query is good idea. The server that I first set this on had a secondary copy of the root zone for my systems use. I ended up adding additional restrictions to

Re: Bind dns amplification attack

2023-03-28 Thread Grant Taylor via bind-users
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote: Great, this means that only clients with those IP addresses can query your server for non-local information. I used to think the same thing. Then I learned that I needed to also add similar configuration for `allow-query {...};` and

Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-11 Thread Grant Taylor via bind-users
On 3/11/23 10:43 AM, Fred Morris wrote: I've found myself in situations in the past where NOTIFY has been fetishized as "real time" "real time" can be a VERY loaded phrase. Sometimes it's measured in fractions of a second. Other times it's measured in minutes. I've always simply

Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-11 Thread Grant Taylor via bind-users
On 3/11/23 10:37 AM, Paul Stead wrote: Sorry I should have made it clearer that the notifier should only be shuffled to the top of the list if it is a defined primary for said zone. Okay. The try the notifier first /if/ it's a configured primary makes more sense to me. I guess I've not had

Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-11 Thread Grant Taylor via bind-users
Hi Paul, Thank you for explaining. On 3/10/23 12:21 AM, Paul Stead wrote: Imagine that 1.1.1.1 has lost network connectivity recently. A notify comes from 2.2.2.2 - if I understand correctly Bind will try 1.1.1.1 first, time out and then try 2.2.2.2 - even though we know given the situation

Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-09 Thread Grant Taylor via bind-users
On 3/9/23 2:25 PM, Paul Stead wrote: Chiming in to say +1 to Kalus' logic and sight of benefit here. Please forgive my ignorance in asking: Why doesn't the order of the configured primaries suffice? N.B. I'm assuming that this is the order of the primaries for a zone in the named.conf

Re: DNSSEC With Primary Hidden - Clarifying Question from Documentation

2023-01-17 Thread Grant Taylor via bind-users
On 1/17/23 4:45 PM, Michael Richardson wrote: Many people do exactly that. Sorry, I don't see that as an answer to -- my understanding of -- the OP's question of "Does the primary server that handles the DNSSEC duties need to be not hidden / publicly accessible?" Specifically what many

Re: Reverse lookups not working when Internet connection failed.

2022-11-07 Thread Grant Taylor via bind-users
On 11/7/22 9:45 AM, Fred Morris wrote: The PUBLIC DNS is not secure against eavesdropping or parallel construction and never will be. Even if the information is out there, I believe there is an exposure risk for ISPs if they do something that makes it /easy/ to correlate customer / client

Re: automatic reverse and forwarding zones

2022-11-07 Thread Grant Taylor via bind-users
On 11/7/22 9:08 AM, Matus UHLAR - fantomas wrote: I'm afraid that this problem can become really huge when someone creates huge amount of generated records, e.g. using proposed module. Even if BIND's cache is simply FIFO -- which I'm fairly certain that it's smarter than that -- and flushes

Re: Reverse lookups not working when Internet connection failed.

2022-11-06 Thread Grant Taylor via bind-users
On 11/6/22 6:39 AM, Matus UHLAR - fantomas wrote: 3. allow your servers to fetch 66.136.193.in-addr.arpa. Is this 3rd step documented somewhere? I searched for it in RFC 2317 but didn't find it. Maybe I overlooked it. alternatively they can choose to 0/28.66.136.193.in-addr.arpa. or

Re: Reverse lookups not working when Internet connection failed.

2022-11-06 Thread Grant Taylor via bind-users
On 11/6/22 11:12 AM, Carl Byington via bind-users wrote: or use $clientname.66.136.193.in-addr.arpa. as the intermediate zone which has a slight advantage when the same client has multiple disjoint parts of the same /24. I find that $CLIENTNAME or some other stand in for the client is a

Re: Reverse lookups not working when Internet connection failed.

2022-11-05 Thread Grant Taylor via bind-users
On 11/5/22 4:32 AM, Ondřej Surý wrote: The IPv4 reverse zone is easy to scrape and stored for situations like this… just saying. Fair enough. Though if we're going to not officially sanctioned behavior, I'm inclined to create a local version of the 66.136.193.in-addr.arpa. zone that CNAMEs

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 2:07 PM, Mark Andrews wrote: Any ISP that offers these delegations should be allowing their customers to transfer the zone that contains the CNAMEs for the customer address space by default. I've had enough trouble getting ISPs to support 2317 delegation period. I think that

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 12:09 PM, Cuttler, Brian R (HEALTH) via bind-users wrote: My pointer zones are more like Zone "28.66.136.193.in-addr.arpa.", I've never had that leading "0-" Is that typical? What does it do? I invite you to go skim RFC 2317 -- Classless IN-ADDR.ARPA Delegation. TL;DR: 2317 is a

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 11:19 AM, David Carvalho via bind-users wrote: Thanks again. You're welcome again. :-) Probably. Am I supposed to, I have just 2 segments in this network (and 2 others on another work) ? Normally no, you're not supposed to /need/ to have a copy of an intermediate zone.

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 10:54 AM, David Carvalho via bind-users wrote: Thanks for the replies. You're welcome. My reverse zone in named.conf. My secondary dns gets it automatically daily, along with the "di.ubi.pt.". ACK zone "0-28.66.136.193.in-addr.arpa." IN { allow-query { any; };

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 10:07 AM, David Carvalho via bind-users wrote: My reverse zone file What is the origin of your zone file? 0-28.66.136.193.in-addr.arpa.? 1.0-28.66.136.193.in-addr.arpa. IN A 193.136.66.1 You seem to be using RFC 2317 Classless IN-ADDR.ARPA delegation. As
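
The RFC 2317 mechanics behind the "0-28.66.136.193.in-addr.arpa." zone in this thread (the TL;DR invitation to skim RFC 2317 above, and the identification of the zone file as classless in-addr.arpa delegation here), worked in code. This is an added example, not code from the thread or from BIND: given a sub-/24 IPv4 prefix it emits the records the ISP must hold in the /24 parent zone (an NS delegation for the child zone plus one CNAME per address) and the customer's child zone with its PTRs. The name server names, `hostmaster.example.net.` and the SOA timers are constructed placeholders; the prefix is the thread's 193.136.66.0/28.

```python
"""RFC 2317 classless in-addr.arpa delegation, worked in code.

Added example, not from the thread or from BIND. The ISP owns the /24
parent zone and must (a) delegate the child zone "<first><sep><prefixlen>"
and (b) CNAME every address in the range into that child zone; the
customer's child zone then holds the real PTR records. All names other
than the thread's 193.136.66.0/28 prefix are constructed placeholders.
"""
import ipaddress


def _names(net, separator):
    """Parent (/24) zone name and child zone name for a sub-/24 network."""
    o = net.network_address.packed
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."
    child = f"{o[3]}{separator}{net.prefixlen}.{parent}"
    return parent, child


def rfc2317_zones(cidr, child_ns, ptrs=None, separator="-"):
    """Return the parent-zone records the ISP needs and the customer's child zone.

    separator: "-" (as in the thread's 0-28 form) or "/" (as in the RFC's examples).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("RFC 2317 is for IPv4 prefixes longer than /24; "
                         "a /24 or shorter is delegated normally")
    parent, child = _names(net, separator)

    # Parent zone (ISP): delegate the child, then CNAME each address into it.
    # Iterating the network covers the whole range, network and broadcast
    # addresses included, which is what RFC 2317 shows.
    parent_rrs = [f"{child} IN NS {ns}" for ns in child_ns]
    parent_rrs += [f"{a.packed[3]}.{parent} IN CNAME {a.packed[3]}.{child}" for a in net]

    # Child zone (customer): apex SOA/NS plus the PTRs. SOA values are placeholders.
    child_rrs = [f"{child} IN SOA {child_ns[0]} hostmaster.example.net. 1 3600 900 1209600 300"]
    child_rrs += [f"{child} IN NS {ns}" for ns in child_ns]
    for addr, target in (ptrs or {}).items():
        ip = ipaddress.ip_address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is outside {cidr}")
        child_rrs.append(f"{ip.packed[3]}.{child} IN PTR {target}")

    return {"parent_zone": parent, "child_zone": child,
            "parent_rrs": parent_rrs, "child_rrs": child_rrs}


def ptr_lookup_chain(ip, cidr, separator="-"):
    """The two owner names a resolver walks for one address: the CNAME in the
    ISP's parent zone, then the PTR in the customer's child zone. The first
    hop is why reverse lookups die when the path to the ISP is down."""
    net = ipaddress.ip_network(cidr, strict=True)
    parent, child = _names(net, separator)
    last = ipaddress.ip_address(ip).packed[3]
    return f"{last}.{parent}", f"{last}.{child}"


if __name__ == "__main__":
    z = rfc2317_zones("193.136.66.0/28", ["ns1.example.net.", "ns2.example.net."],
                      {"193.136.66.1": "gw.example.net."})
    print("\n".join(z["parent_rrs"]))
    print("\n".join(z["child_rrs"]))
```

`parent_rrs` is exactly the data a site would load as a local copy of the ISP's /24 zone (the "local version of the 66.136.193.in-addr.arpa. zone that CNAMEs" idea later in this thread), or obtain by AXFR if the ISP allows it; without one of those, `ptr_lookup_chain` shows the first hop that fails when the Internet connection is down.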

Re: automatic reverse and forwarding zones

2022-10-27 Thread Grant Taylor via bind-users
On 10/27/22 4:18 PM, Andrew Latham wrote: IRC for example will check for PTR and gate login. I know there are others but that came to mind quickly. In some regions having PTRs was a requirement. It has been years but I recall LACNIC required/desired PTRs be set. I wasn't aware of IRC's

Re: automatic reverse and forwarding zones

2022-10-27 Thread Grant Taylor via bind-users
On 10/27/22 1:24 PM, Marco wrote: At least for IPv4, there are servers that reject connections from IPs that don't have a reverse zone with PTR record. Please elaborate. I've not heard of (unspecified type of) servers rejecting connections because of the lack of a PTR record. I have heard

Re: automatic reverse and forwarding zones

2022-10-27 Thread Grant Taylor via bind-users
On 10/27/22 11:23 AM, Marco wrote: It isn't, because a customer gets /48 or /56 in most cases. "For example one of their clients has the IP 2001:db::3." is a singular IP. The customer's router can use various methods to assign addresses, auto configuration and DHCPv6. Agreed. However

Re: automatic reverse and forwarding zones

2022-10-27 Thread Grant Taylor via bind-users
On 10/27/22 1:16 AM, Marco Moock wrote: Hello, Hi, how do ISPs automatically create the reverse and forwarding zones for their customers' IP pools? I think it might be out of scope for what you were asking about, but I believe the following is an alternative approach. For example one of

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 1:51 PM, Greg Choules via bind-users wrote: Hi Grant. Hi Greg, I'm quickly replying to your message. I'll reply to Matus & Fred later when I have more time for a proper reply. My understanding is this, which is almost identical to what I did in a former life: client

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 10:34 AM, Matus UHLAR - fantomas wrote: If you are an ISP/registry/DNS provider, it makes sense to separate authoritative zones for your clients' domains, for all those cases your clients move their domains somewhere else without notifying you (hell, they do that too often), or to

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Grant Taylor via bind-users
On 10/15/22 10:03 AM, Bob McDonald wrote: My understanding has always been that the recommendation is/was to separate recursive and non-recursive servers. I too (had) long shared -- what I'm going to retroactively call -- that over simplification. Now I understand I'm talking about an

Re: Zone transfer over VPN

2022-09-06 Thread Grant Taylor via bind-users
On 9/6/22 4:16 PM, Michael De Roover wrote: once I tried to do the same on the satellite network, BIND on the main network would see the zone transfer as coming from 192.168.10.51 or 192.168.10.52 -- instead of coming from 192.168.20.3 -- and refuse it. The same is true the other way around,

Re: rate limiting queries with firewall (was: Stopping ddos)

2022-08-03 Thread Grant Taylor via bind-users
On 8/2/22 3:15 PM, Grant Taylor via bind-users wrote: It looks like you're dealing with A queries for the root domain. I've blocked this, and similar queries, via iptables firewall in the past. I've seen a number of responses to Robert's "Stopping ddos" thread discussing using

Re: Stopping ddos

2022-08-02 Thread Grant Taylor via bind-users
On 8/2/22 2:02 PM, Robert Moskowitz wrote: Any best practices on this? It looks like you're dealing with A queries for the root domain. I've blocked this, and similar queries, via iptables firewall in the past. Also, make sure that you apply the same BIND ACL to the cache that you do for

Re: DNSSEC adoption

2022-08-02 Thread Grant Taylor via bind-users
On 8/2/22 11:51 AM, Brown, William wrote: Or perhaps some way of the client side deciding how to handle hard v./ soft failure. Wouldn't this require the client side being aware of DNSSEC and making decision based on it? Maybe it's just me, but I think client application side DNSSEC

Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

2022-08-01 Thread Grant Taylor via bind-users
On 8/1/22 4:21 PM, Greg Choules via bind-users wrote: Off the top of my head, could it be this? random-device ... BIND will need a good source of randomness for crypto operations. Drive by plug: If it is lack of entropy, try installing and running Haveged. At least as a troubleshooting

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Grant Taylor via bind-users
Let's flip this on its head. On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PM's asking for the DNSSEC signing of an internal zone. So why shouldn't the internal zone(s) be

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Grant Taylor via bind-users
On 8/1/22 11:51 AM, John W. Blue via bind-users wrote: However, the intent of the thread is to talk about the lack of an AD flag from a non-public internal authoritative server. Based upon what I am seeing only the AA flag is set. There are multiple reasons to sign zones. The existence of

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Grant Taylor via bind-users
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from

Re: Using nsupdate remotely

2022-07-12 Thread Grant Taylor via bind-users
On 7/11/22 11:48 PM, Philip Prindeville wrote: Hi, Hi, I have a remote subnet that has its own DHCP server, but wants to update the domain which spans several locations and subnets. What do I need to do on both ends (remote DHCP server and central DNS server) to push updates over? I would

Re: AXFR from Windows 2008R2 failing after upgrading to 9.18

2022-05-23 Thread Grant Taylor via bind-users
On 5/23/22 5:55 PM, Lefteris Tsintjelis via bind-users wrote: Nothing actually. Windows logs are clean. Unix logs also. #trustTheBitsOnTheWire #useTheSniffer I'd start by capturing w/ tcpdump using the `-s 0` and `-w /path/to/capture.pcapng` options. Then use Wireshark to analyze the

Re: Dynamic A records similar to nip.io or xip

2022-05-23 Thread Grant Taylor via bind-users
On 5/23/22 4:30 AM, Nux wrote: Hi, Does anyone know whether it's possible to generate with Bind these kind of A records automatically on the authoritative side, similar to services like xip.io or nip.io? Eg: 127.0.0.1.nip.io -> 127.0.0.1 name.127.0.0.1.nip.io -> 127.0.0.1 and so on. Does

Re: per record responses based on originating IP

2022-05-15 Thread Grant Taylor via bind-users
On 5/15/22 7:28 AM, Angus Clarke wrote: Hi Grant Hi Angus, maybe, I'm reading up ... poking around the manual, are you alluding to the "sortlist" directive? Yes, that's what I was referring to. So the concern with returning an ordered RRset is that the set could be large: Okay. I

Re: per record responses based on originating IP

2022-05-12 Thread Grant Taylor via bind-users
On 5/12/22 2:41 PM, Nick Tait via bind-users wrote: This sounds like exactly the sort of use case for Response Policy Zones: How are you going to have RPZ return different addresses for different clients? Are you suggesting use different RPZs with different contents for different clients?

Re: per record responses based on originating IP

2022-05-12 Thread Grant Taylor via bind-users
On 5/12/22 6:30 AM, Angus Clarke wrote: Hello Hi, With bind (and others) it seems that DNS views are the way to go, Before stepping up to views I'd stop to ask the question, would returning multiple IPs in a preferred sort order suffice? BIND has the ability to sort RRs differently

Re: Determining Which Authoritative Sever to Use

2022-05-11 Thread Grant Taylor via bind-users
On 5/11/22 2:19 PM, Bob Harold wrote: Not sure who set it up, but my DHCP servers have for some zones: zone x.y.z.in-addr.arpa { primary 10.2.3.4; } I'm assuming that is BIND's named.conf syntax. Which I believe overrides the MNAME lookup. Doesn't that just tell BIND where to

Re: Determining Which Authoritative Sever to Use

2022-05-11 Thread Grant Taylor via bind-users
On 5/11/22 11:24 AM, Bob McDonald wrote: It would seem that using an anycast cloud name (An anycast cloud of the NS device IPs) for the MNAME might provide the same level of distribution as per Windows. However, again, you run into the issues of forwarded updates. Another thing that I've

Re: Determining Which Authoritative Sever to Use

2022-05-10 Thread Grant Taylor via bind-users
On 5/8/22 5:58 AM, Tony Finch wrote: Regarding anycast, it isn't necessary for internal authoritative servers unless your organization is really huge (and probably not even then): it is simpler to just use the DNS's standard reliability features. All you need to do is have more than one

Re: Bind9 Server conflicts with docker0 interface

2022-05-05 Thread Grant Taylor via bind-users
On 5/5/22 1:35 PM, Maurício Penteado via bind-users wrote: Hi folks, Hi, Thank you for the reply. :-) Unfortunately, I did not understand how I am supposed to add multiple A-records for the same name to the zone-file to fix this issue. Based on your first message, you already have

Re: Bind9 Server conflicts with docker0 interface

2022-05-05 Thread Grant Taylor via bind-users
On 5/5/22 9:01 AM, Reindl Harald wrote: by not adding multiple A-records for the same name to the zone-file BIND doesn't know about docker on its own Another option would be to leverage BIND's ability to sort A records based on configured preference (in the config file, not the zone file) based
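
The "return all the IPs, just sorted differently per client" behaviour that `sortlist` is suggested for in several of these threads (the views-vs-sortlist question, the per-record-responses-by-originating-IP thread, and the docker0 case here) is easy to misjudge without seeing it run, so here is a small model of it. This is an added example, not BIND's code and not from the thread: entries are `(client_match, preferred_prefixes)`; the first entry whose `client_match` contains the client applies; addresses in the preference list go first in list order and everything else keeps its original order; an entry whose preference list is `None` prefers addresses inside its own `client_match`, mirroring BIND's single-element sortlist form. The addresses (docker0 172.17.0.1, LAN 192.168.1.10, public 203.0.113.10) are constructed placeholders.

```python
"""Simplified model of BIND's sortlist response ordering.

Added example, not BIND's implementation. It demonstrates the property the
thread relies on: nothing is filtered, only the order of the RRset changes,
and the order depends on which sortlist entry the querying client matches.
Addresses are constructed placeholders.
"""
import ipaddress


def sortlist_order(client_ip, addresses, sortlist):
    """Reorder `addresses` for `client_ip` according to `sortlist`.

    sortlist: list of (client_match_cidr, preferred_cidrs_or_None).
    The first entry containing the client wins; with None as the preference
    list the entry's own client_match is preferred (BIND's single-element form).
    Clients matching no entry get the RRset unchanged.
    """
    client = ipaddress.ip_address(client_ip)
    for client_match, prefs in sortlist:
        if client not in ipaddress.ip_network(client_match):
            continue
        pref_nets = [ipaddress.ip_network(p) for p in (prefs or [client_match])]

        def rank(addr):
            a = ipaddress.ip_address(addr)
            # Position of the first preferred prefix that contains the address;
            # addresses outside every preferred prefix share the lowest rank.
            return next((i for i, n in enumerate(pref_nets) if a in n), len(pref_nets))

        # sorted() is stable, so addresses of equal rank keep their original order.
        return sorted(addresses, key=rank)
    return list(addresses)


# Constructed scenario: one name with a docker0, a LAN and a public address.
SAMPLE_RRSET = ["172.17.0.1", "192.168.1.10", "203.0.113.10"]
SAMPLE_SORTLIST = [
    ("192.168.1.0/24", None),                              # LAN clients prefer the LAN address
    ("10.0.0.0/8", ["10.0.0.0/8", "192.168.0.0/16"]),      # remote RFC 1918 clients: 10/8 first, then 192.168/16
]

if __name__ == "__main__":
    for c in ("192.168.1.50", "10.2.3.4", "203.0.113.77"):
        print(c, "->", sortlist_order(c, SAMPLE_RRSET, SAMPLE_SORTLIST))
```

Sortlist only helps clients that use the first address they get; a client that picks randomly from the RRset, or that needs the other addresses hidden entirely, still needs views.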

Re: DNSSEC and forwarding

2022-04-12 Thread Grant Taylor via bind-users
On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote: We are dropping this configuration and looking at doing something else. I'm sorry to hear that. We have had intermittent issues with Slack, Microsoft, and a growing list of domains. Even have one that consistently fails. Are you

Re: Can an RPZ record be used for a non-existed domain?

2022-03-24 Thread Grant Taylor via bind-users
On 3/24/22 4:34 PM, Carl Byington via bind-users wrote: Yes, the disconnect was my brain. I will try to plug that back in. ;-) We've all had those days. Most of us will have them again. How do you do that in /etc/hosts? It's been a while, so I'm relying on memory, a.k.a. lossy media.

Re: Can an RPZ record be used for a non-existed domain?

2022-03-24 Thread Grant Taylor via bind-users
On 3/24/22 3:50 PM, Carl Byington via bind-users wrote: In general, the domain exists with a bunch of existing names - www, mail, etc. We just need to add one more (outbound) and tie it to the ip address of their outbound mail server. I don't want to take over their entire domain. Fair

Re: Can an RPZ record be used for a non-existed domain?

2022-03-24 Thread Grant Taylor via bind-users
On 3/24/22 10:02 AM, Carl Byington via bind-users wrote: I think so. Agreed. Presumably to create those domains locally. Of course the rest of the world won't see them. 1.0.0.127.in-addr.arpa PTR outbound.example.com. outbound.example.com A 127.0.0.1 What advantage does

Re: Forwarding zone, setup

2022-03-01 Thread Grant Taylor via bind-users
On 3/1/22 5:35 AM, Matus UHLAR - fantomas wrote: you are right, forwarding queries requires recursion. Thank you for the confirmation Matus. :-) -- Grant. . . . unix || die

Re: Forwarding zone, setup

2022-02-28 Thread Grant Taylor via bind-users
On 2/28/22 1:47 PM, Gregory Sloop wrote: I figured before I beat my head against the wall for too long, I'd ask the real experts! :) I'm definitely not an expert. I don't even pretend to be one on T.V. But I do wonder what, if any, sort of restrictions you are placing on recursion on your

Re: ipv6 adoption

2022-02-16 Thread Grant Taylor via bind-users
On 2/16/22 9:24 AM, G.W. Haywood via bind-users wrote: FWIW I've been using DNSSEC with HE slaves since October 2017. I'm happy to report that I've never had any problem with the service. Please clarify if you are talking about DNSSEC for your own zone that they are doing secondary transfers

Re: ipv6 adoption

2022-02-16 Thread Grant Taylor via bind-users
On 2/16/22 7:35 AM, Mark Tinka wrote: I was assuming Linux has something similar, where in userland, you have the option to install which train of BIND you want, regardless of OS version. Most of the -- what I'll call -- binary distributions of Linux tend to have a fairly small range of any

Re: Setup a hidden master

2022-02-15 Thread Grant Taylor via bind-users
On 2/15/22 1:07 AM, Bjørn Mork wrote: You'll normally get a few update queries to the SOA MNAME if you leave the real master there. This was going through my mind as I read the thread. Aside: BIND secondaries can be configured to forward such updates to the hidden primary. Whether you

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-04 Thread Grant Taylor via bind-users
On 1/4/22 4:37 AM, Ray Bellis wrote: Better yet, use BIND's mirror zones feature so that the zone is also DNSSEC validated. Completely agreed. I think the type of authoritative information is somewhat independent of the fact that any authoritative information exists. IMHO, the strictures

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-03 Thread Grant Taylor via bind-users
On 1/3/22 10:57 AM, John Thurston wrote: It must have a 'forward' zone defined on it for each of those stupid domains. And yes, you are right . . at that point it is no longer only performing recursion. ;-) But there is no other way to do it. Even in a combined recursive/authoritative

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-03 Thread Grant Taylor via bind-users
On 1/3/22 12:15 AM, Borja Marcos wrote: If you separate the roles it is much simpler to implement an effective access control. The problem I have with separating recursive and authoritative servers has to do with internal LANs and things like Microsoft Active Directory on

Re: Millions of './ANY/IN' queries denied

2021-12-15 Thread Grant Taylor via bind-users
On 12/15/21 4:51 AM, Danilo Godec via bind-users wrote: Hello, Hi, I'm noticing some unusual activity where 48 external IPs generated over 2M queries that have all been denied (just today): 15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 194.48.217.14#59698 (.): view
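
A way to triage a flood of "denied" lines like the one quoted above, as an added example that is not part of the thread. The parser follows the BIND security-category format shown in the post (`client @0x... IP#PORT (QNAME): view VIEW: query (cache) 'QNAME/QTYPE/IN' denied`); `SAMPLE_LOG` is constructed for this example using documentation-range addresses, not the poster's real data, and the `min_amp_count` threshold is an arbitrary assumption.

```python
"""Triage BIND 'query ... denied' security log lines.

Added example, not from the thread. Parses the lines, counts denials per
client and per query type, and flags sources repeatedly sending the
root/ANY probes typical of amplification attempts. SAMPLE_LOG is
constructed (documentation-range addresses); the threshold is arbitrary.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) security: info: "
    r"client @0x[0-9a-f]+ (?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+) \((?P<qname>[^)]*)\): "
    r"(?:view (?P<view>[^:]+): )?query (?:\((?P<kind>[a-z]+)\) )?"
    r"'(?P<name>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied$"
)

# Constructed sample: three root/ANY probes from one source, two ordinary
# denied lookups from another, one IPv6 ANY, and one line that is not a denial.
SAMPLE_LOG = """\
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0 198.51.100.7#59698 (.): view external: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.101 security: info: client @0x7f96180b3fe0 198.51.100.7#59699 (.): view external: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:42.377 security: info: client @0x7f96180b3fe0 198.51.100.7#59700 (.): view external: query (cache) './ANY/IN' denied
15-Dec-2021 00:01:43.002 security: info: client @0x7f9618a1c2d0 203.0.113.9#4112 (example.net): view external: query (cache) 'example.net/A/IN' denied
15-Dec-2021 00:01:44.515 security: info: client @0x7f9618a1c2d0 203.0.113.9#4113 (example.net): view external: query (cache) 'example.net/MX/IN' denied
15-Dec-2021 00:01:45.900 security: info: client @0x7f961812aa10 2001:db8::5#40001 (isc.org): view external: query (cache) 'isc.org/ANY/IN' denied
15-Dec-2021 00:01:46.120 general: info: zone example.org/IN: loaded serial 2021121501
"""


def parse_line(line):
    """Fields of one denied-query line as a dict, or None if it is not one."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, min_amp_count=3):
    """Summarise denied queries and flag likely amplification sources."""
    parsed, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
        else:
            parsed.append(rec)
    by_client = Counter(r["ip"] for r in parsed)
    by_qtype = Counter(r["qtype"] for r in parsed)
    # ANY queries, and anything for the root, are the classic amplification
    # probe; a source sending them repeatedly is worth a firewall rule.
    amp = Counter(r["ip"] for r in parsed if r["qtype"] == "ANY" or r["name"] == ".")
    return {
        "parsed": len(parsed),
        "unparsed": unparsed,
        "by_client": by_client,
        "by_qtype": by_qtype,
        "amplification_suspects": sorted(ip for ip, n in amp.items() if n >= min_amp_count),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    print("denied lines:", summary["parsed"], "other lines:", summary["unparsed"])
    print("per client:", summary["by_client"].most_common())
    print("per qtype:", summary["by_qtype"].most_common())
    print("amplification suspects:", summary["amplification_suspects"])
```

The `(cache)` in these lines means the denial came from `allow-query-cache`, which is the ACL the amplification threads above say must match `allow-recursion`; the server is already doing the right thing, and the remaining cost is the REFUSED replies themselves, which is where rate limiting or a firewall rule for the flagged sources comes in.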

Re: bind-chroot queries on symbolic Links to named.conf

2021-12-09 Thread Grant Taylor via bind-users
On 12/9/21 12:18 AM, Harshith Mulky wrote: Hello Experts Hi, I'm fairly certain that I'm not an expert, but I've dealt with BIND in chroot recently. I need some help with bind-chroot We are running below version of bind and bind-chroot bind-9.11.2-lp151.10.1.x86_64

Re: Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Grant Taylor via bind-users
On 12/2/21 9:59 AM, Fred Morris wrote: Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now generally available: turn your local BIND resolver into a network investigation enabler with locally generated PTR records. Would you please elaborate on what Rear View RPZ does? It

Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Grant Taylor via bind-users
On 11/18/21 3:14 AM, Mark Elkins wrote: With IPv6 - you might want to use NSEC3 - as there can be huge holes in the reverse zone. Make the bad guy work at guessing what is in the zone. Be mindful of current efforts for minimizing NSEC3 rounds / iterations which purportedly have a diminishing

Re: host your subdomain on your own ?

2021-11-13 Thread Grant Taylor via bind-users
On 11/13/21 9:07 AM, Reindl Harald wrote: but you have to deal with it And? So? We have to deal with all sorts of things. The need to do our job is not in and of itself a reason to not do it. you missed my second post! No, order of reply vs reading. * he needs the

Re: host your subdomain on your own ?

2021-11-13 Thread Grant Taylor via bind-users
On 11/13/21 7:29 AM, Tony Finch wrote: You should make sure that your public nameservers return a definite nodata or NXDOMAIN reply for your private names, not REFUSED, nor a referral to an RFC 1918 address. The latter two will cause resolvers to retry, and the retries can become a large

Re: host your subdomain on your own ?

2021-11-13 Thread Grant Taylor via bind-users
On 11/13/21 12:59 AM, Reindl Harald wrote: i doubt that any ISP out there would delegate to a private address and when your bind is asked over its public IP a view won't work ISPs' willingness to do something is a policy decision and that's completely different than their capability to do

Re: named service suddenly fails to start

2021-11-04 Thread Grant Taylor via bind-users
On 11/4/21 1:27 PM, Bruce Johnson via bind-users wrote: named-checkconf -z revealed a name had been entered with underscores. The person responsible has been sacked. (not really, merely reminded no underscores are allowed in A records :-) You might want to apologize to them. Underscores are

Re: consolidating Reverse Zones

2021-10-21 Thread Grant Taylor via bind-users
On 10/21/21 1:33 AM, Edwardo Garcia wrote: Hai all, Hi, One of these is we have a number of reverse zones, a /19 in fact, they are mostly GENERATE'd for regions with fixed gw and a few other local custom PTRs So 32 x /24s. Annoying, but not terrible to work with. In our examples I

Re: Reloading new certs for DNS over HTTPS

2021-09-09 Thread Grant Taylor via bind-users
On 9/9/21 10:29 AM, Ondřej Surý wrote: I think the rndc reconfig should pick the new cert/key, but I am not sure if we have actually implemented this. Drive by comment: Should BIND /need/ to take any action for a /reconfig/ if its configuration hasn't changed? -- To me the configuration is

Re: Managing localhost

2021-06-24 Thread Grant Taylor via bind-users
Tony's statements surprised me enough that I saved them for later deep read and pondering. That time has now come. On 6/21/21 11:00 AM, Tony Finch wrote: That advice is out of date: nowadays you should not put any localhost entries in the DNS, because it can cause problems for web browser

Re: Any interest in a write-up showing how to configure BIND 9.17x with DoH and LetsEncrypt?

2021-05-30 Thread Grant Taylor via bind-users
On 5/30/21 9:24 AM, Richard T.A. Neal wrote: I spent a little time this weekend setting-up BIND 9.17.13 on Ubuntu 21.04 and configuring the system as a recursive resolver offering DNS over HTTPS using a LetsEncrypt certificate. Nice work. Is there any interest in me writing this up as a web

Re: Bind9.16 zone SOA record issue.

2021-05-23 Thread Grant Taylor via bind-users
On 5/23/21 9:27 AM, Ondřej Surý wrote: Nope, that’s how you enter email to SOA with dot in user part as the first dot gets converted to @. #TodayIlearned I agree with Ondřej. I think it's the missing $ in front of ORIGIN. Remember the $ lines are directives to BIND and not zone data.
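
The RNAME rule Ondřej states above (the first unescaped dot in the SOA RNAME stands for `@`, so a dot inside the mailbox part must be written `\.`) trips people up in both directions, so here is the conversion in code. This is an added example, not from the thread or from BIND; the mailboxes and domains used are constructed placeholders under example.com.

```python
"""SOA RNAME <-> mailbox conversion (the RFC 1035 mailbox encoding).

Added example, not from the thread. In the RNAME field the first unescaped
dot separates the mailbox from the domain and is read as '@'; a dot that
belongs to the mailbox itself must be escaped as '\\.'. Names used in the
examples are constructed placeholders.
"""


def rname_to_email(rname):
    """'john\\.doe.example.com.' -> 'john.doe@example.com'; '.' -> '' (no contact)."""
    if rname in (".", ""):
        return ""
    local, i, n = [], 0, len(rname)
    while i < n:
        c = rname[i]
        if c == "\\" and i + 1 < n:          # escaped character: keep it literally
            local.append(rname[i + 1])
            i += 2
            continue
        if c == ".":                          # first unescaped dot: the rest is the domain
            return f"{''.join(local)}@{rname[i + 1:].rstrip('.')}"
        local.append(c)
        i += 1
    return "".join(local)                     # no unescaped dot: mailbox only (malformed, tolerated)


def email_to_rname(email):
    """'john.doe@example.com' -> 'john\\.doe.example.com.' (absolute name)."""
    local, _, domain = email.partition("@")
    escaped = local.replace(".", "\\.")       # dots inside the mailbox must be escaped
    return f"{escaped}.{domain.rstrip('.')}."


if __name__ == "__main__":
    for r in ("hostmaster.example.com.", "john\\.doe.example.com."):
        print(r, "->", rname_to_email(r))
    print("john.doe@example.com ->", email_to_rname("john.doe@example.com"))
```

Because `email_to_rname` always returns an absolute name (trailing dot), the result is safe to paste into a zone file regardless of what `$ORIGIN` is in effect; a relative RNAME would silently get the origin appended, which is the same class of mistake as the missing `$` discussed in this thread.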

Re: Per server instance vs central / shared / redundant instances of BIND

2021-04-27 Thread Grant Taylor via bind-users
On 4/27/21 10:24 AM, Kevin A. McGrail wrote: Agreed on the OT and good subject change. :-) For me, I wouldn't bind DNS to the eth0, just another attack surface hence I would use local loopback. I think the main reason to bind to eth0 / LAN is for when there are multiple (mail) servers

OT: How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0

2021-04-27 Thread Grant Taylor via bind-users
BIND-Users on topic content first: #1 bind for a local caching DNS query server I absolutely agree. and change resolv.conf to 127.0.0.1 for the best RBL performance. How much effective performance difference does the loopback interface (lo) vs the local LAN interface (eth0) make?

Re: NXDOMAIN processing

2021-04-27 Thread Grant Taylor via bind-users
On 4/26/21 2:45 PM, bamberg2000 via bind-users wrote: Hi! Hi, BIND 9.11.5, I forward the request ("forward zone" or global "forward first") to another server and I get NXDOMAIN. Is it possible to process NXDOMAIN other than "redirect zone"? I just want to repeat the request to another

Re: Preventing a particular type of nameserver abuse

2021-04-12 Thread Grant Taylor via bind-users
On 4/12/21 1:41 PM, Peter Coghlan wrote: As far as I can see providing no response at all in any instance when a code 5 refused response would normally be returned would be the appropriate thing for my nameserver to do here and doing this would cause no difficulties at all with any legitimate

Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Grant Taylor via bind-users
On 3/31/21 10:00 AM, Tony Finch wrote: Because of this, if it's important for you to avoid multi-second DNS lookup times ... you need to design your system so that the libc resolver never tries to talk to a DNS server that isn't available. I've seen various client OSs fail in really weird

Re: Advice on Bind9/ISC DHCP cluster

2021-03-27 Thread Grant Taylor via bind-users
On 3/25/21 9:19 AM, Olivier wrote: Hello, Hi, I would like to implement a 3 hosts cluster with the following features: I don't see anything conceptually wrong with what you've outlined. Though I wouldn't call it a "cluster". To me a cluster is something that is (as largely as possible)

Re: Dynamic zone update problems, continued

2021-03-05 Thread Grant Taylor via bind-users
On 3/5/21 1:41 PM, Bruce Johnson wrote: Turned out to be a dumdum mistake on my part. SELinux was set to enforce…set it to permissive and voila! the .jnl file was created. Ah. That sounds like an SELinux policy problem. SELinux /should/ allow named to create journal files. A non-default

Re: Dynamic zone update problems, continued

2021-03-05 Thread Grant Taylor via bind-users
On 3/5/21 12:07 PM, Bruce Johnson wrote: Fixing the permissions and restarting named got dynamic updating working again, but new systems (ie names that are NOT already in the Zone file ) are throwing errors about the journal file: error: journal open failed: unexpected error It seems like

Re: Can't use Bind DLZ through LDAPS SSL

2021-02-17 Thread Grant Taylor via bind-users
On 2/16/21 11:54 PM, Dario García Díaz-Miguel via bind-users wrote: Hi everybody, Hi, Since I'm a little bit desperate with this issue, and after asking this on reddit (r/sysadmin) and serverfault with few or no responses, I think it would be worth half an hour or so to test stunnel. It

Re: Can't use Bind DLZ through LDAPS SSL

2021-02-17 Thread Grant Taylor via bind-users
On 2/12/21 4:49 AM, Ted Mittelstaedt wrote: If you are not familiar with stunnel you should have looked up what it was before responding. It's not going to be applicable here and I would not have suggested it if I had known both programs were on the same machine. What does being on the same

Re: Quick dynamic DNS?

2020-12-24 Thread Grant Taylor via bind-users
On 12/24/20 3:05 PM, Mark Andrews wrote: TSIG, GSS-TSIG and SIG(0) are all secure mechanisms to update DNS zones. Thank you for the follow up Mark. It's good to know that they are secure mechanisms. With all the churn in the TLS space, I can't keep up with it, much less have any idea how

Re: Quick dynamic DNS?

2020-12-24 Thread Grant Taylor via bind-users
On 12/24/20 8:48 AM, @lbutlr wrote: That is what example.com always is, yes. Sorry. I'm so used to people not using documentation domains that I double check that they aren't actually trying to literally use documentation domains internally. It's a refreshing change to see documentation

Re: Quick dynamic DNS?

2020-12-23 Thread Grant Taylor via bind-users
On 12/23/20 6:53 PM, @lbutlr wrote: Given that I have an authoritative bind9 server for example.com, and given that I have a home connection that is (technically) dynamic, home.example.com, what is the easiest way for me to automatically update the DNS on the rare occasions that it changes? I

Re: Bind: named can't listen while using VRF

2020-12-14 Thread Grant Taylor via bind-users
On 12/14/20 9:50 PM, Mark Andrews wrote: In theory all that should be needed is "ip vrf exec [ NAME ] named …" What I've done with l3mdev makes me think that if BIND is run in the master network namespace, it should be able to bind (no pun intended) to IPs across VRFs if the l3mdev allows

Re: srv lookup in record

2020-08-25 Thread Grant Taylor via bind-users
On 8/25/20 8:43 PM, John Levine wrote: These SRV records say that the service is on ports 31024, 31852, and 31790 on the respective servers. CNAME does not give you a port number. There is no way to fake SRV using CNAME. Agreed. I've had some off-line conversations with Marc about some

Re: srv lookup in record

2020-08-25 Thread Grant Taylor via bind-users
On 8/21/20 4:26 PM, Marc Roos wrote: Is it possible to use SRV lookups, like e.g. CNAME? I do not want to create an SRV record, I just want to 'get' the IP addresses that I would get via an SRV lookup. I don't know of any over the counter - if you will - way to do what - I think - you want to do.

Re: scripts-to-block-domains

2020-07-14 Thread Grant Taylor via bind-users
On 7/14/20 12:08 AM, MEjaz wrote: Thanks for everyone's contribution. I use RPZ and listed 5000 forged domains to block in a particular zone without having additional zones; I hope that's the feature of RPZ. Seems good. You might want to look through those domains and see if there are

Re: scripts-to-block-domains

2020-07-13 Thread Grant Taylor via bind-users
On 7/13/20 12:44 AM, MEjaz wrote: Hello all, Hi, I have a requirement from our national cyber security to block several thousand forged domains from our recursive servers. Is there any way we can add a clause in named.conf to scan such a bogus domain list without impacting the performance of

Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Grant Taylor via bind-users
On 7/9/20 6:43 AM, Anand Buddhdev wrote: If you don't have an A record at the zone apex, the browser will not get back any address and display an error message for the user. There was a point in time when the big web browsers would try connecting to www.. if connecting to . failed. I don't

Re: bind-users Digest, Vol 3492, Issue 1

2020-07-06 Thread Grant Taylor via bind-users
On 7/6/20 10:42 PM, ShubhamGoyal wrote: I am working in CentOS 8 with BIND version 9.17.2 and I installed from the source package. It sounds like you're missing some dependencies. Read the documents that come with BIND source code and make sure you have all the dependencies. Seeing as how you

Re: issue in bind installation

2020-07-06 Thread Grant Taylor via bind-users
On 7/6/20 10:00 PM, ShubhamGoyal wrote: I am installing the latest BIND version with additional features; it gave me the "configure: error librpz.so and dlopen needed for dnsrps" error. I am searching for that error but I did not find the solution. Please help me! Are you compiling from source? Or

Re: TSIG DDNS and windows clients

2020-05-13 Thread Grant Taylor via bind-users
On 5/13/20 6:29 AM, Bob Harold wrote: Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG, not regular TSIG. Not sure how or if that can be solved. I would bet someone a coffee and doughnut that it can. Check out Jan-Piet Mens' article: Link - RFC 2136 Dynamic DNS Updates

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Grant Taylor via bind-users
On 5/6/20 6:56 PM, John Levine wrote: Oh, in that case, why don't you just put some adjusted NS entries in your stub .net zone pointing at your internal name servers? Seems a lot easier than fooling around with routing. Because that is a hack at best. I figured that there was something I

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Grant Taylor via bind-users
On 5/6/20 4:12 PM, John Levine wrote: Since they can't access the root servers, how do you expect them to do DNS lookups at all? There is a copy of the root zone in the environment. There is also enough net zone for the needed tests. DNSSEC is obviously not in play with doctored zones in the

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Grant Taylor via bind-users
On 5/6/20 3:38 PM, John Levine wrote: The DNS server sends different answers depending on the client IP, so on your internal network it sees the private subdomain, everywhere else sees an ENT or NXDOMAIN. Thank you for confirming. That is indeed what I /thought/ we were talking about. But

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Grant Taylor via bind-users
On 5/6/20 3:40 PM, John Levine wrote: Can clients on the internal network contact hosts in the outside world, or is it really disconnected? It depends on which particular lab is being used and what is being tested. I can guarantee that some of the labs will NOT have access to other networks,