ate Requirement Levels)
So if you feel like adding them to your RPZ file go right ahead :)
Regards,
Lee
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www
On Tue, Apr 30, 2024 at 2:40 AM Mark Andrews wrote:
>
> And it has been fixed.
Yay! No more error messages in the log because of them :-)
Thanks for your help
Lee
On Mon, Apr 29, 2024 at 11:40 PM Walter H. wrote:
>
> On 29.04.2024 22:19, Lee wrote:
> > On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
> > wrote:
> >
> > something that I replied to and got this in response:
> >
> > Error Icon
> > Mess
On Mon, Apr 29, 2024 at 5:13 PM Mark Andrews wrote:
>
> I prefer to only name and shame when I’m 100% sure of the target.
I was only trying to understand why I was getting a SERVFAIL, there
was no intention to name & shame.
Regards,
Lee
"name & shame" was not my inten
t; and the only results I got
were for F5 support pages - eg.
The fix in BIG-IP DNS 14.1.0 introduces a new setting,
wideip-zone-nameserver, which defaults the WideIP zone nameserver to
this.name.is.invalid.
Wouldn't a badly configured F5 server be a better explanation?
Thanks
Lee
On Sun, Apr 28, 2024 at 2:18 AM Walter H. via bind-users
wrote:
something that I replied to and got this in response:
Error Icon
Message blocked
Your message to Walter.H@[..snip..] has been blocked. See technical
details below for more information.
The response from the remote server was:
554
On Sun, Apr 28, 2024 at 2:18 AM Walter H. wrote:
>
> On 27.04.2024 16:54, Lee wrote:
> > On Sat, Apr 27, 2024 at 9:50 AM Walter H. via bind-users
> > wrote:
> >> # host dnssec-analyzer.verisignlabs.com
> >> dnssec-analyzer.verisignlabs.com
wer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 60491
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
Lee
uery failed
(failure) for dnssec-analyzer.verisignlabs.com/IN/ at query.c:7471
Is that because of the insecure delegation shown at
https://dnsviz.net/d/dnssec-analyzer.verisignlabs.com/dnssec/
and me having "dnssec-validation auto;" in named.conf?
Thanks
Lee
(still struggling
support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Regards,
Lee
>
> I use CentOS7 with BIND9.16.41
>
>
>
> grep antlauncher db.rpz
>
> antlauncher.com CNAME .
>
> *.antlauncher.com CNAME .
>
original zone (not the response policy zone).
# This default can be changed for all response policy zones in a view with a
# break-dnssec yes clause. In that case, RPZ actions are applied regardless
# of DNSSEC.
Regards,
Lee
cs-file "/var/named/data/named_mem_stats.txt";
> allow-query { localhost; };
seems wrong, shouldn't that be
allow-query { httnets; };
Lee
line in hostname
# where the consensus is to not do this check on resolvers
Regards,
Lee
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscri
st CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
All my other host names that used to return 127.0.0.1 answers don't
a
not sure is
even possible)
Lee
how did you do the packet capture - as in, is
it possible you didn't capture everything to/from the server?
Lee
>
> From: Ondrej Surý
> Sent: Friday, January 17, 2020 3:27 PM
> To: Steve Farr
> Cc: bind-users@lists.isc.org
> Subject: Re: Slow recursive query performance on Window
t it wrote. I
> would expect the log file to say something like:
>
> Nov 27 07:36:28 DNA-DNS1 named[20035]: dumpdb output to: /var/lib/bind/
> cache_dump.db
>
> It doesn't. Could we get that added to the logging information?
Yes, it would be nice if that was added
Lee
On 8/27/19, Tony Finch wrote:
> Lee wrote:
>>
>> Can someone please explain why using this as my rpz zone does NOT
>> block everything for *.2o7.net?
>>
>> 2o7.net CNAME .
>> *.2o7.net CNAME .
>> bcbsks.com.102.112.2o7.net CNAME .
>
> I sus
11.9 (from
ftp://ftp.isc.org/isc/bind9/9.11.9/BIND9.11.9.x64.zip)
TIA
Lee
ZE rcvd: 308
%
That said you can set "tcp-only yes”; in an appropriate server clause.
Mark
> On 8 Apr 2019, at 2:26 pm, Sukmoon Lee wrote:
>
> Hello.
>
> My test DNS does not respond for "*.tk".
> I looked around; my server cannot connect using UDP for the tk TLD
.
Thanks in Advance.
Regards,
Sukmoon Lee
-
$ dig @194.0.38.1 sukmoonlee.tk
; <<>> DiG 9.11.2-P1 <<>> @194.0.38.1 sukmoonlee.tk
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig @194.0.3
'd go with
mg.gov.br IN CNAME rpz-passthru.
-- it's your domain so hopefully you can trust whatever answers it gives
18.0.0.198.200.rpz-nsip IN CNAME .
-- nobody else gets to answer with your address space
Regards,
Lee
> and its NS Servers are zeus.prodemge.gov.br
> (
bly be a fingerprint. It seems
to me there's a requirement to reject the user supplied data since it
can't possibly be a fingerprint.
Regards,
Lee
>
> --
>The RDATA of the presentation format of the SSHFP resource record
>consists of two numbers (algorithm and fingerprint type)
On 11/16/18, Evan Hunt wrote:
> On Fri, Nov 16, 2018 at 11:44:11AM -0500, Lee wrote:
>> > It's an interaction between RPZ and aggressive negative caching (i.e.
>> > "synth-from-dnssec"). It's fixed in the upcoming release.
>>
>> I should have asked wh
On 9/29/18, Evan Hunt wrote:
> On Sat, Sep 29, 2018 at 05:48:55PM -0400, Lee wrote:
>> Can someone tell me what can cause
>> stop on unrecognized qresult in rpz_rewrite()failed:
>> or how to fix whatever it was?
>
> It's an interaction between RPZ and aggressive nega
quent A-Record (ex. mail.othercompany.com) that we are able to send
> mail to othercompany.com?
mail.othercompany.com CNAME rpz-passthru.
*.othercompany.com CNAME .
in your rpz zone file doesn't do what you want?
Lee
>
>
>
>
> On 09.11.18 14:39, Lightner, Jeffrey wrote:
On 10/25/18, Grant Taylor via bind-users wrote:
> On 10/25/2018 03:25 PM, Lee wrote:
>
>> I'm missing what filtering out things like benchmarking & documentation
>> network addrs gets you beyond maybe saving some bandwidth?
>
> I do use all sorts of IP ranges (test
On 10/24/18, Grant Taylor via bind-users wrote:
> On 08/09/2018 01:01 AM, Lee wrote:
>> it does, so you have to flag your local zones as rpz-passthru.
>
> Thank you again Lee. You gave me exactly what I needed and wanted to know.
you're welcome :)
> I finally got around to
ource code file.
It'd be nice if ISC made no response to a query a separate error vs.
lumping it in with all the other "Something has gone wrong."
possibilities.
Lee
zone" log yes; } break-dnssec yes
recursive-only no qname-wait-recurse no;
Can someone tell me what can cause
stop on unrecognized qresult in rpz_rewrite()failed:
or how to fix whatever it was?
Thanks
Lee
On 9/28/18, Alex wrote:
> Hi,
>
> On Fri, Sep 28, 2018 at 12:18 AM Lee wrote:
>>
>> On 9/27/18, Alex wrote:
>> > Hi,
>> >
>> >> Just a wild thought:
>> >> It works with a lower speed line (at least I read it that way) but has
>
no response to a query result in SERVFAIL? Is there a way to tell the
difference between no response & getting a response indicating a
failure?
Lee
ng inefficient"
than violating a standard - right?
> Now, I don't really have a fundamental problem with Akamai, as a company;
Just as I don't have a fundamental problem with newegg :) But they're
the first site I couldn't get to because I have check-names enabled
and I'm not inclined to
ames and mail domains are derived from
RFC 952 and RFC 821 as modified by RFC 1123.
which seems to be why I can't resolve www.newegg.com but 1.1.1.1 and 8.8.8.8 can
C:\Users\Lee>dig www.newegg.com.
; <<>> DiG 9.11.4 <<>> www.newegg.com.
;; global options: +cmd
;; Got
s
supposed to do the same thing.
'set debug' and 'set d2' displays lots, but I never checked to see if
it was the entire response or no
So... it seems like the bottom line is that dig is better but nslookup
ain't all that bad
Thanks
Lee
>> On 20 Aug 2018, at 12:28 pm, Lee wrote:
>>
On 8/19/18, Doug Barton wrote:
> On 08/19/2018 12:11 PM, Lee wrote:
>> On 8/18/18, Doug Barton wrote:
>
>>> nslookup uses the local resolver stub. That's fine, if that's what you
>>> want/need to test. If you want to test specific servers, or what is
>>>
as the answers
> you get from nslookup cannot be guaranteed to be directly related to the
> question you asked.
Could you expand on that a bit please? I thought
nslookup
was pretty much equivalent to
dig @
the exception being that nslookup looks for a & records and dig
just looks for a records
Thanks,
Lee
0.rpz-ip CNAME . ; 10.0.0.0/8
12.0.0.16.172.rpz-ip CNAME . ; 172.16.0.0/12
16.0.0.168.192.rpz-ip CNAME . ; 192.168.0.0/16
Regards,
Lee
e bls.gov server gets a different answer than a
server outside the bls.gov (or .gov?) domain.
> sso.gslb.dol.gov. 15 IN A 10.49.1.80
you can't get there from here if >>here<< is on the internet
Regards,
Lee
> Both dig commands below are run from the
> sa
Just realized I forgot to include a link:
https://www.nospaceships.com/products/dns-logger.html
Mick
On Wed, Apr 11, 2018 at 10:37 PM, Mick Lee <lmick5...@gmail.com> wrote:
> Hi All,
>
> Sometime ago I posted about capturing DNS activity (queries and responses)
> for both BI
.
; check:
; localhost 127.0.0.1
; onea.net-snmp.org 127.0.0.1
; twoa.net-snmp.org 127.0.0.2 127.0.0.3
; 7f01.c7f11de3.rbndr.us
; should alternate between 199.241.29.227 (allowed) and
127.0.0.1 (NXDOMAIN)
; ref:
https://bugs.chromium.org/p
since I
am finding it quite useful.
Hopefully someone will find this useful.
Mick
On Tue, Aug 15, 2017 at 5:29 PM, Mick Lee <lmick5...@gmail.com> wrote:
> Forgot to CC the list.
>
> -- Forwarded message --
> From: Mick Lee <lmick5...@gmail.com>
> Date: S
ytrax.com/books/dns/ch7/rpz.html
& I just added this bit to ZONES/rpz.zone:
; kill the whole domain
*.cm CNAME .
; except for
*.cnn.cm CNAME rpz-passthru.
C:\Users\Lee>nslookup
> www.aol.cm.
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can
On 1/27/18, PGNet Dev <pgnet@gmail.com> wrote:
> On 1/27/18 11:33 AM, Lee wrote:
>> On 1/27/18, PGNet Dev <pgnet@gmail.com> wrote:
>>> I've a local bind 9.12.0 server. Works for virtually all domains.
>>>
>>> For "irs.gov",
;; Received 2955 bytes from 152.216.7.164#53(ns1.irs.gov) in 15 ms
$
Regards,
Lee
>
>
On 12/24/17, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 12/24/2017 01:25 PM, Lee wrote:
>> So it looks like I'm upgrading to 9.11 before giving RPZ a try.
>
> If the version of BIND that you're running supports what you want out of
>
On 12/24/17, Reindl Harald <h.rei...@thelounge.net> wrote:
>
> Am 24.12.2017 um 20:59 schrieb Grant Taylor via bind-users:
>> On 12/24/2017 12:42 PM, Lee wrote:
>>> Is there a minimum version of bind one should be running before trying
>>> to use RPZ?
>>>
a zone file
> in an effort to black hole them.
>
> I would strongly advise you look at Response Policy Zones as I suspect
> this is a better way to accomplish this goal.
Is there a minimum version of bind one should be running before trying
to use RPZ?
in other words, v9.9.latest
I want.
dns64 64:ff9b::/96 {
...
mapped { !127/8; any; };
}
Thanks.
>
> > On 29 Nov 2017, at 7:32 pm, Sukmoon Lee <sm...@sk.com> wrote:
> >
> > Hello.
> >
> > I testing DNS64 using 64:ff9b::/96(prefix).
Hello.
I am testing DNS64 using 64:ff9b::/96 (prefix).
Some domain (IN/A) responds with 127.0.0.1/IN/A.
Under DNS64, this domain (IN/) becomes 64:ff9b::7f00:1.
I want to respond with ::1 under DNS64.
Is there any way?
Thanks.
On 9/1/17, Mark Andrews <ma...@isc.org> wrote:
>
> Use server clauses. Most specific wins.
>
> server ::/0 { bogus yes; }; // all of IPv6
Cool - that did it. Thank you!
Lee
<.. snip ..>
> In message
>
es while still logging everything
else?
Thanks,
Lee
Forgot to CC the list.
-- Forwarded message --
From: Mick Lee <lmick5...@gmail.com>
Date: Sat, Aug 12, 2017 at 6:55 PM
Subject: Re: BIND and Windows DNS logging and archiving
To: Phil Mayers <p.may...@imperial.ac.uk>
Thanks,
I checked and it doesn't look like dnsca
2017 07:33, Mick Lee wrote:
> Hi Guys,
>
> Can anyone offer any advice based on their experience?
>
Well, if I understand correctly, your main problem is the windows boxes
running windows DNS, so this is not a bind problem. You might be better
asking elsewhere.
However, hone
Hi Guys,
Can anyone offer any advice based on their experience?
Thanks
Mick
On 19 Jul 2017 2:16 p.m., "Mick Lee" <lmick5...@gmail.com> wrote:
Hi All,
I wonder if I could get some advice and guidance based on everyone's
experience.
I have a mix of pre-compiled versions of BIND
Hi All,
I wonder if I could get some advice and guidance based on everyone's
experience.
I have a mix of pre-compiled versions of BIND on Linux (can't change or
re-compile, I'm afraid) and Windows DNS, and I have a need to log DNS
queries from about 100 or so of these types of servers, to
Hello.
I found a slow response query at the DNS server. This query gets a server fail
response.
In reality, this query gets a server fail response from a foreign DNS server.
For example, maincastad.com's glue record has 3 name servers, 5 IP addresses.
None of the glue record DNS servers respond. So, this query
Hello.
Our DNS server provides services on an IPv6 network.
Clients query over the IPv6 network. But recursive client queries are only to use
the IPv4 network.
(The DNS server has no IPv6 network to foreign networks.)
So the DNS server performs unnecessary recursive client queries over IPv6.
How can I limit recursive
> On 17/11/2016 10:20, LEE SUKMOON wrote:
>
> > I want to response NXDOMAIN.
> > Is it a solution this case?
>
> You'd usually get SERVFAIL from the recursor because the domain is
> misconfigured with a lame delegation, and either way the client won't
> get an answ
Hi all.
I am using an RPZ zone.
The lines below are in the rpz zone file. But jifr.net is not working.
jifr.net CNAME .
*.jifr.net CNAME .
Unusually, this domain responds with a REFUSED rcode (from the authority name
server).
$ dig @173.245.58.51 jifr.net
Facebook
>};
> };
>
> In message <389ab5475d0a441a9cc175f0326e5...@skt-tnetpmx2.skt.ad>, LEE
> SUKMOON
> writes:
> >
> > Thanks for reply.
> >
> > But a client's network is ipv6 network.
> > Client obtains a ipv6 address. Then cli
nt to force browsers to use IPv4 then send back RST to the
> connection attempts to reach the facebook servers. They should fail over
> to using IPv4. This should only require configuring the firewall on your
> router appropriately.
>
> Mark
>
> In message <aac4f429ca6d4d1e86a98d8057
Hello, All.
Many clients query for IPv6 (IN/) domains.
But the IPv6 network is so far away, and so slower than the IPv4 network.
I want to force dns64 for a special domain.
For example, the 'm.facebook.com' IN/ address is
'2a03:2880:f115:83:face:b00c:0:25de'.
But I don't want to use the IPv6 address. So I want to
e renewed and desynchronise down stream caches. Or both.
Thanks for the answer.
I think that a prefetch cache is a good idea.
A prefetch cache will update the cache TTL.
So it is split from a client query.
But I find the prefetch option only in BIND 9.10 and above. BIND 9.9 does not have prefetch
Hello Sirs,
I am Sukmoon Lee, a software developer and network engineer in South Korea.
Recently, most clients (smart phones) have a local DNS cache.
The cache DNS TTL affects the client cache expiration time for a domain. So many
clients have caused a burst of DNS traffic.
In order to solve this issue
Hi,
This is probably a dummy question.
My understanding of bind in handling non-authoritative queries is:
1) forward mode. It just forwards the client queries to an upstream DNS
server, which is defined in the "forwarders" directive.
2) recursive mode. It actually starts asking from the root DNS server, then
-
Marty Lee e: ma...@maui-systems.co.uk
Technical Director v: +44 845 869 2661
Maui Systems Ltd f: +44 871 433 8922
Scotland, UK w: http://www.maui
a thought - but generally I agree that multiple writers to
a file is just asking for trouble…
can play with all of this on a test network and it’s 100%
repeatable.
Cheers
marty
On 27 Mar 2014, at 19:13, Evan Hunt e...@isc.org wrote:
On Thu, Mar 27, 2014 at 06:58:35PM +, Marty Lee wrote:
BTW, doing a manual Dynamic DNS update using nsupdate works fine - the A
and TXT records
On 1 Apr 2014, at 09:52, Marty Lee ma...@maui-systems.co.uk wrote:
Ok, finally managed to get a test rig set up with wireshark and have
now seen more about what’s going on can see the pre-requisites going
over the wire.
Versions: ISC DHCPD 4.2.6, Bind 9.9.5
DHCPD sends a dynamic
and the A record isn’t then deleted, so it’s something to
do with the DHCP server
and it’s interaction with Bind.
Cheers
marty
Hi John,
Perhaps you could try to chown directory /var/named to named
drwxrwx--- 3 named named
Edwin Lee
- Original Message -
From: jo...@primebuchholz.com
To: bind-users@lists.isc.org
Sent: Wednesday, August 28, 2013 2:38:11 AM
Subject: chroot /var/run permissions
Greetings,
I'm
So I've got some IPv6-only VMs set up that need to talk to the
general internet for things like downloading packages. As you can
imagine, this requires that they have NAT64 and DNS64, because lots
and lots of things are IPv4 only.
The problem is that many things do *stupid shit* when given both
On Fri, Dec 28, 2012 at 07:57:24PM +, Phil Mayers wrote:
Robin Lee Powell rlpow...@cytobank.org wrote:
So I've got some IPv6-only VMs set up that need to talk to the
general internet for things like downloading packages. As you
can imagine, this requires that they have NAT64 and DNS64
Here's the digging my ISP did:
[root@dvs-node01 ~]# node
var dns = require('dns')
undefined
dns.resolve('github.com', function(e, h) { console.log(JSON.stringify(h)) } )
{ oncomplete: [Function: onanswer] }
[207.97.227.239]
undefined
dns.resolve6('github.com', function(e, h) {
Ah, it's ... a lot worse than I thought; here's the relevant node.js
bug:
https://github.com/joyent/node/issues/4168
I knew node.js was made by twelve year olds, but even so... Words
fail me.
-Robin
On Sat, Dec 29, 2012 at 12:53:51AM +, Phil Mayers wrote:
[Grumble stupid mobile devices