On 01/20/2017 05:24 PM, Ray Van Dolson wrote:
So I have domain.com, controlled by AD, but want to delegate
subdomain.domain.com to an external DNS server on the Internet (Amazon
Route53).
Okay...
This is easy to do for my external version of domain.com as I can just
add
subdomain.domain.com
On 01/21/2017 08:28 PM, Reindl Harald wrote:
you can - the second one is a rbldnsd hosting our honeypot DNSBL
I thought you could. But since I've not tried to do so myself, I wasn't
100% sure.
Thank you for the confirmation.
I also half way expect that Ray's network may have something
On 02/08/2017 11:09 AM, Cuttler, Brian R (HEALTH) wrote:
DHCP:
I know DHCP will remove the info when the old lease expires, will it
remove this information for me in the case of the device falling off
line, and how can I accelerate that process so that I can reassign
the printer tag to a new IP
On 01/16/2017 08:17 AM, Luis Felipe Dominguez Vega wrote:
Hello, I was searching on Google to find my problem, but I think it is
better to write to the list. I am using Bind with Samba 4 (with BIND_DLZ) serving
the domain mtz.example.com, but I need to resolve through another server the queries
to
On 01/10/2017 03:40 AM, Michelle Konzack wrote:
Hello experts,
/me looks over his shoulders wondering who's being addressed.
I do not want to query the world, but only my own Name Server for CNAME
configured (or not).
Okay. ONLY use local data. Check.
Currently I am updating my web
On 04/19/2017 03:37 AM, Tony Finch wrote:
This is what the EDNS client subnet option is about. You can use it in
BIND by adding "ecs" clauses to your address match lists for views or
acls. However it isn't documented in the ARM and it has significant
problems. See
On 04/19/2017 09:49 AM, Nico CARTRON wrote:
Of course I meant +subnet / +nosubnet
;-)
Thank you for the pointers Nico & Tony. I'm sure I'll find a way to get
myself into trouble with what you've provided.
--
Grant. . . .
unix || die
On 04/19/2017 10:58 AM, Victoria Risk wrote:
We have implemented ECS for recursive queries in 9.10.5-S, the
subscriber preview edition of BIND, which will be released today. For
now, ECS recursion is available only to users with a support contract
with ISC. Development of this feature was a
On 08/10/2017 10:18 PM, /dev/rob0 wrote:
Note that this still works for dig(1) and host(1) as per the OP's
examples. But things like ping(1) and browsers will work with a
search domain.
Do you mean to say that the search / domain entry in /etc/resolv.conf does
/not/ work for dig / host? (Or am
On 08/10/2017 06:21 PM, toddandmargo wrote:
> Fedora 26
Fedora = Linux (vs Windows vs other)
> I am stumped. I need to be able to look up short names on my local
> network.
...
> What am I missing?
domain and / or search configuration in /etc/resolv.conf
man resolv.conf
On 07/18/2017 09:09 AM, Abi Askushi wrote:
I am trying to figure out how could I account the DNS traffic generated
from clients in terms of bytes. My setup is a simple caching DNS with
several clients querying the DNS server. I can measure the DNS traffic
that is generated from the DNS server
On 07/12/2017 03:21 PM, b...@zq3q.org wrote:
OK, I'm ready to consider other registrars, any suggestions
would be appreciated.
$Dynadot++ has been good to me. I can pay them via PayPal and they
support DS records for DNSSEC if you eventually want to mess with that.
- I think they were
On 05/22/2017 01:36 PM, Elias Pereira wrote:
I was provisioning the AD in the wrong way. As we have our main DNS and
it is authoritative for our domain "example.com" I
needed to create a subdomain "sandom.example.com"
so that AD DNS would be authoritative only
for "samdom".
You don't have
On 06/07/2017 02:18 PM, kevin martin wrote:
I have tried to setup a reverse zone as 10.10.in-addr.arpa and perform
'update add' commands sending addresses like 22.22.10.10.in-addr.arpa
and 2.5.10.10.in-addr.arpa and, in all cases, the update fails with
NOTZONE. bind complains "update failed:
On 08/23/2017 01:58 PM, John Miller wrote:
Finally, be _very_ careful about using the SPF qualifier "-all" to
start out with. What you're saying there is that the only server
authorized to _send_ mail for X.TLD is the one listed in the MX.
Unless people are always logging directly into the mail
On 08/23/2017 01:28 PM, Tom Browder wrote:
Given such a configuration described in the first paragraph, does the
following set of DNS records for a domain look appropriate:
# For each domain X.TLD:
X.TLD.    IN A      142.54.186.2
*.X.TLD.  IN CNAME  X.TLD.
On 11/30/2017 12:04 AM, Daniel Stirnimann wrote:
I doubt you can use RPZ for that.
The testing that I did made me think that RPZ wouldn't be able to do it.
I wonder if Response Policy Service (DNSRPS) can do it.
We use https://dnsdist.org/ for that, our rule:
-- WPAD Name Collision
Is it possible to filter (*.)wpad.* with RPZ? Or do I need to look into
Response Policy Service and try to filter that way?
I've used RPZ for various different things over the years, but I don't
quite know how to match a wild card on the right hand side.
Context: I'd like to prevent
On 12/18/2017 12:24 PM, Bob McDonald wrote:
I've seen cases where folks have added all of the Domain Controller
addresses for an AD forest to the NS list for a domain.
I believe that DCs do this by themselves if they are using MS-DNS. (I
think the netlogon service does a dynamic DNS update
On 12/15/2017 08:10 AM, Timothe Litt wrote:
I use a 19xLVC too (On Raspbian == Debian). But I also have an RTC.
GPS does have outages, can take a while to get a fix, and NTP wants
consensus. So I use my GPS receiver as a local clock source
(preferred), but also configure several servers
On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote:
I don't remember the specifics, but there is a way built into BIND to do
what you are wanting.
Well, my GoogleFu seems to be working today:
Link - DNS Dynamic Update (DNS and BIND, 4th Edition)
- https://docstore.mik.ua/orelly
On 12/20/2017 06:27 AM, MAYER Hans wrote:
And I don't want these static names to be changed by someone outside
of the IP range where it is allowed. I didn't find any hint about blocking
certain IP ranges from updating a dynamic zone.
I don't remember the specifics, but there is a way built
On 05/05/2018 11:35 AM, Blason R wrote:
> BTW on the slave dumped zones are not in a readable format I believe
> those are kind of a mapping?
There is a config option for the zone file format. I believe you want
what's below. Try it and / or check the man page to confirm / refine to
your
On 05/18/2018 08:02 AM, Matus UHLAR - fantomas wrote:
why? is there any logic in this?
I can see a case where a hidden / internal master is used and only
accessible by direct slaves in a DMZ.
So the slaves in the DMZ act as a contact point for the world.
On 06/17/2018 11:18 AM, Vadim Pavlov via bind-users wrote:
Just to be more clear. DNSSEC records can contain any content and can
be used for infiltration/tunneling.
Ah. I think I see.
E.g. If you request DNSKEY record (you can encode your request in fqdn)
you will get it exactly "as is".
On 06/17/2018 09:43 AM, Blason R wrote:
Can someone please guide if DNS exfiltration techniques can be
identified using DNS RPZ?
I don't think that Response Policy *Zone* can do what you want to do.
(I've often wondered about this my self and have spent some time
thinking about it.)
Or do
On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote:
DNSSEC can be used for infiltration/tunneling (when you get data from a
DNS servers) but there is a catch that such requests can be easily dropped.
Will you please elaborate and provide a high level overview of how
DNSSEC can be used
On 06/17/2018 11:48 AM, Blason R wrote:
Excellent inputs guys and thanks a ton for your feedback.
You're welcome.
RPS is quite interesting, and which one is the commercial offering for
the same?
The best (read: quick) I have is Paul Vixie's email to OARC's
DNS-Operations mailing list.
Link
On 06/25/2018 11:08 PM, Dale Mahalko wrote:
* The secondary program looks up the domain in a database, which also
includes the multihome destination for each domain. If a match is found,
a route is created to that multihome destination. Aliased acceleration
domains such as Akamai will be
On 06/26/2018 06:21 PM, Elias Pereira wrote:
yes. :)
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters
Hum.
After reading that section of the page you linked to, I'm not convinced
that the DNS /must/ be on the Samba server.
How would this work in the scenario
On 06/26/2018 05:20 PM, Elias Pereira wrote:
since the samba needs to be authoritative on its own dns.
Is that truly a requirement?
I've not messed with AD on Samba. But I know that Windows servers just
need the ability to update DNS. They do not need to be authoritative
for it.
Is this
On 06/26/2018 10:21 PM, Mark Andrews wrote:
And if you are not using AD you can use SIG(0) and KEY records to allow
hosts to authenticate updates to the DNS for their own records.
I'm not quite following. Do you mean that you can allow hosts to update
their own RRs without requiring AD and
On 05/02/2018 12:23 PM, Blason R wrote:
I would really appreciate if someone can shed light; if DNS based
advanced attacks can be stopped using DNS RPZ? Like DNS beacon channels
or Data Exfiltration through DNS queries.
If you know fixed aspects of the queries / responses, you can very
On 05/02/2018 12:59 PM, Blason R wrote:
Well, the challenge is not implementing RPZ; that part is done, but now I'm
wondering, as an advanced part, if such attacks can be detected as well as
blocked by using RPZ? I guess one option I see is to deploy HIDS on the BIND
server like suricata which will detect such
On 05/03/2018 12:42 PM, Darcy Kevin (FCA) wrote:
As far as I know, Domain Controllers still only maintain SRV records
DCs, likely all member servers, and possibly all workstations (or the
DHCP server on their behalf) will try to register A / and PTR
records too.
Also, updates to the
On 12/23/2017 11:07 PM, Michelle Konzack wrote:
I have just discovered several entries of
Dec 24 06:26:49 dns1 named[16591]: update-security: error: client
+37.157.109.77#2936: update 'tdnet.eu/IN' denied
Which is really bizarre, because this is the 4G/LTE IP of my ThinkPad T400
with Windows
On 12/23/2017 09:19 PM, Michelle Konzack wrote:
> Now I have removed a third time the journal files and oh wonder,
> it seems to work again. How can it be, that 3 journals out of sync
> can block more than 2000 domains?
Hum. I bet that there were log entries about the journal(s) being
On 12/23/2017 08:22 PM, Michelle Konzack wrote:
> So, whats going on here?
I get timeouts while trying to talk to dns2.tamay-dogan.net. and
dns1.tamay-dogan.net returns a SERVFAIL when I query for the SOA of
tamay-dogan.net.
I don't see dns3.tamay-dogan.net listed in the ADDITIONAL SECTION when
On 12/23/2017 02:11 PM, Michelle Konzack wrote:
I try to blackhole several 1000 domains and try to redirect them to the
host
It looks like you're trying to load zones that are sharing a zone file
in an effort to black hole them.
I would strongly advise you look at Response Policy Zones as
On 12/24/2017 01:25 PM, Lee wrote:
So it looks like I'm upgrading to 9.11 before giving RPZ a try.
If the version of BIND that you're running supports what you want out of
RPZ, you can try it now. It will continue to work the same in newer
versions.
My understanding is that newer versions
On 12/24/2017 12:42 PM, Lee wrote:
Is there a minimum version of bind one should be running before trying
to use RPZ?
in other words, v9.9.latest is OK or 9.10.latest or ???
I don't know when RPZ was introduced (I'd have to check release notes)
but I've been using it for years. So I'd say
On 01/18/2018 03:44 AM, Matus UHLAR - fantomas wrote:
what you search for is the Classless IN-ADDR.ARPA delegation, described
in RFC2317
Classless IN-ADDR.ARPA delegation likely won't work if all IPs involved
are not configured for it.
I would suggest adding NS records to (re)delegate the
On 01/18/2018 12:08 PM, Matus UHLAR - fantomas wrote:
you can create something very similar, not necessarily classless.
simply redirect reverse names via CNAME to other zone. very standard.
Yes. But that requires that something is done in the authoritative /
parent zone.
what's the point
On 01/17/2018 07:57 AM, Tony Finch wrote:
I'm currently at UKNOF39 where we have just had a couple of talks about
RPZ. One of the speakers talked about algorithmically generated malware
domains: if you know the algorithm, you can pre-generate the malicious
domains and add them to your RPZ in
On 01/25/2018 07:29 AM, Matus UHLAR - fantomas wrote:
so, in fact you want the whole zone locally, override anything you like,
but forward some records to other servers?
Yes.
DNS does not work that way.
I have successfully used this technique many times, including for
resolvers in the
On 01/29/2018 02:51 PM, Reineman, Rick wrote:
This happens all the time. Bang head against problem, give up and ask
for help, figure it out thirty minutes later.
Yep.
I learned a long time ago that it's more expedient to ask the question
so that you can find the solution on my own 30
On 02/08/2018 08:51 AM, Mukund Sivaraman wrote:
Also, just for argument's sake, one user wants to extend TTLs to
5s. Another wants 60s TTLs. What is OK and what is going too far?
I think what is "OK" is up to each administrator.
Obviously the zone administrators have decided that they want
On 02/10/2018 12:15 PM, Barry Margolin wrote:
Just because you have the right to do something doesn't mean it's a
reasonable thing to do.
I never meant to imply that it was the reasonable thing to do.
I meant to imply that it is my choice how I run my servers.
And if you're offering a
On 02/09/2018 09:37 AM, Barry Margolin wrote:
As long as you understand the implications of what you're doing?
I don't think my level of understanding has any impact on my ability to
override what the zone publisher sets the desired TTL (or any value) to be.
I have the right to run my
On 02/09/2018 05:26 PM, @lbutlr wrote:
But to answer your question, off-hand, I'd say that any TTL under 60s
is suspicious and any TTL under 10s is almost certainly intentionally
abusive.
I thought there was a lower recommended boundary, particularly to detect
and avoid things like fast
On 07/30/2018 04:54 PM, Elias Pereira wrote:
Thanks to everyone that helped me!!!
You're welcome.
The Grant Taylor tuto works like a charm!!! :)
I'm glad that it worked for you.
Note: I call this technique "Apex Override".
I believe the Apex Override technique can be used anywhere you
On 07/30/2018 08:01 PM, Browne, Stuart via bind-users wrote:
Be wary of DNAME's; they can be quite limited.
ACK
Here's an example from our old system:
internal. 3600 IN SOA mgmt1.mel.internal.local.
sysadmin.external.com.au. 2014051201 28800 14400 360 86400
internal.
On 08/03/2018 12:00 PM, Petr Menšík wrote:
Hi!
Hi,
Our internal support reached to me with question, why are some queries
bound to low ports silently dropped.
Please clarify if you're saying "bound to" as in the code that
originated the query came from said port or if you mean queries
On 07/27/2018 09:59 AM, Elias Pereira wrote:
hello,
Hi,
Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname,
example, wordpress.mydomain.tdl with a private IP?
Yes, an authoritative DNS server can have a private
(non-globally-routed) IP address in the zone data.
On 08/08/2018 10:02 PM, Blason R wrote:
Due to the architecture since I have my internal DNS RPZ built I wanted
my other internal DNS servers should send traffic to RPZ server and
then RPZ would resolve on behalf of client.
Speaking of RPZ and forwarding…
Does anyone know off hand if BIND,
On 08/06/2018 08:29 PM, A wrote:
I have a VPS and requested my webhost to fix reverse DNS for my domain &
IP. They responded by telling me to provide them with the records I want.
I found the following response to someone's question on the *Net*:
Many ISPs will put in CNAME records
On 08/09/2018 01:01 AM, Lee wrote:
yes, it works just fine
Good.
it does, so you have to flag your local zones as rpz-passthru. eg:
*.home.net CNAME rpz-passthru.
localhost CNAME rpz-passthru.
8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8
On 08/06/2018 07:40 AM, Leroy Tennison wrote:
If there is already an ISC document I didn't find it, please provide
the URL.
I'm not aware of any such best practices type document. I too would be
interested in reading it if it exists.
I just added a slave of a master for disaster recovery
On 08/06/2018 08:14 AM, Leroy Tennison wrote:
As previously posted, I just added a slave of a master for disaster
recovery and now need to know how to promote it should the master be
offline too long.
Please see the reply that I just sent for details about how I handled
this problem in the
On 08/20/2018 05:23 AM, Tony Finch wrote:
If the local root zone gets corrupted somehow (maliciously or otherwise)
the usual setup cannot detect a problem, but it'll cause DNSSEC validation
failures downstream. The normal resolver / validator algorithm is
more robust.
The new mirror zone
On 08/23/2018 01:20 PM, Barry S. Finkel wrote:
Somehow, under the covers, AD synchronizes the zones so that they have
the same content.
It's my understanding that MS-DNS servers hosting AD Integrated zones
are actually functioning as application layer gateways between DNS and
data that's
On 08/23/2018 02:15 PM, Grant Taylor via bind-users wrote:
It's my understanding that MS-DNS servers hosting AD Integrated zones
are actually functioning as application layer gateways between DNS and
data that's stored in LDAP.
My AD Guy confirms that the DNS data for Active Directory
On 08/22/2018 01:15 AM, Zhengyu Pan wrote:
In my application scenario, I have two masters. Each master connects to
several slave DNS servers. When users update a zone, I update these two masters
respectively in a for loop. However, when any master update fails, I
will roll back. You know, whenever any
On 08/20/2018 11:06 PM, Doug Barton wrote:
But that doesn't mean that slaving a zone, any zone, including the root,
is "dangerous." If slaving zones is dangerous, the DNS is way more
fragile than it already is.
Sorry, poor choice of words.
The last time I read the RFC discussing slaving the
On 08/18/2018 07:25 AM, Bob McDonald wrote:
I don't think anyone hates nslookup (well maybe a few do ) I
suppose the immense dislike stems from the fact that it's the default
utility under Windows. Folks who use dig as their default realize that
when used properly, dig provides much more
On 08/29/2018 04:05 AM, John Miller wrote:
Does anyone know of a good intro-level book that explains how DNS works
and gives a current overview of the different DNS servers out there?
I'll argue that the basics have not changed.
Get a good foundation of the basics and then add new deltas /
On 09/08/2018 07:58 AM, @lbutlr wrote:
what do I need to do for other DNS servers?
I don't think you need to do anything special.
The zone signatures come from and are managed by the master name server.
The secondary name server(s) is (are) just additional servers with
copies of the zone.
On 01/22/2018 09:21 AM, Warren Kumari wrote:
http://www.sss.gov works OK, but http://sss.gov always seems to return
"The requested service is temporarily unavailable. It is either overloaded
or under maintenance. Please try later.".
Inconsistency between related things is annoying.
I guess
On 01/23/2018 05:25 AM, Brian J. Murrell wrote:
It would be an interesting experiment to isolate the zone that receives
DDNS updates for the DHCP clients onto a separate server to see if that
makes this problem go away for the main server, but I don't have another
machine to run another BIND
On 04/03/2018 05:24 PM, Browne, Stuart via bind-users wrote:
A number of places use a 'stealth' (or 'hidden') master as a bit of
protection from potential bad actors. It's a network domain barrier
between the master (usually on an internal-only network) from a public
network with potential bad
On 04/18/2018 12:56 PM, Blason R wrote:
Will the performance be the same, considering the number of zones I have or
will have??
Multiple zones (read: classic non-RPZ method) will require more
resources than a single zone (read: RPZ method).
I typically view needing fewer resources as being
On 04/18/2018 11:52 AM, Blason R wrote:
Pertaining to my other thread since I am building sinkhole server which
will eventually have around 0.5 million zones or may be 1 Million which
one would you think will perform better?
RPZ or include statements? I have 8 Core Processor and 32 GB of RAM
On 04/18/2018 11:37 PM, Blason R wrote:
I need to wall garden the malicious Domain request and instead route to
that server itself.
I assume that you are saying that you need to 1) filter malicious
domains and 2) you want requests for them to be resolved to your (DNS?)
server.
e.g. my DNS
On 03/27/2018 08:54 PM, Blason R wrote:
Is there any DNS sizing guide available? I have created a sinkhole
server which is catering around 25 - 30 zones loaded with 4 CPU
and 8 GB RAM. I am daily adding around 1-5k of zones.
I don't have an answer to your question. But I do wonder
On 03/28/2018 08:31 PM, Blason R wrote:
Right now I have around 27 zones added in DNS but that is with
direct zones NO RPZ. And my config is 4 vCPU 8Gb RAM its running well
and around 700 users
:-)
The only concern thing for me is I may need to re-write all my scripts
to load those
On 03/28/2018 12:51 AM, Blason R wrote:
Interesting, I didn't know that. Let me dig in. Can I have a few examples
please?
RPZ zones are effectively standard zones. The only difference is that
the CNAME record is used to convey information to the RPZ engine (? is
that an accurate description ?)
On Jun 27, 2018, at 11:59 AM, Dale Mahalko wrote:
> Guessing the potential background domains used by Microsoft / Steam, etc and
> monitoring bandwidth used by those domains is unfortunately the only option
> available.
If you can get information on the IP addresses associated with their
On Jun 27, 2018, at 12:27 PM, Darcy Kevin (FCA) wrote:
> I’m not convinced DNS has any valuable role to play here.
I can see the value for services that have FQDNs that resolve to IP addresses
outside of their ASN(s) like Google / YouTube.
I think we may be talking past each other. I was referring to (client) machine
trust accounts inside of AD, not hostnames in DNS.
I now think you are referring to the latter. I can see how that can work.
On 10/24/2018 03:58 AM, Matus UHLAR - fantomas wrote:
It uses routing tables to decide this, so you can force it to use
alternative route.
It's also possible to use the routing table to specify which source IP
is used for a given route.
This is handy to specify the source IP to use if you
On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote:
A server on a non-standard port is often neglected. Its security may
be less well maintained than one that is intentionally public.
Why and how do you make that correlation?
Are you implying that some people think that because
On 10/24/2018 07:24 AM, Timothy Metzinger wrote:
There's no security in obscurity.
Obscurity by itself is not security.
Obscurity can be one of many layers of security.
Automated port scanners will sweep your system in a couple of seconds.
Yes, automated scanners can scan all the ports on a
On 08/09/2018 01:01 AM, Lee wrote:
it does, so you have to flag your local zones as rpz-passthru.
Thank you again Lee. You gave me exactly what I needed and wanted to know.
I finally got around to configuring my RPZ to filter IPv4
Special-Purpose Address Registry as per IANA's definition.
On 10/23/2018 04:21 PM, Timothy Metzinger wrote:
At this point I’m stumped and welcome any suggestions.
Trust the bits on the wire.
What sort of outgoing DNS queries do you see when you run dig on the
problematic system without specifying the DNS server?
Can you find that server listed
On 10/26/2018 01:23 AM, Matus UHLAR - fantomas wrote:
there is not.
Thank you, Matus and Tony, for the direct answer.
using short TTLs is very risky, and forcing a minimum TTL is apparently
not a way to work around that.
Understood. - I /think/ that I'm somewhat (dangerously?) informed and
On 10/26/2018 08:52 AM, Kevin Darcy wrote:
My basic rule of thumb is: use forwarding when connectivity constraints
require it. Those constraints may be architectural, e.g. a multi-tiered,
multi-layer network for security purposes, or may be the result of
screwups or unintended consequences,
On 10/26/2018 01:08 AM, N6Ghost wrote:
maybe it's just old habits,
Fair enough. I know that I have plenty of my own old (¿bad?) habits too.
I think it's a bad idea to build your infrastructure in a way that needs
forward zones to work, not when you can build it with proper delegation.
I just
On 10/26/2018 11:11 AM, Brian Greer wrote:
You could setup a DNSMASQ / Unbound service as a front end, which then
queried bind. Both of those allow the setting of a minimum TTL (max of
3600 seconds in DNSMASQ). It cannot be done with bind by itself.
*nod*
I was aware that there were other
On 10/25/18 2:34 PM, N6Ghost wrote:
I want to move a core namespace to the load balancer, but I want them to
let me assign them a new zone that's internally authoritative and use it
as the LB domain.
which would be:
cname name.domain.com -> newname.newzone.domain.com
they want:
cname
On 10/25/2018 03:25 PM, Lee wrote:
I feel like I'm missing something :(
I'll see if I can fill in below.
I read this
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
and used RPZ to block anything coming from outside that might
On 10/25/2018 09:27 PM, Mark Andrews wrote:
Use a browser that maintains its own address cache tied to the HTTP
session. That is the only way to safely deal with rebinding attacks.
Rebinding attacks have been known about for years. There is zero excuse
for not using a browser with such
Is there a way to enforce a minimum TTL?
My initial searching indicated that ISC / BIND developers don't include
a way to do so on a matter of principle.
I'd like to enforce a minimum TTL of 5 minutes (300 seconds) on my
private BIND server at home. I'm wanting to use this as a method to
On 10/25/2018 06:26 PM, Lee wrote:
If you're using those addresses internally it makes sense to filter them
from 'outside'.
That's what I thought.
I play those games at times also :) So it sounds like what I was
missing is that you like a challenge & are using more address space than
I
On 10/29/2018 04:17 AM, Michał Kępień wrote:
Hi Grant,
Hi Michał,
You might want to keep an eye on:
https://gitlab.isc.org/isc-projects/bind9/issues/613
Indeed.
Thank you for bringing that to my attention.
I do appreciate the tools that I use having the options to do the things
On 11/12/2018 04:57 AM, Sabri MJAHED (VINC) wrote:
Hi all,
Hi,
I want to have the same zone on multiple views, but I didn't find any
solution that eases the use of this.
I would think that the zone's "in-view" statement would do what you want.
I don't want to make 3 zone conf files with
On 12/27/18 9:01 AM, Barry Margolin wrote:
The alternative is to have a separate zone for each address, and delegate
each of them to your server. So the parent zone would have:
It does not require a separate zone for each address. But it does
require some creative zone work.
;
On 12/27/18 11:24 AM, John Levine wrote:
Well, there's those pesky old DNS standards, but we're used to software
working around screwed up zones.
Agreed. Which standard(s) does this run afoul of?
If the parent delegates a name to a child server, the child server must
have an SOA at that
On 12/27/18 12:14 PM, John Levine wrote:
Well, yeah, like I said it's wrong but you can often get away with it.
}:-)
I'll admit that it's not 100% proper.
The DNS specs are a mess and the SOA at the top is poorly described in
1034 and 1035 (as is a lot of other stuff.) You'll definitely
It has come to my attention that my answer to the following question
might not have been clear. So I'll try again.
First I want to be clear that I was discussing what the records should
be, RFC 2317 Classless IN-ADDR.ARPA Delegation (read: CNAME) or standard
NS delegation. I don't care how
On 1/21/19 1:39 AM, ObNox wrote:
Hi,
Hi,
I'm trying to find a viable solution to my use case. Here is the context :
- Site 1 : ISC DHCP + ISC Bind and dynamic updates for example.net
Here, example.net is authoritative with views for different query sources.
There are plans to add a new