RPZ for reverse lookups ?

2019-08-24 Thread J Doe
Hello, I have a basic question regarding RPZ on Bind 9.11.x. Is it possible to re-write a response on a reverse lookup ? For instance, if I considered example.com a “bad domain”, can I write a RPZ policy so that a reverse lookup of IPs that map to example.com fails or is blocked ? I know I

Re: RPZ for reverse lookups ?

2019-08-27 Thread J Doe
NS is... > > On Sun, 25 Aug 2019, m3047 wrote: >> On Sat, 24 Aug 2019, J Doe wrote: >>> [...] Is it possible to re-write a response on a reverse lookup ? For >>> instance, if I considered example.com a “bad domain”, can I write a RPZ >>

Re: Trying again on SERVFAIL

2021-02-10 Thread J Doe
On 2021-02-10 3:05 a.m., Alessandro Vesely wrote: Hi Havard, That's what I've been doing.  For an incoming message, a temporary failure means replying a 4xx code.  The sender keeps the message in its queue, and eventually gives up.  Once upon a time, MTAs used to retry sending for five

Question about missing bind.keys

2022-03-29 Thread J Doe
Hello, I have a question about the bind.keys file and what happens when it is not available. According to the ARM: dnssec-validation This option enables DNSSEC validation in named. . . . (To prevent problems if bind.keys is not found, the current trust anchor is also

Re: Question about missing bind.keys

2022-04-12 Thread J Doe
On 2022-03-30 02:23, Evan Hunt wrote: On Wed, Mar 30, 2022 at 12:16:05AM -0400, J Doe wrote: I have a question about the bind.keys file and what happens when it is not available. [...] ** If I don't have bind.keys in my BIND directory but have: dnssec-validation auto in my named.conf

Question about Google domain with recursive resolver

2023-11-03 Thread J Doe
Hello, I have a basic recursive resolver configuration with Bind 9.18.19 that acts as the resolver for some VPN roadwarrior clients (a mix of Apple iOS and macOS clients). Periodically I will see the following in my logs: 02-Nov-2023 15:06:27.658 resolver: info: loop detected resolving

Question about URL being logged by resolver

2023-11-03 Thread J Doe
Hello, On a Bind 9.18.19 server configured as a recursive resolver, I sometimes see URLs being noted in the log files. One such example is: 02-Nov-2023 23:32:19.435 lame-servers: info: success resolving 'https://app-measurement.com/sdk-exp/A' after disabling qname minimization due to

Re: BIND 9.18.2 break-dnssec question

2022-05-01 Thread J Doe
nssec client non dnssec client You don’t want the second recursive server to spend all its time re-asking queries that will fail validation On 29 Apr 2022, at 11:24, J Doe wrote: Hi, I am configuring an RPZ for a validating resolver. I read in the BIND 9.18.2 ARM that there is a boolean op

BIND 9.18.2 break-dnssec question

2022-04-28 Thread J Doe
Hi, I am configuring an RPZ for a validating resolver. I read in the BIND 9.18.2 ARM that there is a boolean option for RPZ zones called: break-dnssec. The ARM states: ...In that case, RPZ actions are applied regardless of DNSSEC. The name of the clause option reflects the fact

Question regarding newsyslog.conf and Bind logs

2022-08-24 Thread J Doe
Hello, I was wondering if anyone could provide feedback on whether the following: newsyslog.conf file is correct to allow for daily log rotation for my Bind 9.16.30 logs ? My currently logging settings in: named.conf are: ... logging { channel chn_file_queries {

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 18:04, Greg Choules wrote: Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 03:05, Greg Choules wrote: Hello J What is it you're actually trying to achieve here? Cheers, Greg Hi Greg, I'm looking to have my: queries.log (which logs all the queries my Bind 9.16.30 recursive resolver resolves), rotated at the end of the day and I'd like to keep 7 days

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 04:52, Anand Buddhdev wrote: On 25/08/2022 05:23, J Doe wrote: Hello J Doe, I was wondering if anyone could provide feedback on whether the following: newsyslog.conf file is correct to allow for daily log rotation for my Bind 9.16.30 logs ? My currently logging settings

Re: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread J Doe
On 2022-08-25 16:46, Richard T.A. Neal wrote: Hi J, I'm coming a little late to the party on this one and I think you might struggle to do rotation based on both date/time *and* file size, but I use logrotate to rotate all of my BIND logs daily, keeping 31 days of logs. And you'll see that

Re: Question about resolver

2024-04-26 Thread J Doe
On 2024-04-25 08:55, Josh Kuo wrote: DS = Delegation Signer, it is the record type that a signed child upload to the parent zone. It's difficult to say for sure without more information such as which domain name you are trying to resolve, but looks like it is probably due to a mis-matching DS

Question about resolver

2024-04-24 Thread J Doe
Hello, I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I noticed the following: 22-Apr-2024 19:25:59.614 lame-servers: info: chase DS servers resolving '180.96.34.in-addr.arpa/DS/IN': 216.239.34.102#53 What does "chase DS servers" mean ? Thanks, - J

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:45, Josh Kuo wrote: In this particular case, isn't the resolver attempting to do a reverse lookup of the IP address that's listed ? You are right, I missed that this is a reverse-mapping zone. In that case, run DNSSEC analyzer on the domain "180.96.34.in-addr.arpa"

Re: Question about resolver

2024-04-27 Thread J Doe
On 2024-04-26 16:28, Mark Andrews wrote: DS records live in the parent zone and the RFC 1034 rules for serving zones break down when a grandparent zone and child zone are served by the same server. This is corrected by the client by looking for intermediate NS records to find the hidden

Re: Truncated TCP ?

2024-05-06 Thread J Doe
On 2024-05-05 20:47, Mark Andrews wrote: On 6 May 2024, at 07:38, J Doe wrote: Hello, I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I noticed the following: 01-May-2024 00:52:49.689 lame-servers: info: truncated TCP response resolving 'www.ipfire.org

Truncated TCP ?

2024-05-05 Thread J Doe
Hello, I run BIND 9.18.26 as a recursive, validating resolver. In my logs, I noticed the following: 01-May-2024 00:52:49.689 lame-servers: info: truncated TCP response resolving 'www.ipfire.org/A/IN': 74.113.60.134#53 I am aware that there are issues with DNS UDP traffic being

Missing cookie

2024-05-19 Thread J Doe
Hi list, I run a validating recursive resolver with BIND 9.18.27. Over the course of many days, I have noted the following warning about a missing cookie from a particular server: 09-May-2024 20:09:22.277 resolver: info: missing expected cookie from 192.5.5.241#53 This server runs

CIDR notation for RPZ rpz-ip ?

2024-05-17 Thread J Doe
Hello, When using RPZ with BIND 9.18.27 and rpz-ip, can any CIDR prefix be used or must they be either: /8, /16, /24, /32 for IPv4 ? For example, if I want to block records with an A address of 192.168.10.1, I know I can write: 32.1.10.168.192.rpz-ip IN CNAME . ... and records

Re: CIDR notation for RPZ rpz-ip ?

2024-05-26 Thread J Doe
On 2024-05-17 19:37, Nick Tait via bind-users wrote: On 18/05/2024 09:11, J Doe wrote: Hello, When using RPZ with BIND 9.18.27 and rpz-ip, can any CIDR prefix be used or must they be either: /8, /16, /24, /32 for IPv4 ? For example, if I want to block records with an A address