Give each instance of named a unique name:
   A-named, b-named, etc

----- Original Message -----
From: bind-users-requ...@lists.isc.org [mailto:bind-users-requ...@lists.isc.org]
Sent: Tuesday, July 02, 2013 08:00 AM
To: bind-users@lists.isc.org <bind-users@lists.isc.org>
Subject: bind-users Digest, Vol 1560, Issue 1

Send bind-users mailing list submissions to
        bind-users@lists.isc.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.isc.org/mailman/listinfo/bind-users
or, via email, send a message with subject or body 'help' to
        bind-users-requ...@lists.isc.org

You can reach the person managing the list at
        bind-users-ow...@lists.isc.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of bind-users digest..."


Today's Topics:

   1. Re: Reverse address entries (Sam Wilson)
   2. Re: Reverse address entries (Matus UHLAR - fantomas)
   3. Re: How to suppress ADDITIONAL SECTION per zone
      (Matus UHLAR - fantomas)
   4. configure syslog prefix (Klaus Darilion)


----------------------------------------------------------------------

Message: 1
Date: Mon, 01 Jul 2013 14:11:00 +0100
From: Sam Wilson <sam.wil...@ed.ac.uk>
To: comp-protocols-dns-b...@isc.org
Subject: Re: Reverse address entries
Message-ID:
        <sam.wilson-e707d1.14110001072...@news.eternal-september.org>

In article <mailman.718.1372672345.20661.bind-us...@lists.isc.org>,
 Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

> >> On Jun 28, 2013, at 10:54 AM, "Ward, Mike S" <mw...@ssfcu.org> wrote:
> >> > Hello all, is there any reason to setup reverse address entries for a 
> >> > zone?
> 
> >In article <mailman.710.1372442831.20661.bind-us...@lists.isc.org>,
> > Charles Swiger <cswi...@mac.com> wrote:
> >> Certainly.  Various software performs what's called a double-reverse 
> >> lookup
> >> to confirm that the A and PTR records match.
> 
> On 01.07.13 10:48, Sam Wilson wrote:
> >Isn't that paranoid reverse lookup?  Since reverse lookups can be faked
> >(I'll spare the details here) some uses of in-addr.arpa also require a
> >subsequent forward lookup.  If there is no PTR record then the double
> >lookup doesn't happen.  I don't know of anything to be gained by
> >requiring a reverse lookup after a forward lookup.
> 
> He apparently meant exactly the same. Also called FCrDNS - "forward
> confirmed" or "full circle" reverse DNS.

OK.  So what Mr. Swiger refers to is not relevant - it's no reason to 
add PTR records.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


------------------------------

Message: 2
Date: Mon, 1 Jul 2013 15:14:10 +0200
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: bind-users@lists.isc.org
Subject: Re: Reverse address entries
Message-ID: <20130701131410.ga14...@fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed

>> >In article <mailman.710.1372442831.20661.bind-us...@lists.isc.org>,
>> > Charles Swiger <cswi...@mac.com> wrote:
>> >> Certainly.  Various software performs what's called a double-reverse
>> >> lookup
>> >> to confirm that the A and PTR records match.

>In article <mailman.718.1372672345.20661.bind-us...@lists.isc.org>,
> Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>> He apparently meant exactly the same. Also called FCrDNS - "forward
>> confirmed" or "full circle" reverse DNS.

On 01.07.13 14:11, Sam Wilson wrote:
>OK.  So what Mr. Swiger refers to is not relevant - it's no reason to
>add PTR records.

Yes, it is.

"Various software performs what's called a double-reverse lookup to confirm
that the A and PTR records match."

It means that various software checks your PTR and then A (or maybe
AAAA) records, and can fail if any of them is not found or the latter result
doesn't match the original IP address.

Now that IS a reason to add PTR for IP address, and they must point to
hostnames that point to the same IP.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".

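The check Matus describes above (look up the PTR for the address, then look up the A/AAAA for the name the PTR returns, and require that the forward answer contain the original address) written out as an added example. This is not code from the thread or from BIND; it runs against a constructed, in-memory lookup table rather than live DNS, and the function names `fcrdns`, `reverse_name` and the sample addresses and hostnames are assumptions made for the illustration.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check over a constructed lookup table.

Added example, not code from the mailing-list thread. Real software would
issue the PTR and A/AAAA queries to a resolver; here both lookups are served
from constructed dictionaries so the control flow can be read and run offline.
"""
import ipaddress

# Constructed sample data (not real DNS). PTR_TABLE maps an address to the
# hostnames its PTR record(s) return; FORWARD_TABLE maps a hostname to its
# A/AAAA addresses.
PTR_TABLE = {
    "192.0.2.10": ["mail.example.net."],      # forward record points back: passes
    "192.0.2.20": ["spoofed.example.org."],   # forward record points elsewhere: fails
    "192.0.2.30": ["ghost.example.net."],     # hostname has no forward record: fails
    "2001:db8::5": ["mx6.example.net."],      # IPv6 handled the same way via AAAA
}
FORWARD_TABLE = {
    "mail.example.net.": ["192.0.2.10", "192.0.2.11"],
    "spoofed.example.org.": ["198.51.100.7"],
    "mx6.example.net.": ["2001:db8::5"],
}


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an address (in-addr.arpa / ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, ptr_table=PTR_TABLE, forward_table=FORWARD_TABLE):
    """Return (confirmed, hostname, reason) for the FCrDNS check on `ip`.

    Passes only when some PTR target's A/AAAA records include `ip` itself;
    a missing PTR, a PTR target with no forward records, or forward records
    that do not contain the address all fail (the three failure modes named
    in the thread).
    """
    addr = ipaddress.ip_address(ip)
    names = ptr_table.get(str(addr), [])
    if not names:
        return (False, None, "no PTR record at " + reverse_name(ip))

    saw_forward = False
    for name in names:
        forwards = forward_table.get(name.lower(), [])
        if not forwards:
            continue
        saw_forward = True
        if any(ipaddress.ip_address(f) == addr for f in forwards):
            return (True, name, "PTR target resolves back to " + str(addr))

    if not saw_forward:
        return (False, names[0], "PTR target has no A/AAAA record")
    return (False, names[0], "PTR target's A/AAAA records do not include " + str(addr))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "2001:db8::5"):
        ok, host, why = fcrdns(ip)
        print(f"{ip:<14} {'PASS' if ok else 'FAIL'}  {host or '-':<24} {why}")
```

Note that the check is driven from the address, not from the name: a hostname that resolves to an address whose PTR names a different host still fails, which is exactly why the PTR must point at a hostname whose forward record points back to the same address.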

------------------------------

Message: 3
Date: Mon, 1 Jul 2013 16:07:05 +0200
From: Matus UHLAR - fantomas <uh...@fantomas.sk>
To: bind-users@lists.isc.org
Subject: Re: How to suppress ADDITIONAL SECTION per zone
Message-ID: <20130701140704.gb14...@fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed

On 01.07.13 04:02, blrmaani wrote:
>We are noticing that a handful of our domains are being used for
> amplification attacks and we would like to reduce outgoing (DNS response)
> packet size.
>
>One solution is to reduce the additional sections in the response for these
> handful zones and I would like to know if there is any way to add
> something similar to "additional-from-auth no" per zone basis and achieve

It would be much better if you presented your problem in the beginning, not
just tell us what you want to do. 

In this case you should set "minimal-responses yes" globally, otherwise all
your other domains can get used for such attacks too.

Do you have separate servers for resolving and for domains?
Resolving servers could send all possible info to your own clients, while
authoritative servers would provide as little information as needed.

Other possibility is to implement packet rate limiting - a patch was
discussed here a few days/weeks ago.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer

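The global setting Matus recommends above, shown as an added named.conf fragment (not configuration from the thread or from ISC): the weak per-zone approach beside the global one. The `minimal-responses` option is a real BIND `options` statement; the `rate-limit` block is BIND's response rate limiting, which is what the "packet rate limiting" patch mentioned in the thread became in later releases, and the numeric value in it is an assumed placeholder rather than a recommendation.

```conf
// Added example, not from the thread. Assumes BIND 9 named.conf syntax.

// Weak: trimming only the zones already seen in attacks leaves every other
// zone on the server available as an amplifier.
// zone "abused.example" {
//     type master;
//     file "abused.example.db";
//     // (there is no per-zone additional-from-auth / minimal-responses knob here)
// };

options {
    directory "/var/named";

    // Corrected: omit authority and additional records unless the response
    // actually needs them, for every zone the server answers for.
    minimal-responses yes;

    // Response rate limiting, where the running BIND supports it; the
    // responses-per-second value is a placeholder to be tuned per deployment.
    rate-limit {
        responses-per-second 10;   // assumed placeholder value
    };
};
```

On a host that both resolves for local clients and serves authoritative zones, the thread's suggestion to split the two roles onto separate servers lets the resolver keep full responses while only the authoritative instance is tightened this way.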

------------------------------

Message: 4
Date: Tue, 02 Jul 2013 13:49:35 +0200
From: Klaus Darilion <klaus.mailingli...@pernau.at>
To: bind-us...@isc.org
Subject: configure syslog prefix
Message-ID: <51d2be4f.6060...@pernau.at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi!

I have several bind instances running on the same host. All of them use 
the same logging prefix, e.g:

named[11926]: zone mydomain/IN: Transfer started.
named[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: connected using 
2.3.4.5#44224
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR started: TSIG mydomain
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR ended


So I only have the PID to separate the different bind processes.

Some software allows to configure the syslog prefix, but I couldn't find 
that for bind.

Is there a workaround to get something like that?

named-incoming[11926]: zone mydomain/IN: Transfer started.
named-incoming[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: 
connected using 2.3.4.5#44224
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR started: TSIG mydomain
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR ended

Thanks
Klaus


------------------------------

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

End of bind-users Digest, Vol 1560, Issue 1
*******************************************