Thanks Fred - Though really all I am trying to do is ensure I can access all public DNS names, which my experience shows me I cannot, using my ISP's name-servers.
It seems there is a Hidden Google Internet that I cannot access unless I use Google's DNS servers, giving Google data about me to sell - this is what I am trying to avoid.

RE:
> Can't you do the auth lookups directly? Have you tried?

You mean add topsectechnology.net's DNS servers to my Forwarders list? How do I find out what they are, when the domain cannot be looked up by ICANN's WHOIS service?

And really this would not be a solution, every time I get an NXDOMAIN error, I'd have to access multiple web-sites to find the authoritative nameserver for the domain (which fails for topsectechnology.net anyway), and then add them to my Forwarders list?

Is this the way the DNS is meant to work these days? I thought the DNS was meant to be public and global. I see that nowadays it is not. What a shame! How did we let this happen?

And this is meant to be a vital public information service! Why choose to hide the domain name that allows the public to make a Covid Booster booking, unless the intent is to exclude a section of society from accessing it?

> the BIND mailing list is where I should direct my ire.

Isn't this the BIND mailing list we are discussing this on? Is there another one I should be using? If so, please let me know.

> Any response you get here is going to involve changing your
> BIND server's configuration and behavior, probably to convert
> it from forwarding to caching...

Fine! I am just using a slightly modified Red Hat caching nameserver example named.conf, enclosed. Why isn't this a caching nameserver?

If anyone could suggest how to turn my config into one that is able to query the Google Hidden Internet, without accessing a Google Server, please let me know.

Thanks & Best Regards,
Jason

On 08/01/2022, Fred Morris <m3...@m3047.net> wrote:
> Wow.
>
> 1) You're using BIND as a caching nameserver.
>
> So you say. Does the nameserver do its own upstream (authoritative)
> lookups? If yes, then the term of art is "recursive / caching"; otherwise
> the term is "forwarding".
>
> Looks like you're configuring your ISP's nameservers as forwarders.
> Therefore the proper term is "forwarding".
>
> 2) Your ISP's nameservers fail to resolve $FQDN.
>
> These are other people's caching nameservers.
>
> 3) Google's nameservers resolve $FQDN.
>
> These are other people's caching nameservers.
>
> 4) Looks like the nameservers for healthservice.ie belong to
> topsectechnology.net.
>
> 5) Looks like those nameservers resolve $FQDN.
>
> At least that's what dig +trace tells me.
>
>
> Can't you do the auth lookups directly? Have you tried?
>
>
> So your logic in coming here is that:
>
> a) $A's caching nameservers don't resolve $FQDN.
>
> b) $B's caching nameservers do resolve $FQDN.
>
> c) You use BIND to connect to one of those entities' caching nameservers
> instead of running your own.
>
> d) Therefore, the BIND mailing list is where I should direct my ire.
>
> Did I miss anything?
>
>
> Any response you get here is going to involve changing your BIND server's
> configuration and behavior, probably to convert it from forwarding to
> caching... although grizzled veterans may tell you horror stories about
> hotels and other public wifi.
>
> --
>
> Fred Morris
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
//
// named.caching-nameserver.conf
//
// Provided by Red Hat caching-nameserver package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// caching-nameserver package upgrade.
//
options {
        listen-on port 53 { 127.0.0.1; 192.168.122.1; 192.168.4.1; 192.168.42.10; };
        listen-on-v6 port 53 { ::1; };
        directory          "/var/named";
        dump-file          "/var/named/data/cache_dump.db";
        statistics-file    "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        secroots-file      "/var/named/data/named.secroots";
        recursing-file     "/var/named/data/named.recursing";
        dnssec-enable no;
        dnssec-validation no;
        resolver-query-timeout 64;
        resolver-retry-interval 8;
        max-retry-time 64;
        managed-keys-directory "/var/named/dynamic";
        geoip-directory "/usr/share/GeoIP";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
        /* https://fedoraproject.org/wiki/Changes/CryptoPolicy */
        include "/etc/crypto-policies/back-ends/bind.config";
        //query-source port 53;
        //query-source-v6 port 53;
        allow-query { localhost; 192.168.122.0/24; 192.168.4.0/24; 192.168.42.0/24; };
};

include "/etc/named.root.key";

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

view localhost_resolver {
        match-clients      { localhost; 192.168.122.0/24; 192.168.4.0/24; 192.168.42.0/24; };
        match-destinations { localhost; 192.168.122.0/24; 192.168.4.0/24; 192.168.42.0/24; };

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "jvdspc" { // my fake TLD localhost nickname
                type master;
                file "jvdspc.zone";
        };

        include "/etc/named.rfc1912.zones";

        zone "jvds.net" { // my local "domain"
                type master;
                file "jvds.net.zone";
        };

        zone "1.168.192.in-addr.arpa" { // my local "domain"
                type master;
                file "1.168.192.zone";
        };

        zone "jvdsph.net" { // my local "domain"
                type master;
                file "jvdsph.net.zone";
        };

        zone "4.168.192.in-addr.arpa" { // my local "domain"
                type master;
                file "4.168.192.zone";
        };

        zone "jvdsvm.net" { // my local "domain"
                type master;
                file "jvdsvm.zone";
        };

        zone "122.168.192.in-addr.arpa" { // my local VMs "domain"
                type master;
                file "122.168.192.zone";
        };

        response-policy { zone "nasty"; };

        zone "nasty" { // blacklist from http://someonewhocares.org, converted to RPZ zone!
                type master;
                file "internet.nasty.zone";
                allow-query {none;};
        };

        forwarders {
                // 172.16.15.254;
                // 212.36.35.18;
                212.36.35.17;
                159.134.0.11;
                159.134.0.12;
                // 192.168.1.1;
                8.8.8.8;
                // 192.168.5.1;
                // 192.168.1.1;
                // 192.168.117.22; // Ludgate LAN
                // 192.168.12.22;  // Ludgate WiFi
                // 192.168.0.254;  // Pa's
                // 192.168.43.1;   // my default router (phone)
        };

        recursion yes;
};
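Added illustration, not part of the original message or of any ISC-supplied file: the forwarding-versus-recursive distinction discussed in the thread, shown against the posted view. With a forwarders list and BIND's default "forward first" behaviour, named falls back to its own recursion only when the forwarders fail to answer; an NXDOMAIN from a forwarder is an answer and is accepted. The domain healthservice.ie comes from the thread; the subnets and forwarder addresses are copied from the posted file.

```conf
// Added illustration; not the poster's file and not ISC-supplied.
// "healthservice.ie" is the domain named in the thread. Subnets and
// forwarder addresses are copied from the posted named.conf.

view localhost_resolver {
    match-clients { localhost; 192.168.122.0/24; 192.168.4.0/24; 192.168.42.0/24; };

    // Root hints: where named starts when it resolves a name itself.
    zone "." IN {
        type hint;
        file "named.ca";
    };

    recursion yes;

    // Option A, recursive/caching: no "forwarders" statement in the view
    // (or in options). named follows the delegations from the root to the
    // authoritative servers itself and caches their answers, so neither
    // the ISP's resolvers nor 8.8.8.8 sit in the lookup path.

    // Option B, keep forwarding but exempt one domain: uncomment both
    // statements. An empty forwarders list in a "forward" zone cancels
    // the view-level forwarders for that domain and everything below it,
    // so those names are resolved by recursion.
    //
    // forwarders { 212.36.35.17; 159.134.0.11; 159.134.0.12; };
    // zone "healthservice.ie" {
    //     type forward;
    //     forwarders { };
    // };
};
```

Run named-checkconf on the edited file before reloading, then rndc flush so that a negative answer cached from the old forwarders does not mask the change.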