Re: Bind open to query from anyone

2009-01-06 Thread John Wobus

As you suspect, this is a bad idea.

Those who cannot query the server cannot poison the cache
using the loopholes in the DNS protocol, i.e. put false data in
your nameserver for names like www.google.com, www.yahoo.com, etc.
There can be other impediments to poisoning the cache in this manner,
but simply blocking such queries is an extremely effective way to
totally eliminate a huge number of potential poisoners.

On Jan 5, 2009, at 6:15 AM, Chris Henderson wrote:


I've set up a secondary name server which works as a secondary or slave
name server for my zone or domain name. However, I have tested and
noticed that I can query for non-authoritative answers from my
secondary or slave name server from outside my network. That is,
anyone can use my name server to query any host name, e.g. www.google.com,
www.yahoo.com etc. Is this a bad idea? How can I stop this?

Thanks for any suggestions.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Using bind 9.5.0 with Active directory

2009-01-06 Thread Rob Austein
No obvious reason why it shouldn't work with ms-subdomain.

Next step is probably a protocol trace to see what's happening on the
wire.  wireshark/tshark is pretty good for this kind of analysis.

Probably best to run named with -g while you're doing the trace and
capture the output as well (if you're not doing that already), since
there may be clues in the log that aren't obvious with your normal
logging configuration.

If possible, do the trace on the same machine that's running named, so
that timestamps in packet trace and log will match up.

Re: split view dns, with a shared dynamic zone?

2009-01-06 Thread Paul B. Henson
On Mon, 5 Jan 2009, Adam Tkac wrote:

> Btw setup with slave zone in second view is described in FAQ as well:
> - https://www.isc.org/faq/bind
> - Configuration and Setup Questions -> "How do I share a dynamic zone
> between multiple views?"

Cool, thanks for the pointer. I searched with Google and on the mailing
list archives, but never ran across the FAQ. I had tried something similar,
but the slave would do a zone transfer the first time the slave zone
existed and then never update. I did not have an also-notify option on the
master though, maybe that would fix that problem. I will give it another
try.


-- 
Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  hen...@csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

Re: error compiling bind 9.5.1 with static

2009-01-06 Thread mingdawang
Thank you for your reply! I installed libcap 1.97 with source code, and
copied libcap.a to the /lib directory. Then reinstalled bind9.5.1 with
configure. Everything seems OK.

On 1/6/09, JINMEI Tatuya / 神明達哉  wrote:
>
> At Mon, 5 Jan 2009 19:52:54 +0800,
> mingdawang  wrote:
>
> > I'm trying to install bind 9.5.1 on redhat as 4.5, but am having problems
> > with the configure statement:
> >
> > STD_CDEFINES='-DISC_MEM_USE_INTERNAL_MALLOC=1' ./configure
> > --prefix=/home/named --enable-epoll --disable-threads --enable-largefile
> > --disable-ipv6 --with-openssl=yes CFLAGS='-static -march=pentium4 -O2
> -pipe'
>
>
> [snip]
>
> > why?
>
> Can you show the content of config.log?
>
> ---
> JINMEI, Tatuya
> Internet Systems Consortium, Inc.
>

Re: General performance

2009-01-06 Thread Sam Wilson
In article ,
 Stephane Bortzmeyer  wrote:

> On Tue, Dec 23, 2008 at 08:36:36PM -0800,
>  Scott Haneda  wrote 
>  a message of 35 lines which said:
> 
> > First, if I learn it is in fact true that all 50K zones will be
> > identical, is there any reason to make 50K zone files?
> 
> No.
> 
> > Is it ok to point different domains to the same zone file?
> 
> Yes. 
> 
> http://www.bortzmeyer.org/identical-domains-with-bind.html

... whilst remembering that any slave server(s) will need to have 
separate files defined for each zone, though the creation is up to the 
nameserver - they don't have to be done manually.

Sam
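As an added illustration of the point in Sam's reply (this is constructed example configuration, not anything posted to the thread), the master can point any number of identical zones at one file, while the slave must give each transferred zone its own file; zone names, file paths and addresses below are placeholders:

```conf
// Master (primary) named.conf: several identical zones served from one file.
// Zone names, paths and addresses are constructed for this example.
zone "example.com" {
    type master;
    file "masters/identical.db";       // same file ...
    allow-transfer { 192.0.2.2; };     // placeholder slave address
};

zone "example.net" {
    type master;
    file "masters/identical.db";       // ... shared by every identical zone
    allow-transfer { 192.0.2.2; };
};

// Slave (secondary) named.conf: named writes each transferred zone to its
// own file, so the file names must differ even if the contents end up equal.
// named creates these files itself on the first transfer.
zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.1; };            // placeholder master address
};

zone "example.net" {
    type slave;
    file "slaves/example.net.db";
    masters { 192.0.2.1; };
};
```

The two halves belong in the master's and the slave's named.conf respectively. For the shared file to load under every zone name it has to be written with `@` and relative owner names rather than a hard-coded zone name, otherwise it is only correct for one of the zones.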

Re: Bind open to query from anyone

2009-01-06 Thread Stephane Bortzmeyer
On Mon, Jan 05, 2009 at 03:15:36AM -0800,
 Chris Henderson  wrote 
 a message of 12 lines which said:

> That is, any one can use my name server to query any host name,
> eg. www.google.com, www.yahoo.com etc. Is this a bad idea?

Yes, very bad. See RFC 5358 
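The fix that both John Wobus's reply and the RFC 5358 pointer above amount to, written out as an added named.conf example (constructed for this page, not configuration from either reply; the ACL addresses, directory, zone name and master address are placeholders):

```conf
// Added example: a secondary that must not act as an open resolver.
// Network addresses, paths and the zone name are placeholders.
acl "mynets" {
    127.0.0.0/8;
    192.0.2.0/24;        // placeholder: your own client networks
};

options {
    directory "/var/named";

    // This machine only serves the zones it is a slave for, so recursion
    // is switched off entirely. Queries for anything else get REFUSED and
    // nothing from outside can feed data into a cache that is never used.
    recursion no;

    // If the same server must also recurse for your own clients, use these
    // three lines instead of "recursion no;" so that only "mynets" can
    // recurse or read the cache:
    //   recursion yes;
    //   allow-recursion { mynets; };
    //   allow-query-cache { mynets; };

    // Authoritative answers for your own zones stay open to everyone,
    // which is what a public secondary is for.
    allow-query { any; };
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";
    masters { 192.0.2.1; };          // placeholder master address
};
```

After `rndc reload`, a query from a host outside `mynets` for a name you are not authoritative for (the www.google.com case from the original post) comes back with status REFUSED and without the `ra` flag, while a query for your own zone still answers with `aa` set. RFC 5358 is BCP 140 and recommends exactly this: recursion only for the clients you serve.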

Re: dnsperf and BIND memory consumption

2009-01-06 Thread Doug Barton
Danny Mayer wrote:
> Doug Barton wrote:
>> You'd have to dig into the source and really understand what's happening
>> now vs. what was happening before in order for me to answer this
>> question, and by the time you had done that work I would not need to
>> answer this question for you. :)
> 
> You would have a very hard time finding it just using code inspection

...


I think one of us is talking about something different than what the
other person is talking about. :) I was referring to the different
defaults (and the subsequent decisions for include files, etc.) that
come when configure picks the right architecture.


Good work on finding that bug though. :)

Doug