Re: Disable Refused answer
Searching in the ARM for the keyword "blackhole" will save the father of Russian democracy :-)

2009/12/3 Dmitry Rybin kirg...@corbina.net:
> Barry Margolin wrote:
>> In article mailman.1159.1259764844.14796.bind-us...@lists.isc.org, Dmitry Rybin kirg...@corbina.net wrote:
>>> Hello!
>>>
>>> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
>>
>> What do you expect it to do instead? Not respond at all?
>
> Drop the not-allowed request.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Disable Refused answer
Give me a parabellum :) This is not an answer. I want to disable Refused answers for clients that are not allowed recursion.

Peter Andreev wrote:
> Searching in the ARM for the keyword "blackhole" will save the father of Russian democracy :-)
>
> 2009/12/3 Dmitry Rybin kirg...@corbina.net:
>> Barry Margolin wrote:
>>> In article mailman.1159.1259764844.14796.bind-us...@lists.isc.org, Dmitry Rybin kirg...@corbina.net wrote:
>>>> Hello!
>>>>
>>>> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
>>>
>>> What do you expect it to do instead? Not respond at all?
Re: Disable Refused answer
Do you want to disable refused answers for recursion and allow any answers for authoritative information at the same time?

2009/12/3 Dmitry Rybin kirg...@corbina.net:
> Give me a parabellum :) This is not an answer. I want to disable Refused answers for clients that are not allowed recursion.
>
> Peter Andreev wrote:
>> Searching in the ARM for the keyword "blackhole" will save the father of Russian democracy :-)
>>
>> 2009/12/3 Dmitry Rybin kirg...@corbina.net:
>>> Barry Margolin wrote:
>>>> In article mailman.1159.1259764844.14796.bind-us...@lists.isc.org, Dmitry Rybin kirg...@corbina.net wrote:
>>>>> Hello!
>>>>>
>>>>> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
>>>>
>>>> What do you expect it to do instead? Not respond at all?
Re: Disable Refused answer
Dmitry Rybin wrote:
> Barry Margolin wrote:
>> In article mailman.1159.1259764844.14796.bind-us...@lists.isc.org, Dmitry Rybin kirg...@corbina.net wrote:
>>> Hello!
>>>
>>> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
>>
>> What do you expect it to do instead? Not respond at all?
>
> Drop the not-allowed request.

This is not compatible with the DNS protocol, as defined:

RFC 1034, Section 4.3.1:
---
   If recursive service is requested and available, the recursive response
   to a query will be one of the following:

      - The answer to the query, possibly preface by one or more CNAME
        RRs that specify aliases encountered on the way to an answer.

      - A name error indicating that the name does not exist.  This
        may include CNAME RRs that indicate that the original query
        name was an alias for a name which does not exist.

      - A temporary error indication.

   If recursive service is not requested or is not available, the non-
   recursive response will be one of the following:

      - An authoritative name error indicating that the name does not
        exist.

      - A temporary error indication.

      - Some combination of:

        RRs that answer the question, together with an indication
        whether the data comes from a zone or is cached.

        A referral to name servers which have zones which are closer
        ancestors to the name than the server sending the reply.

      - RRs that the name server thinks will prove useful to the
        requester.
---
Note that "no response" is not one of the options.

You should probably implement this outside of DNS and BIND, e.g. a stateful firewall which would, by policy, drop incoming DNS query packets from certain source-address ranges which have the RD bit set in the DNS query packet header.

- Kevin
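The decision Kevin describes for the firewall, written out as an added example (not code from the thread or from BIND): parse the 12-byte DNS header of an incoming datagram, look at the RD bit, and drop the packet silently only when RD is set and the source is outside an authorized list; non-recursive queries and responses go through untouched, so the server still answers for its own zones. The `AUTHORIZED` networks, the `build_query` helper and every packet below are constructed for the example; how the verdict is wired into a real firewall (NFQUEUE, a vendor rule, or a pcap tap) is not shown because it depends on the product.

```python
"""Query-side drop policy for unauthorized recursive DNS queries.

Added example, not part of the bind-users thread.  Networks and
packets are constructed for illustration.
"""
import ipaddress
import struct

# DNS header flag bits (RFC 1035 section 4.1.1), second 16-bit word.
FLAG_QR = 0x8000   # 1 = response, 0 = query
FLAG_RD = 0x0100   # Recursion Desired

# Hypothetical ACL standing in for the thread's "authorized-clients".
AUTHORIZED = [ipaddress.ip_network("192.0.2.0/24"),
              ipaddress.ip_network("2001:db8::/32")]


def encode_name(name):
    """Wire-format a domain name: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, rd=True):
    """Build a minimal DNS query; rd=False is what 'dig +norec' sends."""
    flags = FLAG_RD if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(payload):
    """Return (id, flags, qdcount, ancount, nscount, arcount)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!HHHHHH", payload[:12])


def is_authorized(src):
    """True if the source address is inside one of the AUTHORIZED networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in AUTHORIZED)


def verdict(src, payload):
    """'drop' for unauthorized recursive queries, 'pass' for everything else.

    Malformed datagrams are dropped as well: a filter should not forward
    something it cannot classify.  Responses (QR set) are passed; they
    are matched to outbound queries by connection tracking, not here.
    """
    try:
        _, flags, _, _, _, _ = parse_header(payload)
    except ValueError:
        return "drop"
    if flags & FLAG_QR:
        return "pass"
    if flags & FLAG_RD and not is_authorized(src):
        return "drop"
    return "pass"


if __name__ == "__main__":
    samples = [("192.0.2.1", build_query("www.example.com")),
               ("198.51.100.7", build_query("www.example.com")),
               ("198.51.100.7", build_query("www.example.com", rd=False))]
    for src, pkt in samples:
        rd = "RD" if parse_header(pkt)[1] & FLAG_RD else "--"
        print(f"{src:14} {rd}  -> {verdict(src, pkt)}")
```

Note what this does not change: a query for the server's own authoritative data from an unauthorized address with RD set is dropped too, exactly as a firewall rule keyed on RD would do; the client gets through by clearing RD, which is what `dig +norec` does.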
Re: parent dns answers the ARR of child dns
On Dec 3, 2009, at 3:38 AM, Tech W. wrote:
> # dig smartip.gduf.edu.cn ns +short
> dtone1.gduf.edu.cn.
>
> # dig www.smartip.gduf.edu.cn +short
> 121.8.235.88
>
> # dig www.smartip.gduf.edu.cn +trace
> [...]
> www.smartip.gduf.edu.cn. 8 IN A 218.192.12.4
> www.smartip.gduf.edu.cn. 8 IN A 218.192.12.10
> www.smartip.gduf.edu.cn. 8 IN A 218.192.12.3
> ;; Received 89 bytes from 218.192.12.6#53(DNS.gduf.edu.cn) in 106 ms

DNS.gduf.edu.cn is open to recursive queries from anyone. Is it possible you were seeing a cached answer?

A DNS server that is authoritative for a zone that has subzones that are delegated to other DNS servers should not be performing recursion. Not for anyone. It leads to confusing results.

$ dig www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22315
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.       IN      A

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.    3600    IN      NS      dtone1.gduf.edu.cn.

;; ADDITIONAL SECTION:
dtone1.gduf.edu.cn.     3600    IN      A       218.192.12.233

;; Query time: 398 msec
;; SERVER: 218.192.12.6#53(218.192.12.6)
;; WHEN: Thu Dec  3 08:43:50 2009
;; MSG SIZE  rcvd: 97

$ dig www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn

; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47739
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.       IN      A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30     IN      A       121.8.235.88

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.    3600    IN      NS      dtone1.gduf.edu.cn.

;; Query time: 396 msec
;; SERVER: 218.192.12.233#53(218.192.12.233)
;; WHEN: Thu Dec  3 08:44:17 2009
;; MSG SIZE  rcvd: 78

Chris Buxton
Professional Services
Men & Mice
Re: Disable Refused answer
On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
> Hello!
>
> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?

Something like this should work:
________________________________________

options {
        directory "/var/named";
};

acl authorized-clients { 192.0.2.1; };

view caching-server {
        match-recursive-only yes;
        blackhole { ! authorized-clients; any; };
        // any other resolution configuration goes here
};

view auth-server {
        // zones go here
};
________________________________________

Note that there is no need to use the allow-query-cache, allow-query, allow-recursion, or recursion statements in either view. All recursive queries will be caught by the first view, which will drop queries by unauthorized clients; no refusal will be sent. If an authorized client sends a recursive query to the server for local authoritative data, as long as the NS records are configured correctly (possibly along with stub zone statements in the caching-server view), the server will query itself (iteratively, so hitting the auth-server view) and find the data.

The only way in which this differs from what you want is, if someone sends a recursive query for your authoritative zone data from an unauthorized IP, the query will be dropped. But this will probably only happen in testing with dig or nslookup, and it can be worked around (by the user) by turning off the RD flag in the request.

Chris Buxton
Professional Services
Men & Mice
Re: parent dns answers the ARR of child dns
Not only that, but DNS.gduf.edu.cn is performing recursion, while not setting RA in, and not copying RD into, the header of the response.

% dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn

; <<>> DiG 9.3.0 <<>> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.       IN      A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30     IN      A       218.192.12.3
www.smartip.gduf.edu.cn. 30     IN      A       218.192.12.4
www.smartip.gduf.edu.cn. 30     IN      A       218.192.12.10

I suspect this is YABDLBD (Yet Another Brain-Damaged Load-Balancer Device). Or a defective DNS proxy.

While the cache is populated with these records, even *non-recursive* queries will be given this answer directly, instead of a referral. Once the records time out, referrals are given again.

But, why do you (the original poster) care? If the caching of these records by this server is a problem, surely it's a more *general* problem of the records being cached by resolvers everywhere. Either set the TTLs accordingly, or abandon whatever plans you have to make the responses completely dynamic, or ordered in any particular way... DNS isn't, and never was intended to be, a comprehensive load-balancing or failover mechanism. Maybe it can become that, if SRV records were used as a matter of course, but we haven't achieved that yet. Not by a long shot.

Since the addresses all appear to be in the same subnet, you might want to look into front-ending them with some sort of dedicated local load-balancer, either implemented in hardware or software.

- Kevin

Chris Buxton wrote:
> On Dec 3, 2009, at 3:38 AM, Tech W. wrote:
>> # dig smartip.gduf.edu.cn ns +short
>> dtone1.gduf.edu.cn.
>>
>> # dig www.smartip.gduf.edu.cn +short
>> 121.8.235.88
>>
>> # dig www.smartip.gduf.edu.cn +trace
>> [...]
>> www.smartip.gduf.edu.cn. 8 IN A 218.192.12.4
>> www.smartip.gduf.edu.cn. 8 IN A 218.192.12.10
>> www.smartip.gduf.edu.cn. 8 IN A 218.192.12.3
>> ;; Received 89 bytes from 218.192.12.6#53(DNS.gduf.edu.cn) in 106 ms
>
> DNS.gduf.edu.cn is open to recursive queries from anyone. Is it possible you were seeing a cached answer?
>
> A DNS server that is authoritative for a zone that has subzones that are delegated to other DNS servers should not be performing recursion. Not for anyone. It leads to confusing results.
>
> $ dig www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22315
> ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;www.smartip.gduf.edu.cn.       IN      A
>
> ;; AUTHORITY SECTION:
> smartip.gduf.edu.cn.    3600    IN      NS      dtone1.gduf.edu.cn.
>
> ;; ADDITIONAL SECTION:
> dtone1.gduf.edu.cn.     3600    IN      A       218.192.12.233
>
> ;; Query time: 398 msec
> ;; SERVER: 218.192.12.6#53(218.192.12.6)
> ;; WHEN: Thu Dec  3 08:43:50 2009
> ;; MSG SIZE  rcvd: 97
>
> $ dig www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn
>
> ; <<>> DiG 9.6.0-APPLE-P2 <<>> www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47739
> ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.smartip.gduf.edu.cn.       IN      A
>
> ;; ANSWER SECTION:
> www.smartip.gduf.edu.cn. 30     IN      A       121.8.235.88
>
> ;; AUTHORITY SECTION:
> smartip.gduf.edu.cn.    3600    IN      NS      dtone1.gduf.edu.cn.
>
> ;; Query time: 396 msec
> ;; SERVER: 218.192.12.233#53(218.192.12.233)
> ;; WHEN: Thu Dec  3 08:44:17 2009
> ;; MSG SIZE  rcvd: 78
>
> Chris Buxton
> Professional Services
> Men & Mice
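The three dig runs in this thread are told apart by reading the header line by eye: `qr ra` with an empty ANSWER section is a referral, `qr aa` with an answer is the child's authoritative reply, and the parent's `qr aa` with three answers to a query that had RD set is the odd case Kevin describes (RD not copied back, RA not set). The following is an added example, not code from the thread, that does that reading mechanically from the 12-byte header alone; the sample headers are reconstructed from the `->>HEADER<<-` and `flags:` lines quoted above, not captured packets, and the classification rules are this example's own.

```python
"""Classify a DNS response from its header, as one reads dig output.

Added example, not part of the bind-users thread.  Sample headers are
transcribed from the dig runs quoted in the thread.
"""
import struct

# Header flag bits, RFC 1035 section 4.1.1.
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_RD = 0x0100
FLAG_RA = 0x0080
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def make_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    """Pack a DNS header; used here to reconstruct the observed responses."""
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def classify(query_rd, response):
    """Describe a response, given whether the query it answers had RD set."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    if not flags & FLAG_QR:
        raise ValueError("QR not set: this is a query, not a response")
    aa = bool(flags & FLAG_AA)
    rd = bool(flags & FLAG_RD)
    ra = bool(flags & FLAG_RA)
    rcode = flags & RCODE_MASK

    if rcode == RCODE_REFUSED:
        kind = "refused"
    elif rcode != 0:
        kind = "error"
    elif an == 0 and ns > 0 and not aa:
        kind = "referral"                   # NS records in AUTHORITY only
    elif an > 0 and aa:
        kind = "authoritative answer"
    elif an > 0:
        kind = "non-authoritative answer"   # cached or forwarded data
    else:
        kind = "empty"                      # e.g. NODATA with the SOA in AUTHORITY

    anomalies = []
    # RFC 1035: RD "is copied into the response".  A responder that
    # drops it is not behaving like a plain authoritative server.
    if query_rd and not rd:
        anomalies.append("RD not copied into response")
    if kind == "non-authoritative answer" and not ra:
        anomalies.append("answer data without AA or RA")

    return {"id": txid, "kind": kind, "aa": aa, "rd": rd, "ra": ra,
            "rcode": rcode, "anomalies": anomalies}


# (query had RD set?, response header) transcribed from the thread's dig output.
OBSERVED = {
    "parent, +norec": (False, make_header(22315, FLAG_QR | FLAG_RA, an=0, ns=1, ar=1)),
    "child, +norec":  (False, make_header(47739, FLAG_QR | FLAG_AA, an=1, ns=1)),
    "parent, RD set": (True,  make_header(593,   FLAG_QR | FLAG_AA, an=3, ns=1)),
}


def report():
    """Classify every observed response; returns {label: classification}."""
    return {label: classify(rd, hdr) for label, (rd, hdr) in OBSERVED.items()}


if __name__ == "__main__":
    for label, r in report().items():
        flags = " ".join(f for f in ("aa", "rd", "ra") if r[f])
        print(f"{label:15} id={r['id']:<6} flags=[{flags:8}] {r['kind']}"
              + (f"  ({'; '.join(r['anomalies'])})" if r["anomalies"] else ""))
```

The header is enough to separate a referral from an answer and to catch the missing RD, which is why `dig +norec` against each server in the delegation chain is the quick check; telling a cached answer from zone data still needs the rest of the message (TTLs counting down, as in the `+trace` output where the parent returned the records with TTL 8).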
Re: Disable Refused answer
Chris Buxton wrote:
> On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
>> Hello!
>>
>> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
>
> Something like this should work:
> ________________________________________
>
> options {
>         directory "/var/named";
> };
>
> acl authorized-clients { 192.0.2.1; };
>
> view caching-server {
>         match-recursive-only yes;
>         blackhole { ! authorized-clients; any; };
>         // any other resolution configuration goes here
> };
>
> view auth-server {
>         // zones go here
> };

"This should work" --- one of the scariest phrases in the computing field :-)

Unfortunately, blackhole can only appear in the (global) options clause:

% cat /tmp/buxton.example
options {
        directory "/tmp";
};

acl authorized-clients { 192.0.2.1; };

view caching-server {
        match-recursive-only yes;
        // any other resolution configuration goes here
        blackhole { ! authorized-clients; any; };
};
% ./named-checkconf /tmp/buxton.example
/tmp/buxton.example:12: unknown option 'blackhole'
% ed /tmp/buxton.example
218
12m2
1,$p
options {
        directory "/tmp";
        blackhole { ! authorized-clients; any; };
};

acl authorized-clients { 192.0.2.1; };

view caching-server {
        match-recursive-only yes;
        // any other resolution configuration goes here
};
w
218
q
% ./named-checkconf /tmp/buxton.example
%

- Kevin
Re: Disable Refused answer
On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote:
> Chris Buxton wrote:
>> On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
>>> Hello!
>>>
>>> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
>>
>> Something like this should work:
>> ________________________________________
>>
>> view caching-server {
>>         match-recursive-only yes;
>>         blackhole { ! authorized-clients; any; };
>>         // any other resolution configuration goes here
>> };
>
> "This should work" --- one of the scariest phrases in the computing field :-)

True, true. It means, of course, "The docs suggest this will work, but I haven't actually tested it."

> Unfortunately, blackhole can only appear in the (global) options clause:

I'm happy to be corrected. You'd never know this from reading the BIND ARM. From the description of the view statement:

> Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view.

There is no definitive list of the options that can or can not be used in a view. Likewise, the description of the blackhole statement makes no mention of the fact that it's not valid inside a view.

So, to the original poster, we're back to "it can't be done with BIND configuration". Of course, you could hack the BIND source code...

Chris Buxton
Professional Services
Men & Mice
Re: Disable Refused answer
In message dcf41a2c-d461-4e78-82cd-0add12051...@menandmice.com, Chris Buxton writes:
> On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote:
>> Chris Buxton wrote:
>>> On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
>>>> Hello!
>>>>
>>>> I can't find in the docs how to disable the answer (Refused) if recursion for an IP is not allowed?
>>>
>>> Something like this should work:
>>> ________________________________________
>>>
>>> view caching-server {
>>>         match-recursive-only yes;
>>>         blackhole { ! authorized-clients; any; };
>>>         // any other resolution configuration goes here
>>> };
>>
>> "This should work" --- one of the scariest phrases in the computing field :-)
>
> True, true. It means, of course, "The docs suggest this will work, but I haven't actually tested it."
>
>> Unfortunately, blackhole can only appear in the (global) options clause:
>
> I'm happy to be corrected. You'd never know this from reading the BIND ARM. From the description of the view statement:
>
>> Many of the options given in the options statement can also be used within a view statement, and then apply only when resolving queries with that view.
>
> There is no definitive list of the options that can or can not be used in a view. Likewise, the description of the blackhole statement makes no mention of the fact that it's not valid inside a view.

doc/misc/options gives a definitive list. It is built from the parser.

> So, to the original poster, we're back to "it can't be done with BIND configuration". Of course, you could hack the BIND source code...
>
> Chris Buxton
> Professional Services
> Men & Mice

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: Disable Refused answer
Chris Buxton cbux...@menandmice.com said:
> There is no definitive list of the options that can or can not be used in a view. Likewise, the description of the blackhole statement makes no mention of the fact that it's not valid inside a view.

There is the doc/misc/options file in the BIND sources that lists the many possible items that can be inside a view, along with the options, server, zone, etc. There is the doc/misc/options file in the BIND sources that lists the many possible configuration items available and which section of the configuration they can be used in. The view section can include many different items, but blackhole isn't one of them. This also identifies blackhole as only being part of the options clause.

Also, the ARM mentions blackhole as part of the options section and not in the view section.

> So, to the original poster, we're back to "it can't be done with BIND configuration". Of course, you could hack the BIND source code...

Yes, we are back to that. Another "can't get there from here". Then again, I've never been sure what the original requester was asking for. If he didn't want to give an answer out to someone on a particular network, then the blackhole option would seem to be a perfect solution in the first place.

Thanks for your help on this list,

Bill Larson
Re: parent dns answers the ARR of child dns
--- On Fri, 4/12/09, Kevin Darcy k...@chrysler.com wrote:

> From: Kevin Darcy k...@chrysler.com
> Subject: Re: parent dns answers the ARR of child dns
> To: bind-users@lists.isc.org
> Received: Friday, 4 December, 2009, 1:56 AM
>
> Not only that, but DNS.gduf.edu.cn is performing recursion, while not setting RA in, and not copying RD into, the header of the response.
>
> % dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
>
> ; <<>> DiG 9.3.0 <<>> www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 593
> ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;www.smartip.gduf.edu.cn.       IN      A
>
> ;; ANSWER SECTION:
> www.smartip.gduf.edu.cn. 30     IN      A       218.192.12.3
> www.smartip.gduf.edu.cn. 30     IN      A       218.192.12.4
> www.smartip.gduf.edu.cn. 30     IN      A       218.192.12.10
>
> I suspect this is YABDLBD (Yet Another Brain-Damaged Load-Balancer Device). Or a defective DNS proxy.

Thanks for your answers. But DNS.gduf.edu.cn is a Windows DNS Server running on MS Advanced Server, not a proxy or load-balancer.

> While the cache is populated with these records, even *non-recursive* queries will be given this answer directly, instead of a referral. Once the records time out, referrals are given again.

Yes, I am also confused by this behavior. So do you have any suggestion how to resolve it? I want any query to the subzone to be answered by the subzone's NS server, not by the parent one.

Thanks again.

Regards.