Re: Disable Refused answer

2009-12-03 Thread Peter Andreev 
Search in arm by keyword blackhole will save father of russian democracy
:-)

2009/12/3 Dmitry Rybin kirg...@corbina.net

 Barry Margolin wrote:

 In article mailman.1159.1259764844.14796.bind-us...@lists.isc.org,
  Dmitry Rybin kirg...@corbina.net wrote:

  Hello!

 I can't find in docs how disable answer (Refused), if recursion for IP is
 not allowed?


 What do you expect it to do instead? Not respond at all?


 Drop not allowed request.

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Dmitry Rybin 

Give me parabellum :)

This is not answer. I wont to disable Refused answers for not allowed 
client in recursion.


Peter Andreev wrote:
Search in arm by keyword blackhole will save father of russian 
democracy :-)


2009/12/3 Dmitry Rybin kirg...@corbina.net mailto:kirg...@corbina.net

Barry Margolin wrote:

In article
mailman.1159.1259764844.14796.bind-us...@lists.isc.org
mailto:mailman.1159.1259764844.14796.bind-us...@lists.isc.org,
 Dmitry Rybin kirg...@corbina.net mailto:kirg...@corbina.net
wrote:

Hello!

I can't find in docs how disable answer (Refused), if
recursion for IP is not allowed?


What do you expect it to do instead? Not respond at all?


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Peter Andreev 
Are you want to disable refused answers for recursion and allow any answers
for authoritative information in the same time?

2009/12/3 Dmitry Rybin kirg...@corbina.net

 Give me parabellum :)

 This is not answer. I wont to disable Refused answers for not allowed
 client in recursion.

 Peter Andreev wrote:

 Search in arm by keyword blackhole will save father of russian democracy
 :-)

 2009/12/3 Dmitry Rybin kirg...@corbina.net mailto:kirg...@corbina.net


Barry Margolin wrote:

In article
mailman.1159.1259764844.14796.bind-us...@lists.isc.org
mailto:mailman.1159.1259764844.14796.bind-us...@lists.isc.org,
 Dmitry Rybin kirg...@corbina.net mailto:kirg...@corbina.net

wrote:

Hello!

I can't find in docs how disable answer (Refused), if
recursion for IP is not allowed?


What do you expect it to do instead? Not respond at all?


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Kevin Darcy 

Dmitry Rybin wrote:

Barry Margolin wrote:

In article mailman.1159.1259764844.14796.bind-us...@lists.isc.org,
Dmitry Rybin kirg...@corbina.net wrote:


Hello!

I can't find in docs how disable answer (Refused), if recursion for 
IP is not allowed?


What do you expect it to do instead? Not respond at all?



Drop not allowed request.

This is not compatible with the DNS protocol, as defined:

RFC 1034, Section 4.3.1:

---

If recursive service is requested and available, the recursive response
to a query will be one of the following:

  - The answer to the query, possibly preface by one or more CNAME
RRs that specify aliases encountered on the way to an answer.

  - A name error indicating that the name does not exist.  This
may include CNAME RRs that indicate that the original query
name was an alias for a name which does not exist.

  - A temporary error indication.

If recursive service is not requested or is not available, the non-
recursive response will be one of the following:

  - An authoritative name error indicating that the name does not
exist.

  - A temporary error indication.

  - Some combination of:

RRs that answer the question, together with an indication
whether the data comes from a zone or is cached.

A referral to name servers which have zones which are closer
ancestors to the name than the server sending the reply.

  - RRs that the name server thinks will prove useful to the
requester.

---

Note that no response is not one of the options.

You should probably implement this outside of DNS and BIND, e.g. a stateful 
firewall which would, by policy, drop incoming DNS query packets from certain 
source-address ranges, which have the RD bit set in the DNS query packet header.

- Kevin






___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: parent dns answers the ARR of child dns

2009-12-03 Thread Chris Buxton 
On Dec 3, 2009, at 3:38 AM, Tech W. wrote:
 # dig smartip.gduf.edu.cn ns +short
 dtone1.gduf.edu.cn.
 
 # dig www.smartip.gduf.edu.cn  +short
 121.8.235.88
 
 # dig www.smartip.gduf.edu.cn +trace 

[...]

 www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.4
 www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.10
 www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.3
 ;; Received 89 bytes from 218.192.12.6#53(DNS.gduf.edu.cn) in 106 ms

DNS.gduf.edu.cn is open to recursive queries from anyone. Is it possible you 
were seeing a cached answer?

A DNS server that is authoritative for a zone that has subzones that are 
delegated to other DNS servers should not be performing recursion. Not for 
anyone. It leads to confusing results.

$ dig www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn

;  DiG 9.6.0-APPLE-P2  www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 22315
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.   IN  A

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.3600IN  NS  dtone1.gduf.edu.cn.

;; ADDITIONAL SECTION:
dtone1.gduf.edu.cn. 3600IN  A   218.192.12.233

;; Query time: 398 msec
;; SERVER: 218.192.12.6#53(218.192.12.6)
;; WHEN: Thu Dec  3 08:43:50 2009
;; MSG SIZE  rcvd: 97

$ dig www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn

;  DiG 9.6.0-APPLE-P2  www.smartip.gduf.edu.cn +norec 
@dtone1.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 47739
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.   IN  A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN  A   121.8.235.88

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.3600IN  NS  dtone1.gduf.edu.cn.

;; Query time: 396 msec
;; SERVER: 218.192.12.233#53(218.192.12.233)
;; WHEN: Thu Dec  3 08:44:17 2009
;; MSG SIZE  rcvd: 78

Chris Buxton
Professional Services
Men  Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Chris Buxton 
On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:

 Hello!
 
 I can't find in docs how disable answer (Refused), if recursion for IP is not 
 allowed?

Something like this should work:
_

options {
directory /var/named;
};

acl authorized-clients {
192.0.2.1;
};

view caching-server {
match-recursive-only yes;
blackhole { ! authorized-clients; any; };
// any other resolution configuration goes here
};

view auth-server {
// zones go here
};
_

Note that there is no need to use the allow-query-cache, allow-query, 
allow-recursion, or recursion statements in either view. All recursive queries 
will be caught by the first view, which will drop queries by unauthorized 
clients - no refusal will be sent.

If an authorized client sends a recursive query to the server for local 
authoritative data, as long as the NS records are configured correctly 
(possibly along with stub zone statements in the caching-server view), the 
server will query itself (iteratively, so hitting the auth-server view) and 
find the data.

The only way in which this differs from what you want is, if someone sends a 
recursive query for your authoritative zone data from an unauthorized IP, the 
query will be dropped. But this will probably only happen in testing with dig 
or nslookup, and it can be worked around (by the user) by turning off the RD 
flag in the request.

Chris Buxton
Professional Services
Men  Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: parent dns answers the ARR of child dns

2009-12-03 Thread Kevin Darcy 
Not only that, but DNS.gduf.edu.cn is performing recursion, while not 
setting RA in, and not copying RD into, the header of the response.


% dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn

;  DiG 9.3.0  www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
;; global options: printcmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 593
;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn. IN A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.4
www.smartip.gduf.edu.cn. 30 IN A 218.192.12.10

I suspect this is YABDLBD (Yet Another Brain-Damaged Load-Balancer 
Device). Or a defective DNS proxy.


While the cache is populated with these records, even *non-recursive* 
queries will be given this answer directly, instead of a referral. Once 
the records time out, referrals are given again.


But, why do you (the original poster) care? If the caching of these 
records by this server is a problem, surely it's a more *general* 
problem of the records being cached by resolvers everywhere. Either set 
the TTLs accordingly, or abandon whatever plans you have to make the 
responses completely dynamic, or ordered in any particular way...


DNS isn't, and never was intended to be, a comprehensive load-balancing 
or failover mechanism. Maybe it can become that, if SRV records were 
used as a matter of course, but we haven't achieved that yet. Not by a 
long shot.


Since the addresses all appear to be in the same subnet, you might want 
to look into front-ending them with some sort of dedicated local 
load-balancer, either implemented in hardware or software.


- Kevin



Chris Buxton wrote:

On Dec 3, 2009, at 3:38 AM, Tech W. wrote:
  

# dig smartip.gduf.edu.cn ns +short
dtone1.gduf.edu.cn.

# dig www.smartip.gduf.edu.cn  +short
121.8.235.88

# dig www.smartip.gduf.edu.cn +trace 



[...]

  

www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.4
www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.10
www.smartip.gduf.edu.cn. 8  IN  A   218.192.12.3
;; Received 89 bytes from 218.192.12.6#53(DNS.gduf.edu.cn) in 106 ms



DNS.gduf.edu.cn is open to recursive queries from anyone. Is it possible you 
were seeing a cached answer?

A DNS server that is authoritative for a zone that has subzones that are 
delegated to other DNS servers should not be performing recursion. Not for 
anyone. It leads to confusing results.

$ dig www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn

;  DiG 9.6.0-APPLE-P2  www.smartip.gduf.edu.cn +norec @DNS.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 22315
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.   IN  A

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.3600IN  NS  dtone1.gduf.edu.cn.

;; ADDITIONAL SECTION:
dtone1.gduf.edu.cn. 3600IN  A   218.192.12.233

;; Query time: 398 msec
;; SERVER: 218.192.12.6#53(218.192.12.6)
;; WHEN: Thu Dec  3 08:43:50 2009
;; MSG SIZE  rcvd: 97

$ dig www.smartip.gduf.edu.cn +norec @dtone1.gduf.edu.cn

;  DiG 9.6.0-APPLE-P2  www.smartip.gduf.edu.cn +norec 
@dtone1.gduf.edu.cn
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 47739
;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.smartip.gduf.edu.cn.   IN  A

;; ANSWER SECTION:
www.smartip.gduf.edu.cn. 30 IN  A   121.8.235.88

;; AUTHORITY SECTION:
smartip.gduf.edu.cn.3600IN  NS  dtone1.gduf.edu.cn.

;; Query time: 396 msec
;; SERVER: 218.192.12.233#53(218.192.12.233)
;; WHEN: Thu Dec  3 08:44:17 2009
;; MSG SIZE  rcvd: 78

Chris Buxton
Professional Services
Men  Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


  


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Kevin Darcy 

Chris Buxton wrote:

On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:

  

Hello!

I can't find in docs how disable answer (Refused), if recursion for IP is not 
allowed?



Something like this should work:
_

options {
directory /var/named;
};

acl authorized-clients {
192.0.2.1;
};

view caching-server {
match-recursive-only yes;
blackhole { ! authorized-clients; any; };
// any other resolution configuration goes here
};

view auth-server {
// zones go here
};
  
This should work --- one of the scariest phrases in the computing 
field :-)


Unfortunately, blackhole can only appear the (global) options clause:

% cat /tmp/buxton.example
options {
directory /tmp;
};

acl authorized-clients {
192.0.2.1;
};

view caching-server {
match-recursive-only yes;
// any other resolution configuration goes here
blackhole { ! authorized-clients; any; };
};

% ./named-checkconf /tmp/buxton.example
/tmp/buxton.example:12: unknown option 'blackhole'
% ed /tmp/buxton.example
218
12m2
1,$p
options {
directory /tmp;
blackhole { ! authorized-clients; any; };
};

acl authorized-clients {
192.0.2.1;
};

view caching-server {
match-recursive-only yes;
// any other resolution configuration goes here
};
w
218
q
% ./named-checkconf /tmp/buxton.example
%

- Kevin

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Chris Buxton 
On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote:
 Chris Buxton wrote:
 On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
 Hello!
 
 I can't find in docs how disable answer (Refused), if recursion for IP is 
 not allowed?
 
 
 Something like this should work:
 _
 
 view caching-server {
  match-recursive-only yes;
  blackhole { ! authorized-clients; any; };
  // any other resolution configuration goes here
 };
 
 
 This should work --- one of the scariest phrases in the computing field :-)

True, true. It means, of course, The docs suggest this will work, but I 
haven't actually tested it.

 Unfortunately, blackhole can only appear the (global) options clause:

I'm happy to be corrected. You'd never know this from reading the BIND ARM.

From the description of the view statement:

Many of the options given in the options statement can also be used
within a view statement, and then apply only when resolving queries
with that view.

There is no definitive list of the options that can or can not be used in a 
view. Likewise, the description of the blackhole statement makes no mention of 
the fact that it's not valid inside a view.

So, to the original poster, we're back to it can't be done with BIND 
configuration. Of course, you could hack the BIND source code...

Chris Buxton
Professional Services
Men  Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Mark Andrews 

In message dcf41a2c-d461-4e78-82cd-0add12051...@menandmice.com, Chris Buxton 
writes:
 On Dec 3, 2009, at 10:16 AM, Kevin Darcy wrote:
  Chris Buxton wrote:
  On Dec 2, 2009, at 6:40 AM, Dmitry Rybin wrote:
  Hello!
  
  I can't find in docs how disable answer (Refused), if recursion for IP is
  not allowed?
  
  
  Something like this should work:
  _
  
  view caching-server {
 match-recursive-only yes;
 blackhole { ! authorized-clients; any; };
 // any other resolution configuration goes here
  };
  
  
  This should work --- one of the scariest phrases in the computing field 
 :-)
 
 True, true. It means, of course, The docs suggest this will work, but I have
 n't actually tested it.
 
  Unfortunately, blackhole can only appear the (global) options clause:
 
 I'm happy to be corrected. You'd never know this from reading the BIND ARM.
 
 From the description of the view statement:
 
   Many of the options given in the options statement can also be used
   within a view statement, and then apply only when resolving queries
   with that view.
 
 There is no definitive list of the options that can or can not be used in a v
 iew. Likewise, the description of the blackhole statement makes no mention of
  the fact that it's not valid inside a view.

doc/misc/options gives a definitive list.  It is built from the parser.

 So, to the original poster, we're back to it can't be done with BIND configu
 ration. Of course, you could hack the BIND source code...
 
 Chris Buxton
 Professional Services
 Men  Mice
 
 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Disable Refused answer

2009-12-03 Thread Bill Larson 
Chris Buxton cbux...@menandmice.com said:

 There is no definitive list of the options that can or can not be used in 
a view. Likewise, the description of the blackhole statement makes no 
mention of the fact that it's not valid inside a view.

There is the doc/misc/options file in the BIND sources that lists the many 
possible items that can be inside a view, along with 
the options, server, zone, etc.

There is the doc/misc/options file in the BIND sources that lists the many 
possible configuration items available and what section of the configuration 
that can be used.  The view section can include many different items, 
but blackhole isn't one of them.

This also identifies blackhole as only being part of the options 
clause.  Also, the ARM mentions blackhole as part of the options section 
and not in the view section.

 So, to the original poster, we're back to it can't be done with BIND 
configuration. Of course, you could hack the BIND source code...

Yes, we are back to that.  Another can't get there from here.

Then again, I've never been sure what the original requester was asking 
for.  If he didn't want to give an answer out to someone on a particular 
network, then the blackhole option would seem to be a perfect solution in 
the first place.

Thanks for your help on this list,

Bill Larson
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: parent dns answers the ARR of child dns

2009-12-03 Thread Tech W. 


--- On Fri, 4/12/09, Kevin Darcy k...@chrysler.com wrote:

 From: Kevin Darcy k...@chrysler.com
 Subject: Re: parent dns answers the ARR of child dns
 To: bind-users@lists.isc.org
 Received: Friday, 4 December, 2009, 1:56 AM
 Not only that, but DNS.gduf.edu.cn is
 performing recursion, while not 
 setting RA in, and not copying RD into, the header of the
 response.
 
 % dig www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
 
 ;  DiG 9.3.0 
 www.smartip.gduf.edu.cn. @DNS.gduf.edu.cn
 ;; global options: printcmd
 ;; Got answer:
 ;; -HEADER- opcode: QUERY, status: NOERROR,
 id: 593
 ;; flags: qr aa; QUERY: 1, ANSWER: 3, AUTHORITY: 1,
 ADDITIONAL: 0
 
 ;; QUESTION SECTION:
 ;www.smartip.gduf.edu.cn. IN A
 
 ;; ANSWER SECTION:
 www.smartip.gduf.edu.cn. 30 IN A 218.192.12.3
 www.smartip.gduf.edu.cn. 30 IN A 218.192.12.4
 www.smartip.gduf.edu.cn. 30 IN A 218.192.12.10
 
 I suspect this is YABDLBD (Yet Another Brain-Damaged
 Load-Balancer 
 Device). Or a defective DNS proxy.

Thanks for your answers.
But DNS.gduf.edu.cn is a Windows DNS Server running on MS Advanced Server,
not a proxy or load-balancer.

 
 While the cache is populated with these records, even
 *non-recursive* 
 queries will be given this answer directly, instead of a
 referral. Once 
 the records time out, referrals are given again.
 

Yes I am also confused by this behavior.
So do you have any suggestion how to resolve it?
I want, any query to the subzone should be answered by subzone's NS server, not 
by the parent one.


Thanks again.
Regards.



  
__
Win 1 of 4 Sony home entertainment packs thanks to Yahoo!7.
Enter now: http://au.docs.yahoo.com/homepageset/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users