Re: to route specific dns query to specific dns server
Hopefully the microsoft domain is a name that is not availible on the internet, like mymsdomain.local. Then your microsoft server is known as domaincontroller.mymsdomain.local. Of course ! In that case you would setup a forwarder in BIND for mymsdomain.local that points to the microsoft dns servers. Ok, but I'd like understanding if: 1- for every query to BIND there is always a forwarding to microsoft dns servers or if there is only a forwarding for queries containing 'mymsdomain.local' domain ? 2- If I configure BIND how you suggest me, can I not permit Internet queries for ''mymsdomain.local' ? 3- Can you show me sample example of forwarding configure file for specific domain, please ? - Original Message - From: Lyle Giese To: Riccardo Castellani Sent: Tuesday, December 28, 2010 11:12 PM Subject: Re: to route specific dns query to specific dns server Riccardo Castellani wrote: I'm using Bind9 for my name server (SERVER EXT) and to give name resolution for who access from Internet to my domain (e.g. to access to my Web site or to write to my email addresses). My domain is example.com: www.Example.com test.h...@example.com This dns server maps only my pubblic addresses. This server has 2 nics: internal + external ip address. Some internal servers, as proxy or mail servers, send dns requests to this dns server to solve names. I have also internal MS domain (dns server is SERVER INT) which is different from the other, it's created by Domain Controllers + AD (activedirectory.com) and it's used to map machines into internal network. Now I my email server or proxy server (which are in internal network) need to synchronize time so they have to use my internal NTP server; these Linux machines use 'SERVER EXT' in /etc/resolv.conf, so how I can indicate to send request for specific internal name (ntp.activedirectory.com) to dns server INT ? I could insert it inot /etc/hosts but it's not dnss service !!! Hopefully the microsoft domain is a name that is not availible on the internet, like mymsdomain.local. Then your microsoft server is known as domaincontroller.mymsdomain.local. In that case you would setup a forwarder in BIND for mymsdomain.local that points to the microsoft dns servers. Then when the linux boxes want domaincontroller.mymsdomain.local, your Bind name server will ask the microsoft dns servers for the answer. Lyle Giese LCR Computer Services, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind9 cache
On man 27 dec 2010 15:09:15 CET, Mark Andrews wrote You are falling foul of out of date filters. 2/8 was only allocated 2009-09 so you will still find sites that are blocking packets from / route for 2/8. post to bind-users@lists.isc.org not to bind-us...@isc.org well is there anything i can do to solve it in named.conf other then just add forward zone to use google public dns for the failing domains with non working dns setups ? if nameserver admins is danish i will call them, but if outside of danmark i get a big phonebill for things that is not my fault in the first place -- xpoint ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
DNSSEC - mismatch between algorithm and type of NSEC
Hello, And my best whishes for the new year 2011 ! May we have lots of interesting questions, where we all can learn from ;-) (hope my question is also in that category ...) As .eu top level domain we try to avoid inserting DS records in our zone where corresponding DNSKEY information is missing from the customers' zone file, thus avoiding to activated DNSSEC with an already broken chain-of-trust. However, we now found the following case : 1) registrar offers us DNSKEY information with algorithm 7 : RSASHA1-NSEC3-SHA1 2) in the zone file, there are NSEC (and not NSEC3) records Public DNSSEC verification tools (dnsviz, verisignlabs) don't seem to make a problem out of this (they do signal an insecure delegation, obviously : we don't publish a DS record). ((there must be a wildcard in the zone file, So I can enter a domain name where the verification tools get NSEC records)) I can simulate the case in a test environment, of course, But then I only see the behaviour of a specific name server implementation. But what is the list's interpretation of this situation : erronous or not ? Does any DNSSEC RFC mention this case and prescribe a reaction to this ? (I didn't find any - RFC5155 states the new algorithms - 6 and 7 - *must* be used when NSEC3 is used, But not a word - unless I overlooked it - about using algorithm 7 and yet, NSEC ...) Looking forward to your comments. Kind regards, Marc Lampo Security Officer EURid Woluwelaan 150 1831 Diegem - Belgium TEL.: +32 (0) 2 401 3030 MOB.:+32 (0)476 984 391 marc.la...@eurid.eu http://www.eurid.eu Want a .eu web address in your own language? Find out how so you dont miss out! Register your .eu domain name and win an iPod touch this X-Mas http://www.winwith.eu ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: auto update signatures dnssec
Hi there, On Wed, 29 Dec 2010 Alan Clegg wrote: In your named.conf, you should have key-directory ...; defined. The keys should be there (and readable by the named process). If you don't have a key-directory statement, then named will look in the working directory from which the process was started (which is normally a bad idea...) Perhaps named-checkconf should issue a warning if it finds that this option is not defined? -- 73, Ged. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC - mismatch between algorithm and type of NSEC
What was the observed behaviour in your test system? From a sanity point of view and if you are checking the zone prior to accepting the DNSKEY, then I see nothing wrong in rejecting it. There are already other restrictions on domains in .EU that establish a precedent for being more demanding on DNSSEC signed zones. On 29/12/10 9:37 AM, Marc Lampo marc.la...@eurid.eu wrote: Hello, And my best whishes for the new year 2011 ! May we have lots of interesting questions, where we all can learn from ;-) (hope my question is also in that category ...) As .eu top level domain we try to avoid inserting DS records in our zone where corresponding DNSKEY information is missing from the customers' zone file, thus avoiding to activated DNSSEC with an already broken chain-of-trust. However, we now found the following case : 1) registrar offers us DNSKEY information with algorithm 7 : RSASHA1-NSEC3-SHA1 2) in the zone file, there are NSEC (and not NSEC3) records Public DNSSEC verification tools (dnsviz, verisignlabs) don't seem to make a problem out of this (they do signal an insecure delegation, obviously : we don't publish a DS record). ((there must be a wildcard in the zone file, So I can enter a domain name where the verification tools get NSEC records)) I can simulate the case in a test environment, of course, But then I only see the behaviour of a specific name server implementation. But what is the list's interpretation of this situation : erronous or not ? Does any DNSSEC RFC mention this case and prescribe a reaction to this ? (I didn't find any - RFC5155 states the new algorithms - 6 and 7 - *must* be used when NSEC3 is used, But not a word - unless I overlooked it - about using algorithm 7 and yet, NSEC ...) Looking forward to your comments. Kind regards, Marc Lampo Security Officer EURid Woluwelaan 150 1831 Diegem - Belgium TEL.: +32 (0) 2 401 3030 MOB.:+32 (0)476 984 391 marc.la...@eurid.eu http://www.eurid.eu Want a .eu web address in your own language? Find out how so you don¹t miss out! Register your .eu domain name and win an iPod touch this X-Mas http://www.winwith.eu ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users -- Kal Feher ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9.7.2-P3 does not resolve www.microsoft.com
Thanks a lot for all your suggestions. I haven't found a solution yet, but found something which got my attention: Have a look at the TTL of the following CNAME entries. What happens when the lookup lasts longer than those 57 seconds? Maybe named will get in trouble then? AND what do the RFC say about those CNAME chains? CNAME points to a CNAME? As I wrote, my DNS server is quite busy and the trouble does not happen when it has no load at all (copied VM). Thanks Thilo PS: I circumvented the trouble with a forward of microsoft.com to my other nameserver (bind 9.3.2 btw) which is able to resolve it without a problem. --- dig www.microsoft.com @localhost ; DiG 9.7.2-P3 www.microsoft.com @localhost ;; global options: +cmd ;; Got answer: ;; -HEADER- opcode: QUERY, status: NOERROR, id: 18589 ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 11, ADDITIONAL: 4 ;; QUESTION SECTION: ;www.microsoft.com. IN A ;; ANSWER SECTION: www.microsoft.com. 3582IN CNAME toggle.www.ms.akadns.net. toggle.www.ms.akadns.net. 57IN CNAME g.www.ms.akadns.net. g.www.ms.akadns.net.57 IN CNAME lb1.www.ms.akadns.net. lb1.www.ms.akadns.net. 282 IN A 65.55.12.249 ;; AUTHORITY SECTION: akadns.net. 172782 IN NS zd.akadns.org. akadns.net. 172782 IN NS ze.akadns.net. akadns.net. 172782 IN NS zf.akadns.net. akadns.net. 172782 IN NS eur1.akadns.net. akadns.net. 172782 IN NS use3.akadns.net. akadns.net. 172782 IN NS use4.akadns.net. akadns.net. 172782 IN NS usw2.akadns.net. akadns.net. 172782 IN NS asia9.akadns.net. akadns.net. 172782 IN NS za.akadns.org. akadns.net. 172782 IN NS zb.akadns.org. akadns.net. 172782 IN NS zc.akadns.org. ;; ADDITIONAL SECTION: za.akadns.org. 21582 IN A 96.6.112.198 zb.akadns.org. 21582 IN A 64.211.42.194 zc.akadns.org. 21582 IN A 124.40.52.133 zd.akadns.org. 21583 IN A 72.246.46.4 ;; Query time: 0 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Wed Dec 29 13:38:06 2010 ;; MSG SIZE rcvd: 395 -- EUROIMMUN AG Thilo Wunderlich IT-Technik Werkstrasse 2-22 23942 Dassow Tel: +49 451 58 55-40614 Fax: +49 451 58 55-24359 www.euroimmun.de -- Das Impressum der EUROIMMUN AG Deutschland finden Sie unter www.euroimmun.de/impressum.htm ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: to route specific dns query to specific dns server
May I suggest the book DNS and Bind 5th edition. Availible from Amazon: http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574/ref=sr_1_1?ie=UTF8qid=1293629633sr=8-1 All of these things can be done. Do some reading! Yes you setup forwarding only for the microsoft domain name. And yes you can setup BIND to not answer questions from the Internet about your Microsoft domain, but in my opinion that is not necessary. You do want to disable recursive queries from the Internet and there are no pointers out on the Internet pointing your microsoft domain to you BIND server, so noone outside your internal network will know about the microsoft domain. The book has examples plus syntax and examples that will cover the rest of your questions. Lyle Giese LCR Computer Services, Inc. Riccardo Castellani wrote: Hopefully the microsoft domain is a name that is not availible on the internet, like mymsdomain.local. Then your microsoft server is known as domaincontroller.mymsdomain.local. Of course ! In that case you would setup a forwarder in BIND for mymsdomain.local that points to the microsoft dns servers. Ok, but I'd like understanding if: 1- for every query to BIND there is always a forwarding to microsoft dns servers or if there is only a forwarding for queries containing 'mymsdomain.local' domain ? 2- If I configure BIND how you suggest me, can I not permit Internet queries for ''mymsdomain.local' ? 3- Can you show me sample example of forwarding configure file for specific domain, please ? - Original Message - *From:* Lyle Giese mailto:l...@lcrcomputer.net *To:* Riccardo Castellani mailto:ric.castell...@alice.it *Sent:* Tuesday, December 28, 2010 11:12 PM *Subject:* Re: to route specific dns query to specific dns server Riccardo Castellani wrote: I'm using Bind9 for my name server (SERVER EXT) and to give name resolution for who access from Internet to my domain (e.g. to access to my Web site or to write to my email addresses). My domain is example.com: www.Example.com http://www.Example.com test.h...@example.com mailto:test.h...@example.com This dns server maps only my pubblic addresses. This server has 2 nics: internal + external ip address. Some internal servers, as proxy or mail servers, send dns requests to this dns server to solve names. I have also internal MS domain (dns server is SERVER INT) which is different from the other, it's created by Domain Controllers + AD (activedirectory.com) and it's used to map machines into internal network. Now I my email server or proxy server (which are in internal network) need to synchronize time so they have to use my internal NTP server; these Linux machines use 'SERVER EXT' in /etc/resolv.conf, so how I can indicate to send request for specific internal name (ntp.activedirectory.com) to dns server INT ? I could insert it inot /etc/hosts but it's not dnss service !!! Hopefully the microsoft domain is a name that is not availible on the internet, like mymsdomain.local. Then your microsoft server is known as domaincontroller.mymsdomain.local. In that case you would setup a forwarder in BIND for mymsdomain.local that points to the microsoft dns servers. Then when the linux boxes want domaincontroller.mymsdomain.local, your Bind name server will ask the microsoft dns servers for the answer. Lyle Giese LCR Computer Services, Inc. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: DNSSEC - mismatch between algorithm and type of NSEC
On 12/29/2010 3:37 AM, Marc Lampo wrote: However, we now found the following case : 1) registrar offers us DNSKEY information with algorithm 7 : RSASHA1-NSEC3-SHA1 2) in the zone file, there are NSEC (and not NSEC3) records This is not an error. The only reason for there being different algorithm numbers within RSASHA1 was to keep older systems that don't know about NSEC3 from dealing with NSEC3 responses incorrectly. All newer algorithms can be used for both NSEC and NSEC3. AlanC signature.asc Description: OpenPGP digital signature ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: question about multiple queries in a single dns packet
On 12/29/2010 2:17 PM, Federico Barbieri wrote: Not sure if this is the right place to ask but I've been trying to dig around and found nothing... reading the dns specification it would seems possible to send multiple request in a single packet. I'm not sure what the actual reference is, but don't do that. Nobody supports it (what would the answer section contain? what does the RCODE actually mean?)... AlanC signature.asc Description: OpenPGP digital signature ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: question about multiple queries in a single dns packet
On 12/29/10 14:06, Alan Clegg wrote: On 12/29/2010 2:17 PM, Federico Barbieri wrote: Not sure if this is the right place to ask but I've been trying to dig around and found nothing... reading the dns specification it would seems possible to send multiple request in a single packet. I'm not sure what the actual reference is, but don't do that. Nobody supports it (what would the answer section contain? what does the RCODE actually mean?)... I believe it's in the EDNS1 specification that Paul did a while back, after EDNS0. I don't think it ever got advanced to RFC: http://tools.ietf.org/html/draft-ietf-dnsext-edns1-03 See especially section 4. The answer to your question on RCODE: 4.2. RCODE and AA apply to all RRs in the answer section having the QNAME that is shared by all questions in the question section. AA applies to all matching answers, and will not be set unless the exact original request was processed by an authoritative server and the response forwarded in its entirety. michael ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: ignoring incorrect nameservers in authority section
What's the difference between these two flags in the response of dig? ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 --- ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 Thanks in advance. Sunil Shetye writes: Quoting from David Sparro's mail on Tue, Dec 28, 2010: Here, I can see that the nameserver is giving the right replies to all queries except the NS queries. How can an authoritative server give wrong answers? Due to misconfiguration of the NS records. My guess is that the domain was transferred from one nameserver to another without updating the NS records and the domain registration was updated. Another reason could be that some ill-informed DNS administrators are replacing their NS records with 'blackhole' or 'fake' nameservers to avoid DNS attacks on their actual servers. I was hoping that either bind should catch such cases automatically or allow some workaround which need not be monitored later. You're asking BIND to deduce the intent of the domain owner. It is hard to say whether it is intentional or due to a misconfiguration. Note that my aim is to ensure that dig +trace (or a non-caching nameserver) should give the same answer as named (ignoring TTL). If dig +trace is always landing at the right server while named is always landing at the wrong server (till the cached NS records expire) (see case 3 below), it is very hard to debug the problem. Here are the detailed cases which are applicable here. When bind queries a nameserver, the following types of answers are expected (apart from referrals, refused replies, and other errors): Case 1: Authoritative Server Reply === $ dig +norecurse @a.iana-servers.net. example.org. ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;example.org. IN A ;; ANSWER SECTION: example.org. 172800 IN A 192.0.32.10 ;; AUTHORITY SECTION: example.org.172800 IN NS a.iana-servers.net. example.org.172800 IN NS b.iana-servers.net. === This is the answer in the correct format. Both the A and NS records are cached. bind will give a similar reply back to the client. Case 2: Lame Server Reply === $ dig +norecurse @a.iana-servers.net. example.org. ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;example.org. IN A ;; ANSWER SECTION: example.org. 172800 IN A 192.0.32.10 ;; AUTHORITY SECTION: example.org.172800 IN NS ns1.example.org. example.org.172800 IN NS ns2.example.org. === This is a lame server reply. bind ignores this reply. bind will give a server fail reply to the client. Case 3: Authoritative Server Reply with Lame NS Records === $ dig +norecurse @a.iana-servers.net. example.org. ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ;; QUESTION SECTION: ;example.org. IN A ;; ANSWER SECTION: example.org. 172800 IN A 192.0.32.10 ;; AUTHORITY SECTION: example.org.172800 IN NS ns1.example.org. example.org.172800 IN NS ns2.example.org. === Here, we are getting an authoritative reply. This means that the A record can be cached. However, note that NS section here does not list a.iana-servers.net. Should bind cache this authority section? If ns[12].example.org. were the real nameservers, we should have got a referral from a.iana-servers.net. and not an authoritative answer. If bind does cache this (as it currently does), the next query for example.org will go to ns[12].example.org. directly. However, here we can see that a.iana-servers.net. is actually the authoritative nameserver, which means that it is ready to answer all example.org queries. If bind does not cache the NS records, it will land via referrals back to a.iana-servers.net. for the next query and get the correct authoritative answer. What should bind reply back to the client? It would be safe to drop the authority section in the reply. === $ dig example.org. ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;example.org. IN A ;; ANSWER SECTION: example.org.172800 IN A 192.0.32.10 === Hope that this elaborate example clears the picture of what I am trying to convey. Note that querying of NS records will also have to be handled in a consistent manner. However, some more thought may be required there. -- Sunil Shetye.
Re: ignoring incorrect nameservers in authority section
Quoting from p...@mail.nsbeta.info's mail on Thu, Dec 30, 2010: What's the difference between these two flags in the response of dig? ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 ra : recursion available The nameserver is ready to ask other nameservers for the record we queried. As the 'aa' flag is also missing above, the answer is not authoritative. ;; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0 aa : authoritative answer The nameserver is authoritative for the zone of the record that we queried. As the 'ra' flag is also missing above, the nameserver will not do a lookup for you for records it does not know about. -- Sunil Shetye. ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
