Re: FORMERR for wikipedia...
On Mar 16 2011, Jay Ford wrote:

[...]

To me it looks like BIND is doing the right thing (as usual ;^),

Yes (or *a* right thing, anyway).

but the wikipedia... servers are returning bogus responses.

Yes. Specifically the response is neither a valid nodata response, nor a valid referral. Distinguishing these is a sensitive business, as RFC 2308 section 2.2 explains.

--
Chris Thompson
Email: c...@cam.ac.uk
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: FORMERR for wikipedia...
On Thu, 17 Mar 2011, Mark Andrews wrote:

The nameservers for wikipedia.org are broken. They put the wrong SOA record in the negative response, wikipedia.org != wikimedia.org.

M vs P Exactly.

The administrators of wikimedia.org were informed about this months ago but they don't seem to care. They fail to acknowledge the problem or to fix the problem. wikimedia.org are not alone in this. There are thousands of web sites that return the wrong answers to lookups. Meanwhile everyone wants resolver vendors to make the lookups work. We can't when the authoritative servers are broken. It's time the users complained.

That's where I'm going with this, but specific information with a suggested fix is usually better than just pointing out that it's broken. Is it known what software and/or config causes this broken behavior?

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
Need help to know about ROOT DNS query
Hi,

We have two internal Windows DNS servers which answer all DNS queries by forwarding them to the gateway DNS server running in Redhat BIND. But I have a query regarding allowing ROOT DNS query on internal DNS server.

Can anyone let me know whether company internal DNS server should respond to ROOT DNS query. When I execute the

# dig . NS @my-company-name-server

query I am getting a complete response.

Let me know whether enabling ROOT DNS query is a security threat. For more information can you read and help us to securely configure our company internal Windows DNS server and its impact of disabling it.

; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10

;; QUESTION SECTION:
;.                          IN  NS

;; ANSWER SECTION:
.                    49842  IN  NS  j.root-servers.net.
.                    49842  IN  NS  k.root-servers.net.
.                    49842  IN  NS  l.root-servers.net.
.                    49842  IN  NS  m.root-servers.net.
.                    49842  IN  NS  a.root-servers.net.
.                    49842  IN  NS  b.root-servers.net.
.                    49842  IN  NS  c.root-servers.net.
.                    49842  IN  NS  d.root-servers.net.
.                    49842  IN  NS  e.root-servers.net.
.                    49842  IN  NS  f.root-servers.net.
.                    49842  IN  NS  g.root-servers.net.
.                    49842  IN  NS  h.root-servers.net.
.                    49842  IN  NS  i.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.  49842  IN  A   192.58.128.30
a.root-servers.net.  49842  IN  A   198.41.0.4
b.root-servers.net.  49842  IN  A   192.228.79.201
c.root-servers.net.  49842  IN  A   192.33.4.12
d.root-servers.net.  49842  IN  A   128.8.10.90
e.root-servers.net.  49842  IN  A   192.203.230.10
f.root-servers.net.  49842  IN  A   192.5.5.241
g.root-servers.net.  49842  IN  A   192.112.36.4
h.root-servers.net.  49842  IN  A   128.63.2.53
i.root-servers.net.  49842  IN  A   192.36.148.17

;; Query time: 34 msec
;; SERVER: 10.0.0.1#53(10.132.1.13)
;; WHEN: Thu Mar 17 17:16:18 2011
;; MSG SIZE rcvd: 401
Re: FORMERR for wikipedia...
On Thu, 17 Mar 2011, Mark Bergsma wrote:

On Mar 17, 2011, at 6:48 AM, Jay Ford wrote:

On Thu, 17 Mar 2011, Mark Andrews wrote:

The nameservers for wikipedia.org are broken. They put the wrong SOA record in the negative response, wikipedia.org != wikimedia.org. The administrators of wikimedia.org were informed about this months ago but they don't seem to care. They fail to acknowledge the problem or to fix the problem. wikimedia.org are not alone in this. There are thousands of web sites that return the wrong answers to lookups. Meanwhile everyone wants resolver vendors to make the lookups work. We can't when the authoritative servers are broken. It's time the users complained.

That's where I'm going with this, but specific information with a suggested fix is usually better than just pointing out that it's broken. Is it known what software and/or config causes this broken behavior?

It's PowerDNS 2.9.22 that is breaking this, and it will be fixed by PowerDNS 3.0 once that's released, and we get around to deploying it. HTH!

Indeed it helps. Thanks for the info and good luck with the upgrade.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
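
Added example, not part of any message in this thread and not BIND's or PowerDNS's code: a sketch of the RFC 2308 section 2.2 distinction discussed above, showing why an SOA for wikimedia.org in a negative answer about a wikipedia.org name fits neither a nodata response nor a referral. The dict layout, function names and the query name www.wikipedia.org are assumptions made for illustration; the sample responses are constructed.

```python
# Added example: classify an empty-answer NOERROR response per RFC 2308
# section 2.2. Responses are plain dicts; all sample data is constructed.

def labels(name):
    """Split a domain name into lowercase labels; '.' (root) gives []."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []

def is_at_or_below(name, zone):
    """True if `name` equals `zone` or is a subdomain of it."""
    n, z = labels(name), labels(zone)
    return len(z) <= len(n) and n[len(n) - len(z):] == z

def classify(resp):
    """Return 'answer', 'nodata', 'referral', 'invalid' or 'other-rcode'."""
    if resp["rcode"] != "NOERROR":
        return "other-rcode"
    if resp["answer"]:
        return "answer"
    qname = resp["qname"]
    soa = [owner for owner, rtype in resp["authority"] if rtype == "SOA"]
    ns = [owner for owner, rtype in resp["authority"] if rtype == "NS"]
    if soa:
        # NODATA: the SOA must be for a zone that encloses the query name.
        ok = all(is_at_or_below(qname, owner) for owner in soa)
        return "nodata" if ok else "invalid"
    if ns:
        # Referral: NS records without SOA, for a zone enclosing the name.
        ok = all(is_at_or_below(qname, owner) for owner in ns)
        return "referral" if ok else "invalid"
    return "nodata"  # no SOA and no NS: still NODATA per RFC 2308 2.2

def sample(authority):
    """Build a constructed empty-answer response for www.wikipedia.org."""
    return {"qname": "www.wikipedia.org.", "rcode": "NOERROR",
            "answer": [], "authority": authority}

GOOD_NODATA = sample([("wikipedia.org.", "SOA")])
WRONG_SOA = sample([("wikimedia.org.", "SOA")])  # the mismatch in the thread
REFERRAL = sample([("org.", "NS"), ("org.", "NS")])

if __name__ == "__main__":
    for name, resp in [("good", GOOD_NODATA), ("wrong SOA", WRONG_SOA),
                       ("referral", REFERRAL)]:
        print(name, "->", classify(resp))
```
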
Re: Need help to know about ROOT DNS query
Quoting babu dheen babudh...@yahoo.co.in:

Hi,

We have two internal Windows DNS servers which answer all DNS queries by forwarding them to the gateway DNS server running in Redhat BIND. But I have a query regarding allowing ROOT DNS query on internal DNS server.

I guess it does not mean your internal servers should deliver results for query . NS because this is the default and no security risk at all. I suspect that the demand is for not using the forwarders but do DNS queries from within the network on its own by asking the root servers and the whole chain like dig +trace?

Regards

Andreas
Re: Need help to know about ROOT DNS query
Nah, that's fine (and normal). BIND comes configured with the roots so that it can start resolution.

I guess I don't fully understand your concern here -- is it that you are worried that the root might see queries and so know your internal hostnames?

W

Warren Kumari
--
Please excuse typing, etc -- This was sent from a device with a tiny keyboard.

On Mar 17, 2011, at 7:20 AM, babu dheen babudh...@yahoo.co.in wrote:

Hi,

We have two internal Windows DNS servers which answer all DNS queries by forwarding them to the gateway DNS server running in Redhat BIND. But I have a query regarding allowing ROOT DNS query on internal DNS server.

Can anyone let me know whether company internal DNS server should respond to ROOT DNS query. When I execute the

# dig . NS @my-company-name-server

query I am getting a complete response.

Let me know whether enabling ROOT DNS query is a security threat. For more information can you read and help us to securely configure our company internal Windows DNS server and its impact of disabling it.

; <<>> DiG 9.3.3rc2 <<>> . NS @10.0.0.1
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34899
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 10

;; QUESTION SECTION:
;.                          IN  NS

;; ANSWER SECTION:
.                    49842  IN  NS  j.root-servers.net.
.                    49842  IN  NS  k.root-servers.net.
.                    49842  IN  NS  l.root-servers.net.
.                    49842  IN  NS  m.root-servers.net.
.                    49842  IN  NS  a.root-servers.net.
.                    49842  IN  NS  b.root-servers.net.
.                    49842  IN  NS  c.root-servers.net.
.                    49842  IN  NS  d.root-servers.net.
.                    49842  IN  NS  e.root-servers.net.
.                    49842  IN  NS  f.root-servers.net.
.                    49842  IN  NS  g.root-servers.net.
.                    49842  IN  NS  h.root-servers.net.
.                    49842  IN  NS  i.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net.  49842  IN  A   192.58.128.30
a.root-servers.net.  49842  IN  A   198.41.0.4
b.root-servers.net.  49842  IN  A   192.228.79.201
c.root-servers.net.  49842  IN  A   192.33.4.12
d.root-servers.net.  49842  IN  A   128.8.10.90
e.root-servers.net.  49842  IN  A   192.203.230.10
f.root-servers.net.  49842  IN  A   192.5.5.241
g.root-servers.net.  49842  IN  A   192.112.36.4
h.root-servers.net.  49842  IN  A   128.63.2.53
i.root-servers.net.  49842  IN  A   192.36.148.17

;; Query time: 34 msec
;; SERVER: 10.0.0.1#53(10.132.1.13)
;; WHEN: Thu Mar 17 17:16:18 2011
;; MSG SIZE rcvd: 401