Re: Split DNS Configuration in BIND

2011-05-31 Thread Robert Spangler
On Tuesday 31 May 2011 00:56, the following was written:

  It's very simple,
   
   If you know the basic firewall concept, we will configure source NATing from
 the public IP address to the original website's private address in the firewall. So when
 any users from the Internet access my company website, they should obviously
 get the public IP of my company website, and once they get the IP address from
 DNS, they can contact the website using source NATing in the firewall. 
  Here my concern is not with NATing or the firewall. My basic requirement is
 how can I configure split DNS to maintain two different IP addresses for the
 same website. 

I think you are getting your terminology mixed up here.

Split DNS is when you have 2 DNS servers, one internal and the other external.  
The internal server serves the clients internally and the external serves the 
people on the Internet.  This setup is very easy as both servers hold the same 
records with the proper IP addresses.

The other would be VIEWS.  This is when you have a single DNS server serving 
both internal and external requests but you want to supply different IP 
addresses for the same host name depending on where the request is coming from.

If you are thinking/talking VIEWS then give these websites a look:

http://www.howtoforge.com/two_in_one_dns_bind9_views
http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/


-- 

Regards
Robert

Linux
The adventure of a lifetime.

Linux User #296285
Get Counted
http://counter.li.org/
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Split DNS Configuration in BIND

2011-05-31 Thread Ryan Novosielski

On 05/31/2011 01:35 AM, Robert Spangler wrote:
 On Tuesday 31 May 2011 00:56, the following was written:
 
  It's very simple,
   
   If you know the basic firewall concept, we will configure source NATing from
 the public IP address to the original website's private address in the firewall. So when
 any users from the Internet access my company website, they should obviously
 get the public IP of my company website, and once they get the IP address from
 DNS, they can contact the website using source NATing in the firewall. 
  Here my concern is not with NATing or the firewall. My basic requirement is
 how can I configure split DNS to maintain two different IP addresses for the
 same website. 
 
 I think you are getting your terminology mixed up here.
 
 Split DNS is when you have 2 DNS servers, one internal and the other 
 external.  
 The internal server serves the clients internally and the external serves the 
 people on the Internet.  This setup is very easy as both servers hold the same 
 records with the proper IP addresses.
 
 The other would be VIEWS.  This is when you have a single DNS server serving 
 both internal and external requests but you want to supply different IP 
 addresses for the same host name depending on where the request is coming from.
 
 If you are thinking/talking VIEWS then give these websites a look:
 
 http://www.howtoforge.com/two_in_one_dns_bind9_views
 http://www.cyberciti.biz/faq/linux-unix-bind9-named-configure-views/

...the end result of which (just to check my own knowledge) is the same
as a split DNS, just without needing a second set of servers, right?

- -- 
-  _  _ _  _ ___  _  _  _
|Y#| |  | |\/| |  \ |\ |  | |Ryan Novosielski - Sr. Systems Programmer
|$| |__| |  | |__/ | \| _| |novos...@umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark

Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-05-31 Thread Matus UHLAR - fantomas
 In message 4de43e3e.2040...@chrysler.com, Kevin Darcy writes:
  Normally I'd defer to your vastly greater knowledge and experience in 
  DNSSEC, but here in the U.S. we have a saying "I'm from Missouri", which 
  is a roundabout way of expressing "show me" ("Show Me" being the 
  unofficial slogan of the state of Missouri). Maybe it *should* work, but 
  when it comes to nifty technical hacks, until co-existence is actually 
  demonstrated, I still think there might be a gotcha somewhere...

On 31.05.11 11:33, Mark Andrews wrote:
 This happens all the time whenever a signed zone content changes.
 You have different servers returning different answers for the same
 query all of which can be validated as secure.  DNSSEC requires
 that the data and signature pass through the system as an atomic
 unit.  DNSSEC aware servers and resolvers keep this data together.
 If you don't things break.
 
 DNS Race just keeps the answers permanently out of sync instead of
 the temporary condition that happens with normal updates.

This problem could be avoided by providing the same data, but differently
sorted, correct?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


allowing queries from all IPv4 addresses but only a range of IPv6 addresses

2011-05-31 Thread Dennis Perisa
Hello community,

I have a requirement to configure BIND 9.7.3 to allow queries from any
IPv4 address and only a specific IPv6 prefix.

The allow-query statement takes an address match list as argument, but
I'm not sure how I can specify 'any IPv4 host' without having to use
the 'any' keyword (which matches on ALL IPv4 and IPv6 addresses).

Hoping you can help,
Dennis
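Both the VIEWS explanation earlier in the thread (a single server answering by where the request comes from) and the allow-query question just above come down to how BIND evaluates an address match list: elements are tried in order, the first prefix that contains the client address decides, and a leading `!` negates. The following is an added example, not BIND's code or anything from the posts; the prefixes, hostnames and the `0.0.0.0/0` shorthand for "every IPv4 host" are assumptions chosen for illustration.

```python
"""BIND address-match-list semantics, applied to the two things above:
choosing a view by client address (match-clients) and an allow-query
list that admits every IPv4 client but only one IPv6 prefix.
Added example with constructed prefixes and addresses; it models the
first-match / '!'-negation rule of named.conf, it is not BIND code."""
import ipaddress
from typing import Any, List, Optional, Tuple


def parse_match_list(spec: str) -> List[Tuple[bool, Any]]:
    """'a; b; ...' -> [(negated, network), ...]; 'any' expands to both
    address families, a bare address is treated as a /32 or /128."""
    elems: List[Tuple[bool, Any]] = []
    for item in spec.split(";"):
        item = item.strip()
        if not item:
            continue
        negate = item.startswith("!")
        item = item.lstrip("!").strip()
        if item == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets = [ipaddress.ip_network(item, strict=False)]
        elems.extend((negate, net) for net in nets)
    return elems


def matches(spec: str, client: str) -> bool:
    """First element containing the address decides: accept unless it was
    negated. An address that matches no element is rejected."""
    addr = ipaddress.ip_address(client)
    for negate, net in parse_match_list(spec):
        if addr.version == net.version and addr in net:
            return not negate
    return False


# 'allow-query { 0.0.0.0/0; 2001:db8::/32; };': all of IPv4 plus one IPv6
# prefix. 'any' would not do here because it also admits every IPv6 client.
ALLOW_QUERY = "0.0.0.0/0; 2001:db8::/32;"

# Views in named.conf order with the address each hands out for www.
# The internal view must precede the external one, whose 'any' would
# otherwise capture the internal clients as well.
VIEWS = [
    ("internal", "10.0.0.0/8; 192.168.0.0/16;", "192.168.1.20"),
    ("external", "any", "203.0.113.10"),
]


def select_view(client: str) -> Optional[str]:
    """Name of the first view whose match-clients list accepts the client."""
    for name, clients, _ in VIEWS:
        if matches(clients, client):
            return name
    return None


def answer_for(client: str) -> Optional[str]:
    """Address of www that the selected view returns to this client."""
    view = select_view(client)
    return next((addr for name, _, addr in VIEWS if name == view), None)


if __name__ == "__main__":
    for c in ("10.1.2.3", "198.51.100.7", "2001:db8:1::5", "2001:db9::1"):
        print(c, "view:", select_view(c), "allow-query:", matches(ALLOW_QUERY, c))
```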


Re: DNS Racing -Multi ISP load balancing with failover using DNS.

2011-05-31 Thread Phil Mayers

On 31/05/11 09:28, Matus UHLAR - fantomas wrote:


This problem could be avoided by providing the same data, but differently
sorted, correct?



Not really. Client side sorting may take place (e.g. to comply with RFC 
3484 policies in calls to getaddrinfo) and destroy any server-side sorting.

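The exchange above turns on one detail of DNSSEC: an RRSIG covers the whole RRset in canonical order (RFC 4034 section 6.3), so two servers returning the same records in different orders sign identically, while servers that each return only "their" address (the DNS Racing set-up) hand out data that cannot validate against each other's signature; and, as Phil notes, the client may re-sort the set anyway. The code below is an added example, not from the thread: it builds the canonical form for A/AAAA RRsets and uses HMAC-SHA256 as a constructed stand-in for the real signing algorithm, with documentation addresses and a placeholder key.

```python
"""Why 'same data, differently sorted' survives DNSSEC but 'different
data per server' does not. RFC 4034 s6.3 puts an RRset into canonical
order before signing, so the RRSIG covers the set, not the order.
Added example: canonical form for A/AAAA RRsets, with HMAC-SHA256 as a
constructed stand-in for the real signature algorithm (not DNSSEC)."""
import hashlib
import hmac
import ipaddress
import struct
from typing import List

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case, uncompressed wire) form."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def rdata(addr: str) -> bytes:
    """RDATA of an A or AAAA record is just the packed address."""
    return ipaddress.ip_address(addr).packed


def canonical_rrset(owner: str, rtype: int, ttl: int, addrs: List[str]) -> bytes:
    """Concatenate the RRs in canonical order: sorted by RDATA treated as
    an unsigned octet string, duplicates removed (RFC 4034 s6.3)."""
    out = b""
    for rd in sorted({rdata(a) for a in addrs}):
        out += wire_name(owner) + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(rd)) + rd
    return out


def sign(key: bytes, owner: str, rtype: int, ttl: int, addrs: List[str]) -> bytes:
    # Stand-in signature over the canonical RRset; a real RRSIG also covers
    # the RRSIG RDATA fields and is made with the zone's private key.
    return hmac.new(key, canonical_rrset(owner, rtype, ttl, addrs), hashlib.sha256).digest()


def validates(key: bytes, owner: str, rtype: int, ttl: int, addrs: List[str], sig: bytes) -> bool:
    """Recompute over the data the client actually received and compare."""
    return hmac.compare_digest(sign(key, owner, rtype, ttl, addrs), sig)


KEY = b"constructed-zone-key"          # placeholder, not real key material
OWNER, TTL = "www.example.com.", 300
ISP_A = ["192.0.2.10", "198.51.100.10"]  # documentation addresses
ISP_B = ["198.51.100.10", "192.0.2.10"]  # same RRset, ISP B listed first


def same_data_reordered() -> bool:
    """Server 1 signs; server 2 serves the same RRs in another order.
    The signature still validates because canonical order is the same."""
    sig = sign(KEY, OWNER, TYPE_A, TTL, ISP_A)
    return validates(KEY, OWNER, TYPE_A, TTL, ISP_B, sig)


def different_data() -> bool:
    """Each server serves only 'its' address (DNS Racing): what a client
    gets from server 2 cannot validate with server 1's signature."""
    sig = sign(KEY, OWNER, TYPE_A, TTL, ["192.0.2.10"])
    return validates(KEY, OWNER, TYPE_A, TTL, ["198.51.100.10"], sig)
```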


Re: Hosting my company DNS server in Internet

2011-05-31 Thread Stephane Bortzmeyer
On Mon, May 30, 2011 at 06:14:25PM +0530,
 babu dheen babudh...@yahoo.co.in wrote 
 a message of 83 lines which said:

 please note that i am not going to host my website in DNS server 

You said the opposite before:

 I am not sure why i do need to pay money to my ISP for hosting my
 website on my company DNS server.



 In short, I can say that we just want to host an authoritative DNS server
 for my company website (company.com).

Then, you already have all the answers in the thread.


Re: Split DNS Configuration in BIND

2011-05-31 Thread Robert Spangler
On Tuesday 31 May 2011 02:25, the following was written:

   Split DNS is when you have 2 DNS servers, one internal and the other
   external. The internal server serves the clients internally and the external
   serves the people on the Internet.  This setup is very easy as both
   servers hold the same records with the proper IP addresses.
  
   The other would be VIEWS.  This is when you have a single DNS server
   serving both internal and external requests but you want to supply
   different IP addresses for the same host name depending on where the
   request is coming from.

  ...the end result of which (just to check my own knowledge) is the same
  as a split DNS, just without needing a second set of servers, right?

The end result is the same.


-- 

Regards
Robert

Linux
The adventure of a lifetime.

Linux User #296285
Get Counted
http://counter.li.org/


Compromised BIND?

2011-05-31 Thread Supersonic
I have a BIND 9.8.0-P2 server instance running on a production server. My
firewall is showing repeated attempts by named.exe to connect to IP
addresses in foreign countries on ports , 6667 and 6669 - common IRC
ports used by worms/trojans/zombies. Checking my named.exe file, it shows
that it is unchanged from the installation source. Is this connection
normal? Should I be allowing it?

DNSSEC versus multiple views

2011-05-31 Thread John Wobus

What problems do sites have that deploy both multiple views and
DNSSEC?

I read the Split-View DNSSEC Operation Practices draft, which
outlines a number of set-ups, generally citing disadvantages in the
area of administration, troubleshooting, and added complexity.  But
it says these set-ups are workable.

Our site serves thousands of mobile users with many types of consumer
mobile devices used onsite and elsewhere.  Our site also has
independent departments running their own caching servers.  Both
these make me nervous.  I could imagine a future where mobile devices
both cache and validate DNS and could imagine the combination of
multiple views and DNSSEC creating problems for them.  Perhaps
future end-user caching/validation procedures will be driven by the
existence of multiple-views/DNSSEC sites.

All this is from reading and thinking.  Can anyone tell me about
real-world problem cases?

John Wobus
Cornell University



Re: Compromised BIND?

2011-05-31 Thread Ray Van Dolson
On Tue, May 31, 2011 at 11:38:13AM -0700, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server. My
 firewall is showing repeated attempts by named.exe to connect to IP addresses
 in foreign countries on ports , 6667 and 6669 - common IRC ports used by
 worms/trojans/zombies. Checking my named.exe file, it shows that it is
 unchanged from the installation source. Is this connection normal? Should I be
 allowing it?

No, that doesn't sound good at all.  You could sniff the traffic and
verify, but it sounds like you've been compromised.

Ray


Re: Compromised BIND?

2011-05-31 Thread Kevin Darcy

On 5/31/2011 2:38 PM, Supersonic wrote:

I have a BIND 9.8.0-P2 server instance running on a production server.


Doing what, exactly? Resolving internal names only? Resolving Internet 
names? Acting as an authoritative server for internal clients? Internet 
clients? Some combination of the above?


My firewall is showing repeated attempts by named.exe to connect to IP 
addresses in foreign countries on ports , 6667 and 6669 - common 
IRC ports used by worms/trojans/zombies. Checking my named.exe file, 
it shows that it is unchanged from the installation source. Is this 
connection normal? Should I be allowing it?



TCP connections or UDP packets?

If you're serving authoritative data to Internet clients, then my guess 
is your firewall simply isn't stateful enough to realize that these 
are responses to DNS queries that originally came in from Internet 
clients using those port numbers. Just because they are common IRC 
ports used by worms/trojans/zombies doesn't preclude them from also 
being chosen at random as the source ports of incoming queries to your 
nameserver. Responses go back to the same port from which the query was 
received.


If they're outgoing TCP connections, I'd be worried. Offhand, I can't 
think of any legitimate reason why named would be trying to TCP-connect 
to any port other than 53.




- Kevin





Re: Compromised BIND?

2011-05-31 Thread Stephane Bortzmeyer
On Tue, May 31, 2011 at 02:38:13PM -0400,
 Supersonic wbpfs...@gmail.com wrote 
 a message of 38 lines which said:

 My firewall is showing repeated attempts by named.exe to connect to
 IP addresses in foreign countries on ports , 6667 and 6669

Not enough information to decide. For instance, what was the source
port of these packets? If it is 53, it may simply be BIND answering to
requests having the source port .



Re: Compromised BIND?

2011-05-31 Thread Jan-Piet Mens
 I have a BIND 9.8.0-P2 server instance running on a production server. My
 firewall is showing repeated attempts by named.exe to connect to IP
 addresses in foreign countries on ports , 6667 and 6669 - common IRC
 ports used by worms/trojans/zombies.

Sounds like you're running an IRC bot...


-JP


Re: Compromised BIND?

2011-05-31 Thread Torinthiel
On 05/31/11 20:38, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 My firewall is showing repeated attempts by named.exe to connect to IP
 addresses in foreign countries on ports , 6667 and 6669 - common IRC
 ports used by worms/trojans/zombies. Checking my named.exe file, it
 shows that it is unchanged from the installation source. Is this
 connection normal? Should I be allowing it?

Looks bad.
Guessing by named.exe you're running Windows.
Try checking if it's the same named.exe that you think - I've seen worms
disguising themselves with the same name but a different folder, or as "named
.exe" with a space appended to the base name. Looks great if you have hidden
extensions, as it seems you have two files with the name "named".
Torinthiel




Re: Compromised BIND?

2011-05-31 Thread Warren Kumari

On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:

 On 5/31/2011 2:38 PM, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 
 Doing what, exactly? Resolving internal names only? Resolving Internet names? 
 Acting as an authoritative server for internal clients? Internet clients? 
 Some combination of the above?
 
 My firewall is showing repeated attempts by named.exe to connect to IP 
 addresses in foreign countries on ports , 6667 and 6669 - common IRC 
 ports used by worms/trojans/zombies. Checking my named.exe file, it shows 
 that it is unchanged from the installation source. Is this connection 
 normal? Should I be allowing it?
 
 TCP connections or UDP packets?
 
 If you're serving authoritative data to Internet clients, then my guess is 
 your firewall simply isn't stateful enough to realize that these are 
 responses to DNS queries that originally came in from Internet clients using 
 those port numbers. Just because they are common IRC ports used by 
 worms/trojans/zombies doesn't preclude them from also being chosen at random 
 as the source ports of incoming queries to your nameserver. Responses go back 
 to the same port from which the query was received.


Can you make a distribution of ports and see if it contacts other port numbers 
with approximately the same frequency? I'm guessing this is just the FW / IDS 
being helpful

W

 
 If they're outgoing TCP connections, I'd be worried. Offhand, I can't think 
 of any legitimate reason why named would be trying to TCP-connect to any port 
 other than 53.
 
   
  - 
 Kevin
 
 
 

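Kevin's and Stephane's questions (TCP or UDP? what was the source port?) and Warren's suggestion to look at the whole port distribution can be turned into a small triage pass over the firewall's outbound log: UDP leaving port 53 is a reply to a query whose random source port happened to be 6667 or 6669, TCP from an ephemeral port to anything other than 53 is not something named does, and if the IRC ports are hit no more often than any other port the "connections" are just the firewall reporting replies. This is an added example written for the thread, not anyone's posted code; the key=value log format, the nameserver address 192.0.2.53 and the sample lines are constructed.

```python
"""Triage for the 'named.exe talking to IRC ports' report: label each
outbound event the way the replies above suggest and build the per-port
distribution Warren Kumari asks for. Added example; the log format and
the sample lines are constructed, not from any real firewall."""
import re
from collections import Counter
from typing import Dict, List, Optional

LINE = re.compile(
    r"proto=(?P<proto>TCP|UDP) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)")

IRC_PORTS = {6667, 6669}   # the ports named in the report


def classify(line: str) -> Optional[str]:
    """Label one outbound event seen from the nameserver host."""
    m = LINE.search(line)
    if not m:
        return None
    proto, sport, dport = m["proto"], int(m["sport"]), int(m["dport"])
    if proto == "UDP" and sport == 53:
        return "dns-response"    # reply goes back to the query's source port
    if dport == 53:
        return "dns-query"       # resolver traffic to another nameserver
    if proto == "TCP":
        return "unexpected-tcp"  # outbound TCP to a non-53 port: investigate
    return "unexpected-udp"


def summarize(lines: List[str]) -> Dict[str, int]:
    """How many events of each kind the log contains."""
    return dict(Counter(c for c in map(classify, lines) if c))


def response_port_distribution(lines: List[str]) -> Counter:
    """Destination ports of UDP responses, so the IRC ports can be compared
    with the rest of the (random) query source ports."""
    dist: Counter = Counter()
    for line in lines:
        m = LINE.search(line)
        if m and classify(line) == "dns-response":
            dist[int(m["dport"])] += 1
    return dist


def irc_ports_look_random(lines: List[str]) -> bool:
    """True when no IRC port is answered more often than the busiest other
    port, i.e. the IRC hits are part of a flat spread of source ports."""
    dist = response_port_distribution(lines)
    others = [n for p, n in dist.items() if p not in IRC_PORTS]
    if not others:
        return False
    return all(dist.get(p, 0) <= max(others) for p in IRC_PORTS)


def unexpected_lines(lines: List[str]) -> List[str]:
    """The events that do warrant a closer look."""
    return [l for l in lines if classify(l) in ("unexpected-tcp", "unexpected-udp")]


# Constructed sample: 192.0.2.53 is the nameserver, peers are documentation addresses.
SAMPLE = [
    "May 31 19:48:30 fw OUT proto=UDP src=192.0.2.53:53 dst=198.51.100.9:6667",
    "May 31 19:48:31 fw OUT proto=UDP src=192.0.2.53:53 dst=198.51.100.9:41212",
    "May 31 19:48:32 fw OUT proto=UDP src=192.0.2.53:53 dst=203.0.113.7:6669",
    "May 31 19:48:33 fw OUT proto=UDP src=192.0.2.53:53 dst=203.0.113.7:52001",
    "May 31 19:48:34 fw OUT proto=UDP src=192.0.2.53:53 dst=198.51.100.20:33333",
    "May 31 19:48:35 fw OUT proto=UDP src=192.0.2.53:49153 dst=198.51.100.1:53",
    "May 31 19:48:36 fw OUT proto=TCP src=192.0.2.53:49154 dst=203.0.113.9:6667 flags=SYN",
]

if __name__ == "__main__":
    print(summarize(SAMPLE), irc_ports_look_random(SAMPLE))
    for l in unexpected_lines(SAMPLE):
        print("investigate:", l)
```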


Re: Compromised BIND?

2011-05-31 Thread Warren Kumari
Does anyone else find the bind-users list to be very slow?

webster.isc.org (localhost [IPv6:::1]) Tue, 31 May 2011 19:48:30 + -  
webster.isc.org (webster.isc.org) Tue, 31 May 2011 20:52:09 + 

Or is it just me seeing this?

W


On May 31, 2011, at 4:17 PM, Warren Kumari wrote:

 
 On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:
 
 On 5/31/2011 2:38 PM, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 
 Doing what, exactly? Resolving internal names only? Resolving Internet 
 names? Acting as an authoritative server for internal clients? Internet 
 clients? Some combination of the above?
 
 My firewall is showing repeated attempts by named.exe to connect to IP 
 addresses in foreign countries on ports , 6667 and 6669 - common IRC 
 ports used by worms/trojans/zombies. Checking my named.exe file, it shows 
 that it is unchanged from the installation source. Is this connection 
 normal? Should I be allowing it?
 
 TCP connections or UDP packets?
 
 If you're serving authoritative data to Internet clients, then my guess is 
 your firewall simply isn't stateful enough to realize that these are 
 responses to DNS queries that originally came in from Internet clients using 
 those port numbers. Just because they are common IRC ports used by 
 worms/trojans/zombies doesn't preclude them from also being chosen at 
 random as the source ports of incoming queries to your nameserver. Responses 
 go back to the same port from which the query was received.
 
 
 Can you make a distribution of ports and see if it contacts other port 
 numbers with approximately the same frequency? I'm guessing this is just the 
 FW / IDS being helpful
 
 W
 
 
 If they're outgoing TCP connections, I'd be worried. Offhand, I can't think 
 of any legitimate reason why named would be trying to TCP-connect to any 
 port other than 53.
 
  
  - 
 Kevin
 
 
 
 
 



Re: DNSSEC versus multiple views

2011-05-31 Thread Mark Andrews

In message bf6f24e4-bb5c-4160-84df-baf591bed...@cornell.edu, John Wobus writes:
 What problems do sites have that deploy both multiple views and
 DNSSEC?

Sign all views.  You can decide whether to use the same keying
material or use differing keying material.  If you use differing
keying material you will need to distribute it.  Different key
material will catch leaks between views.

 I read the Split-View DNSSEC Operation Practices draft, which
 outlines a number of set-ups, generally citing disadvantages in the
 area of administration, troubleshooting, and added complexity.  But
 it says these set-ups are workable.
 
 Our site serves thousands of mobile users with many types of consumer
 mobile devices used onsite and elsewhere.  Our site also has
 independent departments running their own caching servers.  Both
 these make me nervous.  I could imagine a future where mobile devices
 both cache and validate DNS and could imagine the combination of
 multiple views and DNSSEC creating problems for them.  Perhaps
 future end-user caching/validation procedures will be driven by the
 existence of multiple-views/DNSSEC sites.
 
 All this is from reading and thinking.  Can anyone tell me about
 real-world problem cases?
 
 John Wobus
 Cornell University
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


RE: Compromised BIND?

2011-05-31 Thread Frank Bulk
Yes, this message arrived in my Inbox 44 minutes after it was sent.

Frank

-Original Message-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
Warren Kumari
Sent: Tuesday, May 31, 2011 4:59 PM
To: Warren Kumari
Cc: bind-users@lists.isc.org
Subject: Re: Compromised BIND?

Does anyone else find the bind-users list to be very slow?

webster.isc.org (localhost [IPv6:::1]) Tue, 31 May 2011 19:48:30 + -
webster.isc.org (webster.isc.org) Tue, 31 May 2011 20:52:09 + 

Or is it just me seeing this?

W


On May 31, 2011, at 4:17 PM, Warren Kumari wrote:

 
 On May 31, 2011, at 3:22 PM, Kevin Darcy wrote:
 
 On 5/31/2011 2:38 PM, Supersonic wrote:
 I have a BIND 9.8.0-P2 server instance running on a production server.
 
 Doing what, exactly? Resolving internal names only? Resolving Internet
names? Acting as an authoritative server for internal clients? Internet
clients? Some combination of the above?
 
 My firewall is showing repeated attempts by named.exe to connect to IP
addresses in foreign countries on ports , 6667 and 6669 - common IRC
ports used by worms/trojans/zombies. Checking my named.exe file, it shows
that it is unchanged from the installation source. Is this connection
normal? Should I be allowing it?
 
 TCP connections or UDP packets?
 
 If you're serving authoritative data to Internet clients, then my guess
is your firewall simply isn't stateful enough to realize that these are
responses to DNS queries that originally came in from Internet clients using
those port numbers. Just because they are common IRC ports used by
worms/trojans/zombies doesn't preclude them from also being chosen at
random as the source ports of incoming queries to your nameserver. Responses
go back to the same port from which the query was received.
 
 
 Can you make a distribution of ports and see if it contacts other port
numbers with approximately the same frequency? I'm guessing this is just the
FW / IDS being helpful
 
 W
 
 
 If they're outgoing TCP connections, I'd be worried. Offhand, I can't
think of any legitimate reason why named would be trying to TCP-connect to
any port other than 53.
 

- Kevin
 
 
 
 
 



