Re: Problem with ACL in named.conf
On 30/08/12 03:19, GS Bryan wrote:
> My BIND version, as shown by 'named -v', is BIND 9.9.1-P1-RedHat-9.9.1-2.P1.el6. 'named-checkconf /etc/named.conf' doesn't throw any error messages whatsoever.
> -- Bryan S.G.

You're correct - named-checkconf doesn't see the problem, but named errors during start-up. I'm opening a bug ticket for you.

Cathy

___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Problem with ACL in named.conf
On 30/08/12 03:17, GS Bryan wrote:
> Hmm... that explains it. Damn, DNSMadeEasy needs to have notify notices sent to a different IP set than their nameserver service. This means that I have to hardcode this myself.
>
> Another question then: if zone 'example.net' has the NS records 'ns1.example.net' (its IP address is 101.1.1.1) and 'ns2.example.net' (its IP address is 101.1.2.1), and I put 'also-notify { 22.22.22.222; 22.22.22.223; 22.22.22.224; };' in the zone clause, then when the zone file is modified, notify messages will be sent to 101.1.1.1, 101.1.2.1, 22.22.22.222, 22.22.22.223, and 22.22.22.224, right?

Yes (except for the master listed in the SOA record), and unless you have 'notify explicit;' set.
how to filter hundreds of domains?
Hello,

I need to implement a BIND filter for many hundreds of domains which are considered outlawed and illegal by the Italian government (gambling games). If I create a named zone for each illegal domain and configure my nameserver as authoritative for those zones, I can catch the DNS resolutions and resolve them to a local LAN IP with a message for users. But it is really complicated to manage such a high number of domains. Is there another way I could achieve this?

Thank you,
Rick
Re: how to filter hundreds of domains?
On 30 Aug 2012, at 13:14, fddi wrote:
> I need to implement a BIND filter for many hundreds of domains which are considered outlawed and illegal by the Italian government (gambling games). If I create a named zone for each illegal domain and configure my nameserver as authoritative for those zones, I can catch the DNS resolutions and resolve them to a local LAN IP with a message for users. But it is really complicated to manage such a high number of domains. Is there another way I could achieve this?

Don't waste your time. This approach is superficial. It doesn't actually prevent access to the target sites, and is likely to be a nuisance for intending users of legitimate services (web sites or others) which fall in the shadow of the intervention you suggest. Besides, if you take this approach, you will have to commit resources to chasing a moving target.

Best regards,
Niall O'Reilly
Re: how to filter hundreds of domains?
On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said:
> Don't waste your time. This approach is superficial.

http://www.bortzmeyer.org/images/please-close-gate.jpg :-)
Re: how to filter hundreds of domains?
On 8/30/12 2:32 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 02:14:38PM +0200, fddi f...@gmx.it wrote a message of 23 lines which said:
>> I need to implement a BIND filter for many hundreds of domains which are considered outlawed and illegal
> See http://pwd.io/guide/. Very good ebook.

Thank you for your hint. Actually, many telephone companies in the world are doing this; I was just asking a question expecting a technical point of view related to BIND in the answer.

Rick
Re: how to filter hundreds of domains?
On 8/30/12 3:14 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said:
>> Don't waste your time. This approach is superficial.
> http://www.bortzmeyer.org/images/please-close-gate.jpg :-)

Often it is not you who has to decide what to do; you receive orders. It is never a good thing to mock people. Thank you again for your hints.

Rick
Re: how to filter hundreds of domains?
On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
> Actually, many telephone companies in the world are doing this,

They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not a good idea for the Internet :-)
Re: how to filter hundreds of domains?
On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
>> Actually, many telephone companies in the world are doing this,
> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not a good idea for the Internet :-)

I know, but usually people do not work for the Internet; they work for a company and have to do what the company asks if you care to have a job... No problem anyway, I agree with your view.

Rick
Re: how to filter hundreds of domains?
Normal web filtering software that auto-updates is a better approach. Using BIND with a manual list of domains to try to achieve this is like trying to kill an ant hill 1 ant at a time.

-- Sent from my Android phone with K-9 Mail.

fddi f...@gmx.it wrote:
> On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
>> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
>>> Actually, many telephone companies in the world are doing this,
>> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not a good idea for the Internet :-)
>
> I know, but usually people do not work for the Internet; they work for a company and have to do what the company asks if you care to have a job... No problem anyway, I agree with your view.
>
> Rick
Re: how to filter hundreds of domains?
Russell Jones wrote on 08/30/2012 09:39:17 AM:
> Normal web filtering software that auto-updates is a better approach. Using BIND with a manual list of domains to try to achieve this is like trying to kill an ant hill 1 ant at a time.

There are several sources of RPZ data such as Spamhaus and SURBL. Both are respected sources of spam filtering data. (Disclosure: my employer subscribes to both for spam filtering; I have no financial stake.)
Re: how to filter hundreds of domains?
On 8/30/2012 8:46 AM, wbr...@e1b.org wrote:
> Russell Jones wrote on 08/30/2012 09:39:17 AM:
>> Normal web filtering software that auto-updates is a better approach. Using BIND with a manual list of domains to try to achieve this is like trying to kill an ant hill 1 ant at a time.
>
> There are several sources of RPZ data such as Spamhaus and SURBL. Both are respected sources of spam filtering data. (Disclosure: my employer subscribes to both for spam filtering; I have no financial stake.)

Oh I know, I use Spamhaus myself for spam filtering - it catches a ridiculous amount of spam. It is my understanding though that the OP wants to filter domains for NSFW web browsing, not spam - specifically gambling sites.
Re: how to filter hundreds of domains?
Add this line to /etc/named.conf:

    include "locallyblockeddomains.zones";

Contents of locallyblockeddomains.zones:

    // This bind zone is intended to be included in a running dns server for a local net
    //
    // It will return a 127.0.0.1 for the domains listed as malware
    //
    // This is for locally determined domains we want blocked
    //
    zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
    [snipped many more out]
    zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };

This is the /etc/namedb/blockeddomain.hosts file:

    $TTL 86400                              ; one day
    @       IN SOA  ns1.geneseo.edu. coloccia.geneseo.edu. (
                            2007112601      ; serial
                            28800           ; refresh 8 hours
                            7200            ; retry 2 hours
                            864000          ; expire 10 days
                            86400 )         ; min ttl 1 day
            IN NS   ns1.geneseo.edu.
            IN A    127.0.0.1
    *       IN A    127.0.0.1
    *       IN AAAA ::1
    ; This zone will kill all traffic to a listed domain

Done. Add domains you want blocked to the locallyblockeddomains.zones file.

-Rick

On 8/30/2012 10:28 AM, Russell Jones wrote:
> On 8/30/2012 8:46 AM, wbr...@e1b.org wrote:
>> Russell Jones wrote on 08/30/2012 09:39:17 AM:
>>> Normal web filtering software that auto-updates is a better approach. Using BIND with a manual list of domains to try to achieve this is like trying to kill an ant hill 1 ant at a time.
>>
>> There are several sources of RPZ data such as Spamhaus and SURBL. Both are respected sources of spam filtering data. (Disclosure: my employer subscribes to both for spam filtering; I have no financial stake.)
>
> Oh I know, I use Spamhaus myself for spam filtering - it catches a ridiculous amount of spam. It is my understanding though that the OP wants to filter domains for NSFW web browsing, not spam - specifically gambling sites.

-- 
Rick Coloccia, Jr.
Network Manager
State University of NY College at Geneseo
1 College Circle, 119 South Hall
Geneseo, NY 14454
V: 585-245-5577  F: 585-245-5579
dhcp error messages
I have started getting 'error sending response: not enough free resources' on my DHCP server at random times during the day. Google isn't providing much, other than that it could be an issue with the switch or a network card issue. top on the server doesn't show it using hardly any resources at all. Are there settings in dhcp that I can set that will give it more resources to use?

-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools
Re: how to filter hundreds of domains?
Russell Jones russ...@jonesmail.me wrote on 08/30/2012 10:28:07 AM:
> Oh I know, I use Spamhaus myself for spam filtering - it catches a ridiculous amount of spam. It is my understanding though that the OP wants to filter domains for NSFW web browsing, not spam - specifically gambling sites.

Spamhaus describes it this way: "The DBL is managed as a zero false-positive list, safe to use by production mail systems to reject emails that are flagged by it. The DBL includes URIs (domains/hostnames) which are used in spam including phishing, fraud/'419' or domains sending or hosting malware/viruses."

Sounds like what I would want in an RPZ, but it may not include the gambling sites the OP was looking to block.
Re: how to filter hundreds of domains?
On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
>> Actually, many telephone companies in the world are doing this,
> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not a good idea for the Internet :-)

Still, that kind of setup is *mandatory* for ISPs in Italy :-\

-- 
Paranoia is a disease unto itself. And may I add: the person standing next to you may not be who they appear to be, so take precaution.
- http://bofhskull.wordpress.com/
Re: how to filter hundreds of domains?
On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
> On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
>> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
>>> Actually, many telephone companies in the world are doing this,
>> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not a good idea for the Internet :-)
>
> Still, that kind of setup is *mandatory* for ISPs in Italy :-\

Is the mandatory setup to actually use 'DNS' to block access to gambling sites? It's easy enough to script an automatic update if someone central and with the necessary authority decides what is not allowed (e.g. a governmental man). Could even stick the 'bad' names in DNS to do the distribution.

Suggestion: Don't listen to Niall O'Reilly - although he may be right. (tongue firmly stuck in cheek)

Note to self: run own recursive DNS resolver on my laptop whilst travelling in Italy. 8.8.8.8?

-- 
Mark J Elkins, Cisco CCIE - Posix Systems - (South) Africa
m...@posix.co.za - Tel: +27 12 807 0590 - Cell: +27 82 601 0496
Re: how to filter hundreds of domains?
Rick Coloccia coloc...@geneseo.edu wrote:
> Add this line to /etc/named.conf:
>
>     include "locallyblockeddomains.zones";
>
> Contents of locallyblockeddomains.zones:
>
>     // This bind zone is intended to be included in a running dns server for a local net
>     // It will return a 127.0.0.1 for the domains listed as malware
>     // This is for locally determined domains we want blocked
>     zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
>     [snipped many more out]
>     zone "emailupgrader.clan.su" { type master; file "/etc/namedb/blockeddomain.hosts"; };
>
> This is the /etc/namedb/blockeddomain.hosts file:
> [zone file snipped; see Rick's message above]
>
> Done. Add domains you want blocked to the locallyblockeddomains.zones file.

In my previous job, the cyber-security group created a list of domains from various sources. They tested the file on a test BIND server before loading the file into the AFS shared file system. I had a cron on my DNS servers that ran every 10 minutes that checked for a new file, and if it saw one, it copied the file to the local disk and ran rndc to reload the new config file.

--Barry Finkel
Re: how to filter hundreds of domains?
On Thu, Aug 30, 2012 at 03:18:25PM +0200, fddi wrote:
> On 8/30/12 3:14 PM, Stephane Bortzmeyer wrote:
>> On Thu, Aug 30, 2012 at 01:34:07PM +0100, Niall O'Reilly niall.orei...@ucd.ie wrote a message of 32 lines which said:
>>> Don't waste your time. This approach is superficial.
>> http://www.bortzmeyer.org/images/please-close-gate.jpg :-)
>
> Often it is not you who has to decide what to do; you receive orders.

People who don't fully understand an issue really do not have any business managing it. This is a basic law of nature.

> It is never a good thing to mock people.

People who have made bad decisions based on ignorance of the subject matter certainly do deserve criticism for what they have done, no? I think they do. The emperor is wearing no clothes! Sometimes, humor is a good way to get the point across.

The proper thing to do, if in a position of authority, is to educate oneself on the matter at hand, and if unable for some reason, to pass authority to someone who DOES understand it. DNS is not simple, but I bet I could spend a day or so with some non-technical person of reasonable intelligence and get him/her up to speed as to why ideas like this are bad.

No, it's not practical for every ignorant politician to hire a DNS-capable geek to help learn the basics, but lack of practicality does not make wrong any less wrong.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if /dev/rob0 is in the Subject:
Re: dhcp error messages
> I have started getting 'error sending response: not enough free resources' on my DHCP server at random times during the day. Google isn't providing much, other than that it could be an issue with the switch or a network card issue. top on the server doesn't show it using hardly any resources at all. Are there settings in dhcp that I can set that will give it more resources to use?

If you are using ISC DHCP, I would strongly recommend the dhcp-users mailing list instead of the bind-users mailing list.

Also, some more information would be useful, for instance what OS you are using. The message is *presumably* because your OS is low on some resource. If you don't find out *which* resource, it is kind of hard to get any further...

Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: how to filter hundreds of domains?
On 8/30/2012 10:33 AM, Rick Coloccia wrote:
> Add this line to /etc/named.conf:
>
>     include "locallyblockeddomains.zones";
>
> Contents of locallyblockeddomains.zones:
>
>     // It will return a 127.0.0.1 for the domains listed as malware
>     zone "r.im" { type master; file "/etc/namedb/blockeddomain.hosts"; };
>     [snipped many more out]
>
> This is the /etc/namedb/blockeddomain.hosts file:
>
>     [SOA and NS records snipped; see Rick's message above]
>             IN A    127.0.0.1
>     *       IN A    127.0.0.1
>     *       IN AAAA ::1
>     ; This zone will kill all traffic to a listed domain
>
> Done. Add domains you want blocked to the locallyblockeddomains.zones file.

The null or unspecified address -- 0.0.0.0 in IPv4, :: in IPv6 -- is generally considered the more polite and proper way to express "don't ever try to connect to this". If you put a loopback address in there, a poorly-coded app might end up spinning, connecting to itself. But the unspecified address gets stopped cold at the OS level, so it's the preferred choice.

- Kevin
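The setup Rick posted, automated. This is an added example in Python, not code from this thread, from Rick's servers or from ISC: it generates the locallyblockeddomains.zones include (one quoted zone clause per blocked name, all loading the same sink zone file), uses the unspecified address as the sink as Kevin recommends, and wraps Barry Finkel's cron step so the candidate file is checked before named is asked to reload it. It also goes one step beyond the thread by emitting the same list as a single RPZ zone, which avoids hundreds of zone clauses altogether. The paths, the nameserver names and the zone name rpz.local are assumptions, as is the sample domain list.

```python
"""Generate, validate and deploy a BIND blocklist for many domains.

Added example (not from the bind-users thread or from ISC). Paths, the
RPZ zone name and the sample domains are assumptions.
"""
import datetime
import re
import subprocess
from pathlib import Path

SINK_ZONE_FILE = "/etc/namedb/blockeddomain.hosts"   # path used in the thread
RPZ_ZONE_NAME = "rpz.local"                          # hypothetical RPZ zone name

# One hostname label: 1-63 chars of [a-z0-9-], no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise_domains(raw_lines):
    """Lower-case, drop '#' comments and blanks, strip a trailing dot, validate
    every label and de-duplicate. Returns (accepted, rejected): a bad entry in a
    hand-edited list is reported instead of producing a named.conf that fails to
    load (as Cathy notes above, named-checkconf does not catch everything)."""
    accepted, rejected, seen = [], [], set()
    for line in raw_lines:
        name = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not name:
            continue
        labels = name.split(".")
        ok = len(name) <= 253 and len(labels) >= 2 and all(_LABEL.match(l) for l in labels)
        if not ok:
            rejected.append(line.strip())
        elif name not in seen:
            seen.add(name)
            accepted.append(name)
    return accepted, rejected


def _serial(serial):
    # YYYYMMDDnn-style serial unless the caller fixes one (handy for tests)
    return serial if serial is not None else int(datetime.date.today().strftime("%Y%m%d") + "01")


def zones_include(domains, data_file=SINK_ZONE_FILE):
    """The locallyblockeddomains.zones include: one quoted zone clause per name."""
    out = ["// generated: locally blocked domains, every zone loads the same sink file"]
    out += [f'zone "{d}" {{ type master; file "{data_file}"; }};' for d in domains]
    return "\n".join(out) + "\n"


def sink_zone_file(primary_ns, hostmaster, sink_v4="0.0.0.0", sink_v6="::", serial=None):
    """Zone data shared by every blocked name: apex and wildcard both answer with
    the unspecified address, so clients never try to connect anywhere."""
    return (
        "$TTL 86400\n"
        f"@ IN SOA {primary_ns}. {hostmaster}. ( {_serial(serial)} 28800 7200 864000 86400 )\n"
        f"  IN NS {primary_ns}.\n"
        f"  IN A {sink_v4}\n  IN AAAA {sink_v6}\n"
        f"* IN A {sink_v4}\n* IN AAAA {sink_v6}\n"
    )


def rpz_zone_file(domains, primary_ns, hostmaster, sink_v4="0.0.0.0", sink_v6="::", serial=None):
    """Generalisation: one RPZ zone instead of N zone clauses. Each name and its
    subdomains get local-data A/AAAA records pointing at the sink. named.conf
    then needs 'response-policy { zone "rpz.local"; };' in options plus an
    ordinary master zone statement for rpz.local."""
    out = ["$TTL 300",
           f"@ IN SOA {primary_ns}. {hostmaster}. ( {_serial(serial)} 3600 900 604800 300 )",
           f"  IN NS {primary_ns}."]
    for d in domains:
        for owner in (d, f"*.{d}"):
            out.append(f"{owner} IN A {sink_v4}")
            out.append(f"{owner} IN AAAA {sink_v6}")
    return "\n".join(out) + "\n"


def _named_checkconf(path):
    return subprocess.run(["named-checkconf", str(path)]).returncode == 0


def _rndc_reload():
    return subprocess.run(["rndc", "reload"]).returncode == 0


def deploy_if_changed(new_text, target, check=_named_checkconf, reload=_rndc_reload):
    """Barry Finkel's cron step, made safe: do nothing if the content is unchanged,
    validate the candidate before it can hurt the running server, swap it in with
    an atomic rename, then reload. check/reload are injectable so the flow can be
    exercised without BIND installed."""
    target = Path(target)
    if target.exists() and target.read_text() == new_text:
        return "unchanged"
    candidate = target.with_name(target.name + ".new")
    candidate.write_text(new_text)
    if not check(candidate):
        candidate.unlink()
        return "rejected"           # live config untouched
    candidate.replace(target)       # atomic: named never sees a half-written file
    return "reloaded" if reload() else "reload-failed"
```

A cron job would read the list file, call normalise_domains, refuse to proceed if anything was rejected, then pass zones_include(accepted) to deploy_if_changed with the real named-checkconf and rndc defaults. With the RPZ variant the include file is not needed at all: only the rpz.local zone file changes, and 'rndc reload rpz.local' picks it up.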
Re: how to filter hundreds of domains?
In message 1346342946.14282.32.ca...@mjelap.posix.co.za, Mark Elkins writes:
> On Thu, 2012-08-30 at 17:25 +0200, Emanuele Balla (aka Skull) wrote:
>> On 8/30/12 3:19 PM, Stephane Bortzmeyer wrote:
>>> On Thu, Aug 30, 2012 at 03:16:32PM +0200, fddi f...@gmx.it wrote a message of 15 lines which said:
>>>> Actually, many telephone companies in the world are doing this,
>>> They're wrong politically (censorship) and they're wrong technically (see O'Reilly's answer). Copying telephone companies is not a good idea for the Internet :-)
>>
>> Still, that kind of setup is *mandatory* for ISPs in Italy :-\
>
> Is the mandatory setup to actually use 'DNS' to block access to gambling sites? It's easy enough to script an automatic update if someone central and with the necessary authority decides what is not allowed (e.g. a governmental man). Could even stick the 'bad' names in DNS to do the distribution.
>
> Suggestion: Don't listen to Niall O'Reilly - although he may be right. (tongue firmly stuck in cheek)
>
> Note to self: run own recursive DNS resolver on my laptop whilst travelling in Italy. 8.8.8.8?

Which is exactly why the DNS is the wrong level to do this at if you have a legal obligation to block access. The only way to do that is to block the packets themselves. Given these are gambling sites, the chance of collateral damage is minimal if you just block all access to the IPs in question. Just make sure you can get through to their nameservers so you can keep the list of IP addresses to filter current.

Mark

> -- 
> Mark J Elkins, Cisco CCIE - Posix Systems - (South) Africa
> m...@posix.co.za - Tel: +27 12 807 0590 - Cell: +27 82 601 0496

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742   INTERNET: ma...@isc.org
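Mark's last two sentences describe a maintenance loop: re-resolve the listed names regularly, feed the packet filter the addresses, and never block the addresses the refresh itself depends on. The following is an added example in Python (not code from this thread or from ISC) of that loop. The resolver is injectable; the answers in CONSTRUCTED_ANSWERS are made up so the code runs offline, and socket_resolver is what a real cron job would pass instead. The ipset set names are assumptions.

```python
"""Refresh a packet-level address blocklist from a list of domain names.

Added example, not from the bind-users thread. Constructed DNS answers
stand in for real lookups; set names are assumptions.
"""
import ipaddress
import socket

# Ranges a border filter should never be fed from DNS answers: a blocked name
# that resolves to loopback, RFC 1918, link-local or ULA space would otherwise
# knock out local infrastructure (a rebinding-style answer, or just a typo).
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::/128", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed answers standing in for real DNS (documentation prefixes only).
CONSTRUCTED_ANSWERS = {
    "a.example": ["198.51.100.10", "2001:db8::10"],
    "b.example": ["198.51.100.10", "10.0.0.5"],
    "ns1.example": ["203.0.113.53"],
}


def constructed_resolver(name):
    return CONSTRUCTED_ANSWERS.get(name, [])


def socket_resolver(name):
    """Real lookup: every A/AAAA address the system resolver returns."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def refresh_blocklist(domains, previous, resolve, protect=()):
    """Resolve every domain and return (current, added, removed, skipped), each a
    sorted list of address strings, so the caller applies a diff instead of
    flushing the whole filter on every run. `protect` lists networks that must
    stay reachable whatever the names resolve to, e.g. the blocked sites' own
    nameservers: block those and the next refresh cannot resolve anything, so
    the list silently goes stale."""
    never = _NEVER_BLOCK + [ipaddress.ip_network(n) for n in protect]
    current, skipped = set(), set()
    for name in domains:
        for text in resolve(name):
            ip = ipaddress.ip_address(text)
            if any(ip in net for net in never):
                skipped.add(str(ip))
            else:
                current.add(str(ip))
    prev = set(previous)
    return sorted(current), sorted(current - prev), sorted(prev - current), sorted(skipped)


def ipset_restore_lines(addresses, v4_set="blocked4", v6_set="blocked6"):
    """Input for 'ipset restore'; IPv4 and IPv6 entries need separate sets."""
    lines = []
    for text in addresses:
        ip = ipaddress.ip_address(text)
        lines.append(f"add {v4_set if ip.version == 4 else v6_set} {ip}")
    return lines
```

The `skipped` list is worth logging on every run: a name that suddenly resolves into private or protected space is either a configuration mistake on the other side or an attempt to make the filter block something it should not, and either way a human should look at it before the list is applied.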