Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Matus UHLAR - fantomas

> On 19 May 2013 20:51, Narcis Garcia informat...@actiu.net wrote:
>> The internet ISP returns positive values for .local
>> queries, and I need that LAN clients receive NXDOMAIN instead.

Do they return positive answers for any non-existing domains?
(Is this one of those ISPs wanting to make money on mistypes and lying to
the people?)


On 19.05.13 21:26, Steven Carr wrote:
> But in response to the actual question... what you want to do is not
> possible in BIND zone configs as you can't create a negative zone
> (that I'm aware of).


He can create an empty .local zone that will return NXDOMAIN for everything.


> On 19 May 2013 21:22, Steven Carr sjc...@gmail.com wrote:
>> Why are you forwarding queries to the ISP? Implement your own caching
>> layer, I for one would never use/trust an ISPs caching servers. If I
>> want to resolve a domain I go direct to the source, not via a 3rd
>> party.


This is the real solution. You should not use services of any ISP that are
broken like this. I'd even recommend not using ANY services of such ISPs.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
To Boot or not to Boot, that's the question. [WD1270 Caviar]
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Narcis Garcia
- Yes, I thought about not using DNS from the same internet provider,
but wanted to know if there is a way to patch only the .local response.

- This is the configuration I use in one of the LANs:

view "local-nets" {
    match-clients { acl_local-nets; };
    recursion yes;
    forwarders {
        62.151.2.8;
    };
    include "/etc/bind/named.conf.default-zones";
};

- These are the tests to be done from a client:
$ host -t SOA local.
$ host -t SOA local. 62.151.2.8

- I've tried to create an empty zone, or one lacking A or SOA records,
but then BIND9 doesn't load it:
zone local/IN: has 0 SOA records
zone local/IN: has no NS records
zone local/IN: not loaded due to errors.

- I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
But I'm not sure if it's useful for SOA records.


On 20/05/13 09:00, Matus UHLAR - fantomas wrote:
> On 19 May 2013 20:51, Narcis Garcia informat...@actiu.net wrote:
>> The internet ISP returns positive values for .local
>> queries, and I need that LAN clients receive NXDOMAIN instead.
>
> Do they return positive answers for any non-existing domains?
> (Is this one of those ISPs wanting to make money on mistypes and lying to
> the people?)
>
> On 19.05.13 21:26, Steven Carr wrote:
>> But in response to the actual question... what you want to do is not
>> possible in BIND zone configs as you can't create a negative zone
>> (that I'm aware of).
>
> He can create an empty .local zone that will return NXDOMAIN for everything.
>
> On 19 May 2013 21:22, Steven Carr sjc...@gmail.com wrote:
>> Why are you forwarding queries to the ISP? Implement your own caching
>> layer, I for one would never use/trust an ISPs caching servers. If I
>> want to resolve a domain I go direct to the source, not via a 3rd
>> party.
>
> This is the real solution. You should not use services of any ISP that are
> broken like this. I'd even recommend not using ANY services of such ISPs.
 
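A minimal `local` zone that BIND 9.7 will load, as an added example that is not from the thread or from any BIND package: the only records it carries are exactly the SOA and NS that the load errors above complain about. File paths, the `localhost.` names and the SOA timers are assumptions. Put in the `local-nets` view, the zone is authoritative there, so any name below `local.` gets NXDOMAIN from the local server and is never sent to the forwarder; the apex itself answers NOERROR with the SOA, so `host -t SOA local.` will still show one record.

```conf
// --- named.conf fragment (added example, not from the thread) ---
// Goes inside view "local-nets", next to the forwarders statement.
// Path is an assumption.
zone "local" IN {
    type master;
    file "/etc/bind/db.empty-local";
    allow-update { none; };
};

; --- /etc/bind/db.empty-local (assumed path; added example) ---
; SOA and NS are the minimum BIND requires before it loads a zone.
; There are deliberately no other records, so every name under local.
; is answered with NXDOMAIN by this server.
$TTL 3600
@   IN  SOA localhost. root.localhost. (
            1         ; serial
            3600      ; refresh
            900       ; retry
            604800    ; expire
            3600 )    ; negative-caching TTL (how long clients cache NXDOMAIN)
@   IN  NS  localhost.
```

After `rndc reload`, a LAN client's `host foo.local.` should report NXDOMAIN, while `host -t SOA local.` returns the SOA; this works on 9.7 and needs no RPZ support.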


problem with named-sdb DLZ with mysql

2013-05-20 Thread fddi

Hello, I am running named with sdb support on CentOS 6.4.

Here are the components I am using:

bind-9.8.2-0.17.rc1.el6_4.4.x86_64
bind-utils-9.8.2-0.17.rc1.el6_4.4.x86_64
bind-libs-9.8.2-0.17.rc1.el6_4.4.x86_64
bind-sdb-9.8.2-0.17.rc1.el6_4.4.x86_64
bind-chroot-9.8.2-0.17.rc1.el6_4.4.x86_64

mysql-5.1.67-1.el6_3.x86_64
mysql-server-5.1.67-1.el6_3.x86_64
mysql-libs-5.1.67-1.el6_3.x86_64


the configuration is a standard DLZ configuration for mysql

Everything seems to work fine, but after 2 weeks of running this problem
always occurs:



Apr 17 12:24:17 ns2 kernel: named-sdb[3890]: segfault at c8 ip 7f842ae04df2 sp 7f84261f9530 error 4 in libmysqlclient.so.16.0.0[7f842adaf000+136000]
Apr 17 12:24:17 ns2 kernel: named-sdb[3892]: segfault at 0 ip 7f842914a831 sp 7f8424df7548 error 6 in libc-2.12.so[7f84290c1000+18a000]



So it doesn't look very stable...

Does anyone else have this problem?

thank you

Rick



Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Chris Buxton
On May 20, 2013, at 12:51 AM, Narcis Garcia informat...@actiu.net wrote:

> - Yes, I thought about not using DNS from the same internet provider,
> but wanted to know if there is a way to patch only the .local response.
>
> - This is the configuration I use in one of the LANs:
>
> view "local-nets" {
>     match-clients { acl_local-nets; };
>     recursion yes;
>     forwarders {
>         62.151.2.8;
>     };
>     include "/etc/bind/named.conf.default-zones";
> };
>
> - These are the tests to be done from a client:
> $ host -t SOA local.
> $ host -t SOA local. 62.151.2.8
>
> - I've tried to create an empty zone, or one lacking A or SOA records,
> but then BIND9 doesn't load it:
> zone local/IN: has 0 SOA records
> zone local/IN: has no NS records
> zone local/IN: not loaded due to errors.
>
> - I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
> to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
> But I'm not sure if it's useful for SOA records.

For the time being, .local is not delegated from the root. So just not using 
your ISP's resolvers will do what you want -- recurse directly to the Internet.

There is no way to create an empty .local zone that won't have even an SOA 
record. I'm not sure if you could do this via RPZ -- probably -- but why bother 
when you could just remove your ISP's servers from the equation?

Regards,
Chris


Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Kevin Darcy

On 5/20/2013 11:36 AM, Chris Buxton wrote:

> On May 20, 2013, at 12:51 AM, Narcis Garcia informat...@actiu.net wrote:
>
>> - Yes, I thought about not using DNS from the same internet provider,
>> but wanted to know if there is a way to patch only the .local response.
>>
>> - This is the configuration I use in one of the LANs:
>>
>> view "local-nets" {
>>     match-clients { acl_local-nets; };
>>     recursion yes;
>>     forwarders {
>>         62.151.2.8;
>>     };
>>     include "/etc/bind/named.conf.default-zones";
>> };
>>
>> - These are the tests to be done from a client:
>> $ host -t SOA local.
>> $ host -t SOA local. 62.151.2.8
>>
>> - I've tried to create an empty zone, or one lacking A or SOA records,
>> but then BIND9 doesn't load it:
>> zone local/IN: has 0 SOA records
>> zone local/IN: has no NS records
>> zone local/IN: not loaded due to errors.
>>
>> - I'm using BIND 9.7.3 from Debian 6, and I see that I need to upgrade
>> to BIND 9.8.4 from Debian 7 to configure an RPZ zone.
>> But I'm not sure if it's useful for SOA records.
>
> For the time being, .local is not delegated from the root. So just not using
> your ISP's resolvers will do what you want -- recurse directly to the Internet.
>
> There is no way to create an empty .local zone that won't have even an SOA
> record. I'm not sure if you could do this via RPZ -- probably -- but why bother
> when you could just remove your ISP's servers from the equation?


I'm not a big fan of solutions that bombard the root servers with junk 
traffic. According to the Wikipedia entry for .local, 
l.root-servers.net is already getting hit with about 2300 qps for 
.local names (thus 4th behind .com, .net and .org). Let's not add to that.


This is fairly trivial to deal with via RPZ:

local       CNAME   .   ; for the apex
*.local     CNAME   .   ; for everything else

Full disclosure: I'd love to implement this myself, but
a) my strategic product for DNS resolution charges extra for the RPZ 
functionality, and
b) my biggest business partner, having followed Microsoft's 
recommendation of many years (until their recent reversal) has deployed 
several real internal zones under the .local TLD. I can't afford to 
blind myself to those.


- Kevin

P.S. Wikipedia might want to update their figures, since I just did a
query via
http://stats.l.root-servers.org/cgi-bin/dsc-grapher.pl?window=86400&plot=qtype_vs_all_tld&server=L-root
and local shows as third on the graph, the figure appearing closer to
2500 qps than 2300 qps.

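The complete RPZ configuration around Kevin's two records, as an added example that is not from his post: the `named.conf` side (a `response-policy` statement plus the policy zone, both inside the view that serves the LAN clients) and the policy zone file carrying the SOA and NS records BIND needs before it will load it. The zone name, file paths and timers are assumptions. `response-policy` is available from BIND 9.8.0 onwards, which matches the upgrade mentioned earlier in the thread.

```conf
// --- named.conf (added example; view taken from earlier in the thread) ---
view "local-nets" {
    match-clients { acl_local-nets; };
    recursion yes;
    forwarders { 62.151.2.8; };

    // Rewrite answers according to the policy zone below, whatever the
    // forwarder returned. Zone name is an assumption.
    response-policy { zone "rpz.local-block"; };

    zone "rpz.local-block" {
        type master;
        file "/etc/bind/db.rpz.local-block";   // assumed path
        allow-query { none; };   // consulted internally, never served to clients
    };

    include "/etc/bind/named.conf.default-zones";
};

; --- /etc/bind/db.rpz.local-block (assumed path; added example) ---
; SOA and NS are required for the zone to load. The two CNAME records are
; the policy: in RPZ, "CNAME ." means "answer NXDOMAIN".
$TTL 60
@           IN  SOA     localhost. root.localhost. ( 1 3600 900 604800 60 )
@           IN  NS      localhost.
local       IN  CNAME   .       ; local. itself -> NXDOMAIN
*.local     IN  CNAME   .       ; every name under local. -> NXDOMAIN
```

After `rndc reload`, `host -t SOA local.` from a LAN client should report NXDOMAIN regardless of what 62.151.2.8 answers, because the rewrite happens in the local resolver after the upstream response arrives. Because the wildcard matches every name under `local.`, an internal zone such as the ones Kevin describes in point (b) would be blocked as well, which is exactly his caveat.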


Re: Negative zones; NXDOMAIN responses

2013-05-20 Thread Mark Andrews

The simplest solution is to slave the root zone and
turn off notify so you don't spam the official
root servers.  192.5.5.241 is f.root-servers.net.


zone "." IN {
    type slave;
    file "slave/root";
    masters { 192.5.5.241; };
    notify no;
};

If you want to use DNSSEC to validate the contents then
you can use views to achieve this.

managed-keys {
    . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=";
};

view "secure" {
    match-clients { localnets; };
    match-recursive-only yes;
    zone "." {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

view "external" {
    recursion no;
    allow-recursion { none; };
    zone "." IN {
        type slave;
        file "slave/root";
        masters { 192.5.5.241; };
        notify no;
    };
};

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org