Re: Private IP address in A record
On 27.06.2014 06:11, Teerapatr Kittiratanachai wrote:

> I know that this kind of implementation isn't recommended, but I don't understand that why some DNS servers can answer the record as normally while another can't.

if there is a cisco-router with NAT between, anything can happen if it faces private IPs in DNS responses

google for Cisco NAT DNS ALG

> On Fri, Jun 27, 2014 at 10:42 AM, Noel Butler noel.but...@ausics.net wrote:
>
>> On 27/06/2014 12:32, Teerapatr Kittiratanachai wrote:
>>
>>> Dear List, Yesterday I try to map a private IP address on Public DNS Server, but some server, actually 1 server, doesn't show the answer. But the Rcode is 0. So I already removed that record for now. Is it possible to set DNS server for not show answer that be the private IP address?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Using a DynDNS hostname in master-statement for a bind slave?
Hello everyone,

sorry if this is a stupid question, I would love to get a RTFM pointing me to the right documentation (I found none...).

My setup is like this (at least that is my plan):

In my home network I have:
Host A with bind as master for my zone example.org
Host B with bind as slave for my zone example.org, Host A set as its master

The slave server (HOST B) is reachable from the internet via a dynDNS hostname.

Now I want to setup another bind as slave on a server hosted at my provider. It should use HOST B as its master, to transfer the zone and act as a slave.

BUT I found nothing in the documentation on how to deal with a master server that has no fixed IP and is reachable via a dynamic hostname.

Is this possible? Or do I have to setup a VPN to connect the external server to the home network?

Thanks in advance for any tips or tricks or hints...

Regards,
Johannes

--
I don't want to achieve immortality through my work. I want to achieve immortality through not dying. (Woody Allen)
Re: Private IP address in A record
In article mailman.441.1403836337.26362.bind-us...@lists.isc.org, Teerapatr Kittiratanachai maillist...@gmail.com wrote:

> Dear List, Yesterday I try to map a private IP address on Public DNS Server, but some server, actually 1 server, doesn't show the answer. But the Rcode is 0. So I already removed that record for now. Is it possible to set DNS server for not show answer that be the private IP address?

The other server may be behind a firewall that blocks private addresses.

--
Barry Margolin
Arlington, MA
In BIND 8.2 running on Solaris 8, how to start logging
Hi All,

I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve.

I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?

Please advise; please be thorough and don't assume anything.

Many thanks in advance.

Regards,
Samad
Re: In BIND 8.2 running on Solaris 8, how to start logging
-----Original Message-----
From: Samad Agha samad.agha2...@gmail.com
Date: Friday, June 27, 2014 at 1:07 PM
To: bind-users@lists.isc.org bind-users@lists.isc.org, DNS BIND bind-us...@isc.org
Subject: In BIND 8.2 running on Solaris 8, how to start logging

> Hi All,
>
> I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve.
>
> I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
>
> Please advise; please be thorough and don't assume anything.
>
> Many thanks in advance.

I see two options:

Enable query logging. In your named.conf, do something like:

    logging {
        channel my_querylog {
            // keep 5 rotated copies of at most 10 MB each
            file "/var/adm/query.log" versions 5 size 10m;
            // prefix every entry with a timestamp
            print-time yes;
        };
        category queries { my_querylog; };
    };

Adjust paths, number of copies (versions) to keep, etc. Note that this can fill quickly on busy servers.

Alternatively, use tcpdump to write a pcap of anything to 53/udp or 53/tcp and analyze it after 1, 7, 30 or whatever days. Again, if the server is busy you will get a very large file. You can limit the amount of time you capture traffic, or rotate capture files with -C size e.g.

    tcpdump -i eth0 -s0 -C 100 -w dnscap filter

(you'll end up with dnscap1, dnscap2, etc each 100MB in size).

Good luck, BIND 8.2 is ancient now so good to hear you are working to get it updated.
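An added example, not part of the original post: one way to do the "analyze it afterwards" step on a capture file written by the tcpdump command above, counting which client asked for which name. The function names and the constructed sample capture are assumptions for illustration; it handles classic pcap files in either byte order, assumes the Ethernet link type, and counts only UDP queries.

```python
import socket
import struct
from collections import Counter

QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 28: "AAAA"}

def parse_question(dns):
    """Return (qname, qtype) of the first question in a raw DNS message."""
    off, labels = 12, []  # the question section follows the 12-byte header
    while dns[off]:
        n = dns[off]
        if n & 0xC0:  # compression pointers are not expected in a question
            raise ValueError("unexpected label type")
        labels.append(dns[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    (qtype,) = struct.unpack("!H", dns[off + 1:off + 3])
    return ".".join(labels).lower() + ".", QTYPES.get(qtype, str(qtype))

def tally_queries(pcap):
    """Count (client IP, qname, qtype) over UDP/53 queries; Ethernet link type assumed."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    counts, pos = Counter(), 24  # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        (caplen,) = struct.unpack(endian + "I", pcap[pos + 8:pos + 12])
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue  # not IPv4/UDP
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        try:
            (dport,) = struct.unpack("!H", udp[2:4])
            flags, qdcount = struct.unpack("!HH", udp[10:14])
            if dport != 53 or flags & 0x8000 or qdcount == 0:
                continue  # a response, or not addressed to the name server
            name, qtype = parse_question(udp[8:])
        except (IndexError, ValueError, struct.error):
            continue  # truncated or malformed packet
        counts[(socket.inet_ntoa(frame[26:30]), name, qtype)] += 1
    return counts

def sample_pcap():
    """Constructed capture: two A queries from 192.0.2.10, one MX from 198.51.100.7."""
    def packet(src, name, qtype):
        qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
        dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)
        udp = struct.pack("!4H", 40000, 53, 8 + len(dns), 0) + dns
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton("203.0.113.53"))
        frame = bytes(12) + b"\x08\x00" + ip + udp
        return struct.pack("<4I", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + packet("192.0.2.10", "www.example.org", 1) * 2 + packet("198.51.100.7", "example.org", 15)
```

For a real capture, pass the bytes of each rotated file to `tally_queries` and add the resulting counters together; `most_common()` on the sum lists the busiest clients and names first.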
Re: Using a DynDNS hostname in master-statement for a bind slave?
On 06/27/2014 08:27 AM, Johannes Kastl wrote:

> The slave server (HOST B) is reachable from the internet via a dynDNS hostname.
>
> Now I want to setup another bind as slave on a server hosted at my provider. It should use HOST B as its master, to transfer the zone and act as a slave.
>
> BUT I found nothing in the documentation on how to deal with a master server that has no fixed IP and is reachable via a dynamic hostname.

That's because it cannot be done. You need a master with a fixed address.

If your zone content and IP address don't change often you could set a very long expire time on the zone, and fix the master definition on your provider's slave whenever it breaks, but that's pretty fragile.

Good luck,

Doug
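An added example, not part of the original post and not BIND code: a sketch of the "fix the master definition whenever it breaks" step on the provider-side slave, assuming a single IPv4 master per zone. The names `set_zone_master`, `refresh`, `UNROUTABLE`, the key name `xfer-key` and the sample configuration are hypothetical. It refuses addresses that cannot be a master across the internet and leaves any TSIG `key` clause in place, so a wrong lookup result ends in a failed transfer rather than accepted zone data.

```python
import ipaddress
import re
import socket
import subprocess

# Ranges that can never be a master reachable across the internet.
UNROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def set_zone_master(conf, zone, new_ip):
    """Return (new_conf, changed) with the zone's single IPv4 master replaced."""
    addr = ipaddress.IPv4Address(new_ip)  # raises ValueError on anything but IPv4
    if any(addr in net for net in UNROUTABLE):
        raise ValueError("refusing unroutable master address %s" % addr)
    pattern = re.compile(
        r'(zone\s+"' + re.escape(zone) + r'"[^{]*\{[^{}]*?\bmasters\s*\{\s*)'
        r'([0-9.]+)((?:\s+key\s+[^;{}]+)?\s*;\s*\}\s*;)')
    match = pattern.search(conf)
    if match is None:
        raise LookupError("no single-address masters list for zone %s" % zone)
    if match.group(2) == str(addr):
        return conf, False
    # Only the address is swapped; a TSIG "key" clause after it is kept as is.
    return conf[:match.start(2)] + str(addr) + conf[match.end(2):], True

def refresh(conf_path, zone, dyn_hostname):
    """Resolve the dynamic hostname, rewrite the masters entry, reload named's config."""
    with open(conf_path) as fh:
        conf = fh.read()
    new_conf, changed = set_zone_master(conf, zone, socket.gethostbyname(dyn_hostname))
    if changed:
        with open(conf_path, "w") as fh:
            fh.write(new_conf)
        subprocess.run(["rndc", "reconfig"], check=True)
    return changed

# Constructed sample of the provider-side slave configuration.
SAMPLE_CONF = '''
zone "example.net" { type slave; masters { 192.0.2.1; }; file "slaves/example.net"; };
zone "example.org" {
    type slave;
    masters { 198.51.100.20 key "xfer-key"; };
    file "slaves/example.org";
};
'''
```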
Re: Using a DynDNS hostname in master-statement for a bind slave?
On 27.06.14 19:56 Doug Barton wrote:

> That's because it cannot be done. You need a master with a fixed address.

I was hoping it could be done. My bad.

I'll try it with a VPN.

Thanks for the answer.

Regards,
Johannes

--
Love is like Pi: Natural, irrational and very important. (unknown)
Re: In BIND 8.2 running on Solaris 8, how to start logging
On 6/27/2014, Samad Agha samad.agha2...@gmail.com wrote:

> Hi All,
>
> I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve.
>
> I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
>
> Please advise; please be thorough and don't assume anything.
>
> Many thanks in advance.
>
> Regards,
> Samad

I may be missing something here. The servers are running BIND. What zones do the servers serve? They serve the zones listed in the BIND configuration file(s), and they may be recursive servers for your clients. Look at the config files to see what zones are mastered or slaved on the servers.

--Barry Finkel
RE: In BIND 8.2 running on Solaris 8, how to start logging
Enable query logging or run tcpdump on port 53. A quick Google search should explain exactly how to do either of these very easily.

Josh

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry S. Finkel
Sent: Friday, June 27, 2014 5:02 PM
To: bind-users@lists.isc.org
Subject: Re: In BIND 8.2 running on Solaris 8, how to start logging

On 6/27/2014, Samad Agha samad.agha2...@gmail.com wrote:

> Hi All,
>
> I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve.
>
> I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
>
> Please advise; please be thorough and don't assume anything.
>
> Many thanks in advance.
>
> Regards,
> Samad

I may be missing something here. The servers are running BIND. What zones do the servers serve? They serve the zones listed in the BIND configuration file(s), and they may be recursive servers for your clients. Look at the config files to see what zones are mastered or slaved on the servers.

--Barry Finkel
Re: In BIND 8.2 running on Solaris 8, how to start logging
Mike, Barry, Baird,

Thank you so much for your quick replies. I'll try your recommendations first thing Monday morning and see what happens.

Again, thank you and have a nice weekend.

Regards,
Samad

On Fri, Jun 27, 2014 at 2:12 PM, Baird, Josh jba...@follett.com wrote:

> Enable query logging or run tcpdump on port 53. A quick Google search should explain exactly how to do either of these very easily.
>
> Josh
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto: bind-users-boun...@lists.isc.org] On Behalf Of Barry S. Finkel
> Sent: Friday, June 27, 2014 5:02 PM
> To: bind-users@lists.isc.org
> Subject: Re: In BIND 8.2 running on Solaris 8, how to start logging
>
> On 6/27/2014, Samad Agha samad.agha2...@gmail.com wrote:
>
>> Hi All,
>>
>> I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both and transfer everything to a couple of RHEL 7 boxes. The City (I work for a mid-size California city) has outsourced different aspects of our DNS that I even lost track and have no idea what these two DNS servers serve.
>>
>> I'd like to start logging all queries on these two boxes to know who queries them. How do I start a comprehensive logging to capture all transactions going through these two servers?
>>
>> Please advise; please be thorough and don't assume anything.
>>
>> Many thanks in advance.
>>
>> Regards,
>> Samad
>
> I may be missing something here. The servers are running BIND. What zones do the servers serve? They serve the zones listed in the BIND configuration file(s), and they may be recursive servers for your clients. Look at the config files to see what zones are mastered or slaved on the servers.
>
> --Barry Finkel
Re: Cannot chroot bind: ENGINE_by_id failed (crypto failure)
I created the directory '/var/run/nscd' (owned by named), and symbolically linked '/usr/lib64' to the '/usr/lib' directory... and it's working!

Thank you all very much for your speedy and accurate help!

On Thursday, June 26, 2014 5:17 PM, Hauke Lampe la...@hauke-lampe.de wrote:

> On 26.06.2014 22:53, Matthew Washington wrote:
>
>> May 20 16:32:15 fortress named[6034]: error:260B6084:engine routines:DYNAMIC_LOAD:dso not found:eng_dyn.c:450:
>> May 20 16:32:15 fortress named[6034]: error:2606A074:engine routines:ENGINE_by_id:no such engine:eng_list.c:418:id=gost
>> May 20 16:32:15 fortress named[6034]: initializing DST: crypto failure
>
> libssl tries to load the GOST engine from a platform-specific path. I used strace to find it:
>
>     strace named -f -c /etc/named.conf -t /svc/name -u named 2>&1 | grep gost
>     open("/usr/lib/x86_64-linux-gnu/openssl-1.0.0/engines/libgost.so", O_RDONLY) = -1 ENOENT (No such file or directory)
>
> Alternatively, the Debian package patched named and moved the SSL init code before the chroot:
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696661
>
> Hauke.
Re: Using a DynDNS hostname in master-statement for a bind slave?
In message 53adb051.50...@dougbarton.us, Doug Barton writes:

> On 06/27/2014 08:27 AM, Johannes Kastl wrote:
>
>> The slave server (HOST B) is reachable from the internet via a dynDNS hostname.
>>
>> Now I want to setup another bind as slave on a server hosted at my provider. It should use HOST B as its master, to transfer the zone and act as a slave.
>>
>> BUT I found nothing in the documentation on how to deal with a master server that has no fixed IP and is reachable via a dynamic hostname.
>
> That's because it cannot be done. You need a master with a fixed address.

Well it's more that we haven't written the code to do it. We actually have the protocols to support nameservers being dynamically addressed (other than the root servers).

UPDATE is capable of updating both glue and actual records. We lookup nameserver addresses for things like NOTIFY. There is nothing to stop a nameserver looking up addresses for AXFR. We already authenticate all these operations using TSIG.

It's been on my personal TODO lists for over a decade now.

> If your zone content and IP address don't change often you could set a very long expire time on the zone, and fix the master definition on your provider's slave whenever it breaks, but that's pretty fragile.
>
> Good luck,
>
> Doug

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Using a DynDNS hostname in master-statement for a bind slave?
On 27.06.2014 17:27, Johannes Kastl wrote:

> sorry if this is a stupid question, I would love to get a RTFM pointing me to the right documentation (I found none...).
>
> My setup is like this (at least that is my plan):
>
> In my home network I have:
> Host A with bind as master for my zone example.org
> Host B with bind as slave for my zone example.org, Host A set as its master
>
> The slave server (HOST B) is reachable from the internet via a dynDNS hostname.
>
> Now I want to setup another bind as slave on a server hosted at my provider. It should use HOST B as its master, to transfer the zone and act as a slave.
>
> BUT I found nothing in the documentation on how to deal with a master server that has no fixed IP and is reachable via a dynamic hostname.
>
> Is this possible? Or do I have to setup a VPN to connect the external server to the home network?
>
> Thanks in advance for any tips or tricks or hints...

setup openvpn with your dyndns as VPN client
that way you have a fixed IP

besides it solves the IP problem zone transfers are more safe because they are encrypted and can't get mangled by broken crap like cisco routers doing DNS ALG

look at the archives, i had recently the fun that a cisco router between master/slave insisted to manipulate zone transfers and set every CNAME a zero TTL