Re: bind-users Digest, Vol 2734, Issue 2

2017-09-16 Thread Mark Andrews
Because it isn't all about UDP size. Sending an OPT signals that the client 
supports EDNS. Also, if you want DNSSEC, you send the DO bit with EDNS. 

-- 
Mark Andrews

> On 17 Sep 2017, at 16:10, Harshith Mulky  wrote:
> 
> On 15.09.2017 at 09:37 Harshith Mulky wrote:
> > Hello Experts,
> > 
> > I had a query on advertising the payload size on the client in DNS responses 
> > over UDP/TCP.
> > 
> > This is as much as I have understood from RFC 6891, that a 
> > requester (client) can advertise its capabilities to restrict the UDP 
> > payload size to a limit between 512 and 4096 bytes based on its 
> > limitations when supporting EDNS procedures.
> > 
> > Is it the same case with TCP?
> > 
> > Can we (the client) advertise our capabilities over TCP to limit the payload 
> > size in responses?
> 
> why would you want to do that?
> 
> TCP doesn't suffer from the problem of a faked source IP and the response 
> going back to the attacked victim! what do you imagine to happen when 
> your response data is larger? in case of UDP the fallback is simply TCP 
> and then you want to cripple that fallback?
> 
> [Harshith] But I do not understand why an OPT section would be required in a TCP 
> query. As I see from my traces, even TCP queries carry an OPT section with the 
> advertised sizes the client supports! Why would this be necessary? I do not 
> want to cripple the fallback, but if a query is intending to do so from a 
> resolver, how do we stop that?
> 
> Thanks
> 
>  
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailm
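What Mark describes is visible on the wire. As an added example (my own Python, not code from Mark, Harshith or ISC), this builds a query carrying the RFC 6891 OPT record with the requester's UDP payload size and the DO bit, then parses it both as a bare UDP message and inside the two-byte-length TCP framing, so the same OPT rides in a TCP query even though the size field only governs UDP. Names, the message id and the 1232-byte size are constructed sample values.

```python
import struct

OPT_TYPE = 41      # RFC 6891 OPT pseudo-RR type
DO_BIT = 0x8000    # DNSSEC OK bit in the OPT TTL field (RFC 6891 s6.1.4)


def encode_name(name):
    """Encode a dotted owner name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype, msg_id, edns=True, udp_payload_size=4096, do=True):
    """Build a recursive query; with edns=True one OPT RR goes in the additional
    section. OPT layout: NAME=root, TYPE=41, CLASS=requester's UDP payload size,
    TTL = extended RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)       # IN class
    if not edns:
        return header + question
    ttl = DO_BIT if do else 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)
    return header + question + opt


def _skip_name(msg, off):
    """Advance past a wire-format name (labels or a compression pointer)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_edns(msg):
    """Return the EDNS information carried in a message, or None when no OPT RR
    is present (a pre-EDNS client that can only take 512-byte UDP answers)."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == OPT_TYPE:
            return {"udp_payload_size": rclass, "version": (ttl >> 16) & 0xFF,
                    "do": bool(ttl & DO_BIT)}
        off += rdlen
    return None


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 s4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (length,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + length]


def server_view(msg, transport):
    """What a responder learns from the query: the reply size it may use, whether
    the client speaks EDNS, and whether it wants DNSSEC records. The payload size
    limits UDP only; over TCP the length prefix sets the limit, but OPT presence
    and the DO bit still carry the same meaning."""
    edns = parse_edns(msg)
    if transport == "tcp":
        limit = 65535
    else:
        limit = edns["udp_payload_size"] if edns else 512
    return {"max_response": limit, "edns": edns is not None,
            "dnssec_ok": bool(edns and edns["do"])}


if __name__ == "__main__":
    query = build_query("example.com.", 1, 0x1234, udp_payload_size=1232, do=True)
    print("UDP   :", server_view(query, "udp"))
    print("TCP   :", server_view(tcp_unframe(tcp_frame(query)), "tcp"))
    print("no OPT:", server_view(build_query("example.com.", 1, 0x1235, edns=False), "udp"))
```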

Re: bind-users Digest, Vol 2734, Issue 2

2017-09-16 Thread Harshith Mulky
On 15.09.2017 at 09:37 Harshith Mulky wrote:
> Hello Experts,
>
> I had a query on advertising the payload size on the client in DNS responses
> over UDP/TCP.
>
> This is as much as I have understood from RFC 6891, that a
> requester (client) can advertise its capabilities to restrict the UDP
> payload size to a limit between 512 and 4096 bytes based on its
> limitations when supporting EDNS procedures.
>
> Is it the same case with TCP?
>
> Can we (the client) advertise our capabilities over TCP to limit the payload
> size in responses?

why would you want to do that?

TCP doesn't suffer from the problem of a faked source IP and the response
going back to the attacked victim! what do you imagine to happen when
your response data is larger? in case of UDP the fallback is simply TCP
and then you want to cripple that fallback?

[Harshith] But I do not understand why an OPT section would be required in a TCP 
query. As I see from my traces, even TCP queries carry an OPT section with the 
advertised sizes the client supports! Why would this be necessary? I do not 
want to cripple the fallback, but if a query is intending to do so from a 
resolver, how do we stop that?

Thanks



Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Paul Kosinski
Maybe he has no say in what ISP is used, and they have draconian policies...


On Sat, 16 Sep 2017 19:48:51 +0200
Matus UHLAR - fantomas  wrote:

> . . .
> >Note:1.2.3.4 is not what they really return . I've changed it for
> >privacy .
> 
> why? it's your ISP, there's no need to hide IP they send to you...
> it's not your privacy, is it?
> 
> >But it is one fixed ip address which returns in case of manipulation
> >occurs
> 
> I think you could translate that IP to NXDOMAIN using RPZ.
> 
> btw, dnsmasq has "bogus-nxdomain" option for this. When you forward
> togoogle, you could use dnsmasq as well.


Re: Automatic Key Management

2017-09-16 Thread Mark Elkins
On 14/09/2017 16:55, Tony Finch wrote:

> Mark Elkins  wrote:
>
>> With BIND version 9.12  coming out - I'm wondering if I've missed any
>> announcements on some form of Automatic (DNS)Key Management?
>> Something that will create and retire keys according to some sort of policy.
> See dnssec-keymgr (new in 9.11) which will automate ZSK management.
>
> KSKs are still difficult. I don't know of any nice software for pushing
> delegation updates through registrars. It's a fairly tedious business
> because in many cases you'll need to talk to several different parents so
> you have to write the same code in several different ways. Even the good
> APIs (Gandi, RIPE) have murky corners (EPP itself is a movable feast), and
> sometimes you may be stuck without an API and reduced to scripting
> PhantomJS or something similarly horrible.
>
> Tony.

Thanks Tony.

I've been experimenting. I'm also a Registrar for South African domains,
running EPP including DNSSEC extensions.

Couldn't find a full example /etc/dnssec-policy.conf
so came up with:-

policy default-dnssec {
    algorithm ECDSAP256SHA256;
    pre-publish zsk 1w;
    pre-publish ksk 1w;
    post-publish zsk 1w;
    post-publish ksk 1w;
    roll-period zsk 4w;
    roll-period ksk 52w;
    coverage 190d;
};

zone smtp.co.za {
    policy default-dnssec;
    directory "/etc/bind/smtp.co.za";
};

Not completely sure if what is above is completely sane. :-)
I'm playing with a zone called "smtp.co.za". This is on a stand-alone
test machine. The test entry in my named.conf looks like...

zone "smtp.co.za" {
    type master;
    file "smtp.co.za/db.smtp.co.za";
    key-directory "smtp.co.za";
    inline-signing yes;
    auto-dnssec maintain;
    update-policy { grant ddns-key zonesub ANY; };
};

When run, dnssec-keymgr completely ignores ECDSAP256SHA256 and uses RSASHA256 
(the default if no algorithm specified).
I created ECDSAP256SHA256 signatures by hand and reran dnssec-keymgr. It simply 
creates two more RSASHA256 as if there were no Keys.

I'm not a python programmer and was somewhat lost when looking inside 
dnssec-keymgr. Stumbled into /usr/lib/python3.4/site-packages/isc/keymgr.py, 
found mention of ECDSAP256SHA256 in policy.py and stopped looking.

I also like to organise my "zones" as one per directory - so all the cruft for 
one zone is stored together in one place. Looks like I'll need a "zone" entry 
per zone in dnssec-policy.conf to manage this. Pity it doesn't simply look 
inside named.conf for that information (for where the keys live).
 
Maybe someone else on this list has looked further?

On my side, I can 'import' the KSK from the properly signed zone, generate the 
DS record and EPP it up to the Registry. That all works fine, currently with 
the push of one (web) button. Will change/add this to something RESTful. Then, 
for full automation (KSK rollovers) - I'd need dnssec-keymgr to call an 
external script when it's time to trigger some sort of "Sync" action.

Didn't spot anything to auto-generate CDS records although BIND 9.11 is 
apparently capable. 

-- 
Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.128070590  Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
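As an added illustration (my own code, not dnssec-keymgr's, and not a claim about how keymgr itself schedules keys), this works out the key timeline the policy above implies: publish, activate, inactive and delete dates for each key, how many keys the 190d coverage needs, and how many DNSKEYs of one role sit in the zone at once. The start date is constructed and the duration parser only knows the units the policy uses.

```python
from datetime import datetime, timedelta

# The policy from the post, as data; the duration spellings are the ones used there.
POLICY = {
    "pre-publish":  {"zsk": "1w",  "ksk": "1w"},
    "post-publish": {"zsk": "1w",  "ksk": "1w"},
    "roll-period":  {"zsk": "4w",  "ksk": "52w"},
    "coverage": "190d",
}


def parse_duration(text):
    """Turn '1w', '4w', '190d' into a timedelta. Only y/w/d are handled here
    (my assumption for this example, not keymgr's full duration grammar)."""
    units = {"y": 365, "w": 7, "d": 1}
    for suffix, days in units.items():
        if text.endswith(suffix):
            return timedelta(days=int(text[:-1]) * days)
    raise ValueError(f"unsupported duration: {text}")


def key_timeline(start, role, policy=POLICY):
    """Successive keys of one role so that some key is active from `start`
    until start + coverage. Each key is published pre-publish before it
    activates, goes inactive when its successor activates, and is deleted
    post-publish after that (the pre-publish rollover of RFC 6781)."""
    roll = parse_duration(policy["roll-period"][role])
    pre = parse_duration(policy["pre-publish"][role])
    post = parse_duration(policy["post-publish"][role])
    end = start + parse_duration(policy["coverage"])
    keys, activate = [], start
    while activate < end:
        inactive = activate + roll
        keys.append({"role": role, "publish": activate - pre, "activate": activate,
                     "inactive": inactive, "delete": inactive + post})
        activate = inactive
    return keys


def plan(role, start_iso="2017-09-16", policy=POLICY):
    """Convenience wrapper: timeline for a role from an ISO date (constructed
    default: the day of the post)."""
    return key_timeline(datetime.fromisoformat(start_iso), role, policy)


def max_published(keys):
    """Largest number of this role's DNSKEYs in the zone at one time
    (publish <= t < delete): the overlap the pre/post-publish windows create."""
    events = sorted([(k["publish"], 1) for k in keys] + [(k["delete"], -1) for k in keys])
    current = peak = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def render(keys):
    """Human-readable timeline, one line per key."""
    fmt = "%Y-%m-%d"
    return "\n".join(
        f"{k['role'].upper()} {i + 1}: publish {k['publish']:{fmt}} "
        f"activate {k['activate']:{fmt}} inactive {k['inactive']:{fmt}} "
        f"delete {k['delete']:{fmt}}"
        for i, k in enumerate(keys))


if __name__ == "__main__":
    for role in ("zsk", "ksk"):
        keys = plan(role)
        print(render(keys))
        print(f"{role}: {len(keys)} keys cover {POLICY['coverage']}, "
              f"at most {max_published(keys)} published at once\n")
```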


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Matus UHLAR - fantomas

On 16.09.17 07:01, Omid Kosari via bind-users wrote:
> 2nd scenario is mine . Upstream manipulated everything on 53 tcp/udp . Even
> if i query a non-existent dns-server it returns result ;)
>
> Note:1.2.3.4 is not what they really return . I've changed it for privacy .

why? it's your ISP, there's no need to hide IP they send to you...
it's not your privacy, is it?

> But it is one fixed ip address which returns in case of manipulation occurs

I think you could translate that IP to NXDOMAIN using RPZ.

btw, dnsmasq has "bogus-nxdomain" option for this. When you forward
to google, you could use dnsmasq as well.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 
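To make the RPZ suggestion concrete, an added example (my own Python, not from Matus or ISC): it builds rpz-ip trigger owner names in the RPZ encoding, renders a minimal policy zone in which the placeholder address 1.2.3.4 from the thread answers NXDOMAIN, and simulates the resolver-side match. The zone name rpz.example and the SOA values are assumptions.

```python
import ipaddress

# RPZ action -> CNAME target, as BIND's response-policy zones express them.
RPZ_ACTIONS = {
    "NXDOMAIN": ".",             # what Matus suggests for the fixed address
    "NODATA": "*.",              # NOERROR with an empty answer section
    "PASSTHRU": "rpz-passthru.", # leave the answer alone (whitelist)
    "DROP": "rpz-drop.",         # send no response at all
}


def rpz_ip_owner(network):
    """Relative owner name of an rpz-ip trigger: prefix length, then the address
    in reverse order, under the rpz-ip label. IPv4 uses the dotted octets; IPv6
    uses the compressed hex groups with the '::' run written as the label 'zz'.
    1.2.3.4/32 -> 32.4.3.2.1.rpz-ip ; 2001:db8::1/128 -> 128.1.zz.db8.2001.rpz-ip"""
    net = ipaddress.ip_network(network, strict=False)
    if net.version == 4:
        parts = str(net.network_address).split(".")
    else:
        groups = net.network_address.compressed.split(":")
        parts, i = [], 0
        while i < len(groups):
            if groups[i] == "":
                parts.append("zz")
                while i < len(groups) and groups[i] == "":
                    i += 1
            else:
                parts.append(groups[i])
                i += 1
    return ".".join([str(net.prefixlen)] + parts[::-1] + ["rpz-ip"])


def rpz_zone(policy, origin="rpz.example"):
    """Render a minimal RPZ zone file from (network, action) pairs. named.conf then
    references it with:  response-policy { zone "rpz.example"; };  (assumed name)."""
    lines = [f"$ORIGIN {origin}.", "$TTL 300",
             "@ SOA localhost. hostmaster.localhost. 1 3600 900 604800 300",
             "@ NS localhost."]
    for network, action in policy:
        lines.append(f"{rpz_ip_owner(network)} CNAME {RPZ_ACTIONS[action]}")
    return "\n".join(lines) + "\n"


def apply_policy(answer_addresses, policy):
    """Simulate the resolver side: if any address in the answer section falls
    inside a trigger network, return that trigger's action, else None (answer
    unchanged). When several triggers match, the longest prefix wins."""
    best = None
    for addr in answer_addresses:
        ip = ipaddress.ip_address(addr)
        for network, action in policy:
            net = ipaddress.ip_network(network, strict=False)
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0]:
                    best = (net.prefixlen, action)
    return best[1] if best else None


# Constructed policy: the placeholder address Omid used in the thread.
SAMPLE_POLICY = [("1.2.3.4/32", "NXDOMAIN")]

if __name__ == "__main__":
    print(rpz_zone(SAMPLE_POLICY))
    # Constructed answer, mirroring the nslookup output quoted in the thread.
    print(apply_policy(["1.2.3.4", "1.2.3.4"], SAMPLE_POLICY))
```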


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread /dev/rob0
On Sat, Sep 16, 2017 at 10:50:14AM +, Alberto Colosi wrote:
> even on hotel . why not to use a BIND on unix or window
> on ur box u r using ?
> 
> it is so easy

Ugh, this is a mailing list, please use real words and not TXT 
messaging / chat abbreviations.  Thank you.

No, it is not easy in many captive portals.  I use a laptop for 
everything, and I tried it.  Sometimes you MUST be using that 
portal's nameserver to "authenticate" or to be approved as a user.  
BIND logs will be flooded with gazillions of "lame server" messages, 
as every iterative query is answered with a non-authoritative reply.

Of course it depends where you go, but for me, sometimes I find 
myself stuck behind portals like the OP found, which redirect all 
queries to broken nameservers.

That said, for people with "normal" Internet providers, yes, it's 
very easy to run your own caching resolver.
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread /dev/rob0
On Sat, Sep 16, 2017 at 03:18:57AM -0700,
   Omid Kosari via bind-users wrote:
> This is my first post to this mailing list .

And it's a classic example of "XY question": "I want to do X, and I 
think Y will do it, so I ask how to do Y, although people more 
familiar with the subject matter think that sounds like a very 
strange thing to do."

> I have a caching bind dns server with forwarders like this .
> forwarders {
> 8.8.8.8;
> 8.8.4.4;
> };

Later in the thread we discovered that the ISP is redirecting all 
queries on port 53 to their own nameservers which are broken in 
various ways.  I *think* they are hijacking NXDOMAIN responses, 
returning their own ad server IP address for NXDOMAIN queries.  But 
you have failed (or refused) to provide this bit of information.

With redirected queries on port 53 TCP and UDP, the address of the 
forwarder would not matter.  It could be anything, as you showed 
later in the thread.

> I want to use another forwarders if the response of the query is 
> for example 1.2.3.4

And you munged the ISP's ad server, why, to protect their "privacy"?  
Sadly, this protection possibly harms you, and possibly other users 
who might otherwise be tempted to do business with that ISP.  It 
might make your quest more difficult, because if you had been open 
about who/what you are dealing with, you might have found another 
user who had come up with a different workaround for the problem.

No, this is not possible; named makes a query and cannot be 
configured to redo the query based on its results.  But you might be 
interested in the deny-answer-* features of BIND.  See the "Content 
Filtering" section of ARM chapter 6 for your BIND version.  This 
content filtering would not repeat the queries, however.

See also dnsmasq(8) for a forwarding-only nameserver which 
conditionally can ignore a certain result.  As with named, it won't 
repeat the query, however.

> I've found that rpz-ip is what i want

How so?  Be more specific about the real problem and goal.

> but i was unable to create relation to forwarders .

Correct.

>//if response ip or rpz-ip = 1.2.3.4 then
> forwarders {
> 208.67.222.222 port 443;
> 208.67.220.220 port 443;
> };

So if you want to use opendns, why not just use those forwarders for 
all queries?  What benefit could there be in querying the ISP 
nameservers first?
-- 
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Sten Carlsen


On 16-09-2017 16.01, Omid Kosari via bind-users wrote:
> 2nd scenario is mine . Upstream manipulated everything on 53 tcp/udp . Even
> if i query a non-existent dns-server it returns result ;)
>
> C:\WINDOWS\system32>nslookup newsroom.fb.com 8.8.8.254
> Server:  UnKnown
> Address:  8.8.8.254
>
> Non-authoritative answer:
> Name:newsroom.fb.com
> Addresses:  1.2.3.4
>   1.2.3.4
>
> Note:1.2.3.4 is not what they really return . I've changed it for privacy .
> But it is one fixed ip address which returns in case of manipulation occurs
> .
>
>
>
> Sten Carlsen wrote
>> In case 2) something like your solution is needed. The use of port 443
>> is an obvious idea, however DNS uses UDP and HTTPS uses TCP. Your ISP
>> appears to be paranoid enough to block also port 443 UDP, so that might
>> be one issue.
> FYI https://en.wikipedia.org/wiki/QUIC uses udp 443 . Also i try to reduce
> the queries over 443 with the way i asked in my first post .
The fact that QUIC exists does not necessarily mean that the port is
open for you, it is still experimental.

As Harald mentioned DNS will fall back to TCP but the time to do that
may cause too long a delay for your connection to work.

I guess you will have to investigate exactly what prevents your
connection, Wireshark is a good tool.

I have no other ideas to offer.
>
> Thanks
>

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!" 




Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Omid Kosari via bind-users
2nd scenario is mine . Upstream manipulated everything on 53 tcp/udp . Even
if i query a non-existent dns-server it returns result ;)

C:\WINDOWS\system32>nslookup newsroom.fb.com 8.8.8.254
Server:  UnKnown
Address:  8.8.8.254

Non-authoritative answer:
Name:newsroom.fb.com
Addresses:  1.2.3.4
  1.2.3.4

Note:1.2.3.4 is not what they really return . I've changed it for privacy .
But it is one fixed ip address which returns in case of manipulation occurs
.



Sten Carlsen wrote
> In case 2) something like your solution is needed. The use of port 443
> is an obvious idea, however DNS uses UDP and HTTPS uses TCP. Your ISP
> appears to be paranoid enough to block also port 443 UDP, so that might
> be one issue.

FYI https://en.wikipedia.org/wiki/QUIC uses udp 443 . Also i try to reduce
the queries over 443 with the way i asked in my first post .

Thanks

--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Reindl Harald



On 16.09.2017 at 15:12 Sten Carlsen wrote:
> On 16-09-2017 14.56, Matus UHLAR - fantomas wrote:
>> On 16.09.17 04:19, Omid Kosari via bind-users wrote:
>>> Actually my situation is a bit strange . But as explanation i can say that
>>> our upstream provider do dns manipulation on normal ports 53 tcp/udp (please
>>> don't ask why). We may not use vpn or tunnels . The only way is using
>>> alternate ports as forwarders.
>>
>> that explains why you want forwarders on port 443.
>>
>> But it doesn't explain why you forward to google. I still think it's
>> useless, unless your ISP blocks port 53 to public servers.
>
> This is still not entirely clear to me. I see two possible scenarios,
> please indicate which is closer to your situation:
>
> 1 - your ISP provides their own DNS servers as part of the service and
> indicate those via DHCP. These servers give mangled replies.
>
> 2 - ALL traffic on port 53 is mangled in e.g. a router/switch along the
> path according to some rule imposed by the ISP.
>
> In case 1) which is common, I have used a DNS server locally without
> forwarding with perfect results. It will never ask the ISP's server.
>
> In case 2) something like your solution is needed. The use of port 443
> is an obvious idea, however DNS uses UDP and HTTPS uses TCP. Your ISP
> appears to be paranoid enough to block also port 443 UDP, so that might
> be one issue.

DNS is using both and when UDP fails it should fall back in any case to 
TCP as it does for large responses - you can likely reject UDP 53 and it 
would still work and as already said: distinguishing between https and dns 
traffic on the ISP side would require expensive (expensive at least for 
the scale of an ISP) deep packet inspection

https://en.wikipedia.org/wiki/Extension_mechanisms_for_DNS

for DNSSEC as example TCP is mandatory because the DO flag won't fit into 
the default header for UDP

> Would there be any UDP ports open, like streaming services or games? If
> so they may provide a possibility




Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Sten Carlsen


On 16-09-2017 14.56, Matus UHLAR - fantomas wrote:
> On 16.09.17 04:19, Omid Kosari via bind-users wrote:
>> Actually my situation is a bit strange . But as explanation i can say
>> that
>> our upstream provider do dns manipulation on normal ports 53 tcp/udp
>> (please
>> don't ask why). We may not use vpn or tunnels . The only way is using
>> alternate ports as forwarders.
>
> that explains why you want forwarders on port 443.
>
> But it doesn't explain why you forward to google. I still think it's
> useless, unless your ISP blocks port 53 to public servers.
>
This is still not entirely clear to me. I see two possible scenarios,
please indicate which is closer to your situation:

1 - your ISP provides their own DNS servers as part of the service and
indicate those via DHCP. These servers give mangled replies.

2 - ALL traffic on port 53 is mangled in e.g. a router/switch along the
path according to some rule imposed by the ISP.

In case 1) which is common, I have used a DNS server locally without
forwarding with perfect results. It will never ask the ISP's server.

In case 2) something like your solution is needed. The use of port 443
is an obvious idea, however DNS uses UDP and HTTPS uses TCP. Your ISP
appears to be paranoid enough to block also port 443 UDP, so that might
be one issue.

Would there be any UDP ports open, like streaming services or games? If
so they may provide a possibility.

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

"MALE BOVINE MANURE!!!" 




Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Matus UHLAR - fantomas

On 16.09.17 04:19, Omid Kosari via bind-users wrote:
> Actually my situation is a bit strange . But as explanation i can say that
> our upstream provider do dns manipulation on normal ports 53 tcp/udp (please
> don't ask why). We may not use vpn or tunnels . The only way is using
> alternate ports as forwarders.

that explains why you want forwarders on port 443.

But it doesn't explain why you forward to google. I still think it's
useless, unless your ISP blocks port 53 to public servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol. 


Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Reindl Harald



On 16.09.2017 at 14:26 Alberto Colosi wrote:
>> your answer to "Actually my situation is a bit strange . But as
>> explanation i can say that our upstream provider do dns manipulation on 
>> normal ports 53 tcp/udp" coming with "port 53 is only open directed to 
>> forwarders" and "I think u should read how DNS works, TLD and so on 
>> simply drop forwarders only use TLD" is nonsense
>
> nonsense ? :O I have used it for tons of years and even on single computers

that has no meaning in any language, but if you want to play the 
experience card I play mine: professional dns/network admin for some 
hundred domains including writing named backends

> forwarders are not a needed stuff even for caching even for 
> authoritative
>
> use only TLD but if port 53 is closed you have no "normal" way to gain 
> access to root TLD DNS engines

and *hence* he wants to forward the traffic to a dns server on port 443 
*which has access and can do recursion* - so just stop it - none of your 
responses is helpful for anybody, it's just noise

> From: bind-users  on behalf of 
> Reindl Harald 
> Sent: Saturday, September 16, 2017 2:12 PM
> To: bind-users@lists.isc.org
> Subject: Re: Different forwarder for cerain response ip (result ip )
>
> On 16.09.2017 at 13:30 Alberto Colosi wrote:
>> I read so well your answer and wasn't an answer to you
>>
>> in all case, who said I can't use port 53 if blocked?
>> 😲 are many ways without a VPN that usually is a paid 
>> service or a company service for who have it.
>>
>> In all case even VPN even 443 is open, can be dropped 😲 ... pass 443 
>> (browser) but not VPN.
>>
>> In all case here wasn't a discussion on hacking or bypassing protections 
>> or limitations! So I'll quit any other answer on this topic over the 
>> real question.
>
> jesus fix your quoting style and english - none of your responses was in
> any case helpful and other than you, people with experience guess what
> the reason for some non-default configs likely is
>
> your answer to "Actually my situation is a bit strange . But as
> explanation i can say that our upstream provider do dns manipulation on
> normal ports 53 tcp/udp" coming with "port 53 is only open directed to
> forwarders" and "I think u should read how DNS works, TLD and so on
> simply drop forwarders only use TLD" is nonsense
>
> when the ISP of his upstream internet connection mangles traffic on port
> 53 and you still recommend drop forwarders and use port 53 who is the
> one which doesn't understand DNS or the topic
>
> can you please refrain from answering to each and every post in a thread
> you obviously don't understand?
>
>> From: bind-users  on behalf of 
>> Reindl Harald 
>> Sent: Saturday, September 16, 2017 12:59 PM
>> To: bind-users@lists.isc.org
>> Subject: Re: Different forwarder for certain response ip (result ip )
>>
>> On 16.09.2017 at 12:50 Alberto Colosi wrote:
>>> even on hotel . why not to use a BIND on unix or window on ur 
>>> box u r using ?
>>
>> did you read what I responded to and did you try to understand my
>> answer?
>>
>> a default bind with recursion won't work when it can't connect to the
>> world in case it is redirected to a hotel nameserver and when you can
>> only connect to 80/443, well then your BIND on the box you are using may
>> use a nameserver you own in the web running on 443
>>
>>> From: bind-users  on behalf of 
>>> Reindl Harald 
>>> Sent: Saturday, September 16, 2017 12:46 PM
>>> To: bind-users@lists.isc.org
>>> Subject: Re: Different forwarder for certain response ip (result ip )
>>>
>>> On 16.09.2017 at 12:32 Matus UHLAR - fantomas wrote:
>>>> 1. who runs DNS servers on port 443?
>>>
>>> likely people who were bitten by hotel access points where 53 is
>>> caught to an internal nameserver and outgoing only 80/443 are possible,
>>> the same reason many people have a VPN server on 443


Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Alberto Colosi

> your answer to "Actually my situation is a bit strange . But as
> explanation i can say that our upstream provider do dns manipulation on
> normal ports 53 tcp/udp" coming with "port 53 is only open directed to
> forwarders" and "I think u should read how DNS works, TLD and so on
> simply drop forwarders only use TLD" is nonsense

nonsense ? :O I have used it for tons of years and even on single computers

forwarders are not a needed stuff even for caching even for authoritative

use only TLD but if port 53 is closed you have no "normal" way to gain access 
to root TLD DNS engines

see you



From: bind-users  on behalf of Reindl Harald 

Sent: Saturday, September 16, 2017 2:12 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for cerain response ip (result ip )



On 16.09.2017 at 13:30 Alberto Colosi wrote:
> I read your answer well, and it wasn't an answer to you
>
>
> In any case, who said I can't use port 53 if blocked?
> 😲 There are many ways without a VPN, which usually is a paid
> service or a company service for those who have it.
>
>
> In any case even a VPN, even when 443 is open, can be dropped 😲 ... 443
> (browser) passes but not VPN.
>
>
> In any case this wasn't a discussion on hacking or bypassing protections
> or limitations! So I'll quit any other answer on this topic beyond the
> real question.

jesus fix your quoting style and english - none of your responses was in
any case helpful and, other than you, people with experience guess what
the reason for some non-default configs likely is

your answer to "Actually my situation is a bit strange . But as
explanation i can say that our upstream provider do dns manipulation on
normal ports 53 tcp/udp" coming with "port 53 is only open directed to
forwarders" and "I think u should read how DNS works, TLD and so on
simply drop forwarders only use TLD" is nonsense

when the ISP of his upstream internet connection mangles traffic on port
53 and you still recommend dropping forwarders and using port 53, who is the
one who doesn't understand DNS or the topic

can you please refrain from answering to each and every post in a thread
you obviously don't understand?

> 
> *From:* bind-users  on behalf of
> Reindl Harald 
> *Sent:* Saturday, September 16, 2017 12:59 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: Different forwarder for certain response ip (result ip )
>
>
> On 16.09.2017 at 12:50 Alberto Colosi wrote:
>> even in a hotel. Why not use a BIND on unix or windows on the
>> box you are using?
>
> did you read what i responded to, and did you try to understand my
> answer?
>
> a default bind with recursion won't work when it can't connect to the
> world in the case where it is redirected to a hotel nameserver, and when you can
> only connect to 80/443, well then your BIND on the box you are using may
> use a nameserver you own on the web running on 443
>
>> 
>> *From:* bind-users  on behalf of
>> Reindl Harald 
>> *Sent:* Saturday, September 16, 2017 12:46 PM
>> *To:* bind-users@lists.isc.org
>> *Subject:* Re: Different forwarder for certain response ip (result ip )
>>
>>
>> On 16.09.2017 at 12:32 Matus UHLAR - fantomas wrote:
>>> 1. who runs DNS servers on port 443?
>>
>> likely people who were bitten by hotel access points where 53 is
>> caught by an internal nameserver and only outgoing 80/443 are possible,
>> the same reason many people have a VPN server on 443

Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Reindl Harald



On 16.09.2017 at 13:30 Alberto Colosi wrote:

I read your answer well, and it wasn't an answer to you


In any case, who said I can't use port 53 if blocked?
😲 There are many ways without a VPN, which usually is a paid
service or a company service for those who have it.


In any case even a VPN, even when 443 is open, can be dropped 😲 ... 443
(browser) passes but not VPN.


In any case this wasn't a discussion on hacking or bypassing protections
or limitations! So I'll quit any other answer on this topic beyond the
real question.


jesus fix your quoting style and english - none of your responses was in
any case helpful and, other than you, people with experience guess what
the reason for some non-default configs likely is


your answer to "Actually my situation is a bit strange . But as
explanation i can say that our upstream provider do dns manipulation on
normal ports 53 tcp/udp" coming with "port 53 is only open directed to
forwarders" and "I think u should read how DNS works, TLD and so on
simply drop forwarders only use TLD" is nonsense


when the ISP of his upstream internet connection mangles traffic on port
53 and you still recommend dropping forwarders and using port 53, who is the
one who doesn't understand DNS or the topic


can you please refrain from answering to each and every post in a thread
you obviously don't understand?




*From:* bind-users  on behalf of 
Reindl Harald 

*Sent:* Saturday, September 16, 2017 12:59 PM
*To:* bind-users@lists.isc.org
*Subject:* Re: Different forwarder for certain response ip (result ip )


On 16.09.2017 at 12:50 Alberto Colosi wrote:
even in a hotel. Why not use a BIND on unix or windows on the
box you are using?


did you read what i responded to, and did you try to understand my
answer?

a default bind with recursion won't work when it can't connect to the
world in the case where it is redirected to a hotel nameserver, and when you can
only connect to 80/443, well then your BIND on the box you are using may
use a nameserver you own on the web running on 443



*From:* bind-users  on behalf of 
Reindl Harald 

*Sent:* Saturday, September 16, 2017 12:46 PM
*To:* bind-users@lists.isc.org
*Subject:* Re: Different forwarder for certain response ip (result ip )


On 16.09.2017 at 12:32 Matus UHLAR - fantomas wrote:

1. who runs DNS servers on port 443?


likely people who were bitten by hotel access points where 53 is
caught by an internal nameserver and only outgoing 80/443 are possible,
the same reason many people have a VPN server on 443


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Omid Kosari via bind-users
I asked a technical question. Please answer technically if you know the
answer. Else your answer just takes others' time.

Thanks in advance




--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
port 53 is only open towards the forwarders

As I read it, you are thinking of using different forwarders, so port 53 should be open
to all IPs, right?


I think you should read how DNS works, TLDs and so on


simply drop forwarders, only use the TLDs





From: bind-users  on behalf of Omid Kosari 
via bind-users 
Sent: Saturday, September 16, 2017 1:19 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for certain response ip (result ip )

Wow. I love an active community.

Actually my situation is a bit strange. But as an explanation I can say that
our upstream provider does DNS manipulation on the normal ports 53 tcp/udp (please
don't ask why). We may not use VPNs or tunnels. The only way is using
alternate ports for forwarders.

But I cannot use the alternate ports as my main forwarders because if so, then
the upstream provider may become aware of that and manipulate them also. So if I
could use them only for certain requests then everything may work fine.

Note: My BIND DNS server is a caching server.



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Alberto Colosi
I read your answer well, and it wasn't an answer to you


In any case, who said I can't use port 53 if blocked? 😲
There are many ways without a VPN, which usually is a paid service or a company
service for those who have it.


In any case even a VPN, even when 443 is open, can be dropped 😲 ... 443 (browser)
passes but not VPN.


In any case this wasn't a discussion on hacking or bypassing protections or
limitations! So I'll quit any other answer on this topic beyond the real question.



Have a good day on





From: bind-users  on behalf of Reindl Harald 

Sent: Saturday, September 16, 2017 12:59 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for certain response ip (result ip )



On 16.09.2017 at 12:50 Alberto Colosi wrote:
> even in a hotel. Why not use a BIND on unix or windows on the
> box you are using?

did you read what i responded to, and did you try to understand my
answer?

a default bind with recursion won't work when it can't connect to the
world in the case where it is redirected to a hotel nameserver, and when you can
only connect to 80/443, well then your BIND on the box you are using may
use a nameserver you own on the web running on 443

> 
> *From:* bind-users  on behalf of
> Reindl Harald 
> *Sent:* Saturday, September 16, 2017 12:46 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: Different forwarder for certain response ip (result ip )
>
>
> On 16.09.2017 at 12:32 Matus UHLAR - fantomas wrote:
>> 1. who runs DNS servers on port 443?
>
> likely people who were bitten by hotel access points where 53 is
> caught by an internal nameserver and only outgoing 80/443 are possible,
> the same reason many people have a VPN server on 443


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Reindl Harald



On 16.09.2017 at 13:19 Omid Kosari via bind-users wrote:

Wow. I love an active community.

Actually my situation is a bit strange. But as an explanation I can say that
our upstream provider does DNS manipulation on the normal ports 53 tcp/udp (please
don't ask why). We may not use VPNs or tunnels. The only way is using
alternate ports for forwarders.

But I cannot use the alternate ports as my main forwarders because if so, then
the upstream provider may become aware of that and manipulate them also


you pretty much overestimate the work an ISP is willing to invest

that will surely not happen, if only because it would require
deep packet inspection, which would require hardware resources and cost
money, while port-based manipulation is technically cheap




Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Omid Kosari via bind-users
Wow. I love an active community.

Actually my situation is a bit strange. But as an explanation I can say that
our upstream provider does DNS manipulation on the normal ports 53 tcp/udp (please
don't ask why). We may not use VPNs or tunnels. The only way is using
alternate ports for forwarders.

But I cannot use the alternate ports as my main forwarders because if so, then
the upstream provider may become aware of that and manipulate them also. So if I
could use them only for certain requests then everything may work fine.

Note: My BIND DNS server is a caching server.



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/


Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Reindl Harald



On 16.09.2017 at 12:50 Alberto Colosi wrote:
even in a hotel. Why not use a BIND on unix or windows on the
box you are using?


did you read what i responded to, and did you try to understand my
answer?


a default bind with recursion won't work when it can't connect to the
world in the case where it is redirected to a hotel nameserver, and when you can
only connect to 80/443, well then your BIND on the box you are using may
use a nameserver you own on the web running on 443




*From:* bind-users  on behalf of 
Reindl Harald 

*Sent:* Saturday, September 16, 2017 12:46 PM
*To:* bind-users@lists.isc.org
*Subject:* Re: Different forwarder for certain response ip (result ip )


On 16.09.2017 at 12:32 Matus UHLAR - fantomas wrote:

1. who runs DNS servers on port 443?


likely people who were bitten by hotel access points where 53 is
caught by an internal nameserver and only outgoing 80/443 are possible,
the same reason many people have a VPN server on 443




Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
even in a hotel. Why not use a BIND on unix or windows on the box you are
using?


it is so easy




From: bind-users  on behalf of Reindl Harald 

Sent: Saturday, September 16, 2017 12:46 PM
To: bind-users@lists.isc.org
Subject: Re: Different forwarder for certain response ip (result ip )



On 16.09.2017 at 12:32 Matus UHLAR - fantomas wrote:
> 1. who runs DNS servers on port 443?

likely people who were bitten by hotel access points where 53 is
caught by an internal nameserver and only outgoing 80/443 are possible,
the same reason many people have a VPN server on 443

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
It is really normal! I have seen it even with DNS from VODAFONE or COLT-TELECOM,
ALBACOM / BT.COM and so on. I used more, but all here have some that give some
trouble. Telecom Italia / TIM, so to say, are good.


not all are good or fast at updating (not depending on TTL)


At work as an ITC Engineer I have seen and used lines and services from many ISPs.


I have a question ... caching or not ..
WHY USE FORWARDERS? I stopped using them a long time ago (many and many
years)


A suggestion: FORGET FORWARDERS, DON'T USE THEM


Really better .. and don't use Google DNS (1) Google knows what
you do, 2) they are really slow, 3) I never saw any difference like protection
or other)



Alberto Colosi

ITC NetWork & Security Architect & Administrator & CED Handling ..




From: bind-users  on behalf of Omid Kosari 
via bind-users 
Sent: Saturday, September 16, 2017 12:18 PM
To: bind-users@lists.isc.org
Subject: Different forwarder for certain response ip (result ip )

Hello,

This is my first post to this mailing list.

I have a caching BIND DNS server with forwarders like this.
forwarders {
8.8.8.8;
8.8.4.4;
};

I want to use other forwarders if the response of the query is, for example,
1.2.3.4
I've found that rpz-ip is what I want but I was unable to create a relation to
forwarders.

   //if response ip or rpz-ip = 1.2.3.4 then
forwarders {
208.67.222.222 port 443;
208.67.220.220 port 443;
};


Thanks



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Reindl Harald



On 16.09.2017 at 12:32 Matus UHLAR - fantomas wrote:

1. who runs DNS servers on port 443?


likely people who were bitten by hotel access points where 53 is
caught by an internal nameserver and only outgoing 80/443 are possible,
the same reason many people have a VPN server on 443



Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Matus UHLAR - fantomas

On 16.09.17 03:18, Omid Kosari via bind-users wrote:

I have a caching BIND DNS server with forwarders like this.
   forwarders {
   8.8.8.8;
   8.8.4.4;
   };


why do you use forwarders? You rarely need that - not when you have access to
the nameservers on the internet.
BIND can do very well without forwarders.


I want to use other forwarders if the response of the query is, for example,
1.2.3.4


why? 


I've found that rpz-ip is what I want but I was unable to create a relation to
forwarders.

  //if response ip or rpz-ip = 1.2.3.4 then
   forwarders {
   208.67.222.222 port 443;
   208.67.220.220 port 443;
   };


1. who runs DNS servers on port 443?
2. you can configure port for DNS server in server {} statement.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese. 


Different forwarder for certain response ip (result ip )

2017-09-16 Thread Omid Kosari via bind-users
Hello,

This is my first post to this mailing list.

I have a caching BIND DNS server with forwarders like this.
forwarders {
8.8.8.8;
8.8.4.4;
};

I want to use other forwarders if the response of the query is, for example,
1.2.3.4
I've found that rpz-ip is what I want but I was unable to create a relation to
forwarders.

   //if response ip or rpz-ip = 1.2.3.4 then
forwarders {
208.67.222.222 port 443;
208.67.220.220 port 443;
};


Thanks



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
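An added example (mine, not from any poster in the thread or from ISC) of how the two pieces the original post mentions fit together in named.conf: forwarders reached on a non-standard port, and an rpz-ip trigger keyed on the response address 1.2.3.4. The zone name rpz.local and the file paths are placeholders. RPZ actions only rewrite or drop a matching answer (NXDOMAIN, NODATA, PASSTHRU, DROP, TCP-Only, local data); there is no action that re-sends the query to a different forwarder, which is why the relation asked for above cannot be expressed in RPZ alone.

```conf
// /etc/bind/named.conf (placeholder path) -- caching resolver
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query     { localnets; };   // serve only the local networks
    allow-recursion { localnets; };

    // Forwarders reached on a non-standard port (addresses from the thread).
    // "forward only" means named never falls back to iterative resolution
    // over port 53 when the forwarders do not answer.
    forward only;
    forwarders {
        208.67.222.222 port 443;
        208.67.220.220 port 443;
    };

    // Response Policy Zone: its triggers are checked against every answer
    // before it is returned to the client; the matching action rewrites
    // or drops that answer. Policy hits are written to the rpz log category.
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "/etc/bind/rpz.local.db";   // placeholder path
    allow-query { localhost; };      // policy zone, not meant for clients
};

// ---------------------------------------------------------------------
// /etc/bind/rpz.local.db (placeholder path)
// ---------------------------------------------------------------------
// $TTL 1H
// @       SOA  localhost. root.localhost. ( 1 1h 15m 30d 2h )
//         NS   localhost.
//
// rpz-ip trigger for the response address 1.2.3.4: the owner name is the
// prefix length, then the address octets in reverse order, then "rpz-ip".
// The CNAME target selects the action:
//   .             -> NXDOMAIN (answer replaced by "no such name")
//   *.            -> NODATA   (name exists, no records)
//   rpz-passthru. -> answer returned unchanged, but the hit is logged
//   rpz-drop.     -> no response at all
// 32.4.3.2.1.rpz-ip   CNAME .
//
// A /24 would be written with prefix 24 and the network octets reversed,
// e.g. 24.0.2.0.192.rpz-ip for 192.0.2.0/24.
```

Start with the rpz-passthru. target to see which queries would be affected in the rpz log before switching to a rewriting action.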