Re: DS records setup
Assuming it is a DNSSEC-aware recursive server, it asks the COM servers if it hasn't cached it as part of the referral process.

[beetle:~/git/bind9] marka% dig ds example.com @a.gtld-servers.net

; <<>> DiG 9.13.1+hotspot+add-prefetch+marka <<>> ds example.com @a.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57511
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;example.com.                   IN      DS

;; ANSWER SECTION:
example.com.            86400   IN      DS      31589 8 1 3490A6806D47F17A34C29E2CE80E8A999FFBE4BE
example.com.            86400   IN      DS      31589 8 2 CDE0D742D6998AA554A92D890F8184C698CFAC8A26FA59875A990C03 E576343C
example.com.            86400   IN      DS      43547 8 1 B6225AB2CC613E0DCA7962BDC2342EA4F1B56083
example.com.            86400   IN      DS      43547 8 2 615A64233543F66F44D68933625B17497C89A70E858ED76A2145997E DF96A918
example.com.            86400   IN      DS      31406 8 1 189968811E6EBA862DD6C209F75623D8D9ED9142
example.com.            86400   IN      DS      31406 8 2 F78CF3344F72137235098ECBBD08947C2C9001C7F6A085A17F518B5D 8F6B916D

;; AUTHORITY SECTION:
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.

;; ADDITIONAL SECTION:
b.gtld-servers.net.     172800  IN      A       192.33.14.30
b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
a.gtld-servers.net.     172800  IN      A       192.5.6.30
a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
e.gtld-servers.net.     172800  IN      A       192.12.94.30
e.gtld-servers.net.     172800  IN      AAAA    2001:502:1ca1::30
h.gtld-servers.net.     172800  IN      A       192.54.112.30
h.gtld-servers.net.     172800  IN      AAAA    2001:502:8cc::30
k.gtld-servers.net.     172800  IN      A       192.52.178.30
k.gtld-servers.net.     172800  IN      AAAA    2001:503:d2d::30
i.gtld-servers.net.     172800  IN      A       192.43.172.30
i.gtld-servers.net.     172800  IN      AAAA    2001:503:39c1::30
j.gtld-servers.net.     172800  IN      A       192.48.79.30
j.gtld-servers.net.     172800  IN      AAAA    2001:502:7094::30
c.gtld-servers.net.     172800  IN      A       192.26.92.30
c.gtld-servers.net.     172800  IN      AAAA    2001:503:83eb::30
f.gtld-servers.net.     172800  IN      A       192.35.51.30
f.gtld-servers.net.     172800  IN      AAAA    2001:503:d414::30
l.gtld-servers.net.     172800  IN      A       192.41.162.30
l.gtld-servers.net.     172800  IN      AAAA    2001:500:d937::30
d.gtld-servers.net.     172800  IN      A       192.31.80.30
d.gtld-servers.net.     172800  IN      AAAA    2001:500:856e::30
m.gtld-servers.net.     172800  IN      A       192.55.83.30
m.gtld-servers.net.     172800  IN      AAAA    2001:501:b1f9::30
g.gtld-servers.net.     172800  IN      A       192.42.93.30
g.gtld-servers.net.     172800  IN      AAAA    2001:503:eea3::30

;; Query time: 18 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Thu Feb 21 16:39:15 AEDT 2019
;; MSG SIZE  rcvd: 1088

> On 21 Feb 2019, at 4:19 pm, rams wrote:
>
> Greetings.!
>
> How does a recursive resolver get the information for a zone example.com in
> the setup below, when
>
> example.com has DS records in .com
>
> .com is the TLD zone
> example.com is the SLD zone
>
> Regards,
> Ramesh

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
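As an added example (not code from Mark's reply or from ISC), here is how the DS values in the answer above are derived, so you can check that what .com publishes actually commits to the child's current DNSKEY before and after a key roll. The digest is computed over the child's owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and the key tag is the 16-bit checksum from RFC 4034 Appendix B. The DNSKEY in the block is a constructed sample with a four-byte placeholder key, not example.com's real key, so the DS it yields will not match the 31589/43547/31406 records above; paste in a real `dig example.com DNSKEY` line to reproduce those.

```python
"""Derive and verify DS records from a DNSKEY (RFC 4034 s.5 and Appendix B).

Added example for the thread above; the DNSKEY below is a constructed
sample (4-byte placeholder key), not example.com's real key.
"""
import base64
import hashlib
import struct

# DS digest types as registered by IANA: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

# Constructed sample: KSK flags 257, protocol 3, RSASHA256 (8), key bytes 01 02 03 04.
SAMPLE_DNSKEY = "example.com. 86400 IN DNSKEY 257 3 8 AQIDBA=="


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64key...' into (owner, rdata)."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))   # dig may wrap the key over several words
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return owner, rdata


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA with the carry folded back in."""
    acc = 0
    for idx, byte in enumerate(rdata):
        acc += byte if idx % 2 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(rr: str, digest_type: int = 2) -> str:
    """Return the DS presentation string the parent zone should carry for this DNSKEY."""
    owner, rdata = parse_dnskey(rr)
    alg = rdata[3]
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


def ds_matches(ds_rr: str, dnskey_rr: str) -> bool:
    """True if a DS as seen at the parent (dig's wrapped digest is fine) commits to dnskey_rr."""
    fields = ds_rr.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    if dtype not in DIGEST_ALGS:
        return False                      # unknown digest type: cannot vouch for it
    expected = make_ds(dnskey_rr, dtype).split()
    return (int(expected[3]), int(expected[4]), expected[6]) == (tag, alg, digest)


if __name__ == "__main__":
    # Compare the output against `dig ds example.com @a.gtld-servers.net` for a real key.
    print(make_ds(SAMPLE_DNSKEY, 1))
    print(make_ds(SAMPLE_DNSKEY, 2))
```

A DS that fails `ds_matches` for every DNSKEY the child currently serves means validators will treat the zone as bogus, not as unsigned, so run this check before removing an old key from the child zone.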
DS records setup
Greetings.!

How does a recursive resolver get the information for a zone example.com in the setup below, when

example.com has DS records in .com

.com is the TLD zone
example.com is the SLD zone

Regards,
Ramesh
Re: Combining forward with master zone.
On 02/20/2019 01:19 PM, King, Harold Clyde (Hal) wrote:
> Can I create a root zone to define a wildcard pointing to our warning page with one hostname defined going to a forward'ed DNS source? I could just give it an IP, but can I forward that one domain to outside DNS (Google or their NS repository)?

Are you using Response Policy Zone? Or are you trying to do a DNS hijack?

If you're using RPZ, you should be able to make example.com. / *.example.com. redirect while still allowing needs.example.com. to pass thru unmodified.

example.com        IN CNAME url-blocking.ourdns.com.
*.example.com      IN CNAME url-blocking.ourdns.com.
needs.example.com  IN CNAME rpz-passthru.

I prefer RPZ for this type of filtering over DNS hijacking if I can do so.

-- 
Grant. . . .
unix || die
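Added example (not Grant's configuration, nor anything from the original thread): the named.conf glue that makes the three RPZ records above take effect. The zone name rpz.local, the file paths and the SOA values are placeholders chosen here; example.com, needs.example.com and url-blocking.ourdns.com come from the thread. Two details in the zone file matter: the CNAME targets must be fully qualified (an unqualified url-blocking.ourdns.com would be completed with the policy zone's own origin), and the passthru works because RPZ prefers an exactly matching QNAME rule over a wildcard that also covers it, so needs.example.com wins against *.example.com.

```conf
// /etc/bind/named.conf.options  (hypothetical path)
options {
    recursion yes;
    // Every answer is checked against the policy zone before it is returned.
    response-policy { zone "rpz.local"; };
};

// The policy zone is ordinary authoritative data, but clients never need to
// query it directly, so do not expose it.
zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
    allow-query { none; };
};

; /etc/bind/db.rpz.local  (hypothetical path; short TTL so policy edits take effect quickly)
$TTL 300
@                  IN SOA   localhost. root.localhost. ( 2019022101 3600 900 604800 300 )
                   IN NS    localhost.

; QNAME triggers: the apex and everything below it are rewritten to the warning page.
; Targets are fully qualified; without the trailing dot they would become
; url-blocking.ourdns.com.rpz.local.
example.com        IN CNAME url-blocking.ourdns.com.
*.example.com      IN CNAME url-blocking.ourdns.com.

; The exact-name rule takes precedence over the wildcard, so this one host
; is resolved normally ("rpz-passthru." is the RPZ passthrough action).
needs.example.com  IN CNAME rpz-passthru.
```

After `rndc reload`, `dig @127.0.0.1 www.example.com` should return the CNAME to the warning page while `dig @127.0.0.1 needs.example.com` returns the real answer; the rewrite is logged in named's rpz log category, which is the record you will want when a client asks why a name "stopped working".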
Re: Combining forward with master zone.
Delegate needs.example.com from example.com and you should be set.

- Kevin

On Wed, Feb 20, 2019 at 3:40 PM King, Harold Clyde (Hal) wrote:
> Could I just define needs.example.com as a zone in a separate file so:
>
> zone "example.com" { type master; notify no; file "static/antiphish.db"; };
>
> zone "needs.example.com" { type forward; forwarders { 8.8.8.8; }; };
>
> --
> Hal
>
> We have a URL phishing setup that causes URLs we detect to redirect to a warning page. We have run into a problem. One of our clients has scripts that he calls from a host in that domain.
>
> Needs.example.com when we block example.com.
>
> Can I create a root zone to define a wildcard pointing to our warning page with one hostname defined going to a forward'ed DNS source? I could just give it an IP, but can I forward that one domain to outside DNS (Google or their NS repository)?
>
> Here's a very rough draft of the root zone:
>
> $ORIGIN .
> $TTL 3600
> example.com IN SOA us.ourdns.com. helpdesk.ourdns.com.
>
> *      CNAME url-blocking.ourdns.com
> needs  forward(8.8.8.8)
>
> --
> Hal
Server can not resolve Domain
Greetings,

we use our own nameserver on our system. I have installed bind9 now and configured the zone files. At our provider I have changed the nameserver to our system. But the server cannot resolve the name. I have searched for a long time, but I cannot see the problem.

I have the following setup:

Forward zone:

;; db.domainname
;; Forward lookup zone for domainname
;;
$TTL 2D
@           IN SOA  my.domain. mail.my.domain. (
                        200603      ; Serial
                        8H          ; Refresh
                        2H          ; Retry
                        4W          ; Expire
                        3H )        ; NX (TTL Negative Cache)
@           IN NS   my.domain.
@           IN NS   sns.serverkompetenz.de.
            IN MX   10 mail.my.domain.
@           IN A    81.169.255.130
www         IN A    81.169.255.130
my.domain.  IN A    81.169.255.130
mail        IN A    81.169.255.130
localhost   IN A    127.0.0.1
smtp        IN CNAME www
imap        IN CNAME www
@           IN TXT  "v=spf1 mx -all"

Reverse zone:

;; db.255.169.81
;; Reverse lookup zone for domainname
;;
$TTL 2D
;$ORIGIN 255.169.81.IN-ADDR.ARPA.
@           IN SOA  my.domain. mail.my.domain. (
                        200603      ; Serial
                        8H          ; Refresh
                        2H          ; Retry
                        4W          ; Expire
                        2D )        ; TTL Negative Cache
            IN NS   my.domain.
            IN NS   sns.serverkompetenz.de.
@           IN MX   10 mail.my.domain.
130         IN PTR  my.domain.

I have checked the zones with

root@mail:/etc/bind# named-checkzone 255.169.81.in-addr.arpa /etc/bind/db.255.169.81
zone 255.169.81.in-addr.arpa/IN: loaded serial 200603
OK
root@mail:/etc/bind# named-checkzone -i full my.domain /etc/bind/db.my.domain
zone my.domain/IN: loaded serial 200603
OK

And dig @localhost my.domain:

; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45181
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;my.domain.                     IN      A

;; ANSWER SECTION:
my.domain.              172800  IN      A       81.169.255.130

;; AUTHORITY SECTION:
my.domain.              172800  IN      NS      sns.serverkompetenz.de.
my.domain.              172800  IN      NS      my.domain.

;; Query time: 0 msec
;; SERVER: ::1#53(::1)
;; WHEN: Tue Feb 19 17:44:43 CET 2019
;; MSG SIZE  rcvd: 108

From my PC:

dig my.domain

; <<>> DiG 9.11.3-1ubuntu1.3-Ubuntu <<>> my.domain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19629
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;my.domain.                     IN      A

;; Query time: 18 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Tue Feb 19 22:17:28 CET 2019
;; MSG SIZE  rcvd: 42

In /var/log/syslog:

Feb 20 21:40:16 mail named[4833]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Feb 20 21:40:16 mail named[4833]: automatic empty zone: EMPTY.AS112.ARPA
Feb 20 21:40:16 mail named[4833]: configuring command channel from '/etc/bind/rndc.key'
Feb 20 21:40:16 mail named[4833]: configuring command channel from '/etc/bind/rndc.key'
Feb 20 21:40:16 mail named[4833]: reloading configuration succeeded
Feb 20 21:40:16 mail named[4833]: reloading zones succeeded
Feb 20 21:40:16 mail named[4833]: all zones loaded
Feb 20 21:40:16 mail named[4833]: running

Can someone tell me if I have a problem in my configuration? I have no more ideas at present.

Kind regards
Wolfgang

--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
Re: Combining forward with master zone.
Could I just define needs.example.com as a zone in a separate file so:

zone "example.com" { type master; notify no; file "static/antiphish.db"; };

zone "needs.example.com" { type forward; forwarders { 8.8.8.8; }; };

--
Hal

We have a URL phishing setup that causes URLs we detect to redirect to a warning page. We have run into a problem. One of our clients has scripts that he calls from a host in that domain.

Needs.example.com when we block example.com.

Can I create a root zone to define a wildcard pointing to our warning page with one hostname defined going to a forward'ed DNS source? I could just give it an IP, but can I forward that one domain to outside DNS (Google or their NS repository)?

Here's a very rough draft of the root zone:

$ORIGIN .
$TTL 3600
example.com IN SOA us.ourdns.com. helpdesk.ourdns.com.

*      CNAME url-blocking.ourdns.com
needs  forward(8.8.8.8)

--
Hal
Re: Combining forward with master zone.
As discussed in another thread, delegate the zone you want to forward, in addition to defining the zone as "type forward". If you already tried a "type forward" and it didn't work, it was probably because the delegation was missing. It's a non-obvious requirement, but named needs to see the zone cut.

- Kevin

On Wed, Feb 20, 2019 at 3:19 PM King, Harold Clyde (Hal) wrote:
> We have a URL phishing setup that causes URLs we detect to redirect to a warning page. We have run into a problem. One of our clients has scripts that he calls from a host in that domain.
>
> Needs.example.com when we block example.com.
>
> Can I create a root zone to define a wildcard pointing to our warning page with one hostname defined going to a forward'ed DNS source? I could just give it an IP, but can I forward that one domain to outside DNS (Google or their NS repository)?
>
> Here's a very rough draft of the root zone:
>
> $ORIGIN .
> $TTL 3600
> example.com IN SOA us.ourdns.com. helpdesk.ourdns.com.
>
> *      CNAME url-blocking.ourdns.com
> needs  forward(8.8.8.8)
>
> --
> Hal
Combining forward with master zone.
We have a URL phishing setup that causes URLs we detect to redirect to a warning page. We have run into a problem. One of our clients has scripts that he calls from a host in that domain.

Needs.example.com when we block example.com.

Can I create a root zone to define a wildcard pointing to our warning page with one hostname defined going to a forward'ed DNS source? I could just give it an IP, but can I forward that one domain to outside DNS (Google or their NS repository)?

Here's a very rough draft of the root zone:

$ORIGIN .
$TTL 3600
example.com IN SOA us.ourdns.com. helpdesk.ourdns.com.

*      CNAME url-blocking.ourdns.com
needs  forward(8.8.8.8)

--
Hal
Re:
On 20.02.19 10:48, Roberto Carna wrote:
>You tell me to do this:
>
>zone "." {
>    type master;
>    file "empty.db";
>};
>
>Is the root zone "type master" or "type hint"???
>
>Is empty.db really an empty file with no data at all???

debian ships db.empty which contains everything an empty zone file needs.

>And where do I have to put my current file:
>
>recursion yes;

useless as it's the default

>zone "teamviewer.com" {
>    type forward;
>    forwarders { 8.8.8.8; };
>};

anywhere, but your files look like a debian installation, so it should go to db.local.

I think you can specify an empty forwarders list and BIND should do the resolution itself.

>On Tue, Feb 19, 2019 at 10:29 AM Roberto Carna wrote:
>>
>> Dear Matus and Kevin, please tell me if it's OK if I do this:
>>
>> named.conf:
>> include "/etc/bind/named.conf.default-zones";
>>
>> named.conf.default-zones:
>> recursion yes;
>> zone "teamviewer.com" {
>>     type forward;
>>     forwarders { 8.8.8.8; };
>> };
>>
>> named.conf.local:

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re:
"type master". It must contain the mandatory records that all zones require -- exactly 1 SOA and at least 2 NSes. You'll need some A/AAAA records to resolve the NS names into addresses. What the NSes point to is pretty much irrelevant, if all of your clients are stub resolvers and only look up leaf records (A, AAAA, MX, etc.)

For the teamviewer.com delegation, you'll need at least 2 NSes, but you can point those to the same names as the apex NSes, if you wish. That would save you from having to populate more A/AAAA records in the zone.

If you haven't created a master file before, you might want to study up. There are a few rules that need to be followed, and certain mistakes to be avoided (although, for the root zone, the most common mistake -- failure to dot-terminate names -- tends to be a non-issue :-)

- Kevin

On Wed, Feb 20, 2019 at 8:49 AM Roberto Carna wrote:
> Dear Crist, sorry but I can't understand at all what you say. Please, I need to ask you again:
>
> You tell me to do this:
>
> zone "." {
>     type master;
>     file "empty.db";
> };
>
> Is the root zone "type master" or "type hint"???
>
> Is empty.db really an empty file with no data at all???
>
> And where do I have to put my current file:
>
> recursion yes;
> zone "teamviewer.com" {
>     type forward;
>     forwarders { 8.8.8.8; };
> };
>
> Thanks in advance, I'll be waiting for your response please.
>
> Greetings!!!
>
> El mié., 20 feb. 2019 a las 0:57, Crist Clark () escribió:
>> You need to explicitly define the root zone. Last I knew, BIND still gets the root zone hardcoded into the executable and will try to Do the Right Thing and find the root on its own even if the administrator does not define one or provide hints.
>>
>> You need something like,
>>
>> zone "." {
>>     type master;
>>     file "empty.db";
>> };
>>
>> On Tue, Feb 19, 2019 at 10:29 AM Roberto Carna wrote:
>>>
>>> Dear Matus and Kevin, please tell me if it's OK if I do this:
>>>
>>> named.conf:
>>> include "/etc/bind/named.conf.default-zones";
>>>
>>> named.conf.default-zones:
>>> recursion yes;
>>> zone "teamviewer.com" {
>>>     type forward;
>>>     forwarders { 8.8.8.8; };
>>> };
>>>
>>> named.conf.local:
>>>
>>> I define "recursion yes" in named.conf.default-zones.
>>>
>>> Thanks again, regards !!!
>>>
>>> El mar., 19 feb. 2019 a las 15:13, Matus UHLAR - fantomas via bind-users () escribió:
>>>>
>>>> On 19.02.19 09:45, Roberto Carna wrote:
>>>>> Dear Kevin, I am sorry but I didn't see your past response.
>>>>>
>>>>> Please can you show me with an example what you say: "Define root zone. Delegate teamviewer.com from root. Define teamviewer.com as 'type forward'".
>>>>>
>>>>> And also, what is the benefit in defining a root zone with teamviewer.com delegated into it??? Because I put this zone to work just as a forward zone, without a root zone definition.
>>>>
>>>> the benefit is it does exactly what you want.
>>>> the "teamviewer.com" zone of type forward causes DNS resolution of teamviewer.com domain.
>>>> the root zone effectively disables everything else (because bind thinks nothing else exists).
>>>>
>>>>> El lun., 18 feb. 2019 a las 17:00, Kevin Darcy (<kevin.da...@fcagroup.com>) escribió:
>>>>>
>>>>>> I've already posted a solution for this. Basically, "Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as 'type forward'".
>>>>>>
>>>>>> "Recursion yes" is implied. No views necessary. It doesn't make any sense anyway, to have the same match-clients list for all of one's views, since the first one matched is the one that's used.
>>>>>>
>>>>>> Did you not see my response, or did you perhaps dislike the approach I suggested?
>>>>>>
>>>>>> There was some subsequent discussion about not relying on DNS resolution as one's *only* control over what sites one's clients can or cannot access. While I agree with that, my position is that there's nothing wrong with controlling DNS resolution, in addition to other controls.
>>>>
>>>> --
>>>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>>>> M$ Win's are shit, do not use it !
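Added example, not Kevin's or anyone else's configuration from these threads: the pattern Kevin describes ("delegate it from the parent, then define it as type forward"), written out for both cases discussed on this page. Variant A is Hal's blocking zone with needs.example.com cut out and forwarded; Variant B is Roberto's locally served root with only teamviewer.com delegated and forwarded. File names, serial numbers, SOA timers and the ns.local/ns2.local names are placeholders chosen here; 8.8.8.8, static/antiphish.db, us.ourdns.com and url-blocking.ourdns.com come from the thread. In both variants it is the NS records in the parent zone that create the zone cut named needs to see; the forward zone on its own is not enough.

```conf
// named.conf.local  (hypothetical file name)

// Variant A (Hal): block example.com, but let needs.example.com escape to an
// outside resolver.
zone "example.com" {
    type master;
    notify no;
    file "static/antiphish.db";
};

zone "needs.example.com" {
    type forward;
    forward only;              // do not fall back to named's own recursion if 8.8.8.8 fails
    forwarders { 8.8.8.8; };
};

// Variant B (Roberto): a resolver that knows nothing but teamviewer.com. The
// authoritative root hides the real Internet; the delegation plus the forward
// zone re-enable exactly one domain.
zone "." {
    type master;
    file "db.root-local";
};

zone "teamviewer.com" {
    type forward;
    forward only;
    forwarders { 8.8.8.8; };
};

; static/antiphish.db  (origin example.com)
$TTL 3600
@               IN SOA   us.ourdns.com. helpdesk.ourdns.com. ( 2019022101 3600 900 604800 300 )
                IN NS    us.ourdns.com.
; The apex itself cannot be a CNAME (it already carries SOA and NS), so only
; names below it are redirected by the wildcard.
*               IN CNAME url-blocking.ourdns.com.
; Zone cut: needs.example.com is now a separate zone, so the wildcard no longer
; covers it and named consults the "needs.example.com" forward zone instead.
needs           IN NS    us.ourdns.com.

; db.root-local  (the locally served root; ns.local/ns2.local are placeholders)
$TTL 3600
.               IN SOA   ns.local. hostmaster.local. ( 2019022101 3600 900 604800 300 )
.               IN NS    ns.local.
.               IN NS    ns2.local.
ns.local.       IN A     127.0.0.1
ns2.local.      IN A     127.0.0.1
; Delegate the one domain that should work. The NS names only have to resolve;
; the forward zone decides where the queries actually go.
teamviewer.com. IN NS    ns.local.
teamviewer.com. IN NS    ns2.local.
```

Check with `named-checkconf` and `named-checkzone example.com static/antiphish.db` (or `named-checkzone . db.root-local`), reload, then compare `dig @127.0.0.1 www.example.com` (CNAME to the warning page) with `dig @127.0.0.1 needs.example.com` (the outside answer). One caveat worth stating to whoever owns the policy: every query under the forwarded name, including any internal hostnames that happen to live there, now goes to 8.8.8.8, so the forwarder sees exactly which hosts your clients look up.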
Re: DNS load balancing: UDP or TCP ?
On 2/20/19 10:22 AM, Alan Clegg wrote:
> On 2/20/19 7:55 AM, Roberto Carna wrote:
>
>> DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with UDP.
>> You tell me this is not true, just clients try with UDP if the response is truncated.
>
> Tony is correct, the first paragraph above IS NOT TRUE.

Assuming that the first paragraph above was re-written to the way it was in the original post, which was (something along the lines of):

> DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with TCP.

I really don't like this pair of threads (this one and the one with no subject line). Answers have been given. The people here are WAY smart. Test and verify!

AlanC
Re: DNS load balancing: UDP or TCP ?
On 2/20/19 7:55 AM, Roberto Carna wrote:
> DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with UDP.
> You tell me this is not true, just clients try with UDP if the response is truncated.

Tony is correct, the first paragraph above IS NOT TRUE.

Truncation is a situation in which the server responding to a client provides a message that won't fit in the specified packet size that the specification (and possibly the client, but I won't get into that here) has set for the response, thus providing a response that does not contain the entire response and sets the header bit TC=1.

This has nothing to do with TCP vs. UDP in the initial query. There is no fallback from UDP to TCP when the initial UDP query times out.

Please read up on `dnsdist` and give it a try.

Thanks!
AlanC
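Added example, not code from Alan's or Tony's posts: a small, offline model of the transport decision a spec-following client makes. The two replies it feeds itself are constructed byte strings (a normal answer and the same answer with TC=1), and the UDP and TCP senders are injected callables, so nothing is sent on the wire. It shows that the only path to TCP is a truncated UDP reply; a UDP timeout is retried over UDP and then reported as a failure, which is why, as Tony put it, a client must never be left waiting for an answer that will not arrive.

```python
"""Model of a stub resolver's UDP/TCP choice (RFC 1035 s.4.2.1, RFC 7766).

Added example for the thread above. Replies are constructed here, not
captured; the send functions are injected so the logic runs offline.
"""
import struct

FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def build_query(qname: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Wire-format query: 12-byte header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg: bytes) -> dict:
    """Decode the header; refuse short input so garbage is never read as a reply."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def resolve(query: bytes, udp_send, tcp_send, udp_tries: int = 2):
    """Return (transport_used, response).

    udp_send(query) returns the raw reply or None on timeout;
    tcp_send(framed_query) returns the raw (unframed) reply.
    """
    qid = parse_header(query)["id"]
    for _ in range(udp_tries):
        reply = udp_send(query)
        if reply is None:
            continue                      # timeout: retry over UDP, never promote to TCP
        hdr = parse_header(reply)
        if hdr["id"] != qid or not hdr["qr"]:
            continue                      # not an answer to our query; ignore it
        if hdr["tc"]:
            return "tcp", tcp_send(tcp_frame(query))   # TC=1 is the only TCP trigger
        return "udp", reply
    return "timeout", None


def make_reply(query: bytes, truncated: bool) -> bytes:
    """Constructed reply: echo the question, set QR/RD/RA (plus TC on request), no RRs."""
    qid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com", qtype=15)
    trunc = make_reply(q, truncated=True)
    print(resolve(q, lambda m: trunc, lambda f: make_reply(q, truncated=False))[0])
    print(resolve(q, lambda m: None, lambda f: None)[0])
```

When load-testing a balancer in front of two servers, the useful check is therefore not "does TCP work when UDP is silent" but "does a TC=1 reply over UDP lead to a complete answer over TCP from the same pool", and separately, "does a large EDNS buffer size ever cause a reply that the path silently drops".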
Re: DNS load balancing: UDP or TCP ?
Roberto Carna wrote:
> Can you confirm this is true in 100% of clients???

On 20.02.19 14:11, Tony Finch wrote:
> It's true of clients that follow the spec.

I would like to add that the spec mentions there may be clients that use only TCP.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
Re: DNS load balancing: UDP or TCP ?
Roberto Carna wrote:
>
> Can you confirm this is true in 100% of clients???

It's true of clients that follow the spec.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Rattray Head to Berwick upon Tweed: South or southwest 4 or 5, occasionally 6 at first. Slight or moderate, occasionally rough at first in northeast. Occasional rain or drizzle at first. Good, occasionally moderate at first.
Re:
Dear Crist, sorry but I can't understand at all what you say. Please, I need to ask you again:

You tell me to do this:

zone "." {
    type master;
    file "empty.db";
};

Is the root zone "type master" or "type hint"???

Is empty.db really an empty file with no data at all???

And where do I have to put my current file:

recursion yes;
zone "teamviewer.com" {
    type forward;
    forwarders { 8.8.8.8; };
};

Thanks in advance, I'll be waiting for your response please.

Greetings!!!

El mié., 20 feb. 2019 a las 0:57, Crist Clark () escribió:
> You need to explicitly define the root zone. Last I knew, BIND still gets the root zone hardcoded into the executable and will try to Do the Right Thing and find the root on its own even if the administrator does not define one or provide hints.
>
> You need something like,
>
> zone "." {
>     type master;
>     file "empty.db";
> };
>
> On Tue, Feb 19, 2019 at 10:29 AM Roberto Carna wrote:
>>
>> Dear Matus and Kevin, please tell me if it's OK if I do this:
>>
>> named.conf:
>> include "/etc/bind/named.conf.default-zones";
>>
>> named.conf.default-zones:
>> recursion yes;
>> zone "teamviewer.com" {
>>     type forward;
>>     forwarders { 8.8.8.8; };
>> };
>>
>> named.conf.local:
>>
>> I define "recursion yes" in named.conf.default-zones.
>>
>> Thanks again, regards !!!
>>
>> El mar., 19 feb. 2019 a las 15:13, Matus UHLAR - fantomas via bind-users () escribió:
>>>
>>> On 19.02.19 09:45, Roberto Carna wrote:
>>>> Dear Kevin, I am sorry but I didn't see your past response.
>>>>
>>>> Please can you show me with an example what you say: "Define root zone. Delegate teamviewer.com from root. Define teamviewer.com as 'type forward'".
>>>>
>>>> And also, what is the benefit in defining a root zone with teamviewer.com delegated into it??? Because I put this zone to work just as a forward zone, without a root zone definition.
>>>
>>> the benefit is it does exactly what you want.
>>> the "teamviewer.com" zone of type forward causes DNS resolution of teamviewer.com domain.
>>> the root zone effectively disables everything else (because bind thinks nothing else exists).
>>>
>>>> El lun., 18 feb. 2019 a las 17:00, Kevin Darcy (<kevin.da...@fcagroup.com>) escribió:
>>>>
>>>>> I've already posted a solution for this. Basically, "Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as 'type forward'".
>>>>>
>>>>> "Recursion yes" is implied. No views necessary. It doesn't make any sense anyway, to have the same match-clients list for all of one's views, since the first one matched is the one that's used.
>>>>>
>>>>> Did you not see my response, or did you perhaps dislike the approach I suggested?
>>>>>
>>>>> There was some subsequent discussion about not relying on DNS resolution as one's *only* control over what sites one's clients can or cannot access. While I agree with that, my position is that there's nothing wrong with controlling DNS resolution, in addition to other controls.
>>>
>>> --
>>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>>> Warning: I wish NOT to receive e-mail advertising to this address.
>>> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
>>> M$ Win's are shit, do not use it !
Re: DNS load balancing: UDP or TCP ?
Dear Tony, thanks for your response.

I've read something I don't know if it's true or not:

DNS clients send a UDP query to a DNS server, if no response is received until some seconds, then they try with UDP.

You tell me this is not true, just clients try with UDP if the response is truncated.

Can you confirm this is true in 100% of clients???

Thanks again, regards !!

El mar., 19 feb. 2019 a las 13:24, Tony Finch () escribió:
> Roberto Carna wrote:
>
>> Dear, I have to balance two DNS servers for a special reason.
>
> https://www.powerdns.com/dnsdist.html
>
>> The DNS clients are a mix of Windows, Cisco and Linux machines, so I think they ask for a FQDN using UDP and after that -if there is no response-, they ask the same FQDN using TCP, and so the load balancing will be successful.
>
> No, fallback to TCP relies on receiving a truncated UDP response. You never want a DNS client to be waiting around for a response that will not arrive.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5 later. Rough or very rough. Rain. Moderate or poor.