Re: DoH credentials

2024-03-25 Thread Marco Moock
On 25.03.2024 at 17:09:43 Julien Salort wrote:

> Because I am using an Apache proxy, bind9 sees the incoming requests
> as localhost, so allows all recursive requests from anybody.
> 
> Does it mean that credentials have to be implemented by the webserver
> ?

Yes, if you want to have a reverse proxy, this is a way to use auth.

If you don't want to have an open resolver, you have to control that at
the apache side.

-- 
Regards
Marco

Send unsolicited bulk mail to 1711382983mu...@cartoonies.org
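An added example, not from this thread and not ISC's or the Apache project's own configuration, of doing what Marco suggests: enforcing who may query at the Apache side, because behind the proxy BIND only ever sees 127.0.0.1. It assumes BIND 9.18 has an unencrypted HTTP/2 listener for the proxy (`listen-on port 8053 tls none http default { 127.0.0.1; };`) and that mod_ssl, mod_http2, mod_proxy, mod_proxy_http2 and mod_auth_basic are loaded; the hostname, certificate and htpasswd paths and the trusted network are placeholders.

```apacheconf
# Added example (not from the thread): Apache httpd 2.4 reverse proxy
# in front of a BIND 9.18 DoH listener on 127.0.0.1:8053 (tls none).
# Placeholders: doh.example.net, the /etc/ssl and /etc/httpd paths, 192.0.2.0/24.
<VirtualHost *:443>
    ServerName doh.example.net
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/doh.example.net.crt"
    SSLCertificateKeyFile "/etc/ssl/doh.example.net.key"
    # Offer h2 via ALPN; DoH clients expect HTTP/2 on the front side.
    Protocols h2 http/1.1

    # What the question describes: forwarding everything unconditionally.
    # Every client reaches BIND as 127.0.0.1, so BIND's allow-recursion ACL
    # matches all of them and the proxy turns BIND into an open resolver.
    # ProxyPass "/dns-query" "h2c://127.0.0.1:8053/dns-query"

    # Hardened: nothing on this vhost is reachable by default ...
    <Location "/">
        Require all denied
    </Location>

    # ... and /dns-query is only forwarded after the proxy has decided who
    # the client is, either by source network or by HTTP Basic credentials.
    <Location "/dns-query">
        AuthType Basic
        AuthName "DoH"
        AuthBasicProvider file
        # Create with: htpasswd -B -c /etc/httpd/doh.htpasswd <user>
        AuthUserFile "/etc/httpd/doh.htpasswd"
        <RequireAny>
            Require ip 192.0.2.0/24
            Require valid-user
        </RequireAny>
        # BIND's DoH listener speaks HTTP/2 only, so the backend hop must be
        # h2c:// (mod_proxy_http2), not a plain http:// HTTP/1.1 hop.
        ProxyPass "h2c://127.0.0.1:8053/dns-query"
    </Location>
</VirtualHost>
```

Clients that cannot send credentials, as Julien notes for Firefox, can only be admitted through the `Require ip` branch, so keep that range as small as the deployment allows.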
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


DoH credentials

2024-03-25 Thread Julien Salort

Hello,

I am trying bind9 DoH features (bind9 9.18.18). It works from Firefox, 
although it feels slower than with native resolver.


However, it seems that this makes an open resolver, i.e. there is no 
authentication of any sort.


I haven't found any reference to how to set up credentials in this doc:

 https://bind9.readthedocs.io/en/latest/reference.html#http-block-grammar

Because I am using an Apache proxy, bind9 sees the incoming requests as 
localhost, so allows all recursive requests from anybody.


Does it mean that credentials have to be implemented by the webserver ?

Firefox, for example, does not easily provide a way to specify credentials.

Also, strangely, the requests work fine from Firefox, or from curl 
--doh-url, but dig +https (version 9.18.25) says:


ALPN for HTTP/2 failed.
;; no servers could be reached

Cheers,


Julien



RE: transfert master slave

2024-03-25 Thread sami . rahal
It's clearer now, thank you Greg
Sami

From: Greg Choules 
Sent: Monday, 25 March 2024 12:52
To: RAHAL Sami SOFRECOM 
Cc: ML BIND Users 
Subject: Re: transfert master slave

Hi Sami.
"allow-..." statements are to restrict from which sources *this* server will 
accept messages, of whichever type.
On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it to 
process NOTIFY messages sent to it from the primary (master), but ignore any 
others. Actually, this is not necessary because it would do that anyway. See 
the ARM description for this statement - 
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-notify

NOTIFY messages from the primary will reach the secondary server and be 
processed because the primary is listed in an NS record in the zone. As Mark 
says, you cannot stop this. You could test sending NOTIFY from a third server 
that is *not* listed as an NS for the zone.

On the primary you do not need allow-transfer {192.168.56.157;}; as the primary 
is not transferring *from* the secondary.
You probably also don't need also-notify {192.168.56.157;}; if the secondary 
has an NS record in the zones it will be transferring, which it should.

Hope that helps.
Greg

On Mon, 25 Mar 2024 at 11:34, sami.ra...@sofrecom.com wrote:
Hello community,
I'm trying to configure a DNS slave server (192.168.56.157) . I want to allow 
notifications only from the master (192.168.56.154). I added the directive 
"allow-notify {192.168.56.154;};" and it works. However, when I try to test the 
prohibition of notification by adding "allow-notify {none;};" at the slave, it 
still receives updates from the master. The transfer on the master is as 
follows:
allow-transfer {192.168.56.157;};
also-notify {192.168.56.157;};
notify explicit;"

PS. BIND version : 9.16.48

Regards Sami
Orange Restricted



Re: transfert master slave

2024-03-25 Thread Greg Choules via bind-users
Hi Sami.
"allow-..." statements are to restrict from which sources *this* server
will accept messages, of whichever type.
On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it
to process NOTIFY messages sent to it from the primary (master), but ignore
any others. Actually, this is not necessary because it would do that
anyway. See the ARM description for this statement -
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-allow-notify

NOTIFY messages from the primary will reach the secondary server and be
processed because the primary is listed in an NS record in the zone. As
Mark says, you cannot stop this. You could test sending NOTIFY from a third
server that is *not* listed as an NS for the zone.

On the primary you do not need allow-transfer {192.168.56.157;}; as the
primary is not transferring *from* the secondary.
You probably also don't need also-notify {192.168.56.157;}; if the
secondary has an NS record in the zones it will be transferring, which it
should.

Hope that helps.
Greg

On Mon, 25 Mar 2024 at 11:34,  wrote:

> Hello community,
>
> I'm trying to configure a DNS slave server (192.168.56.157) . I want to
> allow notifications only from the master (192.168.56.154). I added the
> directive "allow-notify {192.168.56.154;};" and it works. However, when I
> try to test the prohibition of notification by adding "allow-notify
> {none;};" at the slave, it still receives updates from the master. The
> transfer on the master is as follows:
>
> allow-transfer {192.168.56.157;};
>
> also-notify {192.168.56.157;};
>
> notify explicit;"
>
>
>
> PS. BIND version : 9.16.48
>
>
>
> Regards Sami
>
> Orange Restricted
>
>


RE: transfert master slave

2024-03-25 Thread sami . rahal
Thank you Mark for this information
Regards



From: Mark Andrews 
Sent: Monday, 25 March 2024 12:42
To: RAHAL Sami SOFRECOM 
Cc: ML BIND Users 
Subject: Re: transfert master slave

Allow-notify is additive. You can’t block notify from primaries.
--
Mark Andrews


On 25 Mar 2024, at 22:34, sami.ra...@sofrecom.com wrote:

Hello community,
I'm trying to configure a DNS slave server (192.168.56.157) . I want to allow 
notifications only from the master (192.168.56.154). I added the directive 
"allow-notify {192.168.56.154;};" and it works. However, when I try to test the 
prohibition of notification by adding "allow-notify {none;};" at the slave, it 
still receives updates from the master. The transfer on the master is as 
follows:
allow-transfer {192.168.56.157;};
also-notify {192.168.56.157;};
notify explicit;"

PS. BIND version : 9.16.48

Regards Sami
Orange Restricted



Re: transfert master slave

2024-03-25 Thread Mark Andrews
Allow-notify is additive. You can’t block notify from primaries. 

-- 
Mark Andrews

> On 25 Mar 2024, at 22:34, sami.ra...@sofrecom.com wrote:
> 
> 
> Hello community,
> I'm trying to configure a DNS slave server (192.168.56.157) . I want to allow 
> notifications only from the master (192.168.56.154). I added the directive 
> "allow-notify {192.168.56.154;};" and it works. However, when I try to test 
> the prohibition of notification by adding "allow-notify {none;};" at the 
> slave, it still receives updates from the master. The transfer on the master 
> is as follows:
> allow-transfer {192.168.56.157;};
> also-notify {192.168.56.157;};
> notify explicit;"
>  
> PS. BIND version : 9.16.48
>  
> Regards Sami
> Orange Restricted
>  


Re: transfert master slave

2024-03-25 Thread Matus UHLAR - fantomas

On 25.03.24 11:34, sami.ra...@sofrecom.com wrote:
> I'm trying to configure a DNS slave server (192.168.56.157) .  I want to 
> allow notifications only from the master (192.168.56.154).  I added the 
> directive "allow-notify {192.168.56.154;};" and it works.  However, when I 
> try to test the prohibition of notification by adding "allow-notify 
> {none;};" at the slave, it still receives updates from the master.  The 
> transfer on the master is as follows:


allow-notify will not stop the master to send notifies. They will just 
be ignored.



> allow-transfer {192.168.56.157;};
> also-notify {192.168.56.157;};
> notify explicit;"



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do not wish to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one Reich, one leader!" - Adolf Hitler


transfert master slave

2024-03-25 Thread sami . rahal
Hello community,
I'm trying to configure a DNS slave server (192.168.56.157) . I want to allow 
notifications only from the master (192.168.56.154). I added the directive 
"allow-notify {192.168.56.154;};" and it works. However, when I try to test the 
prohibition of notification by adding "allow-notify {none;};" at the slave, it 
still receives updates from the master. The transfer on the master is as 
follows:
allow-transfer {192.168.56.157;};
also-notify {192.168.56.157;};
notify explicit;"

PS. BIND version : 9.16.48

Regards Sami
Orange Restricted
