Re: record PTR

2024-03-14 Thread Ben Croswell
181.242.197.in-addr.arpa. 3600 IN NS douala0.orange.cm.
181.242.197.in-addr.arpa. 3600 IN NS nsbangui.orangerca.com.
181.242.197.in-addr.arpa. 3600 IN NS yaounde0.orange.cm.

The in-addr currently points to the DNS servers above. Those would need to
be changed to your servers or the owners of those servers would need to add
the PTR records.

On Thu, Mar 14, 2024, 8:19 AM  wrote:

> Thank you for your response.
>
> In my case, I have added a PTR record for mail.sami.tn pointing to
> 197.242.181.69, but it is still not visible from the outside. However, when
> I test 'dig @0 -x 197.242.181.69', it works. Do I need to request a
> delegation of 197.242.181.69 to the name servers ns1.sami.tn?
>
>
>
> *From:* Ben Croswell 
> *Sent:* Thursday, 14 March 2024 13:10
> *To:* RAHAL Sami SOFRECOM ; ML BIND Users <
> bind-users@lists.isc.org>
> *Subject:* Re: record PTR
>
>
>
> The in-addr.arpa domain for your IP space will need to be delegated to
> your DNS servers. That generally happens at the entity that assigned the
> block. For instance ARIN, RIPE, or APNIC.
>
>
>
> On Thu, Mar 14, 2024, 8:06 AM  wrote:
>
> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before creating
> a PTR record or not. In other words, if I want to create a PTR record on my
> authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to
> 41.226.22.50, should the range 41.226.22.0/24 be delegated to my
> authoritative DNS server ns1.mydomain.com?
>
> Regards Sami
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
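As an added illustration of the two answers above (the reverse zone for a /24 lives under in-addr.arpa, and a PTR only becomes visible from the outside once that zone is delegated to your servers or the current holders add the record), here is a small Python check written for this page, not code from the thread. It derives the PTR owner and reverse zone from an address (for /8, /16 and /24 cuts, so slightly more general than the /24 in the thread) and compares the NS set the parent publishes with your own; the NS names and ns1.sami.tn are the values quoted in the thread, and nothing is queried over the network.

```python
import ipaddress


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR for an IPv4 address: 197.242.181.69 -> 69.181.242.197.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def reverse_zone(cidr: str) -> str:
    """in-addr.arpa zone holding the PTRs for a block cut on an octet boundary (/8, /16, /24).

    Blocks smaller than a /24 are delegated with the RFC 2317 CNAME arrangement
    instead and are deliberately rejected here.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError(f"{cidr}: only octet-boundary IPv4 blocks are handled")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def delegation_status(cidr: str, delegated_ns: list[str], my_ns: list[str]) -> dict:
    """Decide where the PTR has to be published.

    delegated_ns: the NS set the parent publishes for the reverse zone
                  (what a 'dig NS <zone>' from outside returns).
    my_ns:        the servers you actually operate.
    A PTR loaded only on your own server answers 'dig @0 -x' locally but is
    invisible to the outside world until the delegation points at you.
    """
    zone = reverse_zone(cidr)
    delegated = {_norm(n) for n in delegated_ns}
    mine = {_norm(n) for n in my_ns}
    if not delegated:
        state = "undelegated"
        action = f"ask the block holder / RIR to delegate {zone} to {sorted(mine)}"
    elif delegated & mine:
        state = "mine"
        action = f"publish the PTR in {zone} on your own servers; they are authoritative for it"
    else:
        state = "elsewhere"
        action = (f"{zone} is served by {sorted(delegated)}: ask them to add the PTR "
                  f"or to re-delegate the zone to {sorted(mine)}")
    return {"zone": zone, "state": state, "action": action}


# Sample values taken from the thread above: the NS set Ben found for the reverse zone.
DELEGATED_NS = ["douala0.orange.cm.", "nsbangui.orangerca.com.", "yaounde0.orange.cm."]
MY_NS = ["ns1.sami.tn."]

if __name__ == "__main__":
    print(ptr_owner("197.242.181.69"))
    print(delegation_status("197.242.181.0/24", DELEGATED_NS, MY_NS))
```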


Re: record PTR

2024-03-14 Thread Ben Croswell
The in-addr.arpa domain for your IP space will need to be delegated to your
DNS servers. That generally happens at the entity that assigned the block.
For instance ARIN, RIPE, or APNIC.

On Thu, Mar 14, 2024, 8:06 AM  wrote:

> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before creating
> a PTR record or not. In other words, if I want to create a PTR record on my
> authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to
> 41.226.22.50, should the range 41.226.22.0/24 be delegated to my
> authoritative DNS server ns1.mydomain.com?
>
> Regards Sami


Re: Determining Which Authoritative Server to Use

2022-05-10 Thread Ben Croswell
I will say edge DNS servers reduce client config complexity, even if you
have DHCP, and increase resiliency of the initial resolver.

While it's true that with DHCP you can change the DHCP server options, it
doesn't help if someone just got a 4 day lease and then the DNS server dies.

Additionally the abstraction layer makes patching and decom of DNS servers
much easier. No config to change, just kill the box. Perhaps this is less of
a concern if you are running a smaller environment, but when you are
running 400 to 500 servers in a variety of roles globally it becomes a
valuable resource.

On Tue, May 10, 2022, 5:49 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 5/8/22 5:58 AM, Tony Finch wrote:
> > Regarding anycast, it isn't necessary for internal authoritative
> > servers unless your organization is really huge (and probably not
> > even then): it is simpler to just use the DNS's standard reliability
> > features. All you need to do is have more than one authoritative
> > server for each zone.
>
> I don't know if it's a requirement for the OP or not, but Windows used
> to reach out to the MName server to perform dynamic updates.  So there
> might be some merit to the name of the MName server to be a pseudo name
> that resolves to an anycasted address, thus clients try to perform the
> dynamic update to the closest instance of the anycast / (pseudo) MName
> server.
>
> Aside:  Years ago, BIND secondaries would happily forward such dynamic
> updates the real primary MName server.
>
> Further aside:  The last time I looked, MS-DNS ADI zones would forge the
> local server's name as the MName to cause this type of client redirection.
>
> > On the other hand, anycast is a good way to improve the availability
> > and maintainability of your resolvers, because your users' devices
> > talk directly to them, and if they don't work there might as well
> > not be an Internet connection.
>
> I agree that anycasted service points make administration somewhat
> simpler.  However I do question the /need/ for such flexibility when
> things like DHCP are likely used for client configuration and can
> therefore manage most things automatically.
>
>
>
> --
> Grant. . . .
> unix || die
>


Re: Determining Which Authoritative Server to Use (Bob McDonald)

2022-05-08 Thread Ben Croswell
On the closest server question: it will prefer the closest, but a certain
percentage will go to servers further away. Additionally, depending on the
version of BIND and the distance, it could lead to the servers further away
taking more traffic in high QPS situations.

If you are getting high QPS you could fire off a large amount of queries to
the "slower" server before it responds and resets its SRTT. I believe newer
BIND versions have moved away from a static decrement value and have fixed
the issue, but even with the fixes some queries will go out of region.


On Sun, May 8, 2022, 12:47 PM Bob McDonald  wrote:

> Thanks for the answers. A couple more questions and then I'll stand down.
>
> First, it's Ben Croswell. Just pointing that out.
>
> Second, my reading of the definition of a static-stub zone in the BIND ARM
> indicates that its use is to allow a local copy of the NS list which may
> differ from the primary zone. I'm not sure that's what I'm looking for. I
> think I'm ok with the NS list from the primary zone. Let me take another
> swing and try to be a bit more pedantic to see if that helps.
>
> I wish to define a global internal DNS environment.
>
> At the level closest to the client would be a global network of recursive
> DNS servers which would handle all internal and external DNS requests. The
> internal DNS zones would be housed on a global network of authoritative
> only DNS servers. The NS list for the internal DNS zones on these
> authoritative only servers would be known to the recursive servers via stub
> zones. My question is, if a client in Mumbai submits a DNS request to his
> local recursive server for an internal authoritative only zone defined by a
> stub zone statement, which authoritative only server does the recursive
> server pick from the NS list and will that eventually be the "closest"
> server. I'm assuming a global distribution of the authoritative servers.
> E.g. Hong Kong, London, US East, US West, South Amer, etc. The use of the
> stub zones in this case is to eliminate the need for an internal root. I
> want to avoid lookups for example from clients in Asia being sent to
> authoritative only servers in South Amer.
>
> Bob


Re: Determining Which Authoritative Server to Use

2022-05-08 Thread Ben Croswell
I would concur that internally Anycast is best for client facing edge nodes
to reduce client configuration complexity as well as reducing impact of a
first resolver outage.

On Sun, May 8, 2022, 7:59 AM Tony Finch  wrote:

> Bob McDonald  wrote:
> >
> > My question is this; how do the recursive servers determine from
> > the information in the stub zone which name server to query?
>
> As well as what Bob Croswell said about SRTT (which is entirely correct),
> there's a subtlety with stub zones in particular.
>
> A stub zone works a bit like the root zone hints, in that the name servers
> that you configure are just used to find the zone's NS records. This means
> that stub zones don't override where queries are routed for these zones.
> If you want your resolver to ignore the NS records on your internal zones,
> you should use static-stub instead.
>
> Regarding anycast, it isn't necessary for internal authoritative servers
> unless your organization is really huge (and probably not even then): it
> is simpler to just use the DNS's standard reliability features. All you
> need to do is have more than one authoritative server for each zone.
> On the other hand, anycast is a good way to improve the availability and
> maintainability of your resolvers, because your users' devices talk
> directly to them, and if they don't work there might as well not be an
> Internet connection.
>
> --
> Tony Finch(he/they)  Cambridge, England
> Selsey Bill to Lyme Regis: East or southeast, veering south later, 2
> to 4. Smooth or slight, occasionally moderate for a time offshore.
> Fair. Good.


Re: Determining Which Authoritative Server to Use

2022-05-07 Thread Ben Croswell
I can't speak definitively for stub zones, but I would assume it works the
same as NS delegations or forwarding.
A DNS server maintains a listing of smoothed round trip times (SRTT) for
each potential destination.  It uses the SRTT with the lowest value, and
after each successful response all of the SRTTs with a higher value are
decremented.  This is the self-healing mechanism.  Eventually a higher
value will be reduced far enough so it is the lowest and it will be used
and readjusted.  The readjusting will likely make it higher and it would go
back to the original server.  This is a long-winded way of saying all of
the servers in the list will take a certain percentage of the overall query
volume.

On Sat, May 7, 2022 at 10:20 AM Bob McDonald  wrote:

> Forgive my ignorance if this is a trivial question.
>
> Supposing I have an internal IP network (rfc1918) where there are local
> caching servers (recursive) which clients connect to and scattered around
> are several authoritative servers which provide answers for internal only
> zones. Those internal only zones are defined on the caching servers via
> stub zones.
>
> My question is this; how do the recursive servers determine from
> the information in the stub zone which name server to query? And, is that
> the closest (network wise)? Do I need to put anycast into the mix?
>
> TTFN,
>
> Bob
>


-- 
-Ben Croswell
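The SRTT selection Ben describes here, together with the high-QPS effect he notes in his 2022-05-08 reply (a burst of queries committed to the "slower" server before its first answer corrects the SRTT), as a simplified Python model added for this page; it is not BIND's code. The RTT values are constructed, and the fixed decrement and the "queries in flight = QPS x RTT" rule are modelling assumptions.

```python
import random


def pick_server(srtt: dict[str, float]) -> str:
    """The server with the lowest smoothed RTT wins; ties go to the first listed."""
    return min(srtt, key=srtt.get)


def simulate(rtt_ms: dict[str, float], queries: int = 20_000, qps: float = 10.0,
             decrement_ms: float = 10.0, seed: int = 1) -> dict[str, float]:
    """Share of queries each authoritative server receives under the model above.

    rtt_ms:       true round-trip time to each server (constructed values).
    qps:          query rate; qps * rtt queries are dispatched, and already
                  committed to the chosen server, before its first answer comes
                  back and its SRTT is corrected (assumption modelling the burst).
    decrement_ms: amount every *other* server's SRTT is lowered after each answer,
                  so a server that once looked slow is eventually retried.
    """
    rng = random.Random(seed)
    srtt = {s: 0.0 for s in rtt_ms}   # nothing measured yet: every server looks equally good
    sent = {s: 0 for s in rtt_ms}
    total = 0
    while total < queries:
        chosen = pick_server(srtt)
        # Everything dispatched before the answer arrives goes to the same server.
        in_flight = max(1, int(qps * rtt_ms[chosen] / 1000))
        in_flight = min(in_flight, queries - total)
        sent[chosen] += in_flight
        total += in_flight
        # The answer arrives: re-measure the chosen server (with jitter), relax the others.
        srtt[chosen] = rtt_ms[chosen] * rng.uniform(0.9, 1.1)
        for s in srtt:
            if s != chosen:
                srtt[s] = max(0.0, srtt[s] - decrement_ms)
    return {s: sent[s] / queries for s in rtt_ms}


# Constructed RTTs from a resolver in US East to a globally distributed NS set.
AUTH_RTT_MS = {"us-east": 5.0, "london": 80.0, "hongkong": 150.0}

if __name__ == "__main__":
    print("low QPS :", simulate(AUTH_RTT_MS, qps=10))     # local server takes most, others a slice
    print("high QPS:", simulate(AUTH_RTT_MS, qps=1000))   # far servers absorb bursts, local < half
```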


Re: Forwarding zone, setup

2022-03-01 Thread Ben Croswell
Are you loading the parent domain and trying to zone forward a child domain
on the same DNS server? I.e. loading somedomain.local and trying to forward
ab.somedomain.local

If so an NS delegation is required in every instance I have done in my
environment. The NS doesn't need to be "right" but it needs to exist. I
don't know the internal BIND logic for that but I have always taken it as
"I load the parent and I know the child doesn't exist because there isn't a
delegation to make it exist so why would I forward something that doesn't
exist".


On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:

> Static-stub fixes the issue.
>
>
>
> Any idea why static-stub works when forwarder doesn't?
>
>
>
> (Again, the server is using recursion. Dig queries return the RA flag, so
> I know it's actually offering recursion in reality.)
>
>
>
> I can live with static-stub just fine, since it works - but I'd really love
> to understand why forwarder didn't - just so I can avoid getting bitten by
> it in some other situation.
>
>
>
> Thanks Andrej!
>
> -Greg
>
>
>
>
> Is static-stub something you are looking for?
>
>
> Reference documentation:
>
> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types
>
>
> And in human terms:
> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
>
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
>
> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:
>
> So, I want to forward all queries for
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>
> (Yes, I know .local is reserved now, but we've been using it a long time
> and changing would be rather painful. Unless there's some horrible
> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
>
> But this doesn't appear to do what I want.
>
> If I add the above to my regular BIND servers configuration, it doesn't
> return results like it's forwarding them. (I get NXDOMAIN for
> abc.ab.somedomain.local.)
>
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> get a proper result. (force dig to use the AD name servers directly,
> instead of relying on the forward.)
>
> (And yes the resolv.conf file has the ip addresses of the main internal
> BIND servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the
> real experts! :)
>
>


BIND OS tuning

2020-11-20 Thread Ben Croswell
Does BIND take advantage of net.core.rmem_max on Linux boxes?
If I set the rmem_max to 12.5mb but leave the rmem_default as the OS
default will I see a benefit on a high QPS DNS server?

Or does BIND look to the rmem_default and ignore the rmem_max?

-- 
-Ben Croswell


Re: CNAME / TXT

2020-08-22 Thread Ben Croswell
If you uncomment that mg CNAME you end up with a CNAME, MX and TXT at the
same node in the DNS tree, and that is illegal. That is why you get the
error "CNAME and other data". The MX and TXT are the other data.

On Sat, Aug 22, 2020, 8:19 PM Jukka Pakkanen  wrote:

> Cannot figure out what is wrong here… must be something simple, but after
> sitting in airplanes for the last 40 hours and it's 2am…
>
> Only when I comment out the two lines at the end of named.harriot does it
> go through and BIND load the zone. With those two lines, I get the
> following:
>
> C:\DNS\etc\namedb>named-checkzone harriot.fi named.harriot
> dns_master_load: named.harriot:33: mg.harriot.fi: CNAME and other data
> dns_rdata_fromtext: named.harriot:35: syntax error
> zone harriot.fi/IN: loading from master file named.harriot failed: CNAME and other data
> zone harriot.fi/IN: not loaded due to errors.
>
> ;
> ;File:  named.harriot
> ;
>
> $TTL 864
>
> @                   IN SOA   ns1.qnet.fi. helpdesk.qnet.fi. (
>                              202008243  ; serial number
>                                  28800  ; refresh every 12 hours
>                                   7200  ; retry after 2 hours
>                                 604800  ; expire after 2 weeks
>                                   3600) ; default ttl is 2 days
>
> harriot.fi.         IN A     35.214.111.143
>                     IN MX 10 qntsrv8.qnet.fi.
>                     IN MX 10 qntsrv9.qnet.fi.
>                     IN NS    ns1.qnet.fi.
>                     IN NS    ns2.qnet.fi.
>                     IN NS    ns3.qnet.fi.
>                     IN NS    ns1.z.fi.
>                     IN NS    ns2.z.fi.
>
> www                 IN A     35.214.111.143
> api                 IN A     35.214.111.143
> webmail             IN CNAME mail.qnet.fi.
> _autodiscover._tcp  IN SRV   0 5 443 mail.qnet.fi.
>
> dev                 IN A     35.214.111.143
>
> ;
> mg                  IN CNAME eu.mailgun.org.
> mg                  IN MX 10 mxa.eu.mailgun.org.
> mg                  IN MX 10 mxb.eu.mailgun.org.
> mg                  IN TXTv=spf1 include:eu.mailgun.org ~all
>
> ; smtp_domainkey.mg IN TXT "k=rsa; p=MII-AQAB"
>
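A small checker, added for this page and not taken from the thread, that finds the two things named-checkzone complained about above: a record type it cannot parse (the syntax error) and a CNAME sharing an owner name with other data. The zone text is constructed to mirror the thread's mg records, with example.net standing in for the real names; the reader is deliberately relaxed (one record per logical line, blank owner inherits the previous one, parentheses join lines) rather than a full master-file parser.

```python
from collections import defaultdict

KNOWN_TYPES = {"SOA", "NS", "A", "AAAA", "MX", "CNAME", "TXT", "SRV", "PTR"}


def strip_comment(line: str) -> str:
    """Drop a ';' comment unless the ';' sits inside a quoted string (as in a DKIM TXT)."""
    out, in_quote = [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            break
        out.append(ch)
    return "".join(out).rstrip()


def qualify(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def iter_records(zone_text: str, origin: str):
    """Yield (line_no, owner, rtype, rdata) per logical record.

    A blank owner field inherits the previous owner; an unbalanced '(' joins
    the following lines, which is how a multi-line SOA is written.
    """
    owner, buf, start = origin, "", 0
    for line_no, raw in enumerate(zone_text.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        if not buf:
            buf, start = line, line_no
        else:
            buf += " " + line
        if buf.count("(") > buf.count(")"):
            continue
        logical, buf = buf, ""
        if logical.startswith("$"):
            continue                       # $TTL / $ORIGIN directives are not records
        fields = logical.split()
        if not logical[0].isspace():
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                  # optional TTL and class
        if not fields:
            continue
        yield start, owner, fields[0].upper(), " ".join(fields[1:])


def check_zone(zone_text: str, origin: str) -> list[str]:
    """Findings in the spirit of named-checkzone: unknown types, then CNAME-plus-other-data nodes."""
    findings, types_at = [], defaultdict(set)
    for line_no, owner, rtype, _ in iter_records(zone_text, origin):
        if rtype not in KNOWN_TYPES:
            findings.append(f"line {line_no}: {owner}: unknown record type {rtype!r} (syntax error)")
            continue
        types_at[owner].add(rtype)
    for owner, types in sorted(types_at.items()):
        if "CNAME" in types and len(types) > 1:
            others = ", ".join(sorted(types - {"CNAME"}))
            findings.append(f"{owner}: CNAME and other data ({others})")
    return findings


# Constructed sample modelled on the thread: a CNAME at 'mg' next to MX and TXT,
# plus a 'TXTv=spf1' typo (type and rdata run together) on the last line.
SAMPLE_ZONE = """\
$TTL 864
@            IN SOA   ns1.example.net. hostmaster.example.net. (
                      2020082401 ; serial
                      28800      ; refresh
                      7200       ; retry
                      604800     ; expire
                      3600 )     ; minimum
             IN NS    ns1.example.net.
             IN A     192.0.2.10
webmail      IN CNAME mail.example.net.
mg           IN CNAME eu.mailgun.org.
mg           IN MX 10 mxa.eu.mailgun.org.
mg           IN TXT   "v=spf1 include:eu.mailgun.org ~all"
bad          IN TXTv=spf1 -all
"""

if __name__ == "__main__":
    for finding in check_zone(SAMPLE_ZONE, "example.net."):
        print(finding)
```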


Re:

2020-06-28 Thread Ben Croswell
In this case a zone level forwarder takes priority over the global
forwarder. Abc.com would go to 1.1.1.1

On Sat, Jun 27, 2020, 11:44 PM baalchina  wrote:

> Hi all,
>
> I have BIND 9.16.4 as a recursive name server. I want to forward all
> queries to a specific DNS server outside my net such as 8.8.8.8. While I
> have a new domain (such as abc.com) I want to forward to a new DNS server
> such as 9.9.9.9.
>
> Here is my named.conf:
>
>
> options {
> listen-on port 53 {192.168.1.1;};
> recursion yes;
> allow-recursion {any;};
> forwarders {
> 8.8.8.8;
> };
> };
>
> zone "abc.com" {
> type forward;
> forwarders {1.1.1.1;};
>
> };
>
> So, in this configuration, will abc.com be forwarded to 8.8.8.8 or
> 1.1.1.1?
>
> Thanks.
>
>
>
>
> --
> from:baalchina


Re: Question about at zone transfer behaviour on slave

2019-06-05 Thread Ben Croswell
You are looking for the refresh timer in the SOA if you mean the timer for
a slave to check the serial with the master.

On Wed, Jun 5, 2019, 10:09 PM Techs-yama  wrote:

> Hi all,
>
> I have a question about zone transfer behaviour on a slave server.
>
> In the case of a slave zone configured and named restarted on the slave
> server, after the named restart it looks like the slave server starts
> polling the master server for zone transfer.
> How many seconds is the polling interval on this timer?
> And can I change the interval value by configuring it?
>
> Thanks and regards.


Re: Change DNS records automatically when a link is DOWN

2019-06-05 Thread Ben Croswell
If you can craft the monitor for the link it could call nsupdate to make
the change

On Wed, Jun 5, 2019, 11:16 AM Roberto Carna 
wrote:

> Dear people, I have two sites:
>
> - Main site with an Internet link and two BIND services (DNS1 and DNS2) and
> a /28 block, and web and mail services supported
> - Backup site with a second Internet link and a BIND service (DNS3) and
> another /28 block
>
> When the Internet link from the main site is DOWN, the web and mail traffic
> come through the backup site to the main site crossing an L2L. So I need to
> change the IPs of the FQDN hosts I have supported in DNS3 in order to
> continue offering services (web and mail). How can I do this automatically?
> Is there any way that "something" monitors the main Internet link and, in
> case it is DOWN, automatically orders the FQDN records in DNS3 to be modified???
>
> Thanks a lot and regards!!!


Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Ben Croswell
When a DNS response is too large to fit in a single UDP packet (512 bytes,
or up to 4k with EDNS), the DNS server will respond with as much as it can fit
in the UDP packet. It will also set the truncated (TC) bit to let the client
doing the query know that the answer is truncated and that the client should
query again over TCP for the full answer.

The TC bit is also used in conjunction with RRL.

On Mon, Feb 4, 2019, 8:57 AM Roberto Carna wrote:

> Thanks Ben for your response, can you tell me the types of TCP traffic I
> have to expect in BIND, excepting Zone Transfer?
>
> Thanks a lot again!!!
>
> On Mon, 4 Feb 2019 at 10:50, Ben Croswell wrote:
>
>> BIND has always required UDP and TCP 53 for proper functionality. It is
>> sometimes mistakenly believed that TCP is only for zone transfers, but that
>> is not the case.
>>
>> On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:
>>
>>> Dear, I have a BIND 9.10 public server and I have delegated some public
>>> domains.
>>>
>>> When I test these domains with the EDNS tool offered in the DNS Flag Day
>>> webpage, the test was wrong with just UDP/53 port opened to Internet.
>>>
>>> After that, when I opened also TCP/53 port, the test was successful.
>>>
>>> Please can you explain to me the reason I have to open TCP/53 port to
>>> Internet from February 1st to the future???
>>>
>>> Really thanks, regards.
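The truncation behaviour Ben describes, as a Python model added for this page rather than BIND code: the server keeps as many whole records as fit the UDP limit (512 bytes, or the larger size the client advertised via EDNS), sets TC, and the client checks that bit to decide on a TCP retry. The name and the 192.0.2.x addresses are constructed, and names are written uncompressed to keep the wire encoding short.

```python
import struct
from typing import Optional

DNS_TC = 0x0200            # "truncated" bit in the header flags word
UDP_PAYLOAD_LEGACY = 512   # maximum UDP payload a client without EDNS can accept


def encode_name(name: str) -> bytes:
    """Wire-format owner name, uncompressed: a length byte per label, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def a_record(name: str, ip: str, ttl: int = 300) -> bytes:
    """One A resource record: NAME, TYPE=1, CLASS=IN, TTL, RDLENGTH, 4-byte address."""
    rdata = bytes(int(o) for o in ip.split("."))
    return encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata


def build_response(qname: str, addresses: list[str], max_size: Optional[int],
                   msg_id: int = 0x1234) -> bytes:
    """Authoritative answer to an A query for qname.

    If the complete answer does not fit in max_size bytes, keep as many whole
    records as fit and set TC so the client knows to retry over TCP.
    max_size=None models a TCP connection, where the whole answer is sent.
    """
    question = encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    body, kept = b"", 0
    for ip in addresses:
        rr = a_record(qname, ip)
        if max_size is not None and 12 + len(question) + len(body) + len(rr) > max_size:
            break
        body += rr
        kept += 1
    flags = 0x8400                                 # QR=1 (response), AA=1, RCODE=0
    if kept < len(addresses):
        flags |= DNS_TC
    header = struct.pack("!HHHHHH", msg_id, flags, 1, kept, 0, 0)
    return header + question + body


def parse_header(msg: bytes) -> dict:
    """The fields a client needs from the 12-byte header to act on the reply."""
    msg_id, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": msg_id, "tc": bool(flags & DNS_TC), "ancount": an}


def needs_tcp_retry(msg: bytes) -> bool:
    """What a well-behaved stub or resolver does with a truncated UDP reply."""
    return parse_header(msg)["tc"]


# Constructed sample: 20 addresses for one name, enough to overflow a 512-byte reply.
SAMPLE_NAME = "mail.example.com."
SAMPLE_ADDRS = [f"192.0.2.{i}" for i in range(1, 21)]

if __name__ == "__main__":
    for label, limit in (("no EDNS", UDP_PAYLOAD_LEGACY), ("EDNS 4096", 4096), ("TCP", None)):
        reply = build_response(SAMPLE_NAME, SAMPLE_ADDRS, limit)
        print(label, len(reply), "bytes", parse_header(reply))
```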


Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Ben Croswell
BIND has always required UDP and TCP 53 for proper functionality. It is
sometimes mistakenly believed that TCP is only for zone transfers, but that
is not the case.

On Mon, Feb 4, 2019, 8:46 AM Roberto Carna wrote:

> Dear, I have a BIND 9.10 public server and I have delegated some public
> domains.
>
> When I test these domains with the EDNS tool offered in the DNS Flag Day
> webpage, the test was wrong with just UDP/53 port opened to Internet.
>
> After that, when I opened also TCP/53 port, the test was successful.
>
> Please can you explain to me the reason I have to open TCP/53 port to
> Internet from February 1st to the future???
>
> Really thanks, regards.


Re: DNS flag day

2019-01-18 Thread Ben Croswell
I would imagine "it's a hoax" is code for "we don't want to bother remediating".

On Fri, Jan 18, 2019, 3:20 PM Warren Kumari wrote:
>
> On Fri, Jan 18, 2019 at 2:58 PM Ben Croswell wrote:
>
>> I would say we had one provider go as far as saying this whole flag day
>> thing is a hoax.
>>
>
> That's a weird stance / position. "The whole flag day thing is
> [stupid|overblown|annoying|confusing|on a Friday]" are all positions I can
> understand - not agree with (modulo the Friday one), but at least
> understand. 'tis a hoax is just confusing...
> Flag Day has been discussed at length, and presented at multiple DNS events -
> it seems that a DNS provider who hasn't seen any of the presentations and
> recognized at least one person pushing this isn't well connected to the
> community, and should probably be avoided...
>
> W
> P.S: Unless they think it is simply a *very* subtle, long running,
> widespread hoax... and now I'm wondering if I'm the patsy here :-P
>
>
>
>
>> Not sure what option there is other than voting with your wallet and
>> moving to a different provider.
>>
>
>> May even be worth looking at 2 providers. I see DNS provider redundancy
>> as being a huge priority after the Dyn DDoS event.
>>
>> On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey wrote:
>>
>>> On checking I find that any of our domains that use Network Solutions’
>>> Worldnic.com nameservers are reporting failures when checked.
>>>
>>> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>>>
>>> Other people online have posted about Network Solutions as they also saw
>>> failures.
>>>
>>> On calling Network Solutions today they told me they are compliant
>>> despite what was reported by https://dnsflagday.net/
>>>
>>>
>>>
>>> This issue is with domains registered at Network Solutions and using
>>> their Advanced DNS (i.e. their Worldnic name servers).   Other domains we
>>> have registered with them but pointing to other name servers (i.e. our own
>>> BIND servers) displayed as compliant.
>>>
>>> When I sent them the links they saw what I saw but still claimed they
>>> are compliant.   They refused to send me something in writing stating that
>>> so I suggested they reach out to ISC regarding the checker’s results if
>>> they believe they are compliant, but they said they don’t see the need.
>>> I’ve asked them to escalate and they say they have but I suspect I’ll not
>>> hear back from them.
>>>
>>> Is there a list of known edns compliant Registrar name severs for the
>>> larger Registrars?
>>>
>>> Is it possible the failures seen are false?   If so, are there alternate
>>> edns compliance checkers that might show different responses than
>>> dnsflagday.net?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *From:* bind-users *On Behalf Of* Ben Croswell
>>> *Sent:* Friday, January 18, 2019 12:19 PM
>>> *To:* bind-users@lists.isc.org
>>> *Subject:* Re: DNS flag day
>>>
>>>
>>>
>>> I shouldn't have posted so closely to responding to the other user.
>>>
>>>
>>>
>>> I am not running 9.8. I was replying to them about firewalls in regards
>>> to their 9.8 issues.
>>>
>>>
>>>
>>> Was just hoping for a statement of 9.x or greater supports the needed
>>> badvers signaling etc.
>>>
>>>
>>>
>>> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
>>>
>>>
>>> On Jan 18, 2019, at 9:09 AM, Ben Croswell wrote:
>>>
>>>
>>>
>>> Has ISC released minimum viable BIND version for flag day?
>>>
>>>
>>>
>>> Most versions of BIND authoritative servers, going back years, are EDNS
>>> compatible. Certainly ALL currently supported versions are compatible. I
>>> see you are running 9.8, which has been EOL since September, 2014.  I think
>>> that is probably fine, as far as EDNS, however.
>>>
>>>
>>>
>>> The change in BIND related to DNS Flag Day is removing workarounds from
>>> resolvers, that will retry without EDNS or otherwise try to proceed even
>>> when EDNS fails. This change came in the BIND 9.13 development version, and
>>> will be in BIND 9.14, which is not yet released.
>>>
>>>
>>>
>>> The problem 

Re: DNS flag day

2019-01-18 Thread Ben Croswell
I would say we had one provider go as far as saying this whole flag day
thing is a hoax. Not sure what option there is other than voting with your
wallet and moving to a different provider.

May even be worth looking at 2 providers. I see DNS provider redundancy as
being a huge priority after the Dyn DDoS event.

On Fri, Jan 18, 2019, 2:50 PM Lightner, Jeffrey wrote:

> On checking I find that any of our domains that use Network Solutions’
> Worldnic.com nameservers are reporting failures when checked.
>
> For example this result:  https://ednscomp.isc.org/ednscomp/e30c6cf0ea
>
> Other people online have posted about Network Solutions as they also saw
> failures.
>
> On calling Network Solutions today they told me they are compliant despite
> what was reported by https://dnsflagday.net/
>
> This issue is with domains registered at Network Solutions and using their
> Advanced DNS (i.e. their Worldnic name servers).   Other domains we have
> registered with them but pointing to other name servers (i.e. our own BIND
> servers) displayed as compliant.
>
> When I sent them the links they saw what I saw but still claimed they are
> compliant.   They refused to send me something in writing stating that so I
> suggested they reach out to ISC regarding the checker’s results if they
> believe they are compliant, but they said they don’t see the need.   I’ve
> asked them to escalate and they say they have but I suspect I’ll not hear
> back from them.
>
> Is there a list of known edns compliant Registrar name servers for the
> larger Registrars?
>
> Is it possible the failures seen are false?   If so, are there alternate
> edns compliance checkers that might show different responses than
> dnsflagday.net?
>
> *From:* bind-users  * On Behalf Of *Ben
> Croswell
> *Sent:* Friday, January 18, 2019 12:19 PM
> *To:* bind-users@lists.isc.org
> *Subject:* Re: DNS flag day
>
> I shouldn't have posted so closely to responding to the other user.
>
> I am not running 9.8. I was replying to them about firewalls in regards to
> their 9.8 issues.
>
> Was just hoping for a statement of 9.x or greater supports the needed
> badvers signaling etc.
>
> On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
>
> On Jan 18, 2019, at 9:09 AM, Ben Croswell wrote:
>
> Has ISC released minimum viable BIND version for flag day?
>
> Most versions of BIND authoritative servers, going back years, are EDNS
> compatible. Certainly ALL currently supported versions are compatible. I
> see you are running 9.8, which has been EOL since September, 2014.  I think
> that is probably fine, as far as EDNS, however.
>
> The change in BIND related to DNS Flag Day is removing workarounds from
> resolvers, that will retry without EDNS or otherwise try to proceed even
> when EDNS fails. This change came in the BIND 9.13 development version, and
> will be in BIND 9.14, which is not yet released.
>
> The problem you are seeing is most likely firewall-related.
>
> Vicky
>
> I looked around and couldn't find anything.
>


Re: EDNS Compliance

2019-01-18 Thread Ben Croswell
It's more complicated than just packet size. I have seen FWs with IPS rules
that were dropping the packets because the rule stated 0 was the only edns
version and anything else was an attack.

I would check the FW logs to find the log of the drop and work back from
there.

On Fri, Jan 18, 2019, 12:29 PM N. Max Pierson wrote:

> Thanks for the response, Ben. After looking at the results, it seems we do
> have a different firewall between the 4 servers and they have IPs out of
> the same subnet for 2 of them which are failing. So this lets me know it is
> firewall related and now I can check that.
>
> Do you know what type of rule (in general, not anything specific) needs to
> be added to allow for larger EDNS packets? Is it as simple as allowing the
> maximum size for payload specified in the RFC (
> https://tools.ietf.org/html/rfc6891#section-6.2.5) which is 4096 bytes?
>
> Regards,
> Max
>
> On Fri, Jan 18, 2019 at 11:07 AM Ben Croswell wrote:
>
>> As long as all 4 DNS servers are running the same version, my first
>> suggestion would be to check firewalls for dropped packets.
>>
>> Some FW/IPS drop packets with edns versions other than 0 because they see
>> it as an attack.
>>
>> On Fri, Jan 18, 2019, 12:02 PM N. Max Pierson wrote:
>>
>>> Hi List,
>>>
>>> I am trying to ensure our Bind servers comply with EDNS for the upcoming
>>> Flag Day (https://dnsflagday.net/). I am somewhat ignorant to EDNS but
>>> from what I have read, the information is somewhat conflicting as some
>>> documentation states EDNS is not a record that you configure in your zone
>>> file then other sites refer to some sort of OPT record you can configure.
>>> So my first question is which of the documentation is correct from what I
>>> have read? Is it DNS server functionality that supports EDNS or do you also
>>> have to configure something in the zone files?
>>>
>>> Also, I have 4 (well 5 counting the master that isn't queryable)
>>> nameservers with multiple domains served on them. When I run one of my
>>> primary domains through the ISC EDNS tool, it comes back as 2 out of the 4
>>> are failing EDNS queries. They are all on the same version of Bind
>>> (9.8.2rc1) and they are all slaves of the master so they should all have
>>> the same records. Can anyone please explain what I need to do to resolve
>>> the timeouts listed on the ISC testing tool?
>>>
>>> Here is what the tool says ...
>>>
>>>
>>> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok
>>> *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok
>>> ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>>>
>>> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>>
>>> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok
>>> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
>>> edns512tcp=ok optlist=ok
>>>
>>> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok
>>> *edns1=timeout* edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok
>>> ednsflags=ok docookie=ok edns512tcp=ok *optlist=timeout*
>>>
>>>
>>> TIA!!
>>>
>>> Regards,
>>>
>>> Max


Re: DNS flag day

2019-01-18 Thread Ben Croswell
I shouldn't have posted so closely to responding to the other user.

I am not running 9.8. I was replying to them about firewalls in regards to
their 9.8 issues.

Was just hoping for a statement of 9.x or greater supports the needed
badvers signaling etc.

On Fri, Jan 18, 2019, 12:15 PM Victoria Risk wrote:
> On Jan 18, 2019, at 9:09 AM, Ben Croswell  wrote:
>
> Has ISC released minimum viable BIND version for flag day?
>
>
> Most versions of BIND authoritative servers, going back years, are EDNS
> compatible. Certainly ALL currently supported versions are compatible. I
> see you are running 9.8, which has been EOL since September, 2014.  I think
> that is probably fine, as far as EDNS, however.
>
> The change in BIND related to DNS Flag Day is removing workarounds from
> resolvers, that will retry without EDNS or otherwise try to proceed even
> when EDNS fails. This change came in the BIND 9.13 development version, and
> will be in BIND 9.14, which is not yet released.
>
> The problem you are seeing is most likely firewall-related.
>
> Vicky
>
>
> I looked around and couldn't find anything.


DNS flag day

2019-01-18 Thread Ben Croswell
Has ISC released minimum viable BIND version for flag day?

I looked around and couldn't find anything.


Re: EDNS Compliance

2019-01-18 Thread Ben Croswell
As long as all 4 DNS servers are running the same version, my first
suggestion would be to check firewalls for dropped packets.

Some FW/IPS drop packets with edns versions other than 0 because they see it
as an attack.

On Fri, Jan 18, 2019, 12:02 PM N. Max Pierson wrote:

> Hi List,
>
> I am trying to ensure our Bind servers comply with EDNS for the upcoming
> Flag Day (https://dnsflagday.net/). I am somewhat ignorant to EDNS but
> from what I have read, the information is somewhat conflicting as some
> documentation states EDNS is not a record that you configure in your zone
> file then other sites refer to some sort of OPT record you can configure.
> So my first question is which of the documentation is correct from what I
> have read? Is it DNS server functionality that supports EDNS or do you also
> have to configure something in the zone files?
>
> Also, I have 4 (well 5 counting the master that isn't queryable)
> nameservers with multiple domains served on them. When I run one of my
> primary domains through the ISC EDNS tool, it comes back as 2 out of the 4
> are failing EDNS queries. They are all on the same version of Bind
> (9.8.2rc1) and they are all slaves of the master so they should all have
> the same records. Can anyone please explain what I need to do to resolve
> the timeouts listed on the ISC testing tool?
>
> Here is what the tool says ...
>
>
> venyu.com. @208.79.48.30 (ns4.venyu.com.): dns=ok edns=ok *edns1=timeout*
>  edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok
> edns512tcp=ok *optlist=timeout*
>
> venyu.com. @69.2.33.250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok
> optlist=ok
> venyu.com. @2604:d800:12::250 (ns1.venyu.com.): dns=ok edns=ok edns1=ok
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
> edns512tcp=ok optlist=ok
>
> venyu.com. @69.2.63.250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok edns@512=ok
> ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok edns512tcp=ok
> optlist=ok
> venyu.com. @2604:d800:13::250 (ns3.venyu.com.): dns=ok edns=ok edns1=ok
> edns@512=ok ednsopt=ok edns1opt=ok do=ok ednsflags=ok docookie=ok
> edns512tcp=ok optlist=ok
>
> venyu.com. @208.79.48.26 (ns2.venyu.com.): dns=ok edns=ok *edns1=timeout*
>  edns@512=ok ednsopt=ok *edns1opt=timeout* do=ok ednsflags=ok docookie=ok
> edns512tcp=ok *optlist=timeout*
>
>
> TIA!!
>
> Regards,
>
> Max

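The `*edns1=timeout*` verdicts in Max's output and the "badvers signaling" Ben asks about come down to one test: send a query with an EDNS version the server does not support and expect a BADVERS reply rather than silence, which is exactly the kind of packet a version-0-only IPS rule would drop. The following is an added example, not code from the thread or from ISC's checker: it builds that probe on the wire in Python, classifies the reply the way the checker reports it, and includes a constructed server reply for offline testing; the server you point `probe` at is assumed to be one of your own.

```python
import socket
import struct

TYPE_OPT = 41
TYPE_SOA = 6
BADVERS = 16  # RFC 6891 6.1.3: extended RCODE 1 combined with base RCODE 0


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def build_query(name: str, edns_version: int = 0, qtype: int = TYPE_SOA,
                udp_size: int = 4096, txid: int = 0x1234) -> bytes:
    """Query carrying one OPT pseudo-RR with the requested EDNS version."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 1)  # ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    ttl = edns_version << 16  # OPT TTL field: ext-rcode=0 | version | DO=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)
    return header + question + opt


def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer occupies 2 bytes
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_response(buf: bytes) -> dict:
    """Extract the full 12-bit RCODE and the OPT record, if present."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(buf, off) + 4
    result = {"txid": txid, "rcode": flags & 0xF, "opt": None}
    for _ in range(an + ns + ar):
        off = skip_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            result["rcode"] = ((ttl >> 24) << 4) | (flags & 0xF)
            result["opt"] = {"udp_size": rclass,
                             "version": (ttl >> 16) & 0xFF}
    return result


def classify(edns_version_sent: int, response) -> str:
    """Checker-style verdict: 'ok', 'timeout', 'noopt' or 'badrcode'."""
    if response is None:
        return "timeout"  # what a FW/IPS drop of the probe looks like
    parsed = parse_response(response)
    if parsed["opt"] is None:
        return "noopt"  # reply came back with EDNS stripped
    if edns_version_sent == 0:
        return "ok" if parsed["rcode"] == 0 else "badrcode"
    # An unsupported version must get BADVERS plus the server's own
    # highest supported version, which for current servers is 0.
    if parsed["rcode"] == BADVERS and parsed["opt"]["version"] == 0:
        return "ok"
    return "badrcode"


def probe(server: str, name: str, edns_version: int, timeout: float = 3.0):
    """Send one probe over UDP to your own server; None on timeout."""
    query = build_query(name, edns_version)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == query[:2] else None


def fake_response(query: bytes, ext_rcode: int, version: int = 0,
                  with_opt: bool = True) -> bytes:
    """Constructed server reply for offline testing (not real traffic)."""
    question = query[12:skip_name(query, 12) + 4]
    arcount = 1 if with_opt else 0
    header = query[:2] + struct.pack("!HHHHH", 0x8400, 1, 0, 0, arcount)
    opt = b""
    if with_opt:
        ttl = (ext_rcode << 24) | (version << 16)
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return header + question + opt
```

Run `classify(1, probe("your.ns.example", "yourzone.example", 1))` against each of your own servers: a "timeout" on version 1 while version 0 is "ok" points at a filter between you and named, not at BIND.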

Re: BIND and UDP tuning

2018-09-27 Thread Ben Croswell
When we ran into UDP tuning issues on high traffic devices it presented as
silent discards rather than SERVFAIL.

On Thu, Sep 27, 2018, 12:04 PM Alex wrote:

> Hi,
>
> > On Thu, Sep 27, 2018 at 10:53:25AM -0400, Alex wrote:
> > > Many of these values I've already tweaked and have had no effect on my
> > > SERVFAIL issues :-(
> >
> > If you are getting SERVFAILs from a BIND resolver you administer, then
> > it has responded to your query. If you turn up the log level to
> > something like -d 99, it'll print the steps that led to that SERVFAIL.
> > Usually you'll find something there that directs you to next steps.
> >
> > On this topic, my home resolver is also a stock packaged BIND version as
> > you, and I too see spurious SERVFAILs sometimes. I used to think this
> > was due to too much indirection, e.g., when named starts up and you run:
> >
> > dig -x 176.9.81.50
>
> It doesn't typically happen when running from the command-line. It
> does occasionally happen, though. I usually run something like "dig
> +all +trace +nodnssec ". It sometimes times out in the
> middle, with something like "cannot resolve xyz host", which may even
> be one of the root servers.
>
> I also typically run it with "rndc trace 11" which shows me quite a
> bit of debugging info - too much to look through manually. With trace
> 99, I can imagine it being overwhelming amount of info. Do you have
> any ideas of what to look for? "query-errors"?
>
> Also, I also see other SERVFAIL errors that really are SERVFAIL errors
> - when querying the host manually, it still responds immediately with
> SERVFAIL.
>
> Thanks,
> Alex
>
>
>
> >
> > on a cold cache. However it seems to be returning SERVFAIL sometimes for
> > what should be a cached answer. I'll also turn up the debug logging and
> > watch it.
> >
> > Mukund


Re: Max slaves limit?

2017-12-18 Thread Ben Croswell
That is a valid consideration but being a slave doesn't always mean being
in the NS records.

On Dec 18, 2017 9:47 AM, "Barry S. Finkel"  wrote:

> On Sun, 17 Dec 2017 22:06:58 +0530, vijay bommareddy 
> wrote:
>
>> Hello folks,
>>
>> I'm trying to find more information on the practical limitations of adding
>> more slaves.
>> Can someone tell me how many slaves BIND technically supports? Is there a
>> maximum limit per master server?
>>
>> Thank you
>> Vijay
>>
>
> A minor point - if there are too many slaves, then the NS list might
> not fit into a UDP packet, causing TCP to be used.  I do not know
> how many NS records would be needed to exceed the UDP packet size;
> it would depend upon the length of the nodenames of the DNS servers.
>
> --Barry Finkel

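Barry's point about the NS RRset outgrowing a UDP reply can be put in numbers. The following is an added example, not code from the thread: it models RFC 1035 name compression closely enough to compute the wire size of the reply to a `zone NS` query and count how many secondaries fit under the classic 512-byte limit. The zone and server names are invented, glue in the additional section is not counted, and EDNS raises the limit for resolvers that advertise a larger buffer.

```python
from typing import Iterable, List, Set, Tuple

HEADER_LEN = 12        # RFC 1035 4.1.1 fixed header
RR_FIXED_LEN = 10      # TYPE + CLASS + TTL + RDLENGTH
CLASSIC_UDP_LIMIT = 512

Suffix = Tuple[str, ...]


def add_name(name: str, known: Set[Suffix]) -> int:
    """Wire length of `name` given the suffixes already in the message.

    The longest suffix that already appeared is replaced by a 2-byte pointer;
    every suffix emitted in full becomes available to later names.
    """
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if tuple(labels[i:]) in known:
            size = sum(len(lab) + 1 for lab in labels[:i]) + 2
            break
    else:
        i = len(labels)
        size = sum(len(lab) + 1 for lab in labels) + 1  # plus the root label
    for j in range(i):
        known.add(tuple(labels[j:]))
    return size


def ns_answer_size(zone: str, nameservers: Iterable[str]) -> int:
    """Bytes in a reply to `zone NS` carrying one NS RR per server."""
    known: Set[Suffix] = set()
    size = HEADER_LEN + add_name(zone, known) + 4   # question: QNAME, QTYPE, QCLASS
    for ns in nameservers:
        size += add_name(zone, known)               # owner name, always a pointer
        size += RR_FIXED_LEN
        size += add_name(ns, known)                 # RDATA: the server's name
    return size


def servers_that_fit(zone: str, candidates: Iterable[str],
                     limit: int = CLASSIC_UDP_LIMIT) -> int:
    """How many of `candidates`, taken in order, fit before `limit` is exceeded."""
    chosen: List[str] = []
    for ns in candidates:
        if ns_answer_size(zone, chosen + [ns]) > limit:
            break
        chosen.append(ns)
    return len(chosen)


if __name__ == "__main__":
    zone = "example.com."  # constructed zone name
    short = [f"ns{i}.example.com." for i in range(1, 101)]
    long_names = [f"secondary-{i:02d}.dns.provider-example.net." for i in range(1, 101)]
    print("in-zone short names that fit in 512 bytes:", servers_that_fit(zone, short))
    print("long out-of-zone names that fit:", servers_that_fit(zone, long_names))
```

The second list shows what Barry means by "depends on the length of the nodenames": after the first long name is spelled out, each further one collapses to its first label plus a pointer, so the per-record cost is set by that label, not the whole name.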
Re: EDNS0 client subnet in BIND 9.10

2017-11-11 Thread Ben Croswell
The use case I am looking at is using ECS or some other mechanism to pass
the IP of client making the query to the global load-balancer. This
information could then be used by the global load-balancer in making
proximity decisions when crafting its response.
I.e. GLB sees 10.1.1.1 and returns a given IP but if it sees 10.2.2.2 the
answer is different.

On Nov 11, 2017 5:31 AM, "Ray Bellis"  wrote:

> On 11/11/2017 04:50, Mukund Sivaraman wrote:
> > I'm not sure how ECS would be useful for load-balancing, as in the best
> > case scenario it would require one to control every client side to send
> > the client-subnet option.
>
> It would help if Ben provided more details about what he's trying to
> achieve.
>
> I do have a draft that I'm trying to get adopted at IETF to allow
> client-related information to be carried from load balancer to back-end
> server.  It's not yet implemented in BIND, though:
>
> 
>
> Ray
>

EDNS0 client subnet in BIND 9.10

2017-11-10 Thread Ben Croswell
I would like to use the client subnet option to overcome some hurdles
related to proximity load-balancing.

I have looked through the ARM and found references to setting the option in
a dig. However I was not able to locate options for sourcing that option on
the DNS server.

Is anyone using ECS currently?

RE: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
I guess I made the assumption that the zone was properly forwarded at the MS
end.

However, as you mentioned, if it was only delegated then it would SERVFAIL
at the BIND server when receiving an iterative query from MS if BIND isn't
authoritative.

On Oct 10, 2017 11:44 AM, "Darcy Kevin (FCA)" <kevin.da...@fcagroup.com>
wrote:

But surely you’d get an NXDOMAIN in that case, not a SERVFAIL.

The assumption I made in my post was that the delegation was pointed to the
forwarding BIND instance, which is a non-starter.

-  Kevin

*From:* bind-users [mailto:bind-users-boun...@lists.isc.org] *On Behalf Of *Ben
Croswell
*Sent:* Tuesday, October 10, 2017 11:38 AM
*To:* seanliam73 <sean.orei...@landg.com>
*Cc:* bind-users@lists.isc.org
*Subject:* Re: Forwarding from delegated zone not working

If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73" <sean.orei...@landg.com> wrote:

Hi

I have a subdomain delegated from AD to a bind9 instance I have running so
that all requests for that subdomain are sent to the bind 9 instance. I
would then like to set up zone forwarding so that further subdomains can be
managed by other bind 9 instances.

I know the forwarding is working because I can query the main bind9 instance
and receive the expected results. However if I query from the AD server that
is doing the delegation I get a SERVFAIL error.

Am I trying to do something that is not possible or am I just missing some
configuration?

*main instance config*

options {
    directory "/var/named";
    listen-on port 53 { listen addr; };
    auth-nxdomain yes;
    recursion yes;
    allow-query { ip addresses; };
    listen-on-v6 { any; };
    dnssec-enable no;
    dnssec-validation no;
    dnssec-lookaside auto;
};

logging {
    channel default_debug {
        file "data/named.run";
        severity debug 3;
    };

    channel querylog {
        file "data/query.log";
        severity debug 5;
    };

    category default { default_debug; };
    category queries { querylog; };
};

zone "example.company.com" IN {
    type forward;
    forward only;
    forwarders { ip address; };
};

zone "development.example.company.com" IN {
    type forward;
    forward only;
    forwarders { ip address; };
};



--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
If the AD environment loads company.com you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73"  wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running so
> that all requests for that subdomain are sent to the bind 9 instance. I
> would then like to set up zone forwarding so that further subdomains can be
> managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However if I query from the AD
> server that is doing the delegation I get a SERVFAIL error.
>
> Am I trying to do something that is not possible or am I just missing some
> configuration?
>
> *main instance config*
>
> options {
>     directory "/var/named";
>     listen-on port 53 { listen addr; };
>     auth-nxdomain yes;
>     recursion yes;
>     allow-query { ip addresses; };
>     listen-on-v6 { any; };
>     dnssec-enable no;
>     dnssec-validation no;
>     dnssec-lookaside auto;
> };
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity debug 3;
>     };
>
>     channel querylog {
>         file "data/query.log";
>         severity debug 5;
>     };
>
>     category default { default_debug; };
>     category queries { querylog; };
> };
>
> zone "example.company.com" IN {
>     type forward;
>     forward only;
>     forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
>     type forward;
>     forward only;
>     forwarders { ip address; };
> };
>
>
>
> --
> Sent from: http://bind-users-forum.2342410.n4.nabble.com/

Re: strange problem with query being dropped/ignored by the BIND process

2017-06-28 Thread Ben Croswell
Have you checked deeper at the OS level? I have seen on Linux DNS servers
silent drops of queries on very busy servers that were exhausting UDP
receive buffers.

On Jun 28, 2017 10:26 AM, "Marc Richter" 
wrote:

Hi,

We have a setup here consisting of a recursive DNS server and two
monitoring servers. The monitoring servers send a test query to the DNS
server once every two minutes to check if it is answering properly.

We now have the problem that these test queries are timing out from time
to time, (correctly) resulting in alarms in our monitoring system.

I have checked this now and noticed that each time we see that alarm, the
query sent by the monitoring server is not being answered at all.
To debug that I ran tcpdump on both the monitoring server and the recursive
DNS server. I see the query being sent out on the monitoring server and I
also see the query being received on the DNS server, however there is no
response sent to this query at all.
Looking at the query log, which I enabled temporarily, the query is also
not logged there, so it looks like BIND is ignoring that query somewhere,
although it is properly received by the IP stack of the server.

Do you have any suggestions on how to debug this further, to hopefully find
out where these queries are stuck/dropped/ignored, as I have run out of
ideas?

The environment is:
BIND 9.9.9-P5 (Extended Support Version) 
running on SunOS sun4v 5.11 11.3


Thanks !
Marc

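The silent discards Ben mentions here and in the UDP tuning thread leave no trace in named's query log, but they do show up in the kernel's counters. The block below is an added example, not code from the thread: on Linux it reads the two places where a full UDP receive buffer is recorded, the `RcvbufErrors` counter in /proc/net/snmp and the per-socket `drops` column of /proc/net/udp for sockets bound to port 53, and reports the receive-buffer sysctls that cap what a listening socket may ask for. The sample text and all numbers in it are constructed.

```python
import os
import socket
from typing import Dict, List, Tuple

# Constructed sample of /proc/net/snmp. Counters are cumulative since boot,
# so a nonzero RcvbufErrors alone only says drops happened at some point.
SAMPLE_SNMP = """\
Udp: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
Udp: 98213451 12 4310 98100022 4310 0 0 0
UdpLite: InDatagrams NoPorts InErrors OutDatagrams RcvbufErrors SndbufErrors InCsumErrors IgnoredMulti
UdpLite: 0 0 0 0 0 0 0 0
"""

# Constructed sample of /proc/net/udp: addresses are little-endian hex and
# the final column is that socket's own drop count.
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
 1234: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    25        0 12345 2 0000000000000000 4310
 1235: 0200000A:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    25        0 12346 2 0000000000000000 0
 1236: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 0000000000000000 0
"""


def parse_udp_counters(snmp_text: str) -> Dict[str, int]:
    """Turn the two 'Udp:' lines of /proc/net/snmp into a name -> value map."""
    lines = [ln for ln in snmp_text.splitlines() if ln.startswith("Udp:")]
    names = lines[0].split()[1:]
    values = [int(v) for v in lines[1].split()[1:]]
    return dict(zip(names, values))


def socket_drops(udp_text: str, port: int = 53) -> List[Tuple[str, int]]:
    """Per-socket drop counts for every IPv4 UDP socket bound to `port`."""
    found = []
    for ln in udp_text.splitlines()[1:]:
        fields = ln.split()
        if len(fields) < 13:
            continue
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = socket.inet_ntoa(bytes.fromhex(hex_addr)[::-1])
        found.append((addr, int(fields[-1])))
    return found


def drop_delta(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, float]:
    """Drops during a sampling interval and their share of arriving datagrams.

    Sample once before and once after the monitoring probe's interval; a
    delta that grows in the same window as a timed-out probe is the signal.
    """
    drops = after["RcvbufErrors"] - before["RcvbufErrors"]
    arrived = after["InDatagrams"] - before["InDatagrams"] + drops
    return {"drops": drops, "rate": drops / arrived if arrived else 0.0}


def rmem_limits() -> Dict[str, int]:
    """net.core.rmem_default and rmem_max; -1 for each on non-Linux hosts.

    rmem_max caps the SO_RCVBUF a listening socket can request, so it is
    the first sysctl to raise when RcvbufErrors climbs on a busy server.
    """
    out = {}
    for key in ("rmem_default", "rmem_max"):
        try:
            with open(f"/proc/sys/net/core/{key}") as fh:
                out[key] = int(fh.read().strip())
        except OSError:
            out[key] = -1
    return out


def main() -> None:
    live = os.path.exists("/proc/net/snmp")
    snmp = open("/proc/net/snmp").read() if live else SAMPLE_SNMP
    udp = open("/proc/net/udp").read() if live else SAMPLE_UDP
    counters = parse_udp_counters(snmp)
    print("UDP RcvbufErrors since boot:", counters["RcvbufErrors"])
    for addr, drops in socket_drops(udp):
        print(f"  port 53 socket on {addr}: {drops} drops")
    print("receive buffer limits:", rmem_limits())


if __name__ == "__main__":
    main()
```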
Re: Why would a master zone use forwarders ?

2017-05-12 Thread Ben Croswell
If you load foo.com on server A and delegate bar.foo.com to server B with a
global forwarder of server C, your resolution will vary depending on forward
first vs forward only and forwarders {}.

With no forward {} the path for blah.bar.foo.com directed at server A will
be A > C > B.
With forward {} the global forward will be short circuited for foo.com and
below, resulting in a path of A > B.

On May 12, 2017 11:56 AM, "Mik J" <mikyde...@yahoo.fr> wrote:

Thank you Ben for your answer

My server uses a global forwarding

I don't understand what you wrote
"If it is master for a foo.com and also has global forwarding it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally."

If my DNS is authoritative, why would I use forwarding?

For my sub domains I use delegations
sub.mydomain.com NS ns.sub.mydomain.com
ns.sub.mydomain.com A 1.1.1.1

What's the difference between the global forward for delegated child
domains and the delegation I do ?

Thank you



On Friday, 12 May 2017 at 15:34, Ben Croswell <ben.crosw...@gmail.com>
wrote:


This would only change behavior if the server has global forwarding.

If it is master for a foo.com and also has global forwarding it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally.  The forward{} turns off global forwarding
for that branch of the tree.

On May 12, 2017 9:27 AM, "Mik J via bind-users" <bind-users@lists.isc.org>
wrote:

Hello,

If my DNS is master/slave for a zone, why would I want it to use forwarders.

In other terms why would I want
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
};

Instead of (forwarders {};)
zone "mydomain.com"
{
    type master;
    file "zones/master/com/mydomain.com";
    allow-update { acl; };
    forwarders {};
};

Why would I want to forward requests if I'm authoritative for the zone?

Thank you to those who can highlight this point.


Re: Why would a master zone use forwarders ?

2017-05-12 Thread Ben Croswell
This would only change behavior if the server has global forwarding.

If it is master for a foo.com and also has global forwarding it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally.  The forward{} turns off global forwarding
for that branch of the tree.

On May 12, 2017 9:27 AM, "Mik J via bind-users" 
wrote:

> Hello,
>
> If my DNS is master/slave for a zone, why would I want it to use
> forwarders.
>
> In other terms why would I want
> zone "mydomain.com"
> {
>     type master;
>     file "zones/master/com/mydomain.com";
>     allow-update { acl; };
> };
>
> Instead of (forwarders {};)
> zone "mydomain.com"
> {
>     type master;
>     file "zones/master/com/mydomain.com";
>     allow-update { acl; };
>     forwarders {};
> };
>
> Why would I want to forward requests if I'm authoritative for the zone?
>
> Thank you to those who can highlight this point.
>

Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Ben Croswell
Ensure that the allow-query clause on the master includes the slave. If the
slave can't query for the SOA on the zone it can't do an xfer.

On Mar 2, 2017 6:34 AM, "Xavier Humbert" 
wrote:

> The whole configuration, comments removed:
>
> -- Master --
> acl my-slaves {
>     any; // DEBUG
> };
>
> acl my-clients {
>     any; // DEBUG
> };
>
> options {
>     // IP config
>     listen-on port 53 { 172.29.16.135; 127.0.0.1; };
>     listen-on-v6 port 53 { none; };
>
>     // Paths
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>     // Behaviour
>     recursion no;
>     allow-transfer { my-slaves; };
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> controls {
>     inet 127.0.0.1 port 953
>         allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> // Logging
> // omitted
>
> zone "in.acv.orion.education.fr" {
>     type master;
>     file "/etc/named/internal/in.acv.orion.education.fr.db";
>     allow-transfer { my-slaves; };
> };
>
> -- Slave --
> acl my-clients {
>     localhost;
>     any; // DEBUG
> };
>
> options {
>     // IP config
>     listen-on port 53 { 172.29.16.133; 127.0.0.1; };
>     listen-on-v6 port 53 { none; };
>
>     // Paths
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>
>     // Behaviour
>     recursion no;
>     allow-update { 172.29.16.135; };
>     allow-transfer { 172.29.16.135; };
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> // Logging
> // Omitted
>
> zone "in.acv.orion.education.gouv.fr" {
>     type slave;
>     file "/etc/named/in.acv.orion.education.gouv.fr.db";
>     masters { 172.29.16.135; };
> };
> zone "." IN {
>     type hint;
>     file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> --
>
> Really, really basic!
> Thanks
>
> --
> Xavier Humbert
> CRT Supervision et Exploitation de Niveau 1
> Rectorat de Nancy-Metz
> 03 83 86 27 39
>
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
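The point Ben makes above is that a secondary refreshes a zone by first sending an ordinary SOA query to the primary, and only an answer it can actually read lets it decide whether to transfer. The following is an added example (not code from this thread, from ISC or from BIND) that parses such an SOA response off the wire, applies the RFC 1982 serial comparison, and reports the REFUSED case that an allow-query ACL without the secondary produces. The zone name example.com and the response bytes are constructed for the example.

```python
# Added example: what a secondary does before an AXFR. It sends a plain SOA
# query to the primary, reads the serial out of the answer and only then
# decides whether to transfer. If the primary's allow-query ACL does not
# admit the secondary, the answer is REFUSED and no serial is ever seen.
# All wire bytes below are constructed by hand for the example.
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TYPE_SOA = 6


def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next offset)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:             # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels) + ".", end


def parse_soa_response(msg):
    """Return {'rcode': str, 'serial': int or None} for a response to an SOA query."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = RCODES.get(flags & 0xF, str(flags & 0xF))
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = read_name(msg, off)
        off += 4                               # qtype + qclass
    serial = None
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            _, p = read_name(msg, off)         # MNAME
            _, p = read_name(msg, p)           # RNAME
            serial = struct.unpack("!I", msg[p:p + 4])[0]   # SERIAL is the first uint32
        off += rdlen
    return {"rcode": rcode, "serial": serial}


def serial_is_newer(new, old):
    """RFC 1982 serial comparison: True if `new` is ahead of `old` modulo 2^32."""
    return new != old and ((new - old) & 0xFFFFFFFF) < 0x80000000


def refresh_decision(msg, local_serial):
    """Mimic the secondary's refresh logic on the primary's SOA answer."""
    r = parse_soa_response(msg)
    if r["rcode"] == "REFUSED":
        return "refused: secondary is not permitted to query the primary (check allow-query)"
    if r["serial"] is None:
        return "no SOA in answer (%s)" % r["rcode"]
    if serial_is_newer(r["serial"], local_serial):
        return "transfer: primary serial %d is newer than local %d" % (r["serial"], local_serial)
    return "up to date: serial %d" % r["serial"]


# --- constructed test messages (hypothetical zone example.com) ---------------
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.rstrip(".").split(".")) + b"\x00"


def build_soa_response(zone, serial, rcode=0):
    """Build a minimal response to 'zone SOA' with QR and AA set; rcode!=0 gives no answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400 | rcode, 1, 0 if rcode else 1, 0, 0)
    question = _name(zone) + struct.pack("!HH", TYPE_SOA, 1)
    if rcode:
        return header + question
    rdata = (_name("ns1." + zone) + _name("hostmaster." + zone)
             + struct.pack("!IIIII", serial, 3600, 900, 604800, 300))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, 1, 3600, len(rdata)) + rdata
    return header + question + answer


if __name__ == "__main__":
    print(refresh_decision(build_soa_response("example.com", 2024031401), 2024031400))
    print(refresh_decision(build_soa_response("example.com", 0, rcode=5), 2024031400))
```

The REFUSED branch is the one to look for in a stuck secondary: `dig @primary zone SOA` from the secondary host shows the same status, and the fix is on the primary's allow-query, not its allow-transfer.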

Re: The DDOS attack on DYN & RRL ?

2016-11-01 Thread Ben Croswell
The other option is having a master owned by your company and then
setting both external providers to secondary from your master. You get to
maintain control over data and have diversity.

On Nov 1, 2016 10:42 AM, "Barry Margolin" <bar...@alum.mit.edu> wrote:

> In article <mailman.546.1477931391.7.bind-us...@lists.isc.org>,
>  Ben Croswell <ben.crosw...@gmail.com> wrote:
>
> > I think what we see as a result of this attack is DNS provider diversity
> > being the new buzz phrase. The same as not relying on a single ISP link, I
> > see more people using multiple DNS providers.
> > The size of these attacks will grow as IoT continues to grow. It makes
> > sense to have diverse providers to ensure your domains are serviceable
> if a
> > provider gets attacked.
>
> My boss asked me to look into this after the attack. The sticking point
> seems to be that most DNS providers don't allow zone transfers from
> their servers. We currently get our auth DNS from SoftLayer, the hosting
> provider for our primary web, application, and database servers. I
> contacted them to find out if it's possible to enable zone transfers to
> a third party slave service, they said no; they suggested that we simply
> set up both services as masters, which would mean we'd have to update
> them independently (or write our own scripts that make use of each
> service's API). The customers of Dyn are in the same situation.
>
> Maybe last week's incident will prompt enough big customers to demand
> this that they'll change their policies.
>
> --
> Barry Margolin
> Arlington, MA

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Ben Croswell
I think what we see as a result of this attack is DNS provider diversity
being the new buzz phrase. The same as not relying on a single ISP link, I
see more people using multiple DNS providers.
The size of these attacks will grow as IoT continues to grow. It makes
sense to have diverse providers to ensure your domains are serviceable if a
provider gets attacked.

On Oct 31, 2016 12:25 PM, "Matthew Seaman" 
wrote:

> On 2016/10/31 16:09, Barry Margolin wrote:
> > I heard that the impact of the attack was even narrower than just the
> > US, it was mostly eastern US. That suggests some things about the
> > granularity of Dyn's anycast network and the distribution of the Mirai
> > botnet.
>
> There were actually three attacks on the same day.  The first (about
> 12:00 UTC) affected pretty much just the Eastern USA, and we saw little
> beyond some raised RTTs in Europe.  The second (about 16:00UTC) took out
> all the Dyn POPs in the USA and affected their European POP.  The third
> (around 18:00UTC) ... was pretty much a non-event.  Dyn had mitigated
> the attacks pretty effectively by that point.
>
> Cheers,
>
> Matthew
>
>
>

Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow

2016-02-17 Thread Ben Croswell
Cyber folks asked if there was any way for the DNS servers to "protect" the
vulnerable clients.
The only thing I could see from the explanation was disabling or limiting
EDNS0 sizes. That is obviously not a long term option.
On Feb 17, 2016 11:39 AM, "Alan Clegg"  wrote:

> On 2/17/16, 11:34 AM, "Reindl Harald"  behalf of h.rei...@thelounge.net> wrote:
>
> >On 17.02.2016 at 17:22, Dominique Jullier wrote:
> >> Are there any thoughts around how to handle yesterday's glibc
> >> vulnerability[1][2] from the BIND side?
> >>
> >> Since it is a rather painful task to update all hosts to a new
> >> version of glibc, we were thinking about other possible workarounds
> >
> >Fedora, RHEL and Debian as well as likely all other relevant
> >distributions are providing a patched glibc - dunno what is "rather
> >painful" about applying an ordinary update like kernel security updates and
> >restarting all network relevant processes or rebooting
>
> While I agree that the "major distributions" (and even the minor ones) are
> getting patches out, I'd like to point out something that Alan Cox posted
> over on G+:
>
> "You can upgrade all your servers but if that little cheapo plastic box on
> your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> lookups chances are it's the equivalent of a trapdoor into your network."
>
> https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6
>
> There does need to be something a bit deeper than "patch your servers"..
>
> AlanC

Re: About CVE-2015-5477 (An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure)

2015-07-28 Thread Ben Croswell
Is it safe to say the only vulnerable hosts would be those accepting
queries from the outside world, or would this also pertain to servers getting
responses from the outside world with no inbound queries?
 On Jul 28, 2015 5:42 PM, Michael McNally mcna...@isc.org wrote:

 As the security incident manager for this particular vulnerability
 notification, I'd like to say a little extra, beyond our official
 vulnerability disclosure (https://kb.isc.org/article/AA-01272)
 about this critical defect in BIND.

 Many of our bugs are limited in scope or affect only users having
 a particular set of configuration choices.  CVE-2015-5477 does not
 fall into that category.  Almost all unpatched BIND servers are
 potentially vulnerable.  We know of no configuration workarounds.
 Screening the offending packets with firewalls is likely to be
 difficult or impossible unless those devices understand DNS at a
 protocol level and may be problematic even then.  And the fix for
 this defect is very localized to one specific area of the BIND code.

 The practical effect of this is that this bug is difficult to defend
 against (except by patching, which is completely effective) and will
 not be particularly difficult to reverse-engineer.  I have already
 been told by one expert that they have successfully reverse-engineered
 an attack kit from what has been divulged and from analyzing the code
 changes, and while I have complete confidence that the individual who
 told me this is not intending to use his kit in a malicious manner,
 there are others who will do so who may not be far behind.

 Please take steps to patch immediately.  This bug is designated
 Critical and it deserves that designation.

Re: Diagnostic help

2014-09-29 Thread Ben Croswell
The default for allow-query is localhost; localnets. Basically the server
itself and directly connected networks.
On Sep 29, 2014 8:03 PM, Bill Christensen billc_li...@greenbuilder.com
wrote:

  Hi folks,

 Something got sideways on one of my DNS servers, and I would appreciate
 some help in figuring out what's going on.

 I'm running BIND 9.10.1.  This server is authoritative master for a number
 of domains.

 First off, I may have the allow-query set incorrectly.  Currently I have:

 acl query-permit {
 (range of IP address on the local LAN which are allowed to use this
 server as their query server)
 };

 acl recursive-permit {
 (range of IP address on the local LAN which are allowed to use this
 server for recursive queries)
 };

 acl transfer-permit {
 (IP addresses of a couple other name servers allowed to do transfers
 with this one)
 };

 and at the beginning of the options  section:

 allow-recursion { recursive-permit; };
  allow-transfer { transfer-permit; };
 // allow-query { query-permit; };

 Allow-query is commented out, which I assume will allow anyone to query
 this server for the domains for which it has master or slave records, but
 does not allow the general public to do recursive queries or queries on
 domains not hosted here.

 Let me know if I've got that right, or how to correct it if I don't.

 If this part is correct I'll continue the questioning.

 Thanks!





Re: Slave zero-TTL on CNAMES

2014-06-05 Thread Ben Croswell
Cisco routers do have the ability to doctor DNS packets when doing NAT.
When it doctors, it sets the TTL to 0, but I don't know why it would only do
it on CNAME records.
On Jun 5, 2014 12:43 PM, Reindl Harald h.rei...@thelounge.net wrote:



 On 05.06.2014 17:58, /dev/rob0 wrote:
  On Thu, Jun 05, 2014 at 05:21:47PM +0200, Reindl Harald wrote:
  what the hell invents $TTL 0  ; 0 seconds lines before
  each CNAME block while on the master there is exactly
  one TTL line with 86400 on top of the file?
 
  The way named writes a zone file is not the way I would do it.
  Records are strictly in alphabetic order, and $TTL blocks are made
  around all RRSETs where TTL varies.
 
  The zone FILE is not your problem. I don't know exactly what the
  problem might be. It seems that something is intercepting and
  filtering the zone transfers?
 
  You could try transfers manually from the slave:
 
  dig [key auth if required] rhsoft.net. axfr @91.118.73.16
 
  Does that show any zero TTLs? If so I suggest you place a couple of
  sniffers at strategic spots, one leaving the master, another entering
  the slave, and force a zone transfer.

 as you can see clearly below any CNAME record comes with a zero TTL
 the dotted line are a lot of CNAMEs, all with zero TTL
 after them the first A-record has again the desired 86400

 the SOA at the end comes also with 86400 and the CNAME
 block before again has a TTL of zero

 i can't imagine anything which would sit between the
 transfer and change things - h wait there was a
 Zyxel router in front of ns1 which was exploitable
 and now is replaced by a small Cisco from the ISP

 oh, no, don't tell me that my ISP clutters DNS again :-(

 [root@ns2:~]$ dig rhsoft.net. axfr @91.118.73.16

 ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-15.P2.fc19 <<>> rhsoft.net. axfr @91.118.73.16
 ;; global options: +cmd
 rhsoft.net.             86400   IN      SOA     ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
 rhsoft.net.             86400   IN      MX      10 barracuda.thelounge.net.
 rhsoft.net.             86400   IN      TXT     "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
 rhsoft.net.             86400   IN      SPF     "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
 rhsoft.net.             86400   IN      NS      ns2.thelounge.net.
 rhsoft.net.             86400   IN      NS      ns1.thelounge.net.
 rhsoft.net.             86400   IN      A       91.118.73.4
 **.rhsoft.net.          0       IN      CNAME   **.rhsoft.net.
 **.rhsoft.net.          0       IN      CNAME   **.rhsoft.net.
 ...
 testserver.rhsoft.net.  86400   IN      A       84.113.92.77
 **.rhsoft.net.          0       IN      CNAME   **.rhsoft.net.
 rhsoft.net.             86400   IN      SOA     ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
 ;; Query time: 22 msec
 ;; SERVER: 91.118.73.16#53(91.118.73.16)
 ;; WHEN: Do Jun 05 18:35:08 CEST 2014
 ;; XFR size: 58 records (messages 1, bytes 1545)



Re: Bind 9.9.1 forward zone local

2014-03-25 Thread Ben Croswell
I would imagine your issue is a lack of an NS delegation in the root zone
you are slaving.  If you load a parent and then try to forward a child of
that parent you must have a delegation in the parent. The delegation
doesn't have to match the forwarders but it must exist.
On Mar 25, 2014 1:57 PM, Андрей Ветров proukorn...@gmail.com wrote:

 Hello. I have a problem with forwarding zone local to ISP resolvers.
 My config is:
 options {
 directory "/tmp";
 disable-empty-zone ".";
 };

 zone "." {
 type slave;
 masters { 192.0.32.132; 193.0.14.129; };
 masterfile-format text;
 file "/etc/bind/db.root";
 allow-query { any; };
 };

 zone "local." IN {
 type forward;
 forwarders { DNS_IP_ISP; };
 forward only;
 };

 zone "opendns.com" IN {
 type forward;
 forwarders { 208.67.222.222; 208.67.222.220; 208.67.220.220;
 208.67.220.222; };
 forward only;
 };
 Forwarding to opendns works, dig +short myip.opendns.com returns the IP
 address correctly.
 Forwarding to local doesn't work, dig returns NXDOMAIN.
 Commenting out zone "." leads to correct work of zone local


Re: which Name sever is selected?

2014-03-03 Thread Ben Croswell
By decaying I mean they take some percent of time off of the rtt of the
name servers that aren't used when there is a successful query to the
fastest.  Eventually the slower servers will be faster than the fastest and
get queried. That query will set the rtt again for that server and will go
back to being slower.
On Mar 3, 2014 8:24 AM, houguanghua houguang...@hotmail.com wrote:

 Hi Ben,

 What's the meaning of bind decaying? Where can I find the detailed
 description? Thanks!

 Guanghua


 
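The decay behaviour Ben describes above is easier to see in a small model than in prose. The following is an added example, not code from this thread or from BIND: it keeps one smoothed RTT per authoritative server, always queries the lowest, and after every successful query shrinks the stored RTT of the servers that were not used, so the slow ones are eventually retried and then pushed back down the list by their real measurement. The decay factor, smoothing weight, server names and RTTs are assumptions for the model, not BIND's actual constants.

```python
# Added example: a model of BIND-style server selection with RTT decay.
# Assumed constants, not taken from the BIND source.
DECAY = 0.98    # fraction of the stored RTT kept on each server that was NOT used
SMOOTH = 0.7    # weight of the old RTT when a fresh measurement arrives


class ServerSelector:
    def __init__(self, true_rtt_ms):
        # true_rtt_ms: the RTT each server would actually show if queried (assumed fixed).
        self.true_rtt = dict(true_rtt_ms)
        self.rtt = dict(true_rtt_ms)          # start from one measurement per server
        self.queries = {name: 0 for name in true_rtt_ms}

    def pick(self):
        """Choose the server with the lowest stored RTT."""
        return min(self.rtt, key=self.rtt.get)

    def query(self):
        """Send one (assumed successful) query and update the RTT table."""
        chosen = self.pick()
        self.queries[chosen] += 1
        # The server that answered gets a real sample, smoothed into its estimate.
        sample = self.true_rtt[chosen]
        self.rtt[chosen] = SMOOTH * self.rtt[chosen] + (1 - SMOOTH) * sample
        # Every server that was not tried decays a little toward "worth trying again".
        for name in self.rtt:
            if name != chosen:
                self.rtt[name] *= DECAY
        return chosen


def simulate(true_rtt_ms, n_queries):
    """Run n_queries through the selector; return how many each server received."""
    sel = ServerSelector(true_rtt_ms)
    for _ in range(n_queries):
        sel.query()
    return sel.queries


if __name__ == "__main__":
    # Hypothetical NS set: one close server, one farther away, one very slow.
    print(simulate({"ns1": 10, "ns2": 40, "ns3": 200}, 1000))
```

Run it and the fastest server takes nearly all of the load, yet every server still receives a non-zero share, which is the "all NS records will take some percent of the traffic" behaviour described above. A server that was down when it was last tried is handled the same way: its penalised RTT decays until it is retried.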

Re: which Name sever is selected?

2014-02-28 Thread Ben Croswell
RTT banding was removed in early versions of 9.8 due to the performance hit
being larger than any security benefit.
So it would depend what version of bind is being used in this case.
https://www.isc.org/blogs/rtt-banding-removal-from-bind-9/

It is important to note that all ns records will take some percent of the
traffic even if they are not the fastest.  This is due to bind decaying
the RTT on the ns records that were not used when it gets a successful
query from the fastest ns. That way if there is a failure on a box it can
eventually be tried again and make back into the top position.
On Feb 28, 2014 11:07 AM, Barry Margolin bar...@alum.mit.edu wrote:

 In article mailman.2368.1393596895.20661.bind-us...@lists.isc.org,
  houguanghua houguang...@hotmail.com wrote:

  If there is a list of NS records, the local name server uses the RTT (round
  trip time) algorithm to find the fastest, and queries that server.
  But I found it's not right. In the testing, the local name server doesn't
  query the fastest authority name server. Someone tells me that if the local
  name server gets the RTT to one remote server is less than 30ms, it will not
  test RTT to other remote servers, even if the RTT is much less. In other
  words, the local server will only query the first remote server with the RTT
  less than 30ms. Who would tell me the truth? Thanks! Guanghua

 I believe the RTT values are grouped into ranges, and it prefers servers
 that are in a better range. 30 ms might be in the lowest range, so
 another server can't be better.

 --
 Barry Margolin
 Arlington, MA

Re: Bind vs flood

2014-02-27 Thread Ben Croswell
I guess I am missing why anyone on the internet should be able to open
queries against your caching resolver.

Why would inbound queries be allowed to servers that are for your people
to get out?
On Feb 27, 2014 10:13 AM, Ivo i...@nic.lv wrote:

  Hi Dmitry,

 We observed that similar requests are landing on our cache resolver mostly
 from various home routers running dns server as open resolver and that also
 masquerades the original request source.
 We have a collection of ~60 domains involved and most of them are related
 to China. The problem is that attacker selects few domains and generates
 queries with random hostnames which therefore are not in the cache and
 server has to perform recursion for each query. So each query will consume
 one udp or tcp socket for at least 10 seconds because remote DNS server is
 responding slowly or is down and based on a query volume it can effectively
 overload the cache server.

 Initially we thought we could fix it with resolver-query-timeout, but
 after bind code analysis it seems that everything less than 10 seconds
 would be ignored, it would be great to mention this in the documentation.
 So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and
 recompile named, but it would be nice to understand why 10 seconds as
 minimum value were selected in the first place, see /lib/dns/resolver.c

 #define MAX_SINGLE_QUERY_TIMEOUT 9U
 #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)

 <snip>

 void
 dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
 	REQUIRE(VALID_RESOLVER(resolver));
 	if (seconds == 0)
 		seconds = DEFAULT_QUERY_TIMEOUT;
 	if (seconds > MAXIMUM_QUERY_TIMEOUT)
 		seconds = MAXIMUM_QUERY_TIMEOUT;
 	if (seconds < MINIMUM_QUERY_TIMEOUT)
 		seconds = MINIMUM_QUERY_TIMEOUT;
 	resolver->query_timeout = seconds;
 }

 We also tried to create local dummy zones for all these domains but since
 domains change frequently we started to block most active open resolvers
 and coordinate with local CERT.

 It would be nice to have some kind of rate limits for query volume of
 different hosts inside a single zone.

 Best regards,

 Ivo


 On 2/27/14 7:59 AM, Dmitry Rybin wrote:

 Over 2 weeks ago a flood began. A lot of queries:

 niqcs.www.84822258.com
 vbhea.www.84822258.com
 abpqeftuijklm.www.84822258.com
 adcbefmzidmx.www.84822258.com
 and many others.

 Bind answers with Server failure. Under high load (4 qps) normal clients
 can get SERVFAIL on a good query, or a query can take more than 2-3 seconds.

 Recursive clients via rndc status: 300-500.

 I tried to use rate-limit:
 rate-limit {
 nxdomains-per-second 10;
 errors-per-second 10;
 nodata-per-second 10;
 };
 I do not see any improvement.

 Found one way out of this situation: add the flooded zones locally.

 What can we do in this situation?
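What Ivo and Dmitry describe is a random-subdomain flood: many never-seen labels under a handful of parent names, so every query misses the cache and ties up a recursion slot while the (slow or dead) authoritative server is waited on. Before you can block the open resolvers that relay it, you need to pick the targeted parents and the loudest clients out of the query log. The following is an added example, not code from this thread or from BIND, that does that over BIND query-log lines. The log lines are constructed for the example (the four query names from Dmitry's post plus made-up ones, with RFC 5737 client addresses); the thresholds are assumptions to tune on your own traffic.

```python
# Added example: detect a random-subdomain flood in BIND query logs.
# Signature: under one parent name, almost every query carries a new,
# high-entropy leftmost label. Legitimate traffic repeats a few names.
import math
import re
from collections import defaultdict

# Matches "client IP#port: query: NAME IN TYPE" and the later
# "client IP#port (NAME): query:" / "client @0x... IP#port" variants.
LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.:a-fA-F]+)#\d+[^:]*: query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Constructed sample log: six flood queries relayed by two open resolvers,
# five ordinary queries from one client, and one non-query line.
SAMPLE_LOG = """\
27-Feb-2014 10:01:02.110 queries: info: client 192.0.2.10#53412: query: niqcs.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:01:02.113 queries: info: client 192.0.2.11#40111: query: vbhea.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:01:02.120 queries: info: client 192.0.2.10#53413: query: abpqeftuijklm.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:01:02.125 queries: info: client 192.0.2.11#40112: query: adcbefmzidmx.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:01:02.131 queries: info: client 192.0.2.10#53414: query: qzmwjryx.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:01:02.140 queries: info: client 192.0.2.11#40113: query: tkplovnsa.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:01:03.002 queries: info: client 10.0.0.5#51000: query: www.example.com IN A + (198.51.100.1)
27-Feb-2014 10:01:03.010 queries: info: client 10.0.0.5#51001: query: www.example.com IN AAAA + (198.51.100.1)
27-Feb-2014 10:01:03.300 queries: info: client 10.0.0.5#51002: query: mail.example.com IN MX + (198.51.100.1)
27-Feb-2014 10:01:03.410 queries: info: client 10.0.0.5#51003: query: www.example.com IN A + (198.51.100.1)
27-Feb-2014 10:01:03.520 queries: info: client 10.0.0.5#51004: query: mail.example.com IN A + (198.51.100.1)
27-Feb-2014 10:01:04.000 general: info: zone example.net/IN: loaded serial 2014022701
"""


def shannon_entropy(s):
    """Bits per character of a label; random labels score high, 'www' scores 0."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(text):
    """Return [(client_ip, qname, qtype)] for every query line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("qname").rstrip(".").lower(), m.group("qtype")))
    return out


def analyze(text, min_queries=5, min_unique_ratio=0.8, min_entropy=2.0):
    """Group queries by parent (qname minus its leftmost label). Flag parents
    whose children are almost all unique and high-entropy. Also return
    per-client query counts so the relaying open resolvers can be identified."""
    by_parent = defaultdict(list)
    by_client = defaultdict(int)
    for ip, qname, _qtype in parse_queries(text):
        first, _, parent = qname.partition(".")
        if parent:
            by_parent[parent].append(first)
        by_client[ip] += 1
    flagged = {}
    for parent, labels in by_parent.items():
        if len(labels) < min_queries:
            continue
        uniq = len(set(labels)) / len(labels)
        ent = sum(shannon_entropy(l) for l in labels) / len(labels)
        if uniq >= min_unique_ratio and ent >= min_entropy:
            flagged[parent] = {"queries": len(labels),
                               "unique_ratio": round(uniq, 2),
                               "mean_entropy": round(ent, 2)}
    return flagged, dict(by_client)


if __name__ == "__main__":
    flagged, clients = analyze(SAMPLE_LOG)
    for parent, stats in flagged.items():
        print("flood target:", parent, stats)
    for ip, n in sorted(clients.items(), key=lambda kv: -kv[1]):
        print("client:", ip, n)
```

On real logs, feed the flagged parents into a local stub or RPZ zone (the "add flood zones local" workaround from the thread) and hand the top clients to the CERT, as Ivo describes. The entropy threshold is what keeps hosts like `www` and `mail` out of the flagged set even when a parent is busy.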

Re: Bind vs flood

2014-02-27 Thread Ben Croswell
Ah, I see you are in a provider situation. That shows my assumption that you were in an
enclosed enterprise environment.
On Feb 27, 2014 10:57 AM, Ivo i...@nic.lv wrote:

  Ben,

 No, our server is not an open resolver,  we have a large user community
 and the problem is that users install their own wifi box like Zyxel or
 similar which may have open resolver by default.

 Ivo


Re: how to modify the cache

2014-02-14 Thread Ben Croswell
You can't modify cache.  If that was allowed you could cache poison any
domain you wanted.
On Feb 14, 2014 8:52 AM, houguanghua houguang...@hotmail.com wrote:

 Hi all,
 Bind provides rndc tools to operate the cache. But how to change a record
 in the cache? For example:
 to modify the original record "www.abc.com A IN 219.142.3.1" into
 "www.abc.com A IN 143.3.1.20".
 I just know that using rndc flush clears the cache, but don't know how
 to modify the cache.

 Who can tell me how to do it? Thanks.
 Guanghua


Re: how to modify the cache

2014-02-14 Thread Ben Croswell
What you say is true, but the OP wasn't clear in who owned the record he
wanted to override.  I assumed it was someone else's or you would just
change authoritative source that you own.
On Feb 14, 2014 10:20 AM, Barry Margolin bar...@alum.mit.edu wrote:

 In article mailman.2257.1392386898.20661.bind-us...@lists.isc.org,
  Ben Croswell ben.crosw...@gmail.com wrote:

  You can't modify cache.  If that was allowed you could cache poison any
  domain you wanted.

 poisoning refers to putting incorrect records into the cache of some
 *other* server. If you operate the server itself, you can put anything
 you want into its memory. If you want to override a particular record
 that would normally be cached, just make the server authoritative for
 that name.

 --
 Barry Margolin
 Arlington, MA

Re: I may be confused regarding sub delegated zone

2014-01-23 Thread Ben Croswell
A freshly started server with no cache will be directed to ns1 first, which
will give a referral to ns2 for the subdomain. After that it will go to ns2
directly until the NS records time out in cache.
On Jan 23, 2014 12:30 PM, Blason R blaso...@gmail.com wrote:

 Hello friends,

 I may sound like a novice but have a basic question regarding a sub-zone which
 is a delegated zone. Let's say I have zone example.com whose NS is
 ns1.example.com and then I have delegated sub-zone subdom.example.com whose NS
 record would be, say, ns2.example.com.

 So people who will be querying the A record for subdom.example.com [which
 @] will first be forwarded to ns1.example.com and then from there the NS
 record of subdom.example.com will be given?

 Or will it directly be forwarded to ns2.example.com?


Re: Delegation and Forwarding

2013-12-11 Thread Ben Croswell
The basic answer is that you use null forwarders for any domains for which you
want to turn off the global forwarders.
If you have a global forwarder and then you have bob.com with a null
forwarder, bob.com and the domains below it will follow delegation.
On Dec 11, 2013 7:10 AM, Bob McDonald bmcdonal...@gmail.com wrote:

 I'm a bit confused on the need for a blank forwarders statement inside of
 a zone statement in the named.conf file.  Given an internal zone on a
 recursive server with global forwarders, what are the situations which
 would require me to code a blank forwarders statement inside of a zone
 statement in a named.conf?  I have internal zones which 1) do not delegate
 children, 2) delegate children on the same server, and delegate children on
 different servers (and different versions of bind).  I know that delegation
 is not affected on servers without global forwarders.  The documentation
 around this is not clear (at least to me grin).

 Is there a difference if the parent is local and the child is forwarded?
  (or both forwarded but to different addresses?)

 Thanks,

 Bob



Re: Confused about a basic concept

2013-06-05 Thread Ben Croswell
Everything you listed is pretty close to accurate.
A couple points of clarification.

8) The master needs UDP/TCP 53 open to the slaves.  Before a zone transfer
can happen the slave needs to get the SOA RR from the master to see if the
serial number has changed.  This normally happens over UDP 53 (see my point
on 9).  So the slaves need to also be in the allow-query ACL on the master;
if they can't query for the SOA they can never determine the serial number
and can't transfer.
9) You should always have UDP/TCP 53 open to DNS servers.  Normal queries
happen on UDP 53, but if an answer is too large to fit in a single packet
the answer will be truncated and the TC bit will be set.  This bit tells
the client they didn't get the full answer and that they may want to try
the same query via TCP.

On your last points you are pretty much spot on with the answer but are
wondering about the mechanics. Most best practices state that you should not
have recursion and authoritative on the same DNS server. That is a should, but
not a must. What you said is the normal answer: you run DNS servers that host
zones, and you run DNS servers that serve direct client queries. The client
caching DNS servers would need to know where your authoritative servers are
via NS records or forwarding.

One big reason for the split is DNSSEC. An authoritative DNS server can't
validate DNSSEC for a query sent directly to it from a client.  There has
to be another step in between.  For instance, if I ask you if you are Bryan
and you say yes, why should I believe you?  However, if I ask a trusted
friend if you are Bryan I will believe it because there is third-party
verification.



On Wed, Jun 5, 2013 at 10:02 AM, Bryan Harris bryanlhar...@me.com wrote:

 Hi all,

 I think I may be confused about a very basic DNS concept.  Sorry if this
 has been asked before.

 1. I have a master and two slaves.
 2. The master server is the SOA for my zone.  The SOA record points to the
 master server.
 3. Each of the two slaves are authoritative for my zone.
 4. There are 2 NS records for my zone.  The first NS = slave1 and the
 second NS = slave2.
 5. The Master server is not listed in the NS records for my zone.
 6. The master does not receive any queries from the clients.
 7. The slaves receive queries from the clients.
 8. The master -> slaves relationship is via tcp/53 (notifies & zone
 transfers)
 9. The slaves -> clients relationship is via udp/53 (queries)

 Is this correct so far?  I'm being told our authoritative DNS servers
 should not receive any queries, as well as DNS slaves respond to
 queries.  These statements seem like a conflict to me, but maybe I'm
 simply confused?


 I don't see how a slave could respond to a query unless it's
 authoritative.  The only thing I can imagine is adding some more caching
 servers just for queries and have them forward+recurse to the authoritative
 slave servers (but they're not slaves themselves).  But even in that case,
 the authoritative servers would still need to respond to queries, no?
  Otherwise how would the caching servers get any answers in the first place?

 Bryan






-- 
-Ben Croswell

Re: Most specific match on PTR records

2013-02-21 Thread Ben Croswell
You need to ensure, if the resolver that is doing the forwarding also loads
the blank 10/8, that you have the smaller /24 delegated in the 10/8.
The reason being, if it loads the /8 with no /24 delegation it will ignore
the forward because it believes the /24 doesn't exist.
On Feb 21, 2013 1:21 PM, Nikita Koshikov koshi...@gmail.com wrote:

 Hello list,


 I'm trying to cut /24 network from the scope of /8 network, here is
 example:

 zone "11.2.10.in-addr.arpa" {
     type forward;
     forwarders { 192.168.1.23; 192.168.1.24; };
 };

 zone "10.in-addr.arpa" {
     type master;
     file "master/int/10.in-addr.arpa";
 };

 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
 address. But I need to forward requests for the
 10.2.11.0/24 net to other DNS servers, and the above config is not working.
 I got empty responses for the 10.2.11.0/24 net.

 This is right: (192.168.1.8 - server with bind)

 $ host -t ptr 10.1.1.1 192.168.1.8
 Using domain server:
 Name: 192.168.1.8
 Address: 192.168.1.8#53
 Aliases:
 Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)

 This is wrong:
 $ host -t ptr 10.2.11.10  192.168.1.8
 Using domain server:
 Name: 192.168.1.8
 Address: 192.168.1.8#53
 Aliases:
 Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)

 This is expected answer from the forwarded server  - 192.168.1.23
 $ host -t ptr 10.2.11.10  192.168.1.23
 Using domain server:
 Name: 192.168.1.23
 Address: 192.168.1.23#53
 Aliases:
 10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.

 Can someone help with this ?



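The fix Ben describes, written out as an added illustration (not a file Nikita or Ben posted): the 10.in-addr.arpa zone loaded on the forwarding resolver must carry a delegation for the /24, otherwise named decides 11.2.10.in-addr.arpa does not exist and never consults the "type forward" zone. The same missing delegation is the "landmine" in the May 2012 thread on a non-delegated sub-domain further down. The server names are placeholders; the forwarders 192.168.1.23 and .24 are the ones from the thread.

```zone
; Added example: 10.in-addr.arpa on the resolver that also forwards the /24.
; Every name under 10/8 gets NXDOMAIN here except the delegated 10.2.11.0/24.
$TTL 3600
$ORIGIN 10.in-addr.arpa.
@       IN  SOA  ns1.example.internal. hostmaster.example.internal. (
                 2013022101 ; serial
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; negative-cache TTL for the NXDOMAIN answers
        IN  NS   ns1.example.internal.

; Delegation for 10.2.11.0/24. Without these NS records the server believes
; the /24 does not exist and ignores the "type forward" zone for it.
; The NS targets are placeholders for the hosts behind the forwarders
; 192.168.1.23 and 192.168.1.24; they live outside this zone, so no glue
; A records are needed here.
11.2    IN  NS   ns1.dns.example.internal.
11.2    IN  NS   ns2.dns.example.internal.
```

With the delegation in place, 10.1.1.1 still returns NXDOMAIN locally while 10.2.11.x is handed to the forwarders.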

Re: What causes 'zone transfer setup failed' ?

2013-01-25 Thread Ben Croswell
A common issue is the secondary not being allowed to query the master for
the SOA of the zone. Ensure the master has an allow-query that includes the
secondary.
On Jan 25, 2013 6:06 AM, Jan-Piet Mens jpmens@gmail.com wrote:

 Hello,

 I'm seeing quite a number of messages like

 xfer-out: debug 3: client 192.168.1.2#54688 (example.com): zone
 transfer setup failed

 BIND 9.9.2P1 here, configured with:

 request-ixfr no;
 transfer-format many-answers;
 transfers-in 100;
 transfers-per-ns 100;
 max-transfer-time-in 60;

 BIND has a lot of zones to transfer; does this have something to do with
 too many TCP connections?

 FWIW, BIND is running on Centos 6.3 in an OpenVZ container.

 Regards,

 -JP

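A master-side named.conf fragment, added here to illustrate the point Ben makes in this thread and in point 8 of the June 2013 "Confused about a basic concept" thread above: a secondary first queries the master for the SOA over UDP 53 to compare serials, so the master's allow-query must admit the secondaries as well as allow-transfer. This is not configuration from either thread; all addresses and names are placeholders.

```conf
// Added example: authoritative master serving two secondaries.
// Addresses, zone name and paths are placeholders.
acl "secondaries" { 198.51.100.10; 198.51.100.11; };

options {
    directory "/var/named";
    recursion no;                        // authoritative only, no recursion
    // The default allow-query is "any". If you tighten it, the secondaries
    // must still be listed: their SOA refresh query is a normal query, and
    // when it is refused no serial comparison and no transfer ever happens.
    allow-query { secondaries; 192.0.2.0/24; };
    allow-transfer { none; };            // grant transfers per zone instead
    notify explicit;                     // notify only the also-notify list
    also-notify { 198.51.100.10; 198.51.100.11; };
};

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { secondaries; };     // AXFR/IXFR runs over TCP 53
};
```

Both UDP and TCP 53 from the secondaries must reach the master: UDP for the SOA check, TCP for the transfer itself.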

Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Ben Croswell
If you load the zone your server will believe it knows everything about the
zone and not forward anything below it.

If you load foo.com with two records, nothing but those two records will
ever resolve on that server for foo.com.

One way to make it work would be to load two zones. Vpn1.foo.com and
vpn2.foo.com each with their A records. Then you would only blackhole
things below vpn1.foo.com and vpn2.foo.com.
On Jan 17, 2013 10:09 AM, Alberto Zanon alberto.za...@edistar.com wrote:

 Hi all,

 I googled all morning without success :( I'm using Bind 9.9.1 and I'm
 a newbie to Bind. This is my goal:

 - I want to define in my dns server a zone external_partner.com, which
 is the domain of our partner who manages it with his dns public server 
 dns.external_partner.com.
 - I need to define into this zone a couple of servers (vpn_host_1.
 external_partner.com, vpn_host_2.external_partner.com) because we
 connect via vpn to our partner.
 - I want that the rest of the names, e.g. www.external_partner.com, are
 resolved forwarding the requests to the dns of our partner.

 I tried this without success:

 - in named.conf:

 zone "external_partner.com" {
     type master;
     file "master/external_partner.com.zon";
     forwarders { xxx.xxx.xxx.xxx; };
 };

 and I have recursion yes in the options.


 - in external_partner.com.zon I have only the two entries:

 $TTL 300
 @   IN  SOA dns.edistar.com. admin.dns.edistar.com. (
             2013011701  ; Serial
             300         ; Refresh
             300         ; Retry every hour
             300         ; Expire after a week
             300 )       ; Minimum ttl of 1 day

     IN  NS  dns.edistar.com.
     IN  TXT "vpn servers"

 vpn_host_1.external_partner.com.  IN  A  xxx.xxx.xxx.xxx
 vpn_host_2.external_partner.com.  IN  A  xxx.xxx.xxx.xxx


 I read about forward first option but is the opposite of my goal,
 correct?




 Thanks in advance for your responses.


  Alberto Zanon



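A named.conf fragment, added as an illustration rather than taken from any poster, that puts both of Ben's answers side by side: the null forwarder from the December 2013 "Delegation and Forwarding" thread above, which turns the global forwarder off for bob.com so that subtree follows delegation, and the narrow master zones from this thread, which publish only vpn1.foo.com and vpn2.foo.com so the rest of foo.com still reaches the partner's servers through the forwarder. Zone names, addresses and file paths are placeholders.

```conf
// Added example: recursive resolver with a global forwarder.
// Zone names, addresses and paths are placeholders.
options {
    directory "/var/named";
    recursion yes;
    allow-query { 192.0.2.0/24; };       // only our own clients may recurse
    forward only;
    forwarders { 198.51.100.53; };       // global forwarder
};

// Null forwarder: an empty forwarders list cancels the global forwarders
// for bob.com and everything below it, so named resolves this subtree by
// following NS delegation instead of asking 198.51.100.53.
zone "bob.com" {
    type forward;
    forwarders { };
};

// Loading "foo.com" as master with two records would make this server
// answer NXDOMAIN for every other foo.com name and never forward them.
// Load only the leaf names instead (each file needs its own SOA and NS);
// www.foo.com and the rest still go to the global forwarder, and only
// names below vpn1/vpn2.foo.com are blackholed.
zone "vpn1.foo.com" {
    type master;
    file "master/vpn1.foo.com.zone";
};

zone "vpn2.foo.com" {
    type master;
    file "master/vpn2.foo.com.zone";
};
```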

Re: MNAME not a listed NS record

2013-01-16 Thread Ben Croswell
There is no issue with a configuration like this. It is the very definition
of a stealth master and is a very common configuration. Any DDNS updates
will continue to reach the stealth master via the mname and no resolvers
will find the master via NS records so it won't be queried.
On Jan 16, 2013 3:42 PM, Dave Warren li...@hireahit.com wrote:

 Is there anything technically wrong with having a SOA MNAME field that
 isn't listed as a NS record?

 The server listed as MNAME will host the zone and is authoritative for the
 zone, but out of latency concerns it isn't ideal to have other resolvers
 querying this server.

 Various online DNS diagnostic tools throw warnings, but as far as I can
 tell from the RFCs, this is a valid configuration. Is it valid? Are there
 any operational gotchas to be aware of or can I ignore the warnings?

 --
 Dave Warren
 http://www.hireahit.com/
 http://ca.linkedin.com/in/davejwarren



Re: Name resolution fails if not forwarding

2013-01-08 Thread Ben Croswell
My first thought would be lack of firewall rules and connectivity to the
Internet.
On Jan 8, 2013 9:35 AM, Daniele d.imbrog...@gmail.com wrote:

 If I use BIND9 forwarding all the queries not belonging to my local zones,
 it works.

 But if I don't forward those queries, `dig` sometimes (and this is weird)
 fails (with connection timed out; no servers could be reached) and the
 logs are full of lame server, FORMERR.

 Why?



Re: Bind not forwarding all requests

2012-12-07 Thread Ben Croswell
It is probably related to forward first versus forward only. Forward first
is default but will fall back to no forwarding if the forwarders fail.
On Dec 7, 2012 12:06 PM, Romgo ro...@free.fr wrote:

 Hello,

 I am currently running two bind9 servers on Debian Squeeze
 (1:9.7.3.dfsg-1~squeeze8).

 Server 1 is an internal DNS server and serves some local zones. This server
 should forward all unknown requests to our public DNS server. So I
 configured this server as follows in
 /etc/bind/named.conf.options:

     forward only;
     forwarders {
         ip_server_2;
     };


 The second server is allowed to do DNS request on the internet, so there
 is no forwarder configured.

 The issue is that I see on my firewall that server1 is trying to do DNS
 requests on DNS ROOT server.

 Any idea why I do have this issue ? wrong configuration ?

 Regards,





RE: Performance tuning

2012-11-26 Thread Ben Croswell
I did digs to both names from my work DNS infrastructure.  The response was
58ms to resolve the WWW entry and 44ms for the non WWW entry. Would not
appear to be a resolution related slow down.
-Ben Croswell
On Nov 26, 2012 1:25 PM, Lightner, Jeff jlight...@water.com wrote:

   For question 1:

 “Loading” is a function of the web site, not DNS.  Your first question
 could have to do with what the default site is in your web configuration and
 what kind of rewrite rules are getting you to the other.


 If it were me I’d probably do some timed “host” or “dig” commands for the
 two records to verify name resolution itself wasn’t a problem.   


 I guess it MIGHT be minutely slower to resolve www if it is a CNAME to
 the other as opposed to both being A records.   However, since this is a
 fairly common practice I doubt it is likely to be of major importance in
 overall timing.


 *From:* bind-users-bounces+jlightner=water@lists.isc.org [mailto:
 bind-users-bounces+jlightner=water@lists.isc.org] *On Behalf Of *Adamiec,
 Lawrence
 *Sent:* Monday, November 26, 2012 1:13 PM
 *To:* bind-users@lists.isc.org
 *Subject:* Re: Performance tuning


 To the best of my knowledge, there are no problems with our DNS.  We only
 host 25 domains.


 The report must also address these two specific questions:


1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in
any browser?
2. What happens if we remove the forwarders option from named.conf?

  I can't duplicate the issue in Q1 and I'm trying to determine a way of
 testing Q2.


 Larry


 On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton do...@dougbarton.us wrote:
 

 What a delightfully vague requirement. :)

 I would push back a bit on exactly what problems are attempted to be
 solved here. The BIND defaults are about as efficient as they can be,
 especially so in later versions.

 Doug


 On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
  Hi,
 
  I have been tasked with authoring a DNS report to achieve optimal
  performance.  The report must include:
 
  CPU usage
  memory usage
  bandwidth usage
  throughput
  latency
 
  I have found some information regarding the number of queries processed
  per minute but nothing of value for the above areas.
 
  Is there some documentation that discusses the above areas?
 
  We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server.  My
  report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1
 
  Thank you in advance.
 
  Larry
 
  Lawrence Adamiec
  UNIX Mgr
  IIT Chicago-Kent College of Law







Re: forwarder is ignored when authoritative zone is added

2012-10-26 Thread Ben Croswell
The one thing I can think of off the top of my head is to ensure the child
subdomain is properly delegated in the parent. If you try to zone level
forward a child domain on a server that loads the parent it will ignore the
forward if  it can see the child doesn't exist as a true delegation.
I assume the logic is, why would I forward a subdomain I know doesn't exist.

-Ben Croswell
On Oct 26, 2012 2:17 AM, Frank Even lists+isc@elitists.org wrote:

 I've recently had an issue that I'm having some issues finding
 information on solving.

 I have internal DNS resolvers...they act as recursive name servers for
 general internet queries, but we have forwarders explicitly defined
 for specific internal zones being served by other name servers.

 My configuration has one particular zone configured as such:

 zone "internal.organization.com" IN {
     type forward;
     forward only;
     forwarders { 172.x.x.x; 172.x.x.x; };
 };

 I have our main zone, organization.com, hosted in an external area
 outside of a firewall with a wildcard record contained in it for
 anything that is not explicitly defined.  I have some services that I
 need to reach using names that are in this external zone internally.
 What I'm trying to do is to slave the organization.com zone to my
 internal recursive resolver to mitigate any possible network issues.

 So I setup the internal resolver as a slave for the organization.com
 zone and found that queries against internal.organization.com were
 getting answered with the wildcard for the external organization.com
 zone.  I can't seem to figure out why the forwarders are getting
 ignored.  Is it an order of precedence, say authoritative zones are
 respected over forwarders...or something else??

 Thanks for any assistance anyone can provide, or point me to some
 documentation I'm missing,
 Frank


Re: forwarder is ignored when authoritative zone is added

2012-10-26 Thread Ben Croswell
The thing that brings me back to a delegation issue is the statement of
slaving an external version of the second-level domain to the internal DNS
server. I know if I was splitting a domain I would not put internal-only
delegations external.

-Ben Croswell
On Oct 26, 2012 7:23 AM, Sten Carlsen st...@s-carlsen.dk wrote:


 On 26/10/12 12:56, Ben Croswell wrote:

 The one thing I can think of off the top of my head is to ensure the child
 subdomain is properly delegated in the parent. If you try to zone level
 forward a child domain on a server that loads the parent it will ignore the
 forward if  it can see the child doesn't exist as a true delegation.
 I assume the logic is, why would I forward a subdomain I know doesn't
 exist.

 I should think that internal.org... is properly delegated, so the forward
 will not be concerned about a subdomain, only about the domain that is
 actually forwarded. internal.org... will then be looked up in the normal
 recursive way, so another forward statement might solve this issue.

 -Ben Croswell
 On Oct 26, 2012 2:17 AM, Frank Even lists+isc@elitists.org wrote:

 I've recently had an issue that I'm having some issues finding
 information on solving.

 I have internal DNS resolvers...they act as recursive name servers for
 general internet queries, but we have forwarders explicitly defined
 for specific internal zones being served by other name servers.

 My configuration has one particular zone configured as such:

 zone "internal.organization.com" IN {
     type forward;
     forward only;
     forwarders { 172.x.x.x; 172.x.x.x; };
 };

 I have our main zone, organization.com, hosted in an external area
 outside of a firewall with a wildcard record contained in it for
 anything that is not explicitly defined.  I have some services that I
 need to reach using names that are in this external zone internally.
 What I'm trying to do is to slave the organization.com zone to my
 internal recursive resolver to mitigate any possible network issues.

 So I setup the internal resolver as a slave for the organization.com
 zone and found that queries against internal.organization.com were
 getting answered with the wildcard for the external organization.com
 zone.  I can't seem to figure out why the forwarders are getting
 ignored.  Is it an order of precedence, say authoritative zones are
 respected over forwarders...or something else??

 Thanks for any assistance anyone can provide, or point me to some
 documentation I'm missing,
 Frank





 --
 Best regards

 Sten Carlsen

 No improvements come from shouting:
MALE BOVINE MANURE!!!




Re: global forwarders - current BIND9 behaviour documentation

2012-07-25 Thread Ben Croswell
All forwarders in the list will be tried at least some. Every time the fastest
forwarder responds, the SRTT of the remaining forwarders is decayed.
Eventually they will be lower and get tried. If they are slower than the
original fastest, their SRTT goes back up and the original will be used again.
It's the method for retrying a forwarder after it was set high due to a
timeout etc.

-Ben Croswell
On Jul 25, 2012 2:36 PM, ip admin ipm...@googlemail.com wrote:

 Hi,

 anybody there who can provide a definitive answer on the current BIND 9.7
 (or higher) global forwarder behaviour?

 I did find the following info before on using multiple forwarders:

 https://lists.isc.org/pipermail/bind-users/2007-September/067830.html

 My expectation based on that is that the fastest responding forwarder will
 basically always be used until a timeout may occur, i.e. when specifying
 three forwarders one will be the preferred one based on SRTT and the others
 are only used if the preferred one goes down.

 First of all when doing 'rndc dumpdb -all' I cannot find my forwarders' IP
 addresses in the named_dump.db at all as explained in the posting above
 (BIND 9.7.3-P3 on Linux), so I cannot verify the SRTTs. 'rndc stats' /
 named.stats does not show any info on the forwarders as well.

 Also by doing a tcpdump I can see that all three forwarders I have
 specified are constantly used. However it is not a real round-robin but
 roughly a 3:2:1 ratio instead (i.e. one receives approx 3 times the number
 of queries compared to the third one, the other one receives 2 times the
 number of queries compared to the 3rd one). In fact the 3:2:1 distribution
 reflects the response time I can manually determine by running dig against
 all forwarders - the one which responds quickest gets the most queries and
 the one which is slowest gets the fewest queries.

 My server receives quite a few queries (approx 10.000 within a minute).
 Any idea if the DNS server will send every 10th query or so to the slower
 forwarders?

 I also tried to set the logging level to debug 10 for category resolver
 but no luck at all in finding out which forwarder is used (and why).

 So . . . if somebody could explain what the current behaviour is supposed
 to be that would be helpful.

 Regards
  Tom




Re: How does a child find its parent?

2012-05-08 Thread Ben Croswell
The child doesn't know its parent and goes up to the root like any other
server would.

-Ben Croswell
On May 8, 2012 2:13 PM, Mike Bernhardt bernha...@bart.gov wrote:

 Reading the section on delegation in the O'Reilly book, I'm confused about
 something: The parent is configured to delegate the subdomain to the child
 with glue records, etc. But how does the child know who to ask if a host in
 the subdomain requests a record in the parent zone? They don't show any
 configuration example for that other than making the child a slave for the
 parent zone.



RE: How does a child find its parent?

2012-05-08 Thread Ben Croswell
Another option would be zone level forwarding on the child to point at the
parent or stub zones.

-Ben Croswell
On May 8, 2012 3:59 PM, Mike Bernhardt bernha...@bart.gov wrote:

  In this case, the root only knows the external public server, not the
 internal parent who is doing the delegating. So it would seem that slaving
 the internal parent is the only solution for resolving hosts in the
 internal parent domain, correct?

  --

 *From:* Ben Croswell [mailto:ben.crosw...@gmail.com]
 *Sent:* Tuesday, May 08, 2012 12:21 PM
 *To:* Mike Bernhardt
 *Cc:* bind-users@lists.isc.org
 *Subject:* Re: How does a child find its parent?


 The child doesn't know its parent and goes up to the root like any other
 server would.

 -Ben Croswell 

 On May 8, 2012 2:13 PM, Mike Bernhardt bernha...@bart.gov wrote:

 Reading the section on delegation in the O'Reilly book, I'm confused about
 something: The parent is configured to delegate the subdomain to the child
 with glue records, etc. But how does the child know who to ask if a host in
 the subdomain requests a record in the parent zone? They don't show any
 configuration example for that other than making the child a slave for the
 parent zone.



Re: Why does a non-delegated sub-domain work?

2012-05-07 Thread Ben Croswell
You are getting lucky that they are on the same server: when asked
about anything in the subdomain, the server notices that it loads it and answers
for it. It is however a landmine waiting for someone in the future.  If
you move the subdomain to another server without fixing the delegation the
subdomain will disappear.

-Ben Croswell
On May 7, 2012 1:08 PM, M. Meadows sun-g...@live.com wrote:


 So ... if we have

 exacttarget.com delegated to ns1 and ns2.exacttarget.com nameservers

 and ... we manage the s6.exacttarget.com zone file from ns1 and
 ns2.exacttarget.com

 but we don't delegate s6 in the exacttarget.com zone file ... forgot to
 enter it in the zone file ...

 how is it that s6.exacttarget.com and its contents resolve properly from
 everywhere?

 Seems BIND is helping us out behind the scenes somehow. Right?

 Confused.

 Thanks,
 Marty





Re: new here

2012-05-02 Thread Ben Croswell
Allow-transfer is not the same as forwarding.

Are they wanting to secondary from you?

If so you need to ensure they can do queries against your master for the
zones so they can request soa to check the serial number.

Also it appears they are trying to xfer the cidr block with a different
name than you are loading it as.
You load 104.16.98.in-addr.arpa. they are transferring
104-22.16.98.in-addr.arpa.
-Ben Croswell
On May 2, 2012 1:18 PM, David dmilho...@wletc.com wrote:

 Hello All,
  I am new here but have been watching the list for a while.
 I run a small WISP and we have just moved to a new carrier.
 They have provided us with a CIDR IPv4 block of /22 and a /23.
 I am trying to get my reverse DNS working correctly but they will not point
 their servers to my authoritative servers to tell these blocks where to
 find
 their reverse. They told me to place forwards in my servers which I have
 done.

 FYI: I am running Bind 9 latest stable on my systems not sure what the
 carrier is running.

 Here is what they show on their logs:

 01-May-2012 09:07:30.868 transfer of '104-22.16.98.in-addr.arpa/IN' from
 98.16.104.14#53: connected using 207.91.5.70#40513
 01-May-2012 09:07:30.971 transfer of '104-22.16.98.in-addr.arpa/IN' from
 98.16.104.14#53: failed while receiving responses: NOTAUTH
 01-May-2012 09:07:30.971 transfer of '104-22.16.98.in-addr.arpa/IN' from
 98.16.104.14#53: end of transfer

 Here is what My logs show:

  02-May-2012 15:28:29.979 security: client 162.40.117.250#6483: query
 (cache) '104-22.16.98.in-addr.arpa/SOA/IN' denied
 02-May-2012 15:28:30.133 xfer-out: client 162.40.117.250#43378: bad zone
 transfer request: '104-22.16.98.in-addr.arpa/IN': non-authoritative zone
 (NOTAUTH)

 Here is what the named.conf zone looks like

 zone "104.16.98.in-addr.arpa" {
 type master;
 file "/var/named/98.16.104.rev";
 allow-transfer {
 166.102.165.15;
 162.39.164.14;
 207.91.5.70;
 162.40.117.250;
 };
 };
 I placed the forwarders to allow transfer on this zone but I think the
 zone name is no good.

 Thanks
 Dave



Re: How to influence forwarder selection BIND 9.7.3

2012-04-23 Thread Ben Croswell
A certain percentage of queries will always go to all of the forwarders
listed.

If you have servers A B and C and A is the fastest SRTT, whenever A answers
the SRTT for B and C will be decremented by a small percentage. Eventually
they will be lower than A and get used. The likely result is that they will
be higher and it will go back to A.

This method is needed to ensure that a server that gets a high SRTT due to
being down is eventually used and gets back to its normal SRTT.
On Apr 23, 2012 8:20 AM, antti-jussi.korjo...@nokia.com wrote:

  Hello

 I have this kind of forwarders configuration. 192.168.100.1 has 3ms RTT,
 192.168.200.1 has 150ms RTT.

 options {
 forwarders {
 192.168.100.1;
 192.168.200.1;
 };
 };

 Usually all queries go to 192.168.100.1 but occasionally it experiences
 high load which obviously has an effect on SRTT.
 This causes 12% of the queries to be forwarded to 192.168.200.1.

 I want 192.168.200.1 to be used only when 192.168.100.1 is down or is
 experiencing really high latency.

 I tried adding 192.168.100.1 multiple times in the forwarders section but
 it didn't help.

 Is there any way around this?
 Any way to manually tweak SRTT per server?

 Regards,
 Antti-Jussi Korjonen

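Added example, not code from the thread or from BIND: a small Python model of the selection rule Ben describes, run against the 3 ms / 150 ms pair from the question and against a forwarder that never answers. The decay rate, smoothing weight and timeout penalty are assumed constants chosen to make the effect visible, not values taken from named.

```python
"""Simplified model of SRTT-driven server selection: the lowest-SRTT server
is used, and every server that was not used has its SRTT decayed a little,
so it is eventually retried. Added example; constants are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional

DECAY = 0.98               # assumed: unused servers' SRTT shrinks 2% per query
TIMEOUT_PENALTY = 10000.0  # assumed: SRTT (ms) given to a server that did not answer
ALPHA = 0.3                # assumed: weight of the newest sample in the average


@dataclass
class Forwarder:
    name: str
    srtt: float = 0.0      # untried servers start at 0, so each is tried once


class Selector:
    """Always send to the server with the lowest SRTT, then decay the others."""

    def __init__(self, names: List[str]):
        self.servers = [Forwarder(n) for n in names]

    def pick(self) -> Forwarder:
        return min(self.servers, key=lambda s: s.srtt)   # ties: first in list

    def record(self, chosen: Forwarder, rtt_ms: Optional[float]) -> None:
        if rtt_ms is None:                  # no answer: park it at a high SRTT
            chosen.srtt = TIMEOUT_PENALTY
        else:                               # smoothed round-trip time
            chosen.srtt = (1 - ALPHA) * chosen.srtt + ALPHA * rtt_ms
        for other in self.servers:          # everyone else creeps back toward use
            if other is not chosen:
                other.srtt *= DECAY


def simulate(latency_ms: Dict[str, Optional[float]], queries: int) -> Dict[str, int]:
    """Run `queries` queries where each server always answers with its fixed
    latency (None = never answers); return how many queries each one got."""
    sel = Selector(list(latency_ms))
    counts = {name: 0 for name in latency_ms}
    for _ in range(queries):
        chosen = sel.pick()
        sel.record(chosen, latency_ms[chosen.name])
        counts[chosen.name] += 1
    return counts


if __name__ == "__main__":
    # The situation from the question: a 3 ms forwarder beside a 150 ms one.
    # A handful of queries still reach the slow one after its SRTT decays.
    print(simulate({"fast": 3.0, "slow": 150.0}, 1000))
    # Why the decay exists: a forwarder that is down is retried every few
    # hundred queries instead of being abandoned for good.
    print(simulate({"fast": 3.0, "down": None}, 1000))
```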

Re: new here

2012-04-22 Thread Ben Croswell
You set a listen-on that does not include 127.0.0.1.
On Apr 22, 2012 11:08 PM, David Milholen dmilho...@wletc.com wrote:

  I am a Wisp admin and I have just configured a couple of new Bind9
 servers.
 They will resolve using dig google.com @9x.1xx.104.14
 I am having some trouble getting them to answer themselves on 127.0.0.1
 for example:

 [root@ns4 named]# dig google.com @127.0.0.1 +trace

 ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> google.com @127.0.0.1 +trace
 ;; global options:  printcmd
 ;; connection timed out; no servers could be reached
 [root@ns4 named]#

 Here is my config:
 //
 // named.conf for Red Hat caching-nameserver
 //
 controls {
 inet 127.0.0.1 allow { localhost; } keys { rndckey; rndc-key; };
 };

 options {
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 /*
  * If there is a firewall between you and nameservers you want
  * to talk to, you might need to uncomment the query-source
  * directive below.  Previous versions of BIND always asked
  * questions using port 53, but BIND 8.1 uses an unprivileged
  * port by default.
  */
  // query-source address * port 53;
 version "Surely you must be joking";
 notify yes;
 allow-recursion {
 127.0.0.1;
 9x.1xx.104.0/22;
 9x.1xx.108.0/23;
 };
 allow-transfer { 9x.1xx.104.22; };
 listen-on {
 9x.1xx.104.14;
 };
 };
 //
 logging {
 channel my_syslog {
 syslog kern;
 severity debug;
 };
 channel my_file {
 file "/var/named/chroot/var/named/log.msgs";
 severity dynamic;
 print-category yes;
 };
 category unmatched {
 null;
 };
 category queries {
 my_file;
 };
 category lame-servers {
 null;
 };
 category general {
 default_syslog;
 };
 };

 // a caching only nameserver config
 //

 zone "." IN {
 type hint;
 file "root.servers";
 };

 zone "104.1xx.9x.in-addr.arpa" {
 type master;
 file "/var/named/9x.1xx.104.rev";
 allow-transfer {
 9x.1xx.104.22;
 };
 };
 zone "0.0.127.in-addr.arpa" {
 type master;
 file "/var/named/127.0.0.rev";
 };
 zone "localdomain" {
 type master;
 file "/var/named/localdomain.hosts";
 };
 zone "localhost" {
 type master;
 file "/var/named/localhost.hosts";
 };
 key "rndc-key" {
 algorithm hmac-md5;
 secret "wh6DFiuNGJHzHwvNTy8JEA==";
 };

 Here is my resolv.conf :
 nameserver 127.0.0.1
 nameserver 9x.1xx.104.14

 Not sure what I broke but it seems to work on some of my older servers.
 Thanks for any help.

 --

 David Milholen
 Project Engineer
 P:501-318-1300


RE: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Ben Croswell
This is incorrect. It is illegal to have a cname and any other record on
the same name in dns. The ns and soa count as records.
 On Apr 16, 2012 9:41 AM, Matthew Huff mh...@ox.com wrote:

 Actually, this can be done.

 Create a zone file for www.google.com, not google.com. The zone file
 should look like this (replace THIS_HOSTNAME with the name of your nameserver):


 @   IN  SOA localhost   root.localhost. (
                 2012041100
                 7200
                 1800
                 1209600
                 300 )

     IN NS    THIS_HOSTNAME

     IN CNAME nosslsearch.google.com.




 
 Matthew Huff | 1 Manhattanville Rd
 Director of Operations   | Purchase, NY 10577
 OTA Management LLC   | Phone: 914-460-4039
 aim: matthewbhuff| Fax:   914-460-4139

  -Original Message-
  From: bind-users-bounces+mhuff=ox@lists.isc.org [mailto:bind-users-
  bounces+mhuff=ox@lists.isc.org] On Behalf Of Lyle Giese
  Sent: Monday, April 16, 2012 8:50 AM
  To: bind-users@lists.isc.org
  Subject: Re: Configuring CNAME for nosslsearch.google.com
 
  On 4/16/2012 3:30 AM, Phil Mayers wrote:
   On 04/15/2012 11:40 PM, Tobias Krais wrote:
   Hi Ben,
  
   hmm. How can I manage what google suggests:
   Information for school network administrators about the No-SSL
   option
  
   To utilize the no SSL option for your network, configure the DNS
   entry for www.google.com to be a CNAME for nosslsearch.google.com.
    Source:
  
   http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=186669.
  
   You can find this quite at the end of the document.
  
   How can I realize such a configuration in bind?
  
    As you've been told, you can't. CNAMEs can't live at the zone apex, so
    you can't put a CNAME at the zone apex of www.google.com. And if you create
    google.com as a zone, all other hostnames will be blackholed,
    including nosslsearch.google.com.
  
   I don't know why Google have made that suggestion; it's a bad
   suggestion, that's not supported by many nameservers.
  
   I personally think it's a bad idea to try and disable SSL search for
   your users too, but that's your decision.
  
    unbound might be able to do this, with a transparent local-zone and
    local-data override for www.google.com.
 
  Or did they really mean, create a hosts file on the local machine that
  contains...
 
  Or in your proxy server redirect www.google.com to
  nosslsearch.google.com
 
  DNS server software is not very supportive of doing this for good
  reasons.
 
  Lyle Giese
  LCR Computer Services, Inc.
 

Re: Configuring CNAME for nosslsearch.google.com

2012-04-15 Thread Ben Croswell
What you are asking for can't be done.
If you load the google.com zone everything you don't load in the zone will
be black holed and not resolve.
If you try to load WWW.Google.com you will not be able to make WWW a cname
due to the no cname and other data rule.
 On Apr 15, 2012 5:39 PM, Tobias Krais tux-s...@design-to-use.de wrote:

 Hi together,

 I am a newbie to bind and wasted hours to create my first bind
 configuration. My target is simply creating a configuration with a CNAME
 for www.google.com to nosslsearch.google.com.

 First: I use Ubuntu Precise Pangolin with bind 9.8.1. I have a
 transparent proxy (Dansguardian + Squid) that I use for just this lonely
 computer.

 Now I read that I have to create a zone for google.com. Others said that
 it is OK to create a zone for www.google.com. But as far as I understand
 this won't be a great solution.

 Can you help me to create a zone for google.com that does only one
 thing: a CNAME for www.google.com to nosslsearch.google.com. It would be
 best, if all IP-addresses for other google.com subdomains like
 docs.google.com or even nosslsearch.google.com are taken from the
 normal nameserver, e.g. 8.8.8.8.

 Can anyone help me to create my /etc/bind/db.google.com file?

 Greetings,

 Tobias

Re: TC Flag

2012-04-10 Thread Ben Croswell
The TC flag is set when the response is larger than your max udp packet
size. 512 bytes with no edns0 and up to 4096 bytes with edns0 fully
functioning.
On Apr 10, 2012 9:55 AM, rams brames...@gmail.com wrote:

 When do I get the TC flag for a UDP query?

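Added example, not from the thread: plain-Python packet code showing the two limits Ben names, with `build_query` appending an EDNS0 OPT record that advertises the UDP buffer size and `is_truncated` reading the TC bit that a resolver must honour by repeating the query over TCP. The query builder and the truncated reply are constructed here rather than captured from a server; `example.com` is just a sample name.

```python
"""Where the 512-byte and EDNS0 limits live in the wire format, and how a
truncated answer is recognised. Added example using only the standard
library; all packets below are constructed, not captured."""
import struct
from typing import Optional

TYPE_OPT = 41
FLAG_QR, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0200, 0x0100, 0x0080


def _encode_name(name: str) -> bytes:
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234,
                edns_udp_size: Optional[int] = 4096) -> bytes:
    """Standard recursive query. With edns_udp_size an OPT record (RFC 6891)
    advertising that UDP buffer size is appended; without it the responder
    must assume the classic 512-byte maximum."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += _encode_name(qname) + struct.pack("!HH", qtype, 1)   # QTYPE, IN
    if edns_udp_size:
        # OPT RR: root owner name, TYPE 41, CLASS field carries the UDP payload
        # size, TTL field carries extended RCODE/version/flags (zero), no RDATA
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past the name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> int:
    """UDP payload size from the message's OPT record, or 512 when absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return 512


def is_truncated(msg: bytes) -> bool:
    """True when the TC bit is set: the answer exceeded the UDP limit and
    the client should repeat the query over TCP."""
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def truncated_reply(query: bytes) -> bytes:
    """Constructed reply of a server whose answer did not fit: same ID and
    question, QR and TC set, no answer records."""
    txid, flags, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    q_end = 12
    for _ in range(qd):
        q_end = _skip_name(query, q_end) + 4
    header = struct.pack("!HHHHHH", txid,
                         flags | FLAG_QR | FLAG_TC | FLAG_RA, qd, 0, 0, 0)
    return header + query[12:q_end]


if __name__ == "__main__":
    plain = build_query("example.com", edns_udp_size=None)
    print(advertised_udp_size(plain), is_truncated(plain))           # 512 False
    edns = build_query("example.com")
    print(advertised_udp_size(edns), is_truncated(truncated_reply(edns)))  # 4096 True
```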

Re: external view recursion issue

2012-03-16 Thread Ben Croswell
If you are authoritative for a cname that points to an A elsewhere, your
server will resolve the cname and leave it to the client dns server to go
get the A from the server that hosts it.
On Mar 16, 2012 10:14 AM, Samantha Steers sam.fait...@gmail.com wrote:

 Hi,

 I am getting prepped to migrate dns from one service to in-house servers.
 While going through the zone file to ensure I got everything, I found that
 we have CNAME in our domain pointing to a CNAME in another domain that is
 pointing to the A record in the other domain:

 host record.ourdomain.com
 record.ourdomain.com is an alias for record.client.otherdomain.com.
 record.client.otherdomain.com is an alias for otherhost.otherdomain.com.
 otherhost.otherdomain.com has address x.x.x.x

 To duplicate this exactly on our servers, it appears that I have to enable
 recursion but the provider said that they are not doing that. I get the
 feeling that I am not going to get the information from them on how they
 are accomplishing this without recursion.

 Right now I have replaced the CNAME with an A record pointing to the IP
 directly and am getting the proper results, but feel that this leaves me
 having to watch for changes that the otherdomain.com administrator might
 make.

 Am I missing something else that I can do to replicate? A separate
 external view?

 Thanks.


RE:

2012-03-13 Thread Ben Croswell
If you do not delegate the subdomains with NS records you are not fully
delegating the subdomain.
It will work fine in the short term, but you are setting up a landmine for
someone to step on later.
If you decide to move that subdomain to other dns servers later it will
disappear without the NS records.

The best practice is to always put the NS records and not leave it to
chance.
On Mar 13, 2012 9:43 AM, hugo hugoo hugo...@hotmail.com wrote:

  Thanks for the feedback.
 Is this a glue record? I do not have any IP defined in the NS record.

 What is the flow of a request to a subzone?
 Is the content of the zone checked before checking the subzone?


   Date: Tue, 13 Mar 2012 08:26:02 -0500
  Subject: Re:
  From: dan.mcdon...@austinenergy.com
  To: hugo...@hotmail.com; bind-users@lists.isc.org
 
 
 
 
  On 3/13/12 8:20 AM, hugo hugoo hugo...@hotmail.com wrote:
 
   == do I have to create in zone toto.be the following NS record:
  
   titi.toto.be. TTL IN NS ns1.xxx.be
  
  
    I have found cases where this situation is present and others where it
  is not present... and both cases seem to work.
    What is the difference?
 
  The glue records aren't necessary when both the zone and subzone are on
 the
  same server, although it is good to have them for completeness. When the
  zones are on different servers you need the glue records.
 
 
 
  --
  Daniel J McDonald, CCIE # 2495, CISSP # 78281
 


Re: log for one domain

2012-03-11 Thread Ben Croswell
We rip the logs apart and put them into a database with a web front end. We
watch for 6 months then remove ones with no traffic.
On Mar 11, 2012 6:12 PM, hugo hugoo hugo...@hotmail.com wrote:

  Dear all,

 Is it possible to log queries to a specific domain?
 I have a domain configured in my system but I do not know if it is used and
 by whom.

 I want to avoid a lot of logs, hence the reason for my question: only have a
 query log for a specific domain.

 Thanks in advance for any help.

 Hugo,


Re: zone update to slave

2012-01-11 Thread Ben Croswell
You can freeze thaw or use nsupdate to dynamically add the static entries.

rndc freeze
Edit zone
rndc thaw

You will lose any ddns updates during the freeze.

-Ben Croswell
On Jan 11, 2012 3:52 PM, Dan Letkeman danletke...@gmail.com wrote:

 Ah, I did not know that.  So then my scenario must be somewhat common.
  Yes I update this reverse zone dynamically via dhcp, but I also have
 some static devices in the same range that I want to manually enter,
 hence the manual entry on the master.  So what is the best practice
 for adding a static entry to a dynamically updated zone?

 On Wed, Jan 11, 2012 at 2:51 AM, Matus UHLAR - fantomas
 uh...@fantomas.sk wrote:
  On 10.01.12 15:06, Dan Letkeman wrote:
 
   It seems as if these types of records get transferred:
 
  9   PTR gvc-busdrivers.wks-gvc.domain.com.
 
  But these do not:
 
  24.184.16.172.in-addr.arpa. IN  PTR
 str-r7500.gvc.domain.com.
 
   If I delete the journal file on the slave server and up the serial
   number on the master I get the same results.  The first type of record
   is updated dynamically and the second type of record is added
   manually.
 
 
   afaik a zone can be updated only statically or only dynamically, not both.
  Apparently your master does not know that you have added something
 manually,
  because it only writes the zone file, it does not read it.
  --
  Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
  Warning: I wish NOT to receive e-mail advertising to this address.
  Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
  (R)etry, (A)bort, (C)ancer

Re: forwarding @ to a different domain?

2012-01-08 Thread Ben Croswell
You can't cname mydomain.com to anything because it has, at the minimum, ns
and soa records.

-Ben Croswell
On Jan 8, 2012 1:11 PM, Jukka Pakkanen jukka.pakka...@qnet.fi wrote:


 www in cname mydomain.myshopify.com.
 mydomain.com. in cname mydomain.myshopify.com.

 Is this what you are looking for?


 On 8.1.2012 17:48, enigmedia wrote:

 Hi All: I have a situation where I need to forward requests for mydomain.com
 and www.mydomain.com to a third party: mydomain.myshopify.com (while still
 pointing other things like MX records elsewhere).

 I realize I can point a CNAME for WWW to mydomain.myshopify.com, but how do
 I point mydomain.com to this third party if there is no A record to point to?

 TIA


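Added example, not from either thread: a Python check for the rule cited in this reply and in the nosslsearch.google.com thread above, which parses a minimal zone file into the record types present at each owner name and lists every name that carries a CNAME beside other data. Both zones are constructed for illustration, one modelled on the www.google.com zone file posted earlier (with a placeholder NS) and one on the apex CNAME proposed here.

```python
"""Flag owner names that hold a CNAME together with other records, the
RFC 1034 rule behind both replies: SOA and NS at the apex count as data,
so an apex can never be a CNAME. Added example; zone texts are constructed."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

CLASSES = {"IN", "CH", "HS"}

# Modelled on the www.google.com zone posted in the nosslsearch thread;
# ns.example. stands in for the poster's THIS_HOSTNAME placeholder.
ZONE_WWW_GOOGLE = """
@   IN  SOA localhost   root.localhost. (
            2012041100 7200 1800 1209600 300 )
    IN NS    ns.example.
    IN CNAME nosslsearch.google.com.
"""

# Modelled on the apex CNAME proposed for mydomain.com in this thread.
ZONE_MYDOMAIN = """
$TTL 3600
$ORIGIN mydomain.com.
@       IN SOA   ns1 hostmaster ( 2012010801 7200 1800 1209600 300 )
        IN NS    ns1
        IN MX 10 mail
        IN CNAME mydomain.myshopify.com.   ; illegal: SOA, NS and MX live here
www     IN CNAME mydomain.myshopify.com.   ; fine: nothing else at www
mail    IN A     192.0.2.10
ns1     IN A     192.0.2.53
"""


def _logical_lines(text: str) -> List[str]:
    """Strip ';' comments and join records continued inside ( ... )."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return out


def record_types(zone_text: str, origin: str) -> Dict[str, Set[str]]:
    """Map each owner name (absolute, lower-case) to the RR types found there.
    Handles @, $ORIGIN, relative names, omitted owners and numeric TTLs."""
    origin = origin.rstrip(".").lower() + "."
    owner = origin
    types: Dict[str, Set[str]] = defaultdict(set)
    for line in _logical_lines(zone_text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].rstrip(".").lower() + "."
            continue
        if tokens[0].startswith("$"):           # $TTL and other directives
            continue
        if not line[0].isspace():               # owner name given on this line
            name = tokens.pop(0).lower()
            if name == "@":
                owner = origin
            elif name.endswith("."):
                owner = name
            else:
                owner = f"{name}.{origin}"
        # an optional TTL and an optional class precede the type
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)
        types[owner].add(tokens[0].upper())
    return dict(types)


def cname_conflicts(types: Dict[str, Set[str]]) -> List[Tuple[str, List[str]]]:
    """Names where a CNAME coexists with other data, with the offending types."""
    return sorted((name, sorted(t - {"CNAME"}))
                  for name, t in types.items() if "CNAME" in t and len(t) > 1)


if __name__ == "__main__":
    print(cname_conflicts(record_types(ZONE_WWW_GOOGLE, "www.google.com")))
    print(cname_conflicts(record_types(ZONE_MYDOMAIN, "mydomain.com")))
```

Both runs report only the apex: www.mydomain.com with nothing but its CNAME passes, which is why the www alias in the thread is fine and the apex alias is not.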

Re: Problem at loading advert in Squid 2.7 3.1

2011-12-26 Thread Ben Croswell
Not sure how this is a BIND related issue.

-Ben Croswell
On Dec 26, 2011 11:55 AM, feralert feral...@gmail.com wrote:

 Dear all,

 Squid is not loading an advert in a web page frame which loads fine
 when using a direct connection to the internet.
 The versions used are 2.7.STABLE9-2.1 and 3.1.6-1.2 (both in a Debian
 squeeze with default configuration).

 The url the frame tries to load is:

 http://frame.cool.com/ad-frame/#ad_wrap=ad-1&ad_url=http://ad.doubleclick.net/adj/site011.opus/home;Slot=Leaderboard;Pos=Top;Page=home;LoggedIn=No;tile=1;sz=728x90;ad_timestamp=13249166700149


 In squids log file I only see a line for 'http://frame.cool.com/ad-frame/
 ':

 1324916528.019   5405 192.168.5.237 TCP_REFRESH_MISS/200 445 GET
 http://frame.cool.com/ad-frame/ - DIRECT/67.228.247.179 text/html

 But no sight of a 'http://ad.doubleclick.net/adj/site011.opus/home'
  request.


 If I load the page in my computer (with a direct connection to the
 internet) and watch http traffic with the http fox firefox
 extension, I can see both requests.


 Any help would be highly appreciated.

 Cheers!
 Fred.


 UNIX is very simple, it just needs a genius to understand its simplicity.
 -- Dennis Ritchie, D.E.P.

Re: New problem with lame-server after Dist-Upgrade

2011-12-24 Thread Ben Croswell
Did the BIND version change with the OS upgrade?

-Ben Croswell
On Dec 24, 2011 6:38 PM, Michelle Konzack linux4miche...@tamay-dogan.net
wrote:

 Hello *,

 my Intranet NameServer (my DNS-Master) was running Debian Lenny/5.0 and
 is now upgraded to Debian Squeeze/6.0 and yet I get very huge named.log
 files per day, because:

 [ '/var/log/named.log' ]
 Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
 RCODE REFUSED) resolving 'www.erdbeerlounge.de//IN': 78.47.247.21#53
 Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
 RCODE REFUSED) resolving 'www.erdbeerlounge.de/A/IN': 78.47.247.21#53

Re: What does this mean ? INSIST(zone-type == dns_zone_stub) failed

2011-12-08 Thread Ben Croswell
I don't see the desired outcome of making them both master and then trying
to have one transfer from the other.
Have one be master and one be slave from the master. No reason to alter
code and query responses will be the same to your clients.

-Ben Croswell
On Dec 8, 2011 8:57 PM, 蔡火胜 hx...@packetscout.com wrote:

 I use a modified version of BIND 9.7.1-p2. I installed it on two
 machines (MachineA and MachineB). They both host the same zone in master
 mode.
 And in the modified code, one machine would refresh (using
 dns_zone_refresh) its zone data from the other in order to get the same
 data.

 This time, MachineA has a serial number 85 for the zone and MachineB has
 a serial number of 83. MachineA is running.
 When I start MachineB, it calls dns_zone_refresh and later runs into the
 callback function refresh_callback. In that function, it runs into the
 lines which start from the label tcp_transfer:, which requires the zone
 type to be dns_zone_slave or dns_zone_stub, but this time the zone type is
 dns_zone_master, so assert error. It runs into the tcp_transfer: code
 because of a lower serial number (83 vs 85, that's another problem for
 myself).

 Above is the cause of the crash. It seems nothing to do with the original
 BIND code. But I have some questions. Should I do a transfer of a zone
 between two servers which both host that zone as MASTER type? And, if
 they have the same serial number, then the call of dns_zone_refresh has no
 effect, right? Then, it means I misused dns_zone_transfer, is that right?


 On 2011-12-08 23:28, Evan Hunt wrote:

 Congratulations, it means you've found the successor of CVE-2011-4313 :-}

 Any details on the triggering event? Was it a zone transfer?

 On the off chance that the crash was in fact remotely triggered (in
 which case this would indeed be a security concern), please *don't* send
 details of the triggering event to an open mailing list.  Instead, gather
 up the information detailed in this article:

 https://deepthought.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html

 ...and send mail to bind9-b...@isc.org.  Thanks.


Re: Zone Transfer Query

2011-12-05 Thread Ben Croswell
I would imagine the IP you are trying to transfer on is not in the allow-query
acl of the master. You have to be in it to do SOA queries to the master.

-Ben Croswell
On Dec 5, 2011 7:34 AM, Gaurav Kansal gaurav.kan...@nic.in wrote:

 Dear All,

 I have a master DNS on IPv4 AND slave DNS on IPv6.
 I also have an IPv4 address on slave (But only IPv6 address is entered in
 NS). Now I am trying to transfer my zone from master to slave through the
 IPv4 address.

 But it is giving me an error "failed while receiving responses: REFUSED".

 So, is the error because I am trying to transfer a zone on a
 different IP which is not Authoritative for that zone, or because of
 something else?

 Thanks and Regards,
 Gaurav Kansal
 9910118448

 ** **


Re: Switching from forwarding to recursion

2011-11-01 Thread Ben Croswell
If you have a global forwarder in place there are two options that affect
its use. Forward first, the default, and forward only.
Forward first will exhaust the forwarders you have and then attempt to
follow NS records. Forward only will only use forwarders.

The delay you are seeing is likely the delay in exhausting the forwarders
before attempting the roots.

-Ben Croswell
On Nov 1, 2011 9:23 AM, Will Lists listsw...@gmail.com wrote:

 We recently tried a test to see how our internal servers would react to a
 loss of their external peers, with the goal being that the internal servers
 would switch from forwarding to doing recursive queries for clients.
  Normally, the internal servers forward to the external servers.  To
 simulate the loss of the external servers, we pushed a new firewall rule
 that blocked port 53 to the external servers from the internal servers.
  That did seem to cause the internal servers to start using the root
 servers in a recursive manner.

 We did see that some recursive queries were answered, eventually, though
 usually much, much slower than if the request had been forwarded as normal
 to the external servers.  We saw traffic (lots of traffic) going across the
 firewall to the roots as well as multiple domain specific name servers, so
 that flow path is working as best as I can tell.  All servers are running
 BIND 9.7.4.

 The issue we saw was that the queries would time out more often than not
 and on the off chance they did get an answer back to the requesting client,
 it was very slow after several retries.

 Am I missing something in the named.conf file?  Is there something
 specific I should be looking for in the syslog or daemon.log?


 The relevant portion of the named.conf file for the INTERNAL view is below:


 forwarders { NS2; NS1; };
 forward first;
 allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
 recursion yes;

 // zone: . [hint]
 include ...;


 The hints DB file is current as of the version of BIND in use (2011060800).


 Thanks.

 -Will



Re: Switching from forwarding to recursion

2011-11-01 Thread Ben Croswell
If a given forwarder is bad it gets its round trip time (RTT) set high
and will not be used until that comes back down via the normal RTT decay
mechanism in BIND. I have not tested the behaviour when all are down. My
assumption would be that if all are down they will all have to be tried
before going to NS or there is no way of knowing when the forwarders are
back.

In your case if you have a limited number of servers a quick removal of the
forwarders may be the quickest way to restore service.

-Ben Croswell
On Nov 1, 2011 10:03 AM, Will Lists listsw...@gmail.com wrote:

 Ben,

 I seem to recall reading at some point in the past that after X amount of
 time, BIND would stop trying to contact servers it figured to be dead (at
 least it would stop trying for some amount of time).  Is that in fact the
 case and would it eventually come into play here?  Any configurable options
 here, if this behavior does exist?

 It almost seems like the best way to handle this scenario, in the event of
 a real failure of one or more external servers that typically act as
 forwarders, would be to quickly modify the configuration internally to just
 stop forwarding.  Thoughts?

 Thanks.


 -Will


 On Tue, Nov 1, 2011 at 8:54 AM, Ben Croswell ben.crosw...@gmail.comwrote:

 If you have a global forwarder in place there are two options that affect
 its use. Forward first, the default, and forward only.
 Forward first will exhaust the forwarders you have and then attempt to
 follow NS records. Forward only will only use forwarders.

 The delay you are seeing is likely the delay in exhausting the forwarders
 before attempting the roots.

 -Ben Croswell
 On Nov 1, 2011 9:23 AM, Will Lists listsw...@gmail.com wrote:

 We recently tried a test to see how our internal servers would react to
 a loss of their external peers, with the goal being that the internal
 servers would switch from forwarding to doing recursive queries for
 clients.  Normally, the internal servers forward to the external servers.
  To simulate the loss of the external servers, we pushed a new firewall
 rule that blocked port 53 to the external servers from the internal
 servers.  That did seem to cause the internal servers to start using the
 root servers in a recursive manner.

 We did see that some recursive queries were answered, eventually, though
 usually much, much slower than if the request had been forwarded as normal
 to the external servers.  We saw traffic (lots of traffic) going across the
 firewall to the roots as well as multiple domain specific name servers, so
 that flow path is working as best as I can tell.  All servers are running
 BIND 9.7.4.

 The issue we saw was that the queries would time out more often than not
 and on the off chance they did get an answer back to the requesting client,
 it was very slow after several retries.

 Am I missing something in the named.conf file?  Is there something
 specific I should be looking for in the syslog or daemon.log?


 The relevant portion of the named.conf file for the INTERNAL view is
 below:


 forwarders { NS2; NS1; };
 forward first;
 allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
 recursion yes;

 // zone: . [hint]
 include ...;


 The hints DB file is current as of the version of BIND in use
 (2011060800).


 Thanks.

 -Will






Re: what's a valid domain name?

2011-10-31 Thread Ben Croswell
Actually a . is not part of a host name. It separates all the parts of
FQDN. If you put one in a host name you have an undelegated subdomain as I
stated before.

-Ben Croswell
On Oct 31, 2011 6:59 AM, Kristen Eisenberg kristen.eisenb...@yahoo.com
wrote:

 Ben Croswell writes:

  In that case technically you are creating undelegated subdomains for each
  router.
  The dot is a delimiter and can't be part of a hostname.
 

 I was thinking you are wrong.
 Period is somewhat permitted in a hostname.

 Kristen Eisenberg



Re: CNAME or A record?

2011-09-28 Thread Ben Croswell
Either is fine. Using the CNAME would require a single update if your IP
changes, but it prevents other records at the same level. So you couldn't
attach an MX, for instance, at example.com and www.example.com if you wanted to.

Neither is wrong and both have pros and cons.

-Ben Croswell
On Sep 28, 2011 10:43 AM, feralert feral...@gmail.com wrote:
 Thanks Jeff,

 But I really only wrote that as an example :) . The real question is
 what is best or what is recommended, two A RR (one for domain, one for
 www) or a single A RR for domain and a CNAME RR for www, is one way
 better than the other or can I choose either way?

 Cheers!,
 Fred.



 On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff jlight...@water.com
wrote:
 If you set your SOA properly to use @ (which means this zone) your A
records should be:

 domain.com. A   1.1.1.1
 www A   1.1.1.1

 The SOA should append the domain.com to every record not terminated by
a dot so that www is read as www.domain.com.  Similarly you put a dot at
the end of domain.com A record to prevent it from being appended and read as
domain.com.domain.com.





 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:
bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of feralert
 Sent: Wednesday, September 28, 2011 10:20 AM
 To: bind-us...@isc.org
 Subject: CNAME or A record?

 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com   A1.1.1.1
 www.domain.com   A1.1.1.1

 OR

 domain.com   A1.1.1.1
 www.domain.com   CNAME  domain.com


 Any help appreciated.


 Thanks,
 Fred

Re: CNAME or A record?

2011-09-28 Thread Ben Croswell
That makes no sense.

If he didn't have a dns entry for both sites, how does the user get to site
without the dns entry to be rewritten by Apache?

-Ben Croswell
On Sep 28, 2011 10:52 AM, 风河 short...@gmail.com wrote:
 This is the sort of thing that should be done by the webserver rather than by
 DNS, i.e. Apache rewrite will do that.
 On 2011-9-28 at 10:29 PM, feralert feral...@gmail.com wrote:
 Hi all,

 I'm sure this has been asked trillions of times but since I couldn't
 find any concrete answer/reference in google I am asking you guys in
 this list. Sorry if anyone thinks this a dumb question or something
 very obvious.

 The thing is that i want users redirected to 'www.domain.com' even
 when they just type the domain name 'domain.com'.
 In order to do so I am not sure if its best to have one A RR for each
 or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
 for 'www.domain.com'.


 domain.com A 1.1.1.1
 www.domain.com A 1.1.1.1

 OR

 domain.com A 1.1.1.1
 www.domain.com CNAME domain.com


 Any help appreciated.


 Thanks,
 Fred

Re: servfail are not cached!

2011-09-27 Thread Ben Croswell
Actually he said the DNS protocol allows for it and ISC had been considering
adding it.

-Ben Croswell
On Sep 27, 2011 11:38 AM, Issam Harrathi issam...@gmail.com wrote:
 As I test it, it's not cached at all, and you say here it's cached for 30
 seconds?!
 I'm using 9.7.2-P3.

 2011/9/27 Evan Hunt e...@isc.org

  I discover that servfail are not cached. is it normal?

 Yes, that's normal.

 Temporary negative caching of SERVFAIL responses for a limited period (up
 to 30 seconds, if I recall correctly) is permitted by the DNS protocol,
 and we've discussed implementing it in BIND9, but haven't had time yet.

 --
 Evan Hunt -- e...@isc.org
 Internet Systems Consortium, Inc.


Re: bind weighted round robin not working

2011-07-16 Thread Ben Croswell
That doesn't work with recent versions. BIND discards the duplicates.

-Ben Croswell
On Jul 16, 2011 4:28 PM, d...@cornholio.nl wrote:
 Hi,

 I’ve got a problem getting weighted round robin DNS to work. What I need is
 IP address 1 getting twice the hits of IP address 2, however making multiple
 entries of IP address 1 in my zonefile (according to
 https://lists.isc.org/mailman/htdig/bind-users/2007-April/066196.html ) does
 not seem to help. See below for my troubleshooting configuration and
 testing, can anyone tell what’s going wrong ?

 root@Kiwi:/var/named]# cat /etc/named.conf
 //
 // named.conf
 //
 // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
 // server as a caching only nameserver (as a localhost DNS resolver only).
 //
 // See /usr/share/doc/bind*/sample/ for example named configuration files.
 //

 options {
         listen-on port 53 { 127.0.0.1; };
         listen-on-v6 port 53 { ::1; };
         directory       "/var/named";
         dump-file       "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         allow-query     { localhost; };
         recursion yes;

         dnssec-enable yes;
         dnssec-validation yes;
         dnssec-lookaside auto;

         /* Path to ISC DLV key */
         bindkeys-file "/etc/named.iscdlv.key";

         managed-keys-directory "/var/named/dynamic";
 };

 logging {
         channel default_debug {
                 file "data/named.run";
                 severity dynamic;
         };
 };

 zone "." IN {
         type hint;
         file "named.ca";
 };

 zone "test.nl" {
         type master;
         file "test.nl.hosts";
 };

 include "/etc/named.rfc1912.zones";
 include "/etc/named.root.key";

 root@Kiwi:/var/named]# cat /var/named/test.nl.hosts
 $TTL 3600
 test.nl.    IN  SOA localhost. dns.cornholio.nl. (
                 2011061406
                 1800
                 14400
                 604800
                 3600 )
 test.nl.    NS  localhost.
 test.nl.    A   80.57.38.19
 test2   IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   1.1.1.1
         IN  A   2.2.2.2

 root@Kiwi:/var/named]# nslookup test2.test.nl
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   test2.test.nl
 Address: 1.1.1.1
 Name:   test2.test.nl
 Address: 2.2.2.2

 root@Kiwi:/var/named]# nslookup test2.test.nl
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   test2.test.nl
 Address: 2.2.2.2
 Name:   test2.test.nl
 Address: 1.1.1.1

 root@Kiwi:/var/named]# nslookup test2.test.nl
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   test2.test.nl
 Address: 1.1.1.1
 Name:   test2.test.nl
 Address: 2.2.2.2

 root@Kiwi:/var/named]# nslookup test2.test.nl
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   test2.test.nl
 Address: 2.2.2.2
 Name:   test2.test.nl
 Address: 1.1.1.1

 root@Kiwi:/var/named]# nslookup test2.test.nl
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   test2.test.nl
 Address: 1.1.1.1
 Name:   test2.test.nl
 Address: 2.2.2.2

 root@Kiwi:/var/named]# nslookup test2.test.nl
 Server: 127.0.0.1
 Address:127.0.0.1#53

 Name:   test2.test.nl
 Address: 2.2.2.2
 Name:   test2.test.nl
 Address: 1.1.1.1

 Regards,

 Marc

Re: monitoring BIND

2011-07-13 Thread Ben Croswell
Nagios is a very move tool for synthetic transaction monitoring. You put in
whatever hosts and host names to resolve and it does it.

-Ben Croswell
On Jul 13, 2011 11:01 AM, Karl Auer ka...@biplane.com.au wrote:
 We have some nameservers :-) that are used by quite a few thousands of
 people. Every now and then someone comes to us and complains that the
 DNS is responding slowly. Sometimes they are right, and we find the
 problem and fix it. But most of the time everything runs fine, and the
 DNS is not, in fact, responding slowly when that someone comes to
 complain. It turns out to be their PC, or a local network issue, or
 whatever.

 So we have a homegrown system in place that watches the traffic to and
 from the nameservers, matches queries to answers, ignores everything
 else, and notes how long it was between the question going past and the
 answer going past in the opposite direction. It writes summarised
 information second by second into a database so we can see exactly when
 problems with response times happen, how long they happen for, and how
 bad they are when they happen.

 Our system has two faults (well, two that we are actually concerned
 about): It only watches UDP, and it can't deal with fragmented packets.

 So I was wondering if there is a better solution out there?

 Regards, K.

 --
 ~~~
 Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h)
 http://www.biplane.com.au/kauer/ +61-428-957160 (mob)

 GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
 Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
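
Karl's approach (pair every query seen on the wire with its answer and record the gap) can be sketched in a few lines. The block below is an added example written for this page; it is not Karl's tool and not ISC code. It works on a constructed list of already-decoded packet summaries; turning a live capture into those summaries, and reassembling fragmented UDP or TCP streams first, is the part Karl describes as the hard bit and is left to a capture library here. The matching key includes the client address and port, not just the transaction ID, because the ID alone repeats across clients.

```python
"""Pair DNS queries with their answers on the wire and summarise latency per second.

Added example for this thread; it is not Karl's tool and not ISC code.  Input is
a list of already-decoded packet summaries.  Producing those from a live capture,
and reassembling fragmented UDP or TCP streams first, is left to a capture
library; this example only shows the matching and bucketing step.
"""
from collections import defaultdict
from statistics import median

# Constructed packet summaries, not captured traffic:
# (timestamp, src_ip, src_port, dst_ip, dst_port, dns_txid, is_response)
SAMPLE_PACKETS = [
    (100.000, "10.0.0.5", 51000, "192.0.2.53", 53, 0x1A2B, False),
    (100.004, "192.0.2.53", 53, "10.0.0.5", 51000, 0x1A2B, True),   # answered in 4 ms
    (100.100, "10.0.0.6", 40123, "192.0.2.53", 53, 0x0007, False),
    (100.250, "10.0.0.7", 40555, "192.0.2.53", 53, 0x0007, False),  # same txid, other client
    (100.262, "192.0.2.53", 53, "10.0.0.7", 40555, 0x0007, True),   # 12 ms
    (101.300, "192.0.2.53", 53, "10.0.0.6", 40123, 0x0007, True),   # 1.2 s: the slow one
    (101.500, "10.0.0.8", 40999, "192.0.2.53", 53, 0x9999, False),  # never answered
    (102.000, "192.0.2.53", 53, "10.0.0.9", 41000, 0x5555, True),   # answer with no query seen
]


def match_queries(packets, timeout=5.0):
    """Pair each response with the query it answers.

    The key is (client ip, client port, server ip, txid): the txid alone is not
    unique across clients, as the two 0x0007 queries above show.  Returns
    (latencies, unanswered, orphans): latencies is a list of (query_ts, seconds);
    unanswered are queries with no reply inside `timeout`; orphans are responses
    that matched nothing (a late reply, or a query the capture missed).
    """
    pending = {}
    latencies, orphans = [], []
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts, src, sport, dst, dport, txid, is_resp = pkt
        if not is_resp:
            pending[(src, sport, dst, txid)] = pkt
            continue
        query = pending.get((dst, dport, src, txid))   # response mirrors the query's addresses
        if query is None or ts - query[0] > timeout:
            orphans.append(pkt)
            continue
        del pending[(dst, dport, src, txid)]
        latencies.append((query[0], ts - query[0]))
    return latencies, list(pending.values()), orphans


def per_second_summary(latencies):
    """Bucket by the second the query was seen; report count, median and max in ms."""
    buckets = defaultdict(list)
    for query_ts, seconds in latencies:
        buckets[int(query_ts)].append(seconds * 1000.0)
    return {
        sec: {"count": len(v), "median_ms": round(median(v), 3), "max_ms": round(max(v), 3)}
        for sec, v in sorted(buckets.items())
    }


if __name__ == "__main__":
    lat, unanswered, orphans = match_queries(SAMPLE_PACKETS)
    for sec, row in per_second_summary(lat).items():
        print(f"t={sec}s  n={row['count']}  median={row['median_ms']}ms  max={row['max_ms']}ms")
    print(f"unanswered queries: {len(unanswered)}, orphan responses: {len(orphans)}")
```

The unanswered and orphan lists are worth keeping alongside the latency numbers: a burst of unanswered queries is the server-side symptom, while orphans usually mean the capture point missed the query (or the reply arrived after the client gave up).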

Re: Strange behaviour resolving CNAME's via a forwarder.

2011-04-20 Thread Ben Croswell
I believe your original issue is due to the fact that you are sending a
recursive query via the forwarder to a device you said won't do recursive
queries. The CNAME you are asking for is not in the domain hosted by the
second server. Since it won't do recursive queries it won't resolve the end
point of the CNAME chain.
If you specifically ask for the CNAME first, it caches the CNAME and then
further queries don't go to the second box and your first box just resolves
the end of the chain.

-Ben Croswell
On Apr 20, 2011 7:23 AM, Adam Goodall adam.good...@gmail.com wrote:
 On 20 April 2011 10:42, Chris Buxton chris.p.bux...@gmail.com wrote:

 On Apr 20, 2011, at 2:19 AM, Adam Goodall wrote:

 However if a client queries server A for mail.testdomain.com (type any)
 the request is not answered. From the logs on server B i can see that
server
 A is only forwarding on a request of type A. As an A record for
 mail.testdomain.com does not exist on server B it does not resolve.

 If i then specifically query Server A for mail.testdomain.com of type
 CNAME, it resolves as expected. Subsequent requests against server A for
 mail.testdomain.com of type any then resolve, presumably because it is
 already in the cache.

 Hopefully that makes sense! Has anyone had a similar issue and did you
come
 up with a work around? Is this expected behaviour or a bug?


 This is an excellent example of why you should not forward to an
auth-only
 server. Use a stub zone instead. You might need to give it an empty
 forwarders list, to override forwarding set in either the options or view
 statements.

 For example:

  zone "testdomain.com" {
  type stub;
  masters { 192.168.1.1; };
  forwarders { };
  };

 Try it, you'll like it.


 Chris

 This certainly seems to have solved the problem. I'm not convinced I
 understand why it didn't work the way I was trying but this is a perfectly
 acceptable alternative - thanks for your help!

 Adam

Re: multiple IP address in Address Record in BIND

2011-04-17 Thread Ben Croswell
In the bind 8 days people would put the same address multiple times and then
other addresses as well to weight the responses.

-Ben Croswell
On Apr 17, 2011 2:45 PM, Eivind Olsen eiv...@aminor.no wrote:
 Hi,
   we have an internal domain called sva.com and the address record for this
  sva.com is pointed to many IP addresses. When I do nslookup, I am getting
  the below output. I would like to enable the same configuration in bind.
   Let us know how this can be achieved.
  #nslookup sva.com
  Name:   sva.com
  Addresses:  10.10.10.10, 10.10.10.10, 10.10.10.10, 10.10.10.10, 10.10.10.10

 You would like it to point to the same IP-address many times? Why?

 Regards
 Eivind Olsen



Re: dns RR method is not equal balanced?

2011-03-29 Thread Ben Croswell
First and foremost you shouldn't be running any version of BIND 8. That is
way out of date and open to a lot of exploits.

That being said if by some
-Ben Croswell
On Mar 29, 2011 4:55 AM, Kay ch...@daumcorp.com wrote:
 Dear my friends.

 I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains.

 In my case ;
 some domain has 12 IPs but traffic of the server is not equal.
 The traffic of 11 IPs is same and just 1 IP is higher than others.

 Today, I moved the dns that is not equal to GSLB(F5) and set
 address-return 2(Maximum Addresses Returned).
 And then, it's disappeared, equal traffic incoming completely.

 Is there some kind of bugs in bind that I use?
 or any idea?

 Thanks.

Re: dns RR method is not equal balanced?

2011-03-29 Thread Ben Croswell
I apologize for the cut off reply. I accidentally hit send before I was
complete.

If by some domains have 12 IPs you mean a 12 A record round robin, then it
is important to remember that BIND doesn't have any way of telling the load on
the 12 servers. So it's load sharing not load balancing.
The F5 is load balancing so you would see a more even load across the 12
servers.

-Ben Croswell
On Mar 29, 2011 4:55 AM, Kay ch...@daumcorp.com wrote:
 Dear my friends.

 I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains.

 In my case ;
 some domain has 12 IPs but traffic of the server is not equal.
 The traffic of 11 IPs is same and just 1 IP is higher than others.

 Today, I moved the dns that is not equal to GSLB(F5) and set
 address-return 2(Maximum Addresses Returned).
 And then, it's disappeared, equal traffic incoming completely.

 Is there some kind of bugs in bind that I use?
 or any idea?

 Thanks.

Re: RE: what's a valid domain name?

2011-01-31 Thread Ben Croswell
In that case technically you are creating undelegated subdomains for each
router.
The dot is a delimiter and can't be part of a hostname.

-Ben Croswell
On Jan 31, 2011 11:19 AM, Vyto Grigaliunas v...@fnal.gov wrote:

Re: what's a valid domain name?

2011-01-31 Thread Ben Croswell
The rfc you quote clearly states when used as a delimiter of a domain as I
stated.

-Ben Croswell
On Jan 31, 2011 8:58 PM, p...@mail.nsbeta.info wrote:
 Ben Croswell writes:

 In that case technically you are creating undelegated subdomains for each
 router.
 The dot is a delimiter and can't be part of a hostname.


 I was thinking you are wrong.
 Period is somewhat permitted in a hostname.

 From RFC 952

 A name (Net, Host, Gateway, or Domain name) is a text string up
 to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
 sign (-), and period (.). Note that periods are only allowed when
 they serve to delimit components of domain style names.

 No blank or space characters are permitted as part of a
 name. No distinction is made between upper and lower case. The first
 character must be an alpha character [Relaxed in RFC 1123] . The
 last character must not be a minus sign or period.


 regards.
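
The RFC 952 text quoted above (periods "only allowed when they serve to delimit components"), as relaxed by RFC 1123, reduces to a handful of label rules, and the same rules explain Ben's "undelegated subdomain" point in both "what's a valid domain name?" threads on this page. The block below is an added example written for this page, not BIND code: it validates hostnames label by label and shows what a dotted "hostname" actually creates when it is put into a zone. BIND's own check-names option applies the same rules to the owner names of A, AAAA and MX records and to the names in NS, MX and SRV rdata, among others.

```python
"""Hostname syntax per RFC 952 as relaxed by RFC 1123, and what a dot inside a
'hostname' really does to the DNS tree.

Added example for this thread, not BIND code.  The rules applied: a name is
dot-separated labels; each label is 1-63 octets of letters, digits and hyphen,
not starting or ending with a hyphen (RFC 1123 lets it start with a digit); the
whole name fits in 253 octets.  The dot itself is never part of a label, so a
dotted name put in a zone silently creates intermediate names (undelegated
subdomains) below the zone origin.
"""
import re

_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname_label(label):
    """One label: letters, digits, hyphen; no leading/trailing hyphen; 1-63 octets."""
    return bool(_LABEL.match(label))


def valid_hostname(name):
    """Whole hostname (trailing dot optional): every label valid, total <= 253 octets."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(valid_hostname_label(label) for label in name.split("."))


def implied_subdomains(relative_name, origin):
    """What 'relative_name' becomes inside zone 'origin'.

    Returns (fqdn, implied) where implied lists the intermediate names the dots
    create, e.g. 'rtr1.bldg2' in example.com. yields rtr1.bldg2.example.com. and
    makes bldg2.example.com. an undelegated subdomain.
    """
    origin = origin.rstrip(".") + "."
    labels = relative_name.rstrip(".").split(".")
    fqdn = ".".join(labels) + "." + origin
    implied = [".".join(labels[i:]) + "." + origin for i in range(1, len(labels))]
    return fqdn, implied


if __name__ == "__main__":
    for candidate in ("mail.example.com", "3com.example.com", "-bad.example.com",
                      "under_score.example.com", "a" * 64 + ".example.com"):
        print(f"{candidate:32} valid={valid_hostname(candidate)}")
    fqdn, implied = implied_subdomains("rtr1.bldg2", "example.com")
    print(f"{fqdn} implies undelegated subdomain(s): {implied}")
```

Note that the validator accepts names containing dots; it simply treats each dot as a label boundary, which is the sense in which both RFC 952 and the thread allow them.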

Re: cache server with authoritative answer

2011-01-30 Thread Ben Croswell
That is no longer the case.  It doesn't respond authoritative on the first
query.

-Ben Croswell
On Jan 30, 2011 10:01 AM, Kevin Oberman ober...@es.net wrote:
 On Sat, 2011-01-29 at 14:49 +0800, p...@mail.nsbeta.info wrote:
 The book Pro DNS and BIND says:

 If the caching server obtains its data directly from an authoritative DNS,
 then it too will respond as authoritative. Otherwise, if the data is
 supplied from its cache, the response is nonauthoritative.

 So this means even for a cache only server it can answer with an authoritative
 response? I have been thinking the cache only server shouldn't do this.

 Regards.
 Regards.

 If the caching-only server does not have an answer to a query in its
 cache and recurses and gets an authoritative response, it, too, will set
 the AA bit. If it gets another query for the name that is now cached,
 the AA bit will not be set. Further, if any host responding to a query
 already has the information in cache, the AA bit will not be set.

 In simple terms, if the response to a query comes directly from
 information at an authoritative source, the AA bit is set.

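
Whichever way a given resolver behaves on a cache miss, the fact is recorded in one place: the AA bit of the DNS header flags, which dig prints as "aa" in its flags line. The block below is an added example written for this page, not BIND or dig code. It decodes the 12-byte header so the bit can be checked on any captured message; the two sample messages are built by hand for illustration, not captured from a server.

```python
"""Decode the 12-byte DNS header and say whether an answer is authoritative.

Added example for this thread, not BIND or dig code.  Whatever a particular
resolver does on a cache miss, the fact is recorded in one place: the AA bit
(bit 10 of the flags word, RFC 1035 section 4.1.1), which dig prints as 'aa'
in its flags line.  The two messages below are built by hand, not captured.
"""
import struct


def parse_header(msg):
    """Return the header fields of a DNS message as a dict."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),      # 1 = response, 0 = query
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),      # authoritative answer
        "tc": bool(flags & 0x0200),      # truncated
        "rd": bool(flags & 0x0100),      # recursion desired (copied from the query)
        "ra": bool(flags & 0x0080),      # recursion available
        "rcode": flags & 0xF,
        "qdcount": qdcount, "ancount": ancount, "nscount": nscount, "arcount": arcount,
    }


def flag_string(header):
    """Render the flag bits the way dig prints them, e.g. 'qr aa rd ra'."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if header[f])


def describe(msg):
    """One-line classification of a message based on QR and AA."""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["aa"]:
        return "authoritative answer"
    return "non-authoritative answer (served from cache or relayed by a forwarder)"


def build_header(txid, *, qr=True, aa=False, rd=True, ra=True, rcode=0, qdcount=1, ancount=1):
    """Build a header with the given flags; used only to construct the samples."""
    flags = ((0x8000 if qr else 0) | (0x0400 if aa else 0) | (0x0100 if rd else 0)
             | (0x0080 if ra else 0) | (rcode & 0xF))
    return struct.pack("!6H", txid, flags, qdcount, ancount, 0, 0)


# Constructed samples: the same question answered from authoritative data and from cache.
FRESH_FROM_AUTH = build_header(0xBEEF, aa=True)
FROM_CACHE = build_header(0xBEEF, aa=False)

if __name__ == "__main__":
    for label, msg in (("fresh", FRESH_FROM_AUTH), ("cached", FROM_CACHE)):
        h = parse_header(msg)
        print(f"{label:7} id=0x{h['id']:04x} flags: {flag_string(h)}  -> {describe(msg)}")
```

Feeding parse_header() the payload of a captured UDP datagram (after the IP/UDP headers) is enough to settle the "does my cache set AA" question for a specific BIND version empirically rather than from a book.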

Re: Master server offline

2010-05-06 Thread Ben Croswell
Actually speaking without thinking is bad.
It's the expire timer in the SOA not the refresh.



On Thu, May 6, 2010 at 10:37 PM, Dave Filchak sub...@zuka.net wrote:

  Our master server machine had a drive failure and looks like it will be
 offline for some time. Somewhere in the back of my mind, I thought I
 remembered that something bad can happen to the dns resolution for your
 zones if the master is offline for too long. Is there anything to this or am
 I just dreaming? As long as the secondary can answer request, we should be
 ok?

 Cheers,

 Dave

-- 
-Ben Croswell

Re: Master server offline

2010-05-06 Thread Ben Croswell
If your secondaries can't reach the primary for the period of time you have
in your SOAs for refresh the secondaries will stop answering.

-- 
-Ben Croswell

On Thu, May 6, 2010 at 10:37 PM, Dave Filchak sub...@zuka.net wrote:

  Our master server machine had a drive failure and looks like it will be
 offline for some time. Somewhere in the back of my mind, I thought I
 remembered that something bad can happen to the dns resolution for your
 zones if the master is offline for too long. Is there anything to this or am
 I just dreaming? As long as the secondary can answer request, we should be
 ok?

 Cheers,

 Dave

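
As Ben's correction says, the timer that matters for Dave's question is expire, not refresh: a secondary keeps answering until the SOA expire interval has elapsed since its last successful contact with the primary (a refresh check that succeeded or a zone transfer), and refresh/retry only govern how often it keeps trying in between. The block below is an added example written for this page, not BIND code. It parses SOA rdata, works out when the secondaries will go dark, and applies the timer sanity checks from RFC 1912 section 2.2; the SOA values and timestamps are constructed for illustration.

```python
"""When do secondaries stop serving a zone whose primary has gone away?

Added example for this thread, not BIND code.  A secondary keeps answering
until the SOA 'expire' interval has elapsed since its last successful contact
with the primary (an SOA refresh check that succeeded, or a zone transfer);
'refresh' and 'retry' only set how often it keeps trying in the meantime.  The
SOA rdata, last-refresh time and 'now' below are constructed for illustration.
"""
from datetime import datetime, timedelta


def parse_soa(rdata):
    """Parse SOA rdata text: 'mname rname serial refresh retry expire minimum'."""
    f = rdata.split()
    if len(f) != 7:
        raise ValueError("SOA rdata must have seven fields")
    return {"mname": f[0], "rname": f[1], "serial": int(f[2]), "refresh": int(f[3]),
            "retry": int(f[4]), "expire": int(f[5]), "minimum": int(f[6])}


def soa_sanity(soa):
    """Timer checks drawn from RFC 1912 section 2.2 and from how the timers interact."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire must exceed refresh+retry or the zone can expire before one retry")
    if soa["expire"] < 14 * 86400:
        problems.append("expire below the 2 to 4 week range RFC 1912 recommends")
    return problems


def outage_status(soa, last_refresh_ok, now):
    """Return (still_serving, deadline, remaining) for one secondary.

    last_refresh_ok: when the secondary last succeeded against the primary.
    """
    deadline = last_refresh_ok + timedelta(seconds=soa["expire"])
    remaining = deadline - now
    return remaining.total_seconds() > 0, deadline, remaining


# Constructed inputs modelled on the thread: one-week expire, primary lost on a Thursday night.
SAMPLE_SOA = parse_soa("ns1.example.net. hostmaster.example.net. 2010050601 3600 900 604800 86400")
LAST_REFRESH_OK = datetime(2010, 5, 3, 9, 0)
NOW = datetime(2010, 5, 6, 22, 37)

if __name__ == "__main__":
    serving, deadline, remaining = outage_status(SAMPLE_SOA, LAST_REFRESH_OK, NOW)
    print(f"still serving: {serving}; secondaries go dark at {deadline} ({remaining} from now)")
    for p in soa_sanity(SAMPLE_SOA):
        print("sanity:", p)
```

With a one-week expire and a drive failure that will take "some time" to fix, the deadline is the number to watch; a long expire buys time to promote a secondary or stand up a replacement primary before the zone disappears.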

Re: Poblem with ZONE (subdomain)

2010-01-19 Thread Ben Croswell
It is against the DNS rules to have a CNAME and any other record type exist
at the same level of the DNS tree.
For instance, if you have a domain called foo.com you can't then do
  foo.com IN CNAME bar.com
because the CNAME collides with the SOA and NS records for the domain.

On Tue, Jan 19, 2010 at 4:06 PM, Michelle Konzack 
linux4miche...@tamay-dogan.net wrote:

 Hello Kevin,

 Am 2010-01-19 14:29:59, schrieb Kevin Darcy:
  Correct. You can't have lists be a CNAME and also have it own an
  MX record. The zone is invalid.

 OK

  You can probably just whack the CNAME for lists and add one for
  the target of the CNAME (vserver3.tamay-dogan.net), which will
  function the way you apparently intended. Be aware, however, that
  this will then be valid for all of the other CNAMEs pointing at that
  target,

 I do not understand this.
 Do you mean:

  lists   IN MX    10 mail.tamay-dogan.net.
  bugs    IN MX    10 mail.tamay-dogan.net.
          IN CNAME vserver3.tamay-dogan.net.

 Thanks, Greetings and nice Day/Evening
Michelle Konzack

 --
 Linux-User #280138 with the Linux Counter, http://counter.li.org/
 # Debian GNU/Linux Consultant #
 http://www.tamay-dogan.net/ Michelle Konzack
 http://www.can4linux.org/   Apt. 917
 http://www.flexray4linux.org/   50, rue de Soultz
 Jabber linux4miche...@jabber.ccc.de   67100 Strabourg/France
 IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
 ICQ#328449886 Tel. FR: +33  6  61925193





-- 
-Ben Croswell
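
Two of the rules that come up repeatedly on this page can be checked mechanically before a zone ever reaches named: the "CNAME and other data" rule from this thread and the "CNAME or A record?" thread (a CNAME at lists with an MX beside it, or a CNAME at the apex colliding with SOA and NS), and the duplicate-RR point from the "bind weighted round robin not working" and "multiple IP address" threads (repeating an address does not weight anything, BIND keeps one copy). The block below is an added example written for this page, not ISC code. It includes a small master-file parser that covers the syntax used in the threads ($TTL, $ORIGIN, @, relative names, blank-owner continuation lines, a parenthesised SOA and ; comments) but is not a full RFC 1035 parser; the sample zone is constructed for illustration. named-checkzone rejects the CNAME cases outright; the duplicate records simply vanish from the RRset, as Marc's nslookup output shows.

```python
"""Lint a zone file for two things this list keeps seeing:

  1. a CNAME sharing an owner name with any other record (RFC 1034 section 3.6.2),
     including a CNAME at the zone apex, where SOA and NS always live;
  2. the same RR repeated to "weight" a round robin, which BIND 9 collapses
     into a single RR.

Added example for this page, not ISC code.  The parser handles the subset of
master-file syntax used in the threads ($TTL, $ORIGIN, '@', relative and
absolute names, blank owner for continuation records, parenthesised multi-line
SOA, ';' comments); it is not a full RFC 1035 parser.
"""
from collections import Counter, defaultdict

CLASSES = {"IN", "CH", "HS"}


def _logical_lines(text):
    """Strip comments and join parenthesised records into one line each."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    return out


def _fqdn(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, type, rdata) with owners as lower-case FQDNs."""
    origin = origin if origin.endswith(".") else origin + "."
    records, last_owner = [], origin
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = _fqdn(tokens[1], origin)
            continue
        if tokens[0] == "$TTL":
            continue
        if line[0].isspace():                    # blank owner: reuse the previous owner
            owner = last_owner
        else:
            owner = last_owner = _fqdn(tokens.pop(0), origin)
        for _ in range(2):                       # optional TTL and class, either order
            if tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
                tokens.pop(0)
        rtype = tokens.pop(0).upper()
        records.append((owner.lower(), rtype, " ".join(tokens)))
    return records


def lint_zone(records):
    """Return human-readable findings for the two rules above."""
    findings = []
    by_owner = defaultdict(list)
    for owner, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    for owner, rrs in by_owner.items():
        types = [t for t, _ in rrs]
        if "CNAME" in types and len(rrs) > 1:
            others = sorted(set(types) - {"CNAME"}) or ["another CNAME"]
            findings.append(f"{owner}: CNAME coexists with {', '.join(others)}")
        for (rtype, rdata), n in Counter(rrs).items():
            if n > 1:
                findings.append(f"{owner}: {rtype} {rdata} listed {n} times; BIND keeps one "
                                "copy, so this does not weight the round robin")
    return findings


# Constructed sample zone (not from the thread) exercising each rule once.
SAMPLE_ZONE = """\
$TTL 3600
@       IN  SOA ns1.example.net. hostmaster.example.net. (
                2011061406  ; serial
                1800        ; refresh
                14400       ; retry
                604800      ; expire
                3600 )      ; minimum
        IN  NS  ns1.example.net.
        IN  A   192.0.2.10
www     IN  A   192.0.2.10
test2   IN  A   192.0.2.1       ; repeated, as in Marc's test.nl zone
        IN  A   192.0.2.1
        IN  A   192.0.2.2
lists   IN  MX  10 mail.example.net.
        IN  CNAME vserver3.example.net.   ; CNAME plus MX at one name
@       IN  CNAME other.example.          ; CNAME at the apex collides with SOA/NS
"""

if __name__ == "__main__":
    for finding in lint_zone(parse_zone(SAMPLE_ZONE, "example.net.")):
        print(finding)
```

Kevin's suggested fix in this thread (move the MX to the CNAME's target) is what the first finding points at: the records can keep their meaning, they just cannot share an owner name with the CNAME.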

Re: New BIND user

2009-10-06 Thread Ben Croswell
Best place to start in my mind is the O'Reilly book DNS and BIND by
Cricket.
It's where I started and the first thing a person had to read before I
started training them back in the day.

On Tue, Oct 6, 2009 at 12:47 PM, NéoSynergix | Martin Dubreuil 
martin.dubre...@neosynergix.com wrote:

  Hello everyone,

 I am using a mix of MS DNS and XP workstations with a DNS software (Simple
 DNS +).

 I am now looking to move into the BIND world under *nix distributions.
 Would you recommend me reading/using a specific reference?
 Book, URL, distribution, tutorial…

 Thank you, your help is appreciated.

 *Martin*





-- 
-Ben Croswell

Re: SIBLING GLUE address records (A or AAAA)

2009-10-05 Thread Ben Croswell
I would imagine the answer will be that they aren't required but would be
helpful.

Since the parent .xx is delegating to the second-level domains, if you do
glue for all four DNS servers you are preventing a remote DNS server from
having to go to the servers for example.xx to get the A records for the DNS
servers for otherexample.xx.


On Mon, Oct 5, 2009 at 3:59 PM, Sergio Ramirez srami...@seciu.edu.uywrote:

 Hi,

   In the following example, the authoritative server for
 zone .xx has configured the delegations of the zones example.xx
 and otherexample.xx:

 example.xx  NS  ns1.example.xx
 example.xx  NS  ns2.example.xx
 ns1.example.xx A  11.22.33.44
 ns2.example.xx A  11.22.33.55
 otherexample.xx NS ns3.example.xx
 otherexample.xx NS ns4.example.xx

 the bind report these messages:

 ns3.example.xx has no SIBLING GLUE address records (A or AAAA)
 ns4.example.xx has no SIBLING GLUE address records (A or AAAA)

 because the glue records are not configured in the zone .xx, for
 ns3.example.xx and ns4.example.xx

 Are these glue records required ?

 I understand that is not. Is this right ?

 Regards,
 --
 Sergio R.
-- 
-Ben Croswell
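
Ben's answer (not required, but helpful) can be made concrete by walking the parent zone's delegations the way a resolver would. The block below is an added example written for this page, not ISC code; it reproduces the idea behind the "has no SIBLING GLUE address records" warning. When an NS target lies inside the zone being delegated (child glue), the address must be in the parent or a resolver has no way in; when it lies inside another zone delegated by the same parent (sibling glue, Sergio's ns3/ns4 case), the resolver can still get there via the sibling's delegation, so the glue only saves a round trip. Targets outside the parent's bailiwick are skipped because glue for them would not be used anyway. The records are Sergio's delegation data rewritten as tuples, plus one constructed out-of-bailiwick delegation.

```python
"""Find delegations in a parent zone whose name servers need glue but have none.

Added example for this thread, not BIND code.  Input is the parent zone as
(owner, type, rdata) tuples, all names absolute with a trailing dot.
  child   glue: NS target inside the delegated zone itself -> mandatory
  sibling glue: NS target inside another zone this parent delegates -> helpful
Out-of-bailiwick targets are ignored: glue for them would not be used.
"""


def _under(name, zone):
    return name == zone or name.endswith("." + zone)


def glue_report(parent, records):
    """Return (ns_target, delegated_zone, kind, has_glue) for every in-bailiwick NS target."""
    delegated = {o for o, t, _ in records if t == "NS" and o != parent}
    glue_names = {o for o, t, _ in records if t in ("A", "AAAA")}
    report = []
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner == parent:      # apex NS records are not delegations
            continue
        target = rdata.lower()
        if _under(target, owner):
            kind = "child"
        else:
            sibling = next((z for z in delegated if z != owner and _under(target, z)), None)
            if sibling is None:
                continue                          # out of bailiwick: no glue possible
            kind = "sibling"
        report.append((target, owner, kind, target in glue_names))
    return report


def missing_glue(parent, records):
    """Only the targets that still need an A/AAAA record in the parent."""
    return [(t, z, k) for t, z, k, has in glue_report(parent, records) if not has]


# Sergio's delegations as tuples, plus one constructed out-of-bailiwick delegation.
SAMPLE_PARENT = "xx."
SAMPLE_RECORDS = [
    ("example.xx.", "NS", "ns1.example.xx."),
    ("example.xx.", "NS", "ns2.example.xx."),
    ("ns1.example.xx.", "A", "11.22.33.44"),
    ("ns2.example.xx.", "A", "11.22.33.55"),
    ("otherexample.xx.", "NS", "ns3.example.xx."),
    ("otherexample.xx.", "NS", "ns4.example.xx."),
    ("third.xx.", "NS", "ns.provider.example."),   # constructed: out of bailiwick, skipped
]

if __name__ == "__main__":
    for target, zone, kind, has in glue_report(SAMPLE_PARENT, SAMPLE_RECORDS):
        state = "ok" if has else ("MISSING (required)" if kind == "child" else "missing (helpful)")
        print(f"{zone:20} NS {target:22} {kind:8} glue {state}")
```

Running it on the sample lists ns1/ns2 as child glue present and ns3/ns4 as sibling glue absent, which is exactly what the two warnings in Sergio's log say; adding A or AAAA records for ns3 and ns4 to the parent clears them.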

Re: FW: Blocking top level domain

2009-09-30 Thread Ben Croswell
Easiest way would probably be to load the .cn domain and just not put
anything in it.


On Wed, Sep 30, 2009 at 11:12 AM, Apisa, Kathy (US - MABS) 
kathy.ap...@meggitt.com wrote:


  *From:* Apisa, Kathy (US - MABS)
  *Sent:* Wednesday, September 30, 2009 10:23 AM
  *To:* 'bind-users@lists.isc.org'
  *Subject:* Blocking top level domain

  Greetings everyone

  I would like to know how to implement the blocking of a top level domain in
  Bind 9

  For example, I want to block access to any domain that ends in .cn

  Thanks,

  Kathy Apisa
  Information Technology
  330-796-5963
  kathy.ap...@meggitt.com


 This email may contain proprietary information and/or copyright material.
 This email is intended for the use of the addressee only. Any unauthorized
 use may be unlawful. If you receive this email by mistake, please advise the
 sender immediately by using the reply facility in your email software.

 Information contained in and/or attached to this document may be subject to
 export control regulations of the European Community, USA, or other
 countries. Each recipient of this document is responsible to ensure that
 usage and/or transfer of any information contained in this document complies
 with all relevant export control regulations. If you are in any doubt about
 the export control restrictions that apply to this information, please
 contact the sender immediately.

 Be aware that Meggitt may monitor incoming and outgoing emails to ensure
 compliance with the Meggitt IT User policy.

 This transmittal and any attached documents may contain technical data, the
 use of which may be restricted by the U.S. Arms Export Control Act and/or
 the Export Administration Act. By accepting such data, the recipient agrees
 to comply with the International Traffic in Arms Regulations (ITAR) and/or
 the Export Administration Regulations, as applicable.





-- 
-Ben Croswell

Re: Need help on delegation to subdomain/external servers

2009-09-17 Thread Ben Croswell
I have done some testing of the RTT forwarding and found that as long as
only one or the other of the two nameservers that you forward to is
active at any given time, the switchover is actually very quick.
The exception is the first query after the currently active forwarder dies
and the second comes up: that first query has to wait
for a timeout cycle before trying the second forwarder and readjusting the
RTT values for both.

So theoretically, if your forwarders are 10.1.1.1 and 10.2.1.1, as long as
only one will answer queries at a given time (each with its own right answer)
it should fail over fairly quickly.  If both answer, then you will be at the
mercy of the RTT as to which answer you will get.

-- 
-Ben Croswell

On Thu, Sep 17, 2009 at 12:27 PM, Kevin Darcy k...@chrysler.com wrote:

 RUOFF LARS wrote:




 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy



 BTW, at the moment I am experimenting with a solution using a forward zone:
 zone "dummy.ts" IN {
     type forward;
     forward only;
     forwarders { 172.25.32.171; 192.168.2.3; };
 };

 It seems to work.
 I guess that the requests are not sent simultaneously though?


 Correct, it's similar to the algorithm that a stub resolver uses: try one
 forwarder, if it times out, try another, and so on.

 In fact, the way I like to think of forwarding is: when you forward, you're
 turning named *into* a stub resolver with a cache, at least for part of the
 namespace. If you forward globally (i.e. in options), and have some
 authoritative zones and/or stub zones with forwarders { } defined, then
 those are just selective overrides of your stub-resolver+cache function.
 And if you have forward first anywhere, then you're just giving named a
 second chance to resolve names iteratively, in case the initial
 stub-resolver+cache approach fails (because the forwarders aren't
 available/reachable).

 Seems like extreme overkill to use a big heavyweight process like named, to
 perform a simple stub-resolver function that can otherwise be accomplished
 with a few library routines, doesn't it? Well it *should* seem like
 overkill, because it's usually the wrong tool for the job. Forwarding is
 generally to be avoided, unless you need to deal with a limited-connectivity
 situation (e.g. trying to resolve Internet names to internal clients through
 a firewalled environment) or, in certain select cases, to forward to a
 richly-populated central cache, with ample capacity, over fast internal
 links, in order to speed up the average name resolution time for a local set
 of clients.

 What delay do I have to expect when only the second server (192.168.2.3)
 is active?


 I'm not sure, I'd have to look through the code. I don't believe this delay
 is configurable, by the way.

 What search policy is applied by default? (round-robin vs sequential?)
 Can I modify it?
 Obviously I would prefer a policy where we always forward to the last
 active, unless we time out; Then try the alternate.
 Will check that out.



 I believe that forwarder-selection uses the same algorithm as NS-selection,
 i.e. it's based on the historical RTT data. So it might not switch over as
 fast as you'd like.

 - Kevin




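The failover cost Ben describes (one timeout cycle on the first query after the active forwarder dies, then a quick switch to the other) and Kevin's point that forwarders are tried one after another rather than in parallel can be seen in a small model of RTT-based selection. This is an added example, not BIND's code and not a description of its actual algorithm: the 800 ms timeout, the 7/8 smoothing, the starting estimate and the penalty charged for a timeout are assumptions of the model; the forwarder addresses are the ones in Ben's post.

```python
"""Model of RTT-driven forwarder selection with timeout fallback.
Added example: a simplified model, not BIND's implementation. The
800 ms timeout, the 7/8 smoothing, the 100 ms starting estimate and
the 'charge a timeout as a very slow answer' rule are assumptions."""

TIMEOUT_MS = 800  # assumed per-attempt timeout


def send_query(forwarders, rtt, reachable, real_rtt, timeout_ms=TIMEOUT_MS):
    """Send one query: try forwarders in order of best recorded RTT,
    moving to the next only after a timeout (sequential, never in
    parallel). Returns (forwarder that answered or None, elapsed ms)
    and updates the shared RTT table in place."""
    elapsed = 0
    for fwd in sorted(forwarders, key=lambda f: rtt[f]):
        if fwd in reachable:
            elapsed += real_rtt[fwd]
            # Smooth the estimate toward the measured value.
            rtt[fwd] = rtt[fwd] * 7 / 8 + real_rtt[fwd] / 8
            return fwd, elapsed
        # Timed out: pay the full timeout and remember this forwarder
        # as very slow, so the next query tries the other one first.
        elapsed += timeout_ms
        rtt[fwd] = float(timeout_ms * 2)
    return None, elapsed


def run_scenario():
    """Two queries with both forwarders up, then two after 10.1.1.1
    dies. Returns the list of (answering forwarder, elapsed ms)."""
    forwarders = ["10.1.1.1", "10.2.1.1"]
    real_rtt = {"10.1.1.1": 5, "10.2.1.1": 30}   # constructed link RTTs
    rtt = {f: 100.0 for f in forwarders}          # no history: assume slow
    reachable = {"10.1.1.1", "10.2.1.1"}
    log = []
    for _ in range(2):
        log.append(send_query(forwarders, rtt, reachable, real_rtt))
    reachable.discard("10.1.1.1")                 # primary goes down
    for _ in range(2):
        log.append(send_query(forwarders, rtt, reachable, real_rtt))
    return log


if __name__ == "__main__":
    for fwd, ms in run_scenario():
        print(f"answered by {fwd} after {ms} ms")
```

The third query pays the full timeout before the second forwarder answers; from then on the penalised estimate keeps traffic on the survivor. The model has no RTT ageing, so a recovered forwarder would not be tried again until something else beats the survivor's estimate; a real resolver needs some form of ageing or periodic re-probe for that.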
Re: Delegating reverse DNS to a customer

2009-08-18 Thread Ben Croswell
The issue is probably that you need to delegate the 251.250.63.in-addr.arpa
to your client in the 250.63.in-addr.arpa zone.
If you load 251.250.63.in-addr.arpa to try and delegate it, your servers
will answer for it because they load it.

Think of it in the same way as delegating a forward subdomain of a domain
you load. If you want to delegate foo.bar.com to someone, you put the NS
records in bar.com, not foo.bar.com.

-- 
-Ben Croswell

On Tue, Aug 18, 2009 at 8:31 AM, Tim Huffman t...@bobbroadband.com wrote:

  Guys,



 We’re a smallish (but growing) ISP, and we’ve been asked by one of our
 customers to delegate reverse DNS for 63.250.251.0/24 to their DNS
 servers, ns1.emns.com – ns4.emns.com. Unfortunately, we’ve never had to
 delegate DNS to a customer before, and we’re having problems getting it to
 work.



 We’re running BIND 9.5.1 on Fedora.



 Can anyone give me an example of how this should be done in named.conf and
 the file 251.250.63.in-addr.arpa.zone? I’d appreciate it!



 --

 Tim





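The two delegation questions on this page (the sibling-glue warnings for the .xx zone, and where the NS records for 251.250.63.in-addr.arpa have to live) come down to the same check: for each NS target of a delegation, where does it sit relative to the parent and child, and does that position require glue in the parent? The following is an added example that performs that check, not BIND code or any registry's checker. Zone names, nameservers and the 63.250.251.0/24 block are taken from the posts; the helper names and the warning wording are this example's own.

```python
"""Delegation placement and glue checks. Added example for the glue
and reverse-delegation threads above; not BIND code. Zone names,
nameservers and the 63.250.251.0/24 block come from the posts; helper
names and warning wording are this example's own."""
import ipaddress


def _labels(name):
    return name.rstrip(".").lower().split(".")


def is_subdomain(name, zone):
    """True if name is zone or lies below it (label-wise, not substring)."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[-len(z):] == z


def glue_status(parent, child, ns_name, siblings=()):
    """Classify one NS target of the delegation of `child` out of `parent`.
    'required'  inside the delegated child itself: without an A/AAAA glue
                record in the parent the child cannot be reached at all.
    'sibling'   under another zone delegated from the same parent: it is
                resolvable via that sibling's delegation, so glue is
                optional (hence only a warning).
    'in-parent' in the parent zone proper: the parent's ordinary A/AAAA
                records give the address.
    'external'  outside the parent entirely: glue is not wanted here."""
    if is_subdomain(ns_name, child):
        return "required"
    if any(s != child and is_subdomain(ns_name, s) for s in siblings):
        return "sibling"
    if is_subdomain(ns_name, parent):
        return "in-parent"
    return "external"


def glue_warnings(parent, zone_rrs):
    """Walk the delegations in a parent zone's records ((owner, type,
    rdata) tuples) and report NS targets whose glue is missing."""
    delegations, with_address = {}, set()
    for owner, rtype, rdata in zone_rrs:
        owner = owner.rstrip(".").lower()
        if rtype == "NS" and owner != parent.rstrip(".").lower():
            delegations.setdefault(owner, []).append(rdata.rstrip(".").lower())
        elif rtype in ("A", "AAAA"):
            with_address.add(owner)
    warnings = []
    for child, targets in delegations.items():
        for ns in targets:
            if ns in with_address:
                continue
            status = glue_status(parent, child, ns, delegations)
            if status == "required":
                warnings.append(f"{ns} has no GLUE address records (A or AAAA); "
                                f"{child} is unreachable")
            elif status == "sibling":
                warnings.append(f"{ns} has no SIBLING GLUE address records (A or AAAA)")
    return warnings


def reverse_delegation(cidr, nameservers):
    """For an octet-aligned IPv4 block, return (parent_zone, child_zone,
    NS records). The NS records are owned by the child name but must be
    *added to the parent zone*; loading the child zone yourself makes
    your server answer for it instead of delegating it."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only /8, /16, /24 handled (RFC 2317 classless "
                         "delegation is out of scope here)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    child = ".".join(list(reversed(octets)) + ["in-addr", "arpa"])
    parent = ".".join(list(reversed(octets[:-1])) + ["in-addr", "arpa"])
    return parent, child, [(child, "NS", ns) for ns in nameservers]


if __name__ == "__main__":
    # Records of the .xx zone as posted in the glue thread.
    XX = [("example.xx", "NS", "ns1.example.xx"), ("example.xx", "NS", "ns2.example.xx"),
          ("ns1.example.xx", "A", "11.22.33.44"), ("ns2.example.xx", "A", "11.22.33.55"),
          ("otherexample.xx", "NS", "ns3.example.xx"), ("otherexample.xx", "NS", "ns4.example.xx")]
    print("\n".join(glue_warnings("xx", XX)))
    parent, child, rrs = reverse_delegation("63.250.251.0/24", ["ns1.emns.com", "ns2.emns.com"])
    print(f"add to zone {parent}:")
    for owner, rtype, rdata in rrs:
        print(f"  {owner}. IN {rtype} {rdata}.")
```

For the .xx case the output reproduces the two SIBLING GLUE warnings, and nothing for ns1/ns2 because the parent carries their A records. For the reverse case the four emns.com nameservers classify as external, so the parent zone gets NS records only, no glue.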
Re: tcp versus udp

2009-05-04 Thread Ben Croswell
Also if EDNS0 is in effect theoretically the max size would be 4096 bytes
before a truncate happened.

-- 
-Ben Croswell

On Mon, May 4, 2009 at 8:55 PM, Martin McCormick
mar...@dc.cis.okstate.edu wrote:

 Matt Baxter writes:
  When a response can not fit in a single UDP packet the server will mark
  the
  truncated flag (and respond with all the data it can inside the UDP
  packet). That should trigger a client to resubmit the query via TCP. Zone
  transfers are the most common use for TCP, but it can be required for
  normal queries, although that is far from normal.

 My thanks to you and to 2 other list members who replied
 off list. This confirms what I thought I remembered reading some
 time before.

 Martin McCormick


Re: Using TCP for checking

2009-04-07 Thread Ben Croswell
My one caution on this would be you may run into false negatives with TCP if
people have misconfigured firewalls.
It's surprising the number of people out there that believe TCP is only for
xfers.

-- 
-Ben Croswell


On Tue, Apr 7, 2009 at 3:17 PM, Mark Elkins m...@posix.co.za wrote:

 I'm involved in the CO.ZA Registry. In the process of registering a
 domain name in the co.za zone - we do a bunch of DNS checks using
 'dig'.

 for each nameserver,
  a) check that the zone exists (fetch the SOA),
  b) fetch the NS RRSet count and compare entries.
  c) if Nameserver inside the domain being registered (glue needed)
i) check the reverse glue (can be multiple v4 + v6 addresses)
ii) check each reverse has a forward


 Currently - many of these (dig-9.4.1) checks include the flags +time=9
 +retry=5..

 ..the assumption being that for any 'dig' action - try, timeout 9
 seconds - repeat another 5 times... - so a totally failed lookup would
 take 54 seconds... however - an ethernet trace/dump seems to indicate
 queries go out one after the other - with little inter-query delay..

 If we do a lookup with UDP - a low but significant number of 'digs' fail
 - which results in our checks failing - and the registration checking
 process delaying that particular registration for a few hours.

 If we switch to using TCP for 'dig' lookups  - the failure rate
 basically disappears to Zero. This would result in happier customers
 (less registration delays).

 I've always been taught (and teach others) to use UDP and not TCP for
 DNS queries - but in the case of a registry checking for info like we do
 - would it not be politically correct to instead do TCP checks?

 What does the net-dns wisdom say?

 My current thought is to do a UDP check (don't change timeout/retry from
 default) and only if that fails - retry immediately with a TCP Check.
 Others in my group are for using TCP immediately.

 --
  .  . ___. .__  Posix Systems - Sth Africa.  e.164 VOIP ready
  /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
 / |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496



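The two threads above describe the same mechanism from both sides: a server that cannot fit the answer in the client's UDP limit (512 bytes, or the EDNS0 size the client advertised, up to 4096 in Ben's example) sets the TC bit, and the client then retries over TCP; a checker such as Mark's registry script adds a policy on top of that, and Ben's caveat is that a TCP failure may be a firewall rather than a broken zone. The following added example shows the whole exchange offline. It is not BIND or dig code; the wire format handling is limited to what the example needs (no name compression, A records only), and the query name and addresses are constructed.

```python
"""DNS truncation and the TCP fallback, end to end. Added example for
the tcp-versus-udp and TCP-for-checking threads above; not BIND or dig
code. Wire-format handling is kept to what the example needs (no name
compression, A records only); the name and addresses are constructed."""
import struct

FLAG_QR = 0x8000   # response
FLAG_TC = 0x0200   # truncated: the client should retry over TCP
UDP_DEFAULT = 512  # RFC 1035 limit without EDNS0
UDP_EDNS0 = 4096   # a typical EDNS0 advertised payload size


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_response(qname, addresses, ttl=300):
    """Untruncated response: header, one question, one A RR per address."""
    header = struct.pack("!HHHHHH", 0x1234, FLAG_QR, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)       # A, IN
    rrs = b"".join(encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + question + rrs


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:         # compression pointer
            return off + 2
        off += 1 + length


def fit_for_udp(response, max_payload=UDP_DEFAULT):
    """Server side: if the message exceeds what the client can accept,
    drop whole answer RRs from the end and set TC. Assumes the message
    carries only answer RRs after the question (as build_response does)."""
    if len(response) <= max_payload:
        return response
    ident, flags, qd, an, _, _ = struct.unpack("!HHHHHH", response[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(response, off) + 4
    kept, end = 0, off
    for _ in range(an):
        nxt = _skip_name(response, end)
        rdlen = struct.unpack("!H", response[nxt + 8:nxt + 10])[0]
        nxt += 10 + rdlen
        if nxt > max_payload:
            break
        kept, end = kept + 1, nxt
    header = struct.pack("!HHHHHH", ident, flags | FLAG_TC, qd, kept, 0, 0)
    return header + response[12:end]


def answer_count(msg):
    return struct.unpack("!H", msg[6:8])[0]


def is_truncated(msg):
    return bool(struct.unpack("!H", msg[2:4])[0] & FLAG_TC)


def check_with_fallback(udp_query, tcp_query):
    """Registry-style probe: UDP first, TCP only if UDP times out or
    comes back truncated. Each argument is a callable returning the
    raw reply bytes or None on timeout. Returns (transport, reply)."""
    reply = udp_query()
    if reply is not None and not is_truncated(reply):
        return "udp", reply
    reply = tcp_query()
    if reply is None:
        # A firewall that passes UDP/53 but drops TCP/53 ends up here
        # too, so 'unreachable' is a reason to investigate, not proof
        # that the zone is broken.
        return "unreachable", None
    return "tcp", reply


if __name__ == "__main__":
    big = build_response("big.example.", [f"192.0.2.{i}" for i in range(1, 60)])
    over_udp = fit_for_udp(big)
    print(len(big), "bytes ->", len(over_udp), "bytes, TC =", is_truncated(over_udp),
          "answers kept:", answer_count(over_udp))
    print(check_with_fallback(lambda: over_udp, lambda: big)[0])
```

With 59 A records the response is 1622 bytes: over plain UDP it is cut to 17 records with TC set, while a client advertising 4096 bytes via EDNS0 gets it whole and never touches TCP. The probe callables are injected so the policy can be exercised without a network; in a real checker they would be the UDP and TCP queries.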
Re: time.windows.com and download.windowsupdate.com

2009-02-11 Thread Ben Croswell
You can certainly load the zone you don't own, but be aware the downside will be
every downstream domain or host under the two domains you load will be
blackholed.
In your examples:
1) Everything under time.windows.com will not be resolvable other than
time.windows.com.  i.e. someotherhost.time.windows.com won't work
2) Everything under windowsupdate.com will not be resolvable other than
download.windowsupdate.com i.e. someotherhost.windowsupdate.com

As long as you are aware of and ok with those caveats you should be fine.

-- 
-Ben Croswell

On Sun, Feb 8, 2009 at 6:03 PM, patate...@gmail.com wrote:

 Hi,

 I've just started with Bind and DNS, so...

 1 I'm on a LAN where external ntp and Window$ update sites are denied.
 2 we have, on this LAN a wsus and a ntp server
 3 a fresh Window$ XP pro try download.windowsupdate.com for update and
 time.windows.com for synctime...

 Can I play with these two zones on my NS ?

 zone "time.windows.com" IN { type master; file "time.windows.com"; };

 @   IN  SOA fake admin ( 20090201 8H 1H 2W 5D )
IN  NS  fake
 fakeIN  A   172.20.0.2
 time.windows.com.   IN  A   172.20.0.2

 zone "windowsupdate.com" IN { type master; file
 "windowsupdate.com"; };

 @   IN  SOA fake admin ( 20090201 8H 1H 2W 5D )
IN  NS  fake
 fakeIN  A   172.20.0.2
 download.windowsupdate.com.   IN  A   172.20.0.2

 Thanks for help.


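Kathy's question (block everything under .cn) and Ben's caveat here (load time.windows.com and every other name under it goes dark) are two faces of the same thing: once a master zone is loaded, named answers authoritatively for the whole subtree, and whatever the zone file does not define is NXDOMAIN. The following added example models that lookup for the zones posted in this thread plus an empty cn zone, and emits the named.conf stanza and minimal zone file for such a blackhole zone. It is illustration, not BIND code: the A-record-only view, the helper names and the "fake.cn" nameserver are this example's assumptions.

```python
"""What loading a zone you do not own does to names under it. Added
example for the 'Blocking top level domain' and time.windows.com
threads above; not BIND code. It models named's answer for a name
covered by a locally loaded master zone (A records only): the closest
enclosing loaded zone answers, and anything you did not define in it
is NXDOMAIN."""


def closest_enclosing_zone(name, zones):
    """Longest loaded zone that is an ancestor of (or equal to) name,
    or None if no loaded zone covers it."""
    labels = name.rstrip(".").lower().split(".")
    best = None
    for zone in zones:
        z = zone.rstrip(".").lower().split(".")
        if len(labels) >= len(z) and labels[-len(z):] == z:
            if best is None or len(z) > len(best.split(".")):
                best = zone
    return best


def resolve_locally(name, zones):
    """zones: {zone_name: {owner_name: IPv4 address}} for each loaded
    master zone. Returns ('A', addr), ('NXDOMAIN', zone) when a loaded
    zone covers the name but has no such owner, or ('recurse', None)
    when no loaded zone covers it and normal resolution proceeds."""
    zone = closest_enclosing_zone(name, zones)
    if zone is None:
        return "recurse", None
    addr = zones[zone].get(name.rstrip(".").lower())
    return ("A", addr) if addr else ("NXDOMAIN", zone)


def named_conf_and_zonefile(zone, ns_host, ns_addr, records=()):
    """Text of a named.conf stanza plus a minimal master zone file for a
    blackhole/override zone: with no `records` the whole zone (e.g. cn)
    returns NXDOMAIN for everything below the apex."""
    stanza = f'zone "{zone}" IN {{ type master; file "{zone}.zone"; }};'
    lines = [f"$ORIGIN {zone}.", "$TTL 3600",
             f"@  IN SOA {ns_host}. hostmaster.{zone}. ( 2009020101 8h 1h 2w 5d )",
             f"   IN NS  {ns_host}.",
             f"{ns_host}. IN A {ns_addr}"]
    lines += [f"{owner}. IN A {addr}" for owner, addr in records]
    return stanza, "\n".join(lines) + "\n"


# Zones as posted in the time.windows.com thread, plus an empty cn zone
# for the TLD-blocking thread (constructed data).
ZONES = {
    "time.windows.com": {"time.windows.com": "172.20.0.2"},
    "windowsupdate.com": {"download.windowsupdate.com": "172.20.0.2"},
    "cn": {},
}

if __name__ == "__main__":
    for n in ["time.windows.com", "someotherhost.time.windows.com",
              "download.windowsupdate.com", "someotherhost.windowsupdate.com",
              "www.example.cn", "www.windows.com"]:
        print(f"{n:35} -> {resolve_locally(n, ZONES)}")
    stanza, zf = named_conf_and_zonefile("cn", "fake.cn", "172.20.0.2")
    print(stanza)
    print(zf)
```

The run shows exactly Ben's two cases: time.windows.com and download.windowsupdate.com answer with 172.20.0.2, any other host under those zones is NXDOMAIN, www.windows.com is untouched because no loaded zone covers it, and everything under cn is NXDOMAIN from the empty zone.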