RE: BIND DNS Enable audit logs - Authoritative
Hello,

We edit our zones manually (not through a panel interface). Is it possible to log DNS updates in this case? Logging is already enabled, but we are unable to track the updated zones in the logs.

The enabled categories on the authoritative master DNS server are "xfer-in", "security", "network", "default", "config", "queries" and "update".

How can we enable the journal files in our case? Is there any impact on DNS performance?

Regards,
Daniel

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Tuesday, January 8, 2019 2:05 PM
To: Daniel Dawalibi
Cc: bind-users@lists.isc.org
Subject: Re: BIND DNS Enable audit logs - Authoritative
Importance: High

Daniel Dawalibi wrote:
>
> Is it possible to enable the audit logs on BIND DNS so we can track
> changes performed on the DNS records level (Add/Delete/Modify A, MX, NS, ... records)?

You can get that by default, depending on how the changes were performed.

If you use `nsupdate` or some other dynamic DNS UPDATE client, `named` will log changes like this ...

08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at '.lcil.private.cam.ac.uk' A 172.22.QQ.QQ

The changes are also recorded in the zone's journal, which you can extract like:

$ named-journalprint /home/named/zone/private.cam.ac.uk.jnl
[...]
del private.cam.ac.uk.        3600 IN SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.        3600 IN SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add .lcil.private.cam.ac.uk.  3600 IN A   172.22.QQ.QQ

You might want to use the `ixfr-from-differences` and `max-journal-size` options if you care about preserving journal contents.

Alternatively, keep your zone contents in `git` or a database that keeps an audit log :-)

Tony.
--
f.anthony.n.finch  http://dotat.at/
Mull of Galloway to Mull of Kintyre including the Firth of Clyde and North Channel: Northwesterly 4 or 5, occasionally 6 at first in the North Channel, becoming variable 3 or less. Moderate, becoming smooth or slight. Occasional rain later. Good, occasionally moderate later.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
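A way to turn the two records Tony points at (the `update` category log lines and the `named-journalprint` output) into one audit trail, and to spot journal entries that no update log line explains, as an added example: this is not code from the thread or from BIND, and the log lines, journal entries, addresses and key name in it are constructed samples in the formats shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of BIND "update" category log lines in the format shown in
# the thread (client address, TSIG key name and owner names are made up).
UPDATE_LOG = """\
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'host.lcil.private.cam.ac.uk' A 172.22.0.1
08-Jan-2019 11:57:01.002 update: info: client @0x55b747f47ec0 192.0.2.10#40112: updating zone 'private.cam.ac.uk/IN': deleting rrset at 'old.private.cam.ac.uk' A
"""

# Constructed named-journalprint output for the same zone. The last entry stands
# for a change that reached the journal without an update log line, e.g. a
# hand-edited zone file reloaded with ixfr-from-differences enabled.
JOURNAL = """\
del private.cam.ac.uk.           3600 IN SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.           3600 IN SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add host.lcil.private.cam.ac.uk. 3600 IN A 172.22.0.1
del old.private.cam.ac.uk.       3600 IN A 192.0.2.5
add manual.private.cam.ac.uk.    300 IN TXT "edited by hand"
"""

@dataclass
class Change:
    source: str                  # "log" or "journal"
    op: str                      # "add" or "del"
    owner: str                   # lower-cased, no trailing dot
    rtype: Optional[str]         # None: a log line deleting all rrsets at a name
    rdata: Optional[str]         # None: a log line deleting a whole rrset
    zone: Optional[str] = None   # journals carry no zone name; the caller supplies it
    when: Optional[str] = None   # log timestamp; journal entries have none
    actor: Optional[str] = None  # "addr#port" plus "/key NAME" for TSIG-signed updates

UPDATE_RE = re.compile(
    r"^(?P<ts>\d\d-\w{3}-\d{4} \d\d:\d\d:\d\d\.\d{3}) update: \w+: "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>\S+?)(?:/key (?P<key>\S+))?: "
    r"updating zone '(?P<zone>[^']+)': "
    r"(?P<what>adding an RR|deleting an RR|deleting rrset|deleting all rrsets) "
    r"at '(?P<owner>[^']+)'(?: (?P<rtype>[A-Z0-9]+)(?: (?P<rdata>.*))?)?$")
JOURNAL_RE = re.compile(
    r"^(?P<op>add|del) (?P<owner>\S+)\s+\d+\s+IN\s+(?P<rtype>\S+)\s+(?P<rdata>.*\S)\s*$")

def norm(name: str) -> str:
    return name.lower().rstrip(".")   # same form for log and journal owner names

def parse_update_log(text: str) -> List[Change]:
    """One Change per update-category log line; any other line is ignored."""
    out = []
    for m in filter(None, map(UPDATE_RE.match, text.splitlines())):
        actor = m["client"] + (f"/key {m['key']}" if m["key"] else "")
        out.append(Change("log", "add" if m["what"].startswith("adding") else "del",
                          norm(m["owner"]), m["rtype"], m["rdata"],
                          zone=m["zone"].split("/")[0], when=m["ts"], actor=actor))
    return out

def parse_journal(text: str, zone: Optional[str] = None) -> List[Change]:
    """One Change per add/del line of named-journalprint output ("[...]" etc. skipped)."""
    return [Change("journal", m["op"], norm(m["owner"]), m["rtype"], m["rdata"], zone=zone)
            for m in filter(None, map(JOURNAL_RE.match, text.splitlines()))]

def serial_transitions(changes: List[Change]) -> List[Tuple[Optional[int], int]]:
    """Pair each deleted SOA with the SOA added in its place: [(old_serial, new_serial)]."""
    out, old = [], None
    for c in changes:
        if c.rtype != "SOA" or not c.rdata:
            continue
        serial = int(c.rdata.split()[2])   # rdata is MNAME RNAME SERIAL REFRESH ...
        if c.op == "del":
            old = serial
        else:
            out.append((old, serial))
            old = None
    return out

def unlogged_journal_changes(log: List[Change], journal: List[Change]) -> List[Change]:
    """Journal entries no update log line accounts for. SOA bumps are skipped because
    named logs only the new SOA; a log line deleting an rrset or a whole name covers
    every journal deletion beneath it."""
    exact = {(c.op, c.owner, c.rtype, c.rdata) for c in log}
    rrset = {(c.op, c.owner, c.rtype) for c in log if c.rdata is None}
    name = {(c.op, c.owner) for c in log if c.rtype is None}
    return [c for c in journal if c.rtype != "SOA"
            and (c.op, c.owner, c.rtype, c.rdata) not in exact
            and (c.op, c.owner, c.rtype) not in rrset
            and (c.op, c.owner) not in name]

if __name__ == "__main__":
    log = parse_update_log(UPDATE_LOG)
    journal = parse_journal(JOURNAL, zone="private.cam.ac.uk")
    for c in log:
        print(f"{c.when} {c.actor}: {c.op} {c.owner} {c.rtype} {c.rdata or ''}".rstrip())
    print("SOA serial transitions:", serial_transitions(journal))
    for c in unlogged_journal_changes(log, journal):
        print(f"no update log entry for journal change: {c.op} {c.owner} {c.rtype} {c.rdata}")
```

Feeding real `named-journalprint` output to `parse_journal` and the `update` log to `parse_update_log` gives the same comparison for a live zone.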
BIND DNS Enable audit logs - Authoritative
Hello,

Is it possible to enable the audit logs on BIND DNS so we can track changes performed on the DNS records level (Add/Delete/Modify A, MX, NS, ... records)?

Regards,
Daniel
Unspecified error DNS query
Hello,

We are getting "Unspecified error" when querying our DNS server (query: outlook.live.com) from a PC communicating with our DNS. We tried to perform the same query from the DNS itself (localhost) and we found that the dig output shows the message "Truncated, retrying in TCP mode". We also observed that the message size of the requested query "outlook.live.com" increased recently from MSG SIZE 221 to 770.

Can you please help: why are we getting this error (client side), and why is TCP mode shown in the dig output, since other queries do not show TCP mode in their output?

[root@DNS1 dan]# dig outlook.live.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> outlook.live.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45725
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 7, ADDITIONAL: 11

;; QUESTION SECTION:
;outlook.live.com.  IN  A

;; ANSWER SECTION:
outlook.live.com.  881  IN  CNAME  edge-live.outlook.office.com.
edge-live.outlook.office.com.  280  IN  CNAME  outlook-live-com.a-0010.a-msedge.net.
outlook-live-com.a-0010.a-msedge.net.  160  IN  CNAME  ipv4.outlook.com.
ipv4.outlook.com.  126  IN  CNAME  outlook.live.com.glbdns2.microsoft.com.
outlook.live.com.glbdns2.microsoft.com.  280  IN  CNAME  live-emeaeast3.office365.com.
live-emeaeast3.office365.com.  294  IN  A  40.101.44.178
live-emeaeast3.office365.com.  294  IN  A  134.170.68.82
live-emeaeast3.office365.com.  294  IN  A  40.101.28.178
live-emeaeast3.office365.com.  294  IN  A  40.101.1.82
live-emeaeast3.office365.com.  294  IN  A  132.245.79.242
live-emeaeast3.office365.com.  294  IN  A  40.96.21.34
live-emeaeast3.office365.com.  294  IN  A  40.101.9.2
live-emeaeast3.office365.com.  294  IN  A  40.101.60.2
live-emeaeast3.office365.com.  294  IN  A  40.96.21.50
live-emeaeast3.office365.com.  294  IN  A  132.245.194.242

;; AUTHORITY SECTION:
office365.com.  170080  IN  NS  ns2.msft.net.
office365.com.  170080  IN  NS  ns1a.o365filtering.com.
office365.com.  170080  IN  NS  ns3.msft.net.
office365.com.  170080  IN  NS  ns1.msft.net.
office365.com.  170080  IN  NS  ns4a.o365filtering.com.
office365.com.  170080  IN  NS  ns4.msft.net.
office365.com.  170080  IN  NS  ns2a.o365filtering.com.

;; ADDITIONAL SECTION:
ns1.msft.net.  289  IN  A  208.84.0.53
ns2.msft.net.  170080  IN  A  208.84.2.53
ns3.msft.net.  289  IN  A  193.221.113.53
ns4.msft.net.  170080  IN  A  208.76.45.53
ns1a.o365filtering.com.  311  IN  A  157.56.110.11
ns2a.o365filtering.com.  311  IN  A  157.56.116.52
ns4a.o365filtering.com.  311  IN  A  157.55.133.11
ns1.msft.net.  289  IN  AAAA  2620:0:30::53
ns2.msft.net.  170080  IN  AAAA  2620:0:32::53
ns3.msft.net.  289  IN  AAAA  2620:0:34::53
ns4.msft.net.  170080  IN  AAAA  2620:0:37::53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct 7 07:57:41 2016
;; MSG SIZE rcvd: 770

Regards,
Daniel
RE: Resolving issue on specific domain
Yes:

Dig domainname -> Server failed
Dig domainname ServerIP -> Server failed
Dig domainame localhost -> Resolving properly

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: 15 July, 2016 1:02 PM
To: bind-users@lists.isc.org
Subject: Re: Resolving issue on specific domain

On 15.07.16 12:05, Daniel Dawalibi wrote:
>To: 'Matus UHLAR - fantomas' <uh...@fantomas.sk>,
>bind-users@lists.isc.org

please avoid personal replies. use list-reply whenever possible.

>I already did it as per below output of resolv.conf but problem persists.

do you want to say, even if you run "dig domainname" without @localhost, the dig sends the query to 194.126.10.18?

>/etc/resolv.conf
># Generated by NetworkManager
>nameserver 127.0.0.1
>nameserver 194.126.10.18

>-----Original Message-----
>From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
>Matus UHLAR - fantomas
>Sent: 15 July, 2016 11:58 AM
>To: bind-users@lists.isc.org
>Subject: Re: Resolving issue on specific domain
>
>On 12.07.16 17:13, Daniel Dawalibi wrote:
>>We are facing a weird issue while resolving a specific domain name
>>from our authoritative DNS server running on BIND 9.10.4-P1
>>
>>Server has only one public IP address.
>>
>>If you try to resolve the domain using either dig or nslookup you will
>>not get any result whereas if you specify @localhost you will get the
>>answer
>[...]
>
>>#dig @localhost soa domainname
>[...]
>
>>#dig soa domainname
>>;; SERVER: 194.126.10.18#53(194.126.10.18)
>
>as you can see, in the latter example it's not the localhost
>(127.0.0.1) but
>194.126.10.18 that gives you the answer. That means, 194.126.10.18 does not
>know the "domainname"
>
>you must add localhost to resolv.conf as first nameserver to get
>answers from it by default.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
RE: Resolving issue on specific domain
Hello,

I already did it, as per the below output of resolv.conf, but the problem persists.

/etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1
nameserver 194.126.10.18

Regards,
Daniel

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: 15 July, 2016 11:58 AM
To: bind-users@lists.isc.org
Subject: Re: Resolving issue on specific domain

On 12.07.16 17:13, Daniel Dawalibi wrote:
>We are facing a weird issue while resolving a specific domain name from
>our authoritative DNS server running on BIND 9.10.4-P1
>
>Server has only one public IP address.
>
>If you try to resolve the domain using either dig or nslookup you will
>not get any result whereas if you specify @localhost you will get the
>answer
[...]
>#dig @localhost soa domainname
[...]
>#dig soa domainname
>;; SERVER: 194.126.10.18#53(194.126.10.18)

as you can see, in the latter example it's not the localhost (127.0.0.1) but 194.126.10.18 that gives you the answer. That means, 194.126.10.18 does not know the "domainname"

you must add localhost to resolv.conf as first nameserver to get answers from it by default.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Emacs is a complicated operating system without good text editor.
Resolving issue on specific domain
Hello,

We are facing a weird issue while resolving a specific domain name from our authoritative DNS server running on BIND 9.10.4-P1. The server has only one public IP address.

If you try to resolve the domain using either dig or nslookup you will not get any result, whereas if you specify @localhost you will get the answer.

Do you have any explanation for this behavior, and what should be done to fix this issue?

Examples:

#dig @localhost soa domainname

; <<>> DiG 9.9.4-P1 <<>> @localhost soa domainname
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46807
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainname.  IN  SOA

;; ANSWER SECTION:
domainname.  86400  IN  SOA  xx.idm.net.lb. y.domainname. 1468329403 10800 3600 604800 10800

;; AUTHORITY SECTION:
domainname.  86400  IN  NS  xx.idm.net.lb.
domainname.  86400  IN  NS  yy.idm.net.lb.

#dig soa domainname

; <<>> DiG 9.9.4-P1 <<>> soa domainname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10964
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainname.  IN  SOA

;; Query time: 0 msec
;; SERVER: 194.126.10.18#53(194.126.10.18)
;; WHEN: Tue Jul 12 17:09:23 EEST 2016

Regards,
Daniel
RE: writeable file 'domain.com': already in use
Do you have the correct syntax to be adjusted on both views?

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ray Bellis
Sent: 16 June, 2016 11:04 AM
To: bind-users@lists.isc.org
Subject: Re: writeable file 'domain.com': already in use

On 16/06/2016 07:53, Daniel Dawalibi wrote:
> We are upgrading our DNS authoritative BIND version 9.10.4-P1 but we
> are facing "writing errors" on the slave zone files that are
> transferred from other Master DNS servers.
>
> Our configuration consists of two views (local and inter) and the
> domain is configured in both views sections.
>
> The problem was solved after removing the zone from one VIEW but is
> there any workaround for this issue without removing the zone from the
> view section (either Local or Inter)?

BIND 9.10.4 doesn't allow you to use the same filename for the same zone in different views (since the content should be different).

Simply change the "file" directive in one of the views and you should be fine.

Ray
writeable file 'domain.com': already in use
Hello,

We are upgrading our authoritative DNS to BIND version 9.10.4-P1, but we are facing "writing errors" on the slave zone files that are transferred from other master DNS servers.

Our configuration consists of two views (local and inter) and the domain is configured in both view sections.

The problem was solved after removing the zone from one VIEW, but is there any workaround for this issue without removing the zone from the view section (either Local or Inter)?

BIND configuration file:

...
view "local" in {
    zone "domain.com" {
        type slave;
        masters { IPsrc; };
        transfer-source IPdest;
        file "domain.com";
    };
...
view "internation" in {
    zone "domain.com" {
        type slave;
        masters { IPsrs; };
        transfer-source IPdes;
        file "domain.com";
    };
...

Errors:

Jun 15 09:08:09 DNSAUTH named[17148]: /etc/named.conf:27855: writeable file 'domain.com': already in use: /etc/named.conf:8497

Regards,
Daniel
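A check for the condition behind this error, as an added example (not BIND's own code and not from the thread): it walks a named.conf excerpt, lists writable zones that share one file across views, and shows the same excerpt with the per-view file names Ray suggests. The configuration text, addresses and file names are constructed.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on the configuration in the thread: the same slave
# zone in two views, both writing the transferred zone to the file "domain.com".
BROKEN_CONF = """
view "local" in {
    zone "domain.com" {
        type slave;
        masters { 192.0.2.1; };        // placeholder master address
        transfer-source 192.0.2.2;
        file "domain.com";
    };
};
view "internation" in {
    zone "domain.com" {
        type slave;
        masters { 192.0.2.1; };
        transfer-source 192.0.2.2;
        file "domain.com";
    };
};
"""

# The same configuration with a distinct file per view, the fix suggested in the thread.
FIXED_CONF = (BROKEN_CONF.replace('file "domain.com";', 'file "local/domain.com";', 1)
                         .replace('file "domain.com";', 'file "inter/domain.com";', 1))

# Zone types whose "file" named writes after a transfer. This simplified check does
# not consider master zones that accept dynamic updates, which named also writes.
WRITABLE_TYPES = {"slave", "secondary", "stub"}

Zone = Dict[str, Optional[str]]

def strip_comments(text: str) -> str:
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)   # C-style comments
    return re.sub(r"(//|#)[^\n]*", " ", text)              # C++- and shell-style comments

def zone_statements(conf: str) -> List[Zone]:
    """Walk the brace structure of named.conf and collect each zone's view, name,
    type and file. Only the statements this check needs are interpreted."""
    tokens = re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', strip_comments(conf))
    stack: List[str] = []           # kind of each open block: "view", "zone" or "other"
    view: Optional[str] = None
    zone: Optional[Zone] = None
    zones: List[Zone] = []
    start = 0
    for i, tok in enumerate(tokens):
        if tok not in ("{", "}", ";"):
            continue
        stmt, start = tokens[start:i], i + 1   # tokens of the statement just ended
        if tok == "{":
            head = stmt[0] if stmt else ""
            name = stmt[1].strip('"') if len(stmt) > 1 else None
            if head == "view":
                view = name
            elif head == "zone":
                zone = {"view": view, "name": name, "type": None, "file": None}
            stack.append(head if head in ("view", "zone") else "other")
        elif tok == "}":
            kind = stack.pop()
            if kind == "zone":
                zones.append(zone)
                zone = None
            elif kind == "view":
                view = None
        elif zone is not None and stack[-1] == "zone" and len(stmt) >= 2:
            if stmt[0] in ("type", "file"):    # e.g. ["file", '"domain.com"']
                zone[stmt[0]] = stmt[1].strip('"')
    return zones

def shared_writable_files(conf: str) -> Dict[str, List[Tuple[Optional[str], str]]]:
    """Map each file that more than one writable zone would write to, onto the
    (view, zone) pairs claiming it. An empty result means named's check passes."""
    users = defaultdict(list)
    for z in zone_statements(conf):
        if z["type"] in WRITABLE_TYPES and z["file"]:
            users[z["file"]].append((z["view"], z["name"]))
    return {f: u for f, u in users.items() if len(u) > 1}

def report(conf: str) -> List[str]:
    """One line per shared file, in the spirit of named's own error message."""
    return [f"writeable file '{f}': already in use by "
            + ", ".join(f'zone "{zone}" in view "{view}"' for view, zone in users)
            for f, users in shared_writable_files(conf).items()]

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label + ":", "\n".join(report(conf)) or "no shared writable files")
```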
Monitor DNS queries toward Root severs
Hello,

Is there any tool or configuration that allows us to monitor/graph the number of outbound DNS queries toward the root servers? As you can see in the examples below, the first query was answered by M root and the second query by F root.

; <<>> DiG 9.7.0-P1 <<>> www.cnn.com +trace
;; global options: +cmd
.  450124  IN  NS  f.root-servers.net.
.  450124  IN  NS  b.root-servers.net.
.  450124  IN  NS  j.root-servers.net.
.  450124  IN  NS  d.root-servers.net.
.  450124  IN  NS  h.root-servers.net.
.  450124  IN  NS  g.root-servers.net.
.  450124  IN  NS  a.root-servers.net.
.  450124  IN  NS  c.root-servers.net.
.  450124  IN  NS  k.root-servers.net.
.  450124  IN  NS  m.root-servers.net.
.  450124  IN  NS  e.root-servers.net.
.  450124  IN  NS  l.root-servers.net.
.  450124  IN  NS  i.root-servers.net.
;; Received 496 bytes from 193.227.177.130#53(193.227.177.130) in 12 ms

com.  172800  IN  NS  c.gtld-servers.net.
com.  172800  IN  NS  d.gtld-servers.net.
com.  172800  IN  NS  a.gtld-servers.net.
com.  172800  IN  NS  h.gtld-servers.net.
com.  172800  IN  NS  b.gtld-servers.net.
com.  172800  IN  NS  f.gtld-servers.net.
com.  172800  IN  NS  l.gtld-servers.net.
com.  172800  IN  NS  k.gtld-servers.net.
com.  172800  IN  NS  j.gtld-servers.net.
com.  172800  IN  NS  m.gtld-servers.net.
com.  172800  IN  NS  i.gtld-servers.net.
com.  172800  IN  NS  g.gtld-servers.net.
com.  172800  IN  NS  e.gtld-servers.net.
;; Received 489 bytes from 202.12.27.33#53(m.root-servers.net) in 68 ms

cnn.com.  172800  IN  NS  ns1.timewarner.net.
cnn.com.  172800  IN  NS  ns3.timewarner.net.
cnn.com.  172800  IN  NS  ns1.p42.dynect.net.
cnn.com.  172800  IN  NS  ns2.p42.dynect.net.
;; Received 190 bytes from 192.43.172.30#53(i.gtld-servers.net) in 64 ms

www.cnn.com.  300  IN  CNAME  turner.map.fastly.net.
;; Received 64 bytes from 204.74.108.238#53(ns1.timewarner.net) in 61 ms

; <<>> DiG 9.7.0-P1 <<>> www.cnn.com +trace
;; global options: +cmd
.  450105  IN  NS  a.root-servers.net.
.  450105  IN  NS  f.root-servers.net.
.  450105  IN  NS  l.root-servers.net.
.  450105  IN  NS  h.root-servers.net.
.  450105  IN  NS  b.root-servers.net.
.  450105  IN  NS  g.root-servers.net.
.  450105  IN  NS  k.root-servers.net.
.  450105  IN  NS  i.root-servers.net.
.  450105  IN  NS  j.root-servers.net.
.  450105  IN  NS  c.root-servers.net.
.  450105  IN  NS  m.root-servers.net.
.  450105  IN  NS  d.root-servers.net.
.  450105  IN  NS  e.root-servers.net.
;; Received 496 bytes from 193.227.177.130#53(193.227.177.130) in 0 ms

com.  172800  IN  NS  j.gtld-servers.net.
com.  172800  IN  NS  d.gtld-servers.net.
com.  172800  IN  NS  h.gtld-servers.net.
com.  172800  IN  NS  k.gtld-servers.net.
com.  172800  IN  NS  g.gtld-servers.net.
com.  172800  IN  NS  f.gtld-servers.net.
com.  172800  IN  NS  c.gtld-servers.net.
com.  172800  IN  NS  m.gtld-servers.net.
com.  172800  IN  NS  a.gtld-servers.net.
com.  172800  IN  NS  i.gtld-servers.net.
com.  172800  IN  NS  l.gtld-servers.net.
com.  172800  IN  NS  b.gtld-servers.net.
com.  172800  IN  NS  e.gtld-servers.net.
;; Received 501 bytes from 192.5.5.241#53(f.root-servers.net) in 155 ms

cnn.com.  172800  IN  NS  ns1.timewarner.net.
cnn.com.  172800  IN  NS  ns3.timewarner.net.
cnn.com.  172800  IN  NS  ns1.p42.dynect.net.
RE: Adding CNAME for the root domain issue
Hello Barry,

DNS registrars can offer this option by using apex/naked/root domain redirection.

Regards,
Daniel

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: 27 April, 2016 5:23 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Adding CNAME for the root domain issue

In article, "John Levine" wrote:

> Assuming you mean this (notice the dots):
>
> Domain.com. CNAME x.y.com.
> www CNAME x.y.com.
>
> it should work. Some people believe that you can't have other records
> at names below a name with a CNAME, but they are mistaken.

The problem isn't with names *below* the CNAME, it's with other records with the same name as the CNAME. In particular, the SOA record for domain.com.

You would only be able to do this if you could put the CNAME record in the parent domain, instead of delegating domain.com to your own server. But do any domain registrars support that option?

--
Barry Margolin
Arlington, MA
RE: Adding CNAME for the root domain issue
Hello John,

The below is not working on our BIND version, BIND 9.10.0-P2, unless it is working on another version:

Domain.com. CNAME x.y.com.
www CNAME x.y.com.

Errors returned when adding these records:

general: dns_master_load: ourweddingaccount.com.db.inter:13: ourweddingaccount.com: CNAME and other data

If we proceed with the below workaround, replacing the CNAME with an A record, it will resolve, but our setup requires a CNAME record.

Domain.com. A IPaddress
www CNAME x.y.com.

Regards,
Daniel

-----Original Message-----
From: John Levine [mailto:jo...@iecc.com]
Sent: 27 April, 2016 4:56 PM
To: bind-users@lists.isc.org
Cc: daniel.dawal...@idm.net.lb
Subject: Re: Adding CNAME for the root domain issue

Assuming you mean this (notice the dots):

Domain.com. CNAME x.y.com.
www CNAME x.y.com.

it should work. Some people believe that you can't have other records at names below a name with a CNAME, but they are mistaken.

On the other hand, this will not work.

domain.com. CNAME x.y.com.
domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and AAAA records.

R's,
John
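An added example (not from the thread and not BIND's code) that checks a zone fragment for the "CNAME and other data" condition named reports above: the apex CNAME beside the SOA and NS records, the www CNAME below it that John says is fine, and his CNAME-plus-MX case. The zone contents are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed zone fragment for the cases discussed in the thread: a CNAME at the
# apex (which already owns SOA and NS), a CNAME for www below it, and a CNAME
# sharing its owner name with an MX record.
SAMPLE_ZONE = """\
$ORIGIN domain.com.
$TTL 3600
@           IN SOA   ns1.domain.com. hostmaster.domain.com. 2016042701 10800 3600 604800 10800
            IN NS    ns1.domain.com.
domain.com. IN CNAME x.y.com.
www         IN CNAME x.y.com.
ns1         IN A     192.0.2.1
mail        IN CNAME x.y.com.
mail        IN MX    10 server.somewhere.
"""

# RFC 4035 lets these sit beside a CNAME in a signed zone, so they are not "other data".
DNSSEC_ALLOWED = {"RRSIG", "NSEC"}
CLASSES = {"IN", "CH", "HS"}

def parse_zone(text: str, origin: str = ".") -> List[Tuple[str, str]]:
    """Return (owner, type) for each record of a master-file fragment. Handles $ORIGIN,
    $TTL, "@", relative names, a blank owner field and optional TTL/class; it does not
    handle multi-line records or ';' inside quoted rdata."""
    records: List[Tuple[str, str]] = []
    owner = origin
    for raw in text.splitlines():
        fields = raw.split(";")[0].split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0].startswith("$"):
            continue                          # $TTL and friends define no records
        if raw[0].isspace():
            name = owner                      # blank owner field repeats the last owner
        else:
            name = fields.pop(0)
            if name == "@":
                name = origin
            elif not name.endswith("."):
                name = f"{name}.{origin}" if origin != "." else f"{name}."
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                     # skip optional TTL and class
        owner = name
        records.append((name.lower(), fields[0].upper()))
    return records

def cname_conflicts(records: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Owners holding a CNAME together with other data, which RFC 1034 section 3.6.2
    forbids and named rejects with "CNAME and other data"."""
    types: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype in records:
        types[owner].add(rtype)
    return {o: sorted(t) for o, t in types.items()
            if "CNAME" in t and t - {"CNAME"} - DNSSEC_ALLOWED}

if __name__ == "__main__":
    for owner, types in cname_conflicts(parse_zone(SAMPLE_ZONE)).items():
        print(f"{owner}: CNAME and other data ({', '.join(types)})")
```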
Adding CNAME for the root domain issue
Hello,

We are facing a resolving problem on BIND DNS when adding a CNAME RR for the root domain together with other records. Do you have any workaround, since it is not feasible as per the following article, RFC 1034 section 3.6.2: http://www.faqs.org/rfcs/rfc1034.html ?

Example:

Domain.com CNAME x.y.com
www CNAME x.y.com

Regards,
Daniel
RE: g.root-servers.net not reachable anymore
Do you think it is better to remove it from named.root? Is there any impact on DNS resolving?

Regards,
Daniel

-----Original Message-----
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
Sent: 14 April, 2016 10:35 AM
To: Daniel Stirnimann
Cc: Daniel Dawalibi; bind-us...@isc.org
Subject: Re: g.root-servers.net not reachable anymore

On Thu, Apr 14, 2016 at 08:35:00AM +0200, Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote a message of 14 lines which said:

> Looks like you are not alone!
>
> https://atlas.ripe.net/dnsmon/group/g-root

Only broken over UDP. Works on TCP and still replies to traceroute.
g.root-servers.net not reachable anymore
Hello,

Is anyone experiencing a reachability issue toward g.root-servers.net?

# dig @g.root-servers.net ns

; <<>> DiG 9.7.0-P1 <<>> @g.root-servers.net ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

# dig @192.112.36.4 ns

; <<>> DiG 9.7.0-P1 <<>> @192.112.36.4 ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Regards,
Daniel
DNS BIND traffic capture ICMP/UDP
Hello,

We observed unusual traffic combining ICMP and UDP packets while running the tcpdump command on the DNS caching server. Kindly note that only UDP DNS traffic is allowed on this server (ICMP is not allowed from outside to the DNS server).

Any help regarding this issue? Why are we getting ICMP and UDP requests? Could it be an attack?

Logs:

# tcpdump -n icmp
15:41:05.054237 IP 10.151.130.74 > DNSIP: ICMP 10.151.130.74 udp port 52003 unreachable, length 52
15:41:05.064449 IP 10.75.6.36 > DNSIP: ICMP 10.75.6.36 udp port 50162 unreachable, length 52
15:41:05.067953 IP 10.33.10.155 > DNSIP: ICMP 10.33.10.155 udp port 50233 unreachable, length 52
15:41:05.067958 IP 10.75.15.162 > DNSIP: ICMP 10.75.15.162 udp port 53847 unreachable, length 52
15:41:05.072727 IP 10.33.12.219 > DNSIP: ICMP 10.33.12.219 udp port 51024 unreachable, length 52
..

Example: 10.151.130.74 (client source IP)
DNSIP: DNS server IP

Regards,
Daniel
RE: reject invalid dns queries
Hello,

Allow-query is only allowed for the specified IPs defined in the allow-query statement.

Regards,
Daniel

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
Sent: Monday, January 19, 2015 5:21 PM
To: bind-users@lists.isc.org
Subject: Re: reject invalid dns queries

On 19.01.15 16:14, Daniel Dawalibi wrote:
>Invalid DNS queries : non-existent domains that do not resolve to any IP
>as mentioned in the below example.

you should better not use this definition.

>We are trying to protect our DNS servers from a number of invalid dns
>queries targeting our caching server and originated from different
>source IPs. Is there any way to drop these requests based on the Query
>Access list from the DNS configuration file (named.conf)?

you can NOT know if a hostname exists before you try to resolve it. After that, you can't block it anymore.

do you allow recursion for remote clients? (recursion and allow-recursion statements)
Do you allow DNS access from remote clients? (allow-query statement)

Perhaps denying remote clients from even accessing your caching server would help you with this problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!
RE: reject invalid dns queries
Hello,

Invalid DNS queries: non-existent domains that do not resolve to any IP, as mentioned in the example below.

We are trying to protect our DNS servers from a number of invalid DNS queries targeting our caching server and originating from different source IPs. Is there any way to drop these requests based on the query access list in the DNS configuration file (named.conf)?

Example:

Default Server: google-public-dns-a.google.com
Address: DNS IP

invaliddnsqueries.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

*** DNS IP can't find invaliddnsqueries.com: Non-existent domain

DNS query logs:

19-Jan-2015 15:44:08.519 queries: client IP#49791 (invaliddnsqueries.com): view zones: query: invaliddnsqueries.com IN A + (DNS IP)
19-Jan-2015 15:45:00.214 queries: client IP#49791 (invaliddnsqueries.com): view zones: query: invaliddnsqueries.com IN A + (DNS IP)
19-Jan-2015 15:46:08.100 queries: client IP#49791 (invaliddnsqueries.com): view zones: query: invaliddnsqueries.com IN A + (DNS IP)

Regards,
Daniel

-----Original Message-----
From: Warren Kumari [mailto:war...@kumari.net]
Sent: Wednesday, January 14, 2015 11:31 PM
To: Daniel Dawalibi
Cc: bind-users@lists.isc.org
Subject: Re: reject invalid dns queries

Perhaps if you explained a little more clearly what you are trying to accomplish you might get more replies...

What are invalid DNS queries? What are they in the configuration?

On Wed, Jan 14, 2015 at 5:53 AM, Daniel Dawalibi daniel.dawal...@idm.net.lb wrote:
> Hello,
>
> Is there any solution to drop the invalid DNS queries from the BIND configuration?
>
> Regards
> Daniel

--
I don't think the execution is relevant when it was obviously a bad idea in the first place.
This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
---maf
reject invalid dns queries
Hello,

Is there any solution to drop the invalid DNS queries from the BIND configuration?

Regards,
Daniel
RE: Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND
Hello We are facing a similar problem by getting an intermittent SERVER FAILS on several domains and specifically during the high traffic. Please note that the IPV6 dual stack is not configured in the Operating system and we are not using any IPV6 option in the BIND configuration file. 1- We compiled several BIND versions on different CentOS platforms CentOS release 5.10 with BIND 9.9.5 and BIND 9.7.2-P2 : Problem Persists CentOS release 5.6 with BIND 9.9.5 and BIND 9.7.2-P2 : Proble Persits 2- We bypassed all network devices (Firewall, Shaper, IPS, LOADBALANCER): Problem persists 3- TCPDUMP performed on the name servers showed the SERVERFAIL in the capture 4- Dig debugging output shows intermittent SERVER FAIL: dig www.mcafee.com HEADER- opcode: QUERY, status: SERVFAIL, id: 49448 ot fo other domains 5- We noticed during our debugging a failure when using dig +trace ;; Received 493 bytes from 192.5.5.241#53(f.root-servers.net) in 64 ms dig: couldn't get address for 'k.gtld-servers.net': failure Regards Daniel Dawalibi Senior Systems Engineer e-mail:daniel.dawal...@idm.net.lb Jisr Al Bacha P.O. Box 11-316 Beirut Lebanon tel +961 1 512513 ext. 366| fax +961 1 510474 tech support 1282 | http://www.idm.net.lb PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL Confidentiality Notice: The information in this document and attachments is confidential and may also be legally privileged. It is intended only for the use of the named recipient. Internet communications are not secure and therefore IDM does not accept legal responsibility for the contents of this message. If you are not the intended recipient, please notify us immediately and then delete this document. Do not disclose the contents of this document to any other person, nor take any copies. Violation of this notice may be unlawful. 
-----Original Message-----
From: bind-users-bounces+daniel.dawalibi=idm.net...@lists.isc.org [mailto:bind-users-bounces+daniel.dawalibi=idm.net...@lists.isc.org] On Behalf Of Kostas Zorbadelos
Sent: Wednesday, March 05, 2014 3:16 PM
To: Bind Users Mailing List
Subject: Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND

Greetings to all,

we operate an anycast caching resolving farm for our customer base, based on CentOS (6.4 or 6.5), BIND (9.9.2, 9.9.5 or the stock CentOS package BIND 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1) and quagga (the stock CentOS package).

The problem is that we have noticed sporadic but noticeable SERVFAILs in 3 out of 10 total machines. Cacti measurements obtained via the BIND XML interface show traffic from 1.5K queries/sec (lowest loaded machines) to 15K queries/sec (highest). The problem is that in 3 specific machines in one geolocation we notice, after a BIND restart and a period of time that can range between half an hour and several hours, SERVFAILs in resolutions. The 3 machines do not have the highest load in the farm (6-8K q/sec). The resolution problems are noticeable to the customers ending up in these machines but do not show up as high numbers in the BIND XML resolver statistics (ServFail number).

We reproduce the problem by querying for a specific domain name using a loop of the form

   while [ 1 ]; do clear; rndc flushname www.linux-tutorial.info; sleep 1; dig www.linux-tutorial.info @localhost; sleep 2; done | grep SERVFAIL

The www.linux-tutorial.info is not the only domain experiencing resolution problems of course. The above loop can run for hours without issues on low-traffic hours (night, after a clean BIND restart), but during the day it shows quite a few SERVFAILs, which affect other domains as well. During the problem we notice with tcpdump that, when SERVFAIL is produced, no query packet exits the server for resolution.

We have noticed nothing in BIND logs (we even tried to raise debugging levels and log all relevant categories). An example capture running the above loop:

   # tcpdump -nnn -i any -p dst port 53 or src port 53 | grep 'linux-tutorial'
   tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
   listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
   14:33:03.590908 IP6 ::1.53059 > ::1.53: 15773+ A? www.linux-tutorial.info. (41)
   14:33:03.591292 IP 83.235.72.238.45157 > 213.133.105.6.53: 19156% [1au] A? www.linux-tutorial.info. (52)
   Success
   14:33:06.664411 IP6 ::1.45090 > ::1.53: 48526+ A? www.linux-tutorial.info. (41)
   14:33:06.664719 IP6 2a02:587:50da:b::1.23404 > 2a00:1158:4::add:a3.53: 30244% [1au] A? www.linux-tutorial.info. (52)
   Success
   14:33:31.434209 IP6 ::1.43397 > ::1.53: 26607+ A? www.linux-tutorial.info. (41)
   SERVFAIL
   14:33:43.672405 IP6 ::1.58282 > ::1.53: 27125+ A? www.linux-tutorial.info. (41)
   SERVFAIL
   14:33:49.706645 IP6 ::1.54936 > ::1.53: 40435+ A? www.linux-tutorial.info. (41)
   14:33:49.706976 IP6 2a02:587:50da:b::1.48961 > 2a00:1158:4::add:a3.53: 4287% [1au
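The capture above shows the symptom Kostas describes: a stub-client query that gets SERVFAIL while no query leaves the box. As an added example (not code from the thread), this script takes tcpdump output in that format, correlates each loopback client query with an outbound query for the same name, and reports the client queries that were never forwarded; the capture text, the 2-second window and the loopback source set are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the tcpdump excerpt in the thread (not the original
# capture): loopback client queries from the dig loop plus named's outbound queries.
SAMPLE_CAPTURE = """\
14:33:03.590908 IP6 ::1.53059 > ::1.53: 15773+ A? www.linux-tutorial.info. (41)
14:33:03.591292 IP 83.235.72.238.45157 > 213.133.105.6.53: 19156% [1au] A? www.linux-tutorial.info. (52)
14:33:06.664411 IP6 ::1.45090 > ::1.53: 48526+ A? www.linux-tutorial.info. (41)
14:33:06.664719 IP6 2a02:587:50da:b::1.23404 > 2a00:1158:4::add:a3.53: 30244% [1au] A? www.linux-tutorial.info. (52)
14:33:31.434209 IP6 ::1.43397 > ::1.53: 26607+ A? www.linux-tutorial.info. (41)
14:33:43.672405 IP6 ::1.58282 > ::1.53: 27125+ A? www.linux-tutorial.info. (41)
14:33:49.706645 IP6 ::1.54936 > ::1.53: 40435+ A? www.linux-tutorial.info. (41)
14:33:49.706976 IP6 2a02:587:50da:b::1.48961 > 2a00:1158:4::add:a3.53: 4287% [1au] A? www.linux-tutorial.info. (52)
"""

# One tcpdump query line: timestamp, IP/IP6, "src > dst:", id+flags, optional "[1au]", "QTYPE? qname".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<id>\d+)[+%]* (?:\[1au\] )?(?P<qtype>[A-Z]+)\? (?P<qname>\S+) "
)
LOOPBACK = {"::1", "127.0.0.1"}  # assumed stub-client sources in the capture

def parse_queries(text):
    """Query records; a loopback source is a stub client, anything else is
    named's own outbound recursive query."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner lines, responses, unrelated traffic
        rows.append({"ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"), "id": int(m["id"]),
                     "qname": m["qname"].lower(),
                     "client": m["src"].rsplit(".", 1)[0] in LOOPBACK})
    return rows

def unforwarded_queries(text, window_s=2.0):
    """IDs of client queries with no outbound query for the same name within window_s.
    The loop runs rndc flushname first, so the name is not cached: a missing outbound
    query here is the SERVFAIL symptom in the thread, not a legitimate cache hit."""
    rows = parse_queries(text)
    outbound = [r for r in rows if not r["client"]]
    missing = []
    for q in (r for r in rows if r["client"]):
        deadline = q["ts"] + timedelta(seconds=window_s)
        if not any(o["qname"] == q["qname"] and q["ts"] <= o["ts"] <= deadline
                   for o in outbound):
            missing.append(q["id"])
    return missing
```

On the sample, the two queries flagged (ids 26607 and 27125) are exactly the ones Kostas marked SERVFAIL.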
RE: intermittent resolving problem for some domains
Hello,

I am able to reach the root servers and I can resolve other domains.

   ; <<>> DiG 9.8.0 <<>> . ns
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32217
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

   ;; QUESTION SECTION:
   ;.                      IN      NS

   ;; ANSWER SECTION:
   .                       518187  IN      NS      i.root-servers.net.
   .                       518187  IN      NS      d.root-servers.net.
   .                       518187  IN      NS      g.root-servers.net.
   .                       518187  IN      NS      f.root-servers.net.
   .                       518187  IN      NS      m.root-servers.net.
   .                       518187  IN      NS      h.root-servers.net.
   .                       518187  IN      NS      j.root-servers.net.
   .                       518187  IN      NS      c.root-servers.net.
   .                       518187  IN      NS      b.root-servers.net.
   .                       518187  IN      NS      l.root-servers.net.
   .                       518187  IN      NS      e.root-servers.net.
   .                       518187  IN      NS      a.root-servers.net.
   .                       518187  IN      NS      k.root-servers.net.

   ;; ADDITIONAL SECTION:
   a.root-servers.net.     604587  IN      A       198.41.0.4
   a.root-servers.net.     604603  IN      AAAA    2001:503:ba3e::2:30
   b.root-servers.net.     604587  IN      A       192.228.79.201
   c.root-servers.net.     604587  IN      A       192.33.4.12
   d.root-servers.net.     604767  IN      A       199.7.91.13
   d.root-servers.net.     604767  IN      AAAA    2001:500:2d::d
   e.root-servers.net.     604587  IN      A       192.203.230.10
   f.root-servers.net.     604587  IN      A       192.5.5.241
   f.root-servers.net.     604587  IN      AAAA    2001:500:2f::f
   g.root-servers.net.     604587  IN      A       192.112.36.4
   h.root-servers.net.     604587  IN      A       128.63.2.53
   h.root-servers.net.     604587  IN      AAAA    2001:500:1::803f:235
   i.root-servers.net.     604765  IN      A       192.36.148.17
   i.root-servers.net.     604765  IN      AAAA    2001:7fe::53

   ;; Query time: 2 msec
   ;; SERVER: 127.0.0.1#53(127.0.0.1)
   ;; WHEN: Wed Feb 19 16:38:34 2014
   ;; MSG SIZE  rcvd: 512

Best Regards,
Daniel Dawalibi

-----Original Message-----
From: Niall O'Reilly [mailto:niall.orei...@ucd.ie]
Sent: Wednesday, February 19, 2014 1:22 PM
To: Daniel Dawalibi
Cc: bind-users@lists.isc.org
Subject: Re: intermittent resolving problem for some domains

At Wed, 19 Feb 2014 00:33:11 +0200,
Daniel Dawalibi wrote:
> Kindly note that the number of recursive clients is increasing during the problem: recursive clients: 3700/14900/15000

I think it's likely that you have a connectivity problem. I'd suggest checking whether your server which is giving these messages can reach any of the root servers or even any of the external Internet.

Best regards,
Niall O'Reilly

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
intermittent resolving problem for some domains
Hello,

We are facing intermittent resolving problems on several domains. While debugging the issue we found the failures below. Can you please help?

Kindly note that the number of recursive clients is increasing during the problem: recursive clients: 3700/14900/15000

1- dig: couldn't get address for 'k.gtld-servers.net': failure

   ;; global options: printcmd
   .                       518011  IN      NS      f.root-servers.net.
   .                       518011  IN      NS      g.root-servers.net.
   .                       518011  IN      NS      h.root-servers.net.
   .                       518011  IN      NS      i.root-servers.net.
   .                       518011  IN      NS      j.root-servers.net.
   .                       518011  IN      NS      k.root-servers.net.
   .                       518011  IN      NS      l.root-servers.net.
   .                       518011  IN      NS      m.root-servers.net.
   .                       518011  IN      NS      a.root-servers.net.
   .                       518011  IN      NS      b.root-servers.net.
   .                       518011  IN      NS      c.root-servers.net.
   .                       518011  IN      NS      d.root-servers.net.
   .                       518011  IN      NS      e.root-servers.net.
   ;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

   com.                    172800  IN      NS      k.gtld-servers.net.
   com.                    172800  IN      NS      c.gtld-servers.net.
   com.                    172800  IN      NS      d.gtld-servers.net.
   com.                    172800  IN      NS      g.gtld-servers.net.
   com.                    172800  IN      NS      f.gtld-servers.net.
   com.                    172800  IN      NS      e.gtld-servers.net.
   com.                    172800  IN      NS      j.gtld-servers.net.
   com.                    172800  IN      NS      b.gtld-servers.net.
   com.                    172800  IN      NS      h.gtld-servers.net.
   com.                    172800  IN      NS      m.gtld-servers.net.
   com.                    172800  IN      NS      a.gtld-servers.net.
   com.                    172800  IN      NS      l.gtld-servers.net.
   com.                    172800  IN      NS      i.gtld-servers.net.
   ;; Received 493 bytes from 192.5.5.241#53(f.root-servers.net) in 64 ms
   dig: couldn't get address for 'k.gtld-servers.net': failure

2- named_dump.db

   ; ns1lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
   ; ns2nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
   ; ns2dc2.example.com [v4 TTL 167] [v6 TTL 2] [v4 not_found] [v6 nxrrset]
   ; ns2lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
   ; ns1nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]

3- SERVFAIL

   ; <<>> DiG 9.8.0 <<>> www.example.com
   ;; global options: +cmd
   ;; Got answer:
   ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58716
   ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

Regards,
Daniel
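The named_dump.db lines in item 2 are the address database (ADB) entries for the zone's nameservers: for each NS name, whether named currently holds an A/AAAA address for it and how long that state is cached. As an added example (not code from the thread or from ISC), this parser reads that excerpt format and reports which nameservers named has no usable address for on either family, which ones are still reachable, and how soon the earliest failed entry expires; the sample dump (with one extra, still-usable server appended) and the set of unusable states are constructed assumptions.

```python
import re

# Constructed named_dump.db ADB excerpt in the format quoted in the thread (not the
# original dump); the last line is added to show a server that is still usable.
SAMPLE_DUMP = """\
; Address database dump
; ns1lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns2nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns2dc2.example.com [v4 TTL 167] [v6 TTL 2] [v4 not_found] [v6 nxrrset]
; ns2lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns1nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns3.other.example [v4 TTL 300] [v6 TTL 300] [v4 success] [v6 failure]
"""

ENTRY_RE = re.compile(
    r"^; (?P<name>\S+) \[v4 TTL (?P<ttl4>\d+)\] \[v6 TTL (?P<ttl6>\d+)\] "
    r"\[v4 (?P<st4>\w+)\] \[v6 (?P<st6>\w+)\]"
)
# States (assumed set) under which named has no address to query for that family:
# "failure" = the lookup of the NS's own address failed; "not_found"/"nxrrset" =
# the NS name simply has no A/AAAA record.
UNUSABLE = {"failure", "not_found", "nxrrset"}

def parse_adb(text):
    """Parse ADB nameserver entries from a named_dump.db excerpt."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"name": m["name"], "ttl4": int(m["ttl4"]), "ttl6": int(m["ttl6"]),
                            "v4": m["st4"], "v6": m["st6"]})
    return entries

def lookup_failed(entries):
    """Nameservers whose address lookup failed on both families. Many such entries at
    once point at connectivity from this resolver (Niall's suggestion in the thread)
    rather than at one zone's data."""
    return [e["name"] for e in entries if e["v4"] == "failure" and e["v6"] == "failure"]

def usable(entries):
    """Nameservers named can still send a query to on at least one family."""
    return [e["name"] for e in entries if e["v4"] not in UNUSABLE or e["v6"] not in UNUSABLE]

def seconds_until_retry(entries):
    """Shortest remaining TTL among fully unusable entries: the soonest named will
    re-fetch one of those NS addresses instead of reusing the cached failure."""
    ttls = [min(e["ttl4"], e["ttl6"]) for e in entries
            if e["v4"] in UNUSABLE and e["v6"] in UNUSABLE]
    return min(ttls) if ttls else 0
```

If usable() is empty for every nameserver of a zone, that zone answers SERVFAIL from this resolver until the entries expire, which matches the dig output in item 3.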