RE: BIND DNS Enable audit logs - Authoritative

2019-01-11 Thread Daniel Dawalibi
Hello 

We edit our zones manually (not through the panel interface). Is it possible to
log DNS updates in this case?
Logging is already enabled, but we are unable to track the updated zones in
the logs.
The enabled categories on the authoritative master DNS server are "xfer-in",
"security", "network", "default", "config", "queries" and "update".

How can we enable the journal files in our case? Is there any impact on the
DNS performance?


Regards
Daniel 

-Original Message-
From: Tony Finch [mailto:d...@dotat.at] 
Sent: Tuesday, January 8, 2019 2:05 PM
To: Daniel Dawalibi
Cc: bind-users@lists.isc.org
Subject: Re: BIND DNS Enable audit logs - Authoritative
Importance: High

Daniel Dawalibi wrote:
>
> Is it possible to enable the audit logs on BIND DNS so we can track
> changes performed on the DNS records level (Add/Delete/Modify A,MX,NS,.
> records)?

You can get that by default, depending on how the changes were performed.

If you use `nsupdate` or some other dynamic DNS UPDATE client, `named` will
log changes like this ...

08-Jan-2019 11:55:09.826 update: info:
client @0x55b747f47ec0 ::1#5685/key local-ddns:
updating zone 'private.cam.ac.uk/IN':
adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk.
hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info:
client @0x55b747f47ec0 ::1#5685/key local-ddns:
updating zone 'private.cam.ac.uk/IN':
adding an RR at '.lcil.private.cam.ac.uk' A 172.22.QQ.QQ

The changes are also recorded in the zone's journal, which you can extract
like:

$ named-journalprint /home/named/zone/private.cam.ac.uk.jnl
[...]
del private.cam.ac.uk.  3600 IN  SOA primary.dns.cam.ac.uk.
hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.  3600 IN  SOA primary.dns.cam.ac.uk.
hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add .lcil.private.cam.ac.uk. 3600 IN A   172.22.QQ.QQ

You might want to use the `ixfr-from-differences` and `max-journal-size`
options if you care about preserving journal contents.

Alternatively, keep your zone contents in `git` or a database that keeps an
audit log :-)

Tony.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
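As an added example (not code from the thread or from ISC), here is a small Python parser that turns the `update` category log lines and the `named-journalprint` output quoted above into structured audit records, flags updates that arrived without a TSIG key, and reads the SOA serial change out of a journal transaction. The sample input is constructed: the host names, the unkeyed client `192.0.2.7` and the `deleting ...` message forms are assumptions; only the `adding an RR at` form is quoted in the thread.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the update-category lines quoted in the thread,
# rejoined onto single lines as named writes them (they were wrapped for
# e-mail), plus one constructed update that arrived without a TSIG key.
SAMPLE_LOG = """\
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'private.cam.ac.uk' SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': adding an RR at 'host.private.cam.ac.uk' A 172.22.1.2
08-Jan-2019 11:55:09.826 update: info: client @0x55b747f47ec0 ::1#5685/key local-ddns: updating zone 'private.cam.ac.uk/IN': deleting rrset at 'old.private.cam.ac.uk' A
08-Jan-2019 12:03:41.118 update: info: client @0x55b747f47ec0 192.0.2.7#4242: updating zone 'private.cam.ac.uk/IN': adding an RR at 'rogue.private.cam.ac.uk' A 192.0.2.9
"""

# Constructed sample: named-journalprint output for the same zone.
SAMPLE_JOURNAL = """\
del private.cam.ac.uk.  3600 IN SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546944908 1800 900 604800 3600
add private.cam.ac.uk.  3600 IN SOA primary.dns.cam.ac.uk. hostmaster.cam.ac.uk. 1546948509 1800 900 604800 3600
add host.private.cam.ac.uk. 3600 IN A 172.22.1.2
"""


@dataclass
class AuditEvent:
    timestamp: Optional[str]  # None for journal entries: the journal has no clock
    source: str               # "log" or "journal"
    client: Optional[str]     # address#port of the updater, log entries only
    key: Optional[str]        # TSIG key name, or None if the update was unkeyed
    zone: str
    action: str               # "add" or "del"
    name: str
    rtype: Optional[str]
    rdata: Optional[str]


# "adding an RR at" is the form quoted in the thread; the deletion forms are
# assumed from BIND's other update-category messages.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) update: info: client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[^ /]+)(?:/key (?P<key>[^:]+))?: "
    r"updating zone '(?P<zone>[^']+)': "
    r"(?P<action>adding an RR|deleting an RR|deleting rrset|deleting all rrsets) at "
    r"'(?P<name>[^']+)'(?: (?P<type>[A-Z0-9]+))?(?: (?P<rdata>.*))?$"
)


def parse_update_log(text: str) -> List[AuditEvent]:
    """Turn update-category log lines into AuditEvents; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        action = "add" if m["action"].startswith("adding") else "del"
        zone = m["zone"].split("/")[0]  # drop the '/IN' class suffix
        events.append(AuditEvent(m["ts"], "log", m["client"], m["key"], zone,
                                 action, m["name"], m["type"], m["rdata"]))
    return events


def parse_journal(text: str, zone: str) -> List[AuditEvent]:
    """Parse the 'add'/'del' lines of named-journalprint output for one zone."""
    events = []
    for line in text.splitlines():
        parts = line.split(None, 5)  # op name ttl class type [rdata]
        if len(parts) < 5 or parts[0] not in ("add", "del"):
            continue
        op, name, _ttl, _class, rtype = parts[:5]
        rdata = parts[5] if len(parts) == 6 else None
        events.append(AuditEvent(None, "journal", None, None, zone, op,
                                 name.rstrip("."), rtype, rdata))
    return events


def unkeyed_updates(events: List[AuditEvent]) -> List[AuditEvent]:
    """Changes that were not authenticated with a TSIG key: worth alerting on."""
    return [e for e in events if e.source == "log" and e.key is None]


def serial_change(events: List[AuditEvent]) -> Optional[Tuple[int, int]]:
    """(old, new) SOA serial from a journal transaction's del/add SOA pair."""
    old = new = None
    for e in events:
        if e.rtype == "SOA" and e.rdata:
            serial = int(e.rdata.split()[2])  # mname rname serial refresh ...
            if e.action == "del":
                old = serial
            else:
                new = serial
    return None if old is None or new is None else (old, new)


if __name__ == "__main__":
    zone = "private.cam.ac.uk"
    for e in parse_update_log(SAMPLE_LOG) + parse_journal(SAMPLE_JOURNAL, zone):
        print(e.source, e.action, e.name, e.rtype, e.rdata or "", "key=" + str(e.key))
    print("unkeyed:", [e.client for e in unkeyed_updates(parse_update_log(SAMPLE_LOG))])
    print("serial:", serial_change(parse_journal(SAMPLE_JOURNAL, zone)))
```

Zone files edited by hand and reloaded never pass through this path, which is why nothing shows up in the `update` category or the journal for them.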


BIND DNS Enable audit logs - Authoritative

2019-01-07 Thread Daniel Dawalibi
Hello

Is it possible to enable the audit logs on BIND DNS so we can track changes
performed on the DNS records level (Add/Delete/Modify A,MX,NS,. records)?

Regards

Daniel



Unspecified error DNS query

2016-10-07 Thread Daniel Dawalibi
Hello

We are getting "Unspecified error" when querying our DNS server (query:
outlook.live.com) from a PC communicating with our DNS.

We tried to perform the same query from the DNS server itself (localhost) and we
found that the dig output shows the following message: "Truncated,
retrying in TCP mode".

We also observed that the message size of the requested query
"outlook.live.com" increased recently from MSG SIZE 221 to 770.

Can you please help us understand why we are getting this error (client side)
and why TCP mode is shown in the dig output, since other queries do not show
TCP mode in their output?

 

[root@DNS1 dan]# dig outlook.live.com
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> outlook.live.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45725
;; flags: qr rd ra; QUERY: 1, ANSWER: 15, AUTHORITY: 7, ADDITIONAL: 11

;; QUESTION SECTION:
;outlook.live.com.              IN      A

;; ANSWER SECTION:
outlook.live.com.       881     IN      CNAME   edge-live.outlook.office.com.
edge-live.outlook.office.com. 280 IN    CNAME   outlook-live-com.a-0010.a-msedge.net.
outlook-live-com.a-0010.a-msedge.net. 160 IN CNAME ipv4.outlook.com.
ipv4.outlook.com.       126     IN      CNAME   outlook.live.com.glbdns2.microsoft.com.
outlook.live.com.glbdns2.microsoft.com. 280 IN CNAME live-emeaeast3.office365.com.
live-emeaeast3.office365.com. 294 IN    A       40.101.44.178
live-emeaeast3.office365.com. 294 IN    A       134.170.68.82
live-emeaeast3.office365.com. 294 IN    A       40.101.28.178
live-emeaeast3.office365.com. 294 IN    A       40.101.1.82
live-emeaeast3.office365.com. 294 IN    A       132.245.79.242
live-emeaeast3.office365.com. 294 IN    A       40.96.21.34
live-emeaeast3.office365.com. 294 IN    A       40.101.9.2
live-emeaeast3.office365.com. 294 IN    A       40.101.60.2
live-emeaeast3.office365.com. 294 IN    A       40.96.21.50
live-emeaeast3.office365.com. 294 IN    A       132.245.194.242

;; AUTHORITY SECTION:
office365.com.          170080  IN      NS      ns2.msft.net.
office365.com.          170080  IN      NS      ns1a.o365filtering.com.
office365.com.          170080  IN      NS      ns3.msft.net.
office365.com.          170080  IN      NS      ns1.msft.net.
office365.com.          170080  IN      NS      ns4a.o365filtering.com.
office365.com.          170080  IN      NS      ns4.msft.net.
office365.com.          170080  IN      NS      ns2a.o365filtering.com.

;; ADDITIONAL SECTION:
ns1.msft.net.           289     IN      A       208.84.0.53
ns2.msft.net.           170080  IN      A       208.84.2.53
ns3.msft.net.           289     IN      A       193.221.113.53
ns4.msft.net.           170080  IN      A       208.76.45.53
ns1a.o365filtering.com. 311     IN      A       157.56.110.11
ns2a.o365filtering.com. 311     IN      A       157.56.116.52
ns4a.o365filtering.com. 311     IN      A       157.55.133.11
ns1.msft.net.           289     IN      AAAA    2620:0:30::53
ns2.msft.net.           170080  IN      AAAA    2620:0:32::53
ns3.msft.net.           289     IN      AAAA    2620:0:34::53
ns4.msft.net.           170080  IN      AAAA    2620:0:37::53

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Oct  7 07:57:41 2016
;; MSG SIZE  rcvd: 770

 

 

Regards

Daniel


RE: Resolving issue on specific domain

2016-07-15 Thread Daniel Dawalibi
Yes

Dig domainname -> Server failed
Dig domainname ServerIP -> Server failed
Dig domainname localhost -> Resolving properly

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Matus UHLAR - fantomas
Sent: 15 July, 2016 1:02 PM
To: bind-users@lists.isc.org
Subject: Re: Resolving issue on specific domain

On 15.07.16 12:05, Daniel Dawalibi wrote:
>To: 'Matus UHLAR - fantomas' <uh...@fantomas.sk>, 
>bind-users@lists.isc.org

please avoid personal replies. use list-reply whenever possible.

>I already did it as per below output of resolv.conf but problem persists.

do you want to say, even if you run "dig domainname" without @localhost, the
dig sends query to  194.126.10.18 ?

>/etc/resolv.conf
># Generated by NetworkManager
>nameserver 127.0.0.1
>nameserver 194.126.10.18

>-Original Message-
>From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
>Matus UHLAR - fantomas
>Sent: 15 July, 2016 11:58 AM
>To: bind-users@lists.isc.org
>Subject: Re: Resolving issue on specific domain
>
>On 12.07.16 17:13, Daniel Dawalibi wrote:
>>We are facing a weird issue while resolving a specific domain name 
>>from our authoritative DNS server running on BIND 9.10.4-P1
>>
>>Server has only one public IP address.
>>
>>If you try to resolve the domain using either dig or nslookup you will 
>>not get any result whereas if you specify @localhost you will get the 
>>answer
>[...]
>
>>#dig @localhost soa domainname
>[...]
>
>>#dig soa domainname
>>;; SERVER: 194.126.10.18#53(194.126.10.18)
>
>as you can see, in the latter example it's not the localhost 
>(127.0.0.1) but
>194.126.10.18 that gives you answer. That means, 194.126.10.18 does not 
>know the "domainname"
>
>you must add localhost to resolv.conf as first nameserver to get 
>answers from it by default.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


RE: Resolving issue on specific domain

2016-07-15 Thread Daniel Dawalibi
Hello

I already did it as per below output of resolv.conf but problem persists.


/etc/resolv.conf
# Generated by NetworkManager
nameserver 127.0.0.1
nameserver 194.126.10.18


Regards
Daniel

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Matus UHLAR - fantomas
Sent: 15 July, 2016 11:58 AM
To: bind-users@lists.isc.org
Subject: Re: Resolving issue on specific domain

On 12.07.16 17:13, Daniel Dawalibi wrote:
>We are facing a weird issue while resolving a specific domain name from 
>our authoritative DNS server running on BIND 9.10.4-P1
>
>Server has only one public IP address.
>
>If you try to resolve the domain using either dig or nslookup you will 
>not get any result whereas if you specify @localhost you will get the 
>answer
[...]

>#dig @localhost soa domainname
[...]

>#dig soa domainname
>;; SERVER: 194.126.10.18#53(194.126.10.18)

as you can see, in the latter example it's not the localhost (127.0.0.1) but
194.126.10.18 that gives you answer. That means, 194.126.10.18 does not know
the "domainname"

you must add localhost to resolv.conf as first nameserver to get answers
from it by default.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Resolving issue on specific domain

2016-07-12 Thread Daniel Dawalibi
Hello

We are facing a weird issue while resolving a specific domain name from our
authoritative DNS server running on BIND 9.10.4-P1.

The server has only one public IP address.

If you try to resolve the domain using either dig or nslookup you will not
get any result, whereas if you specify @localhost you will get the answer.

Do you have any explanation for this behavior, and what should be done to
fix this issue?

Examples:

#dig @localhost soa domainname

; <<>> DiG 9.9.4-P1 <<>> @localhost soa domainname
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46807
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainname.                    IN      SOA

;; ANSWER SECTION:
domainname.             86400   IN      SOA     xx.idm.net.lb. y.domainname. 1468329403 10800 3600 604800 10800

;; AUTHORITY SECTION:
domainname.             86400   IN      NS      xx.idm.net.lb.
domainname.             86400   IN      NS      yy.idm.net.lb.


#dig soa domainname

; <<>> DiG 9.9.4-P1 <<>> soa domainname
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10964
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;domainname.                    IN      SOA

;; Query time: 0 msec
;; SERVER: 194.126.10.18#53(194.126.10.18)
;; WHEN: Tue Jul 12 17:09:23 EEST 2016

 

 

 

Regards

Daniel


RE: writeable file 'domain.com': already in use

2016-06-16 Thread Daniel Dawalibi
Do you have the correct syntax to be adjusted on both views?

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ray Bellis
Sent: 16 June, 2016 11:04 AM
To: bind-users@lists.isc.org
Subject: Re: writeable file 'domain.com': already in use

On 16/06/2016 07:53, Daniel Dawalibi wrote:

> We are upgrading our DNS authoritative BIND version 9.10.4-P1 but we 
> are facing "writing errors" on the slave zone files that are 
> transferred from other Master DNS servers.
> 
> Our configuration consists of two views  (local and inter) and the 
> domain is configured in both views sections.
> 
> The problem was solved after removing the zone from one VIEW but is 
> there any workaround for this issue without removing the zone from the 
> view section (either Local or Inter)?

BIND 9.10.4 doesn't allow you to use the same filename for the same zone in
different views (since the content should be different).

Simply change the "file" directive in one of the views and you should be
fine.

Ray


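Ray's fix written out as an added named.conf example (not from the thread or from ISC): the same slave zone in both views, each with its own `file` path so named can write the two transferred copies independently. The addresses and the `match-clients` lists are placeholders for whatever the real configuration uses.

```conf
view "local" {
    match-clients { localnets; };         // placeholder: whatever selects this view
    zone "domain.com" {
        type slave;
        masters { 192.0.2.10; };          // placeholder for IPsrc
        transfer-source 192.0.2.20;       // placeholder for IPdest
        file "slaves/local/domain.com";   // distinct path per view
    };
};

view "inter" {
    match-clients { any; };
    zone "domain.com" {
        type slave;
        masters { 192.0.2.10; };
        transfer-source 192.0.2.20;
        file "slaves/inter/domain.com";   // same zone name, different file
    };
};
```

The paths are relative to the `directory` option; running `named-checkconf` on the result catches a duplicated path before named is reloaded.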


writeable file 'domain.com': already in use

2016-06-16 Thread Daniel Dawalibi
Hello

We are upgrading our authoritative DNS to BIND version 9.10.4-P1, but we are
facing "writing errors" on the slave zone files that are transferred from
other master DNS servers.

Our configuration consists of two views (local and inter), and the domain is
configured in both view sections.

The problem was solved after removing the zone from one view, but is there
any workaround for this issue without removing the zone from the view
section (either local or inter)?

 

BIND configuration file:

.
view "local" in {
    zone "domain.com" {
        type slave; masters { IPsrc; }; transfer-source IPdest;
        file "domain.com";
    };

view "internation" in {
    zone "domain.com" {
        type slave; masters { IPsrs; }; transfer-source IPdes;
        file "domain.com";
    };
.

Errors:

Jun 15 09:08:09 DNSAUTH named[17148]:  /etc/named.conf:27855: writeable file
'domain.com': already in use: /etc/named.conf:8497

 

 

 

Regards

Daniel


Monitor DNS queries toward Root severs

2016-05-04 Thread Daniel Dawalibi
Hello

Is there any tool or configuration that allows us to monitor/graph the
number of outbound DNS queries toward the root servers?

As you can see in the examples below, the first query was answered by M root
and the second query by F root.

 

; <<>> DiG 9.7.0-P1 <<>> www.cnn.com +trace
;; global options: +cmd
.                       450124  IN      NS      f.root-servers.net.
.                       450124  IN      NS      b.root-servers.net.
.                       450124  IN      NS      j.root-servers.net.
.                       450124  IN      NS      d.root-servers.net.
.                       450124  IN      NS      h.root-servers.net.
.                       450124  IN      NS      g.root-servers.net.
.                       450124  IN      NS      a.root-servers.net.
.                       450124  IN      NS      c.root-servers.net.
.                       450124  IN      NS      k.root-servers.net.
.                       450124  IN      NS      m.root-servers.net.
.                       450124  IN      NS      e.root-servers.net.
.                       450124  IN      NS      l.root-servers.net.
.                       450124  IN      NS      i.root-servers.net.
;; Received 496 bytes from 193.227.177.130#53(193.227.177.130) in 12 ms

com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
;; Received 489 bytes from 202.12.27.33#53(m.root-servers.net) in 68 ms

cnn.com.                172800  IN      NS      ns1.timewarner.net.
cnn.com.                172800  IN      NS      ns3.timewarner.net.
cnn.com.                172800  IN      NS      ns1.p42.dynect.net.
cnn.com.                172800  IN      NS      ns2.p42.dynect.net.
;; Received 190 bytes from 192.43.172.30#53(i.gtld-servers.net) in 64 ms

www.cnn.com.            300     IN      CNAME   turner.map.fastly.net.
;; Received 64 bytes from 204.74.108.238#53(ns1.timewarner.net) in 61 ms


; <<>> DiG 9.7.0-P1 <<>> www.cnn.com +trace
;; global options: +cmd
.                       450105  IN      NS      a.root-servers.net.
.                       450105  IN      NS      f.root-servers.net.
.                       450105  IN      NS      l.root-servers.net.
.                       450105  IN      NS      h.root-servers.net.
.                       450105  IN      NS      b.root-servers.net.
.                       450105  IN      NS      g.root-servers.net.
.                       450105  IN      NS      k.root-servers.net.
.                       450105  IN      NS      i.root-servers.net.
.                       450105  IN      NS      j.root-servers.net.
.                       450105  IN      NS      c.root-servers.net.
.                       450105  IN      NS      m.root-servers.net.
.                       450105  IN      NS      d.root-servers.net.
.                       450105  IN      NS      e.root-servers.net.
;; Received 496 bytes from 193.227.177.130#53(193.227.177.130) in 0 ms

com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
;; Received 501 bytes from 192.5.5.241#53(f.root-servers.net) in 155 ms

cnn.com.                172800  IN      NS      ns1.timewarner.net.
cnn.com.                172800  IN      NS      ns3.timewarner.net.
cnn.com.                172800  IN      NS      ns1.p42.dynect.net.


RE: Adding CNAME for the root domain issue

2016-04-27 Thread Daniel Dawalibi
Hello Barry

A DNS registrar can offer this option by using apex/naked/root domain
redirection.

Regards
Daniel

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: 27 April, 2016 5:23 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Adding CNAME for the root domain issue

In article ,
 "John Levine"  wrote:

> Assuming you mean this (notice the dots):
> 
>  Domain.com.  CNAME  x.y.com.
>  www CNAME x.y.com.
> 
> it should work.  Some people believe that you can't have other records 
> at names below a name with a CNAME, but they are mistaken.

The problem isn't with names *below* the CNAME, it's with other records with
the same name as the CNAME. In particular, the SOA record for domain.com.

You would only be able to do this if you could put the CNAME record in the
parent domain, instead of delegating domain.com to your own server. 
But do any domain registrars support that option?

--
Barry Margolin
Arlington, MA


RE: Adding CNAME for the root domain issue

2016-04-27 Thread Daniel Dawalibi
Hello John

The below is not working on our BIND version 9.10.0-P2, unless it works on
another version.

Domain.com.  CNAME  x.y.com.
www CNAME x.y.com.

Errors returned when adding these records:

general: dns_master_load: ourweddingaccount.com.db.inter:13:
ourweddingaccount.com: CNAME and other data


If we proceed with the workaround below by replacing the CNAME with an A
record, it will resolve, but our setup requires a CNAME record.

Domain.com.  A  IPaddress
www CNAME x.y.com.



Regards
Daniel
-Original Message-
From: John Levine [mailto:jo...@iecc.com] 
Sent: 27 April, 2016 4:56 PM
To: bind-users@lists.isc.org
Cc: daniel.dawal...@idm.net.lb
Subject: Re: Adding CNAME for the root domain issue

Assuming you mean this (notice the dots):

 Domain.com.  CNAME  x.y.com.
 www CNAME x.y.com.

it should work.  Some people believe that you can't have other records at names 
below a name with a CNAME, but they are mistaken.

On the other hand, this will not work.

  domain.com. CNAME x.y.com.
  domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and AAAA records.

R's,
John

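The "CNAME and other data" rejection that the two replies above explain, as an added Python zone-file lint (not code from the thread, from ISC or from the poster's setup): it loads a minimal master-file format and reports every owner name that carries a CNAME together with any other type, which is exactly the apex case, while leaving names *below* a CNAME alone as John describes. The sample zone, its name servers and addresses are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample zone: the apex CNAME from the thread next to the SOA and
# NS records every zone must have at its apex.
ZONE_WITH_APEX_CNAME = """\
$ORIGIN domain.com.
$TTL 3600
@       IN SOA   ns1.domain.com. hostmaster.domain.com. 2016042701 10800 3600 604800 10800
@       IN NS    ns1.domain.com.
@       IN CNAME x.y.com.
www     IN CNAME x.y.com.
sub.www IN A     192.0.2.5       ; a name *below* a CNAME owner: loads fine
ns1     IN A     192.0.2.1
"""

# Constructed sample: the workaround from the thread, an A record at the apex.
ZONE_WITH_APEX_A = ZONE_WITH_APEX_CNAME.replace(
    "@       IN CNAME x.y.com.", "@       IN A     192.0.2.10")

Record = Tuple[str, str, str]  # (owner, type, rdata)


def qualify(name: str, origin: str) -> str:
    """Make an owner name absolute relative to $ORIGIN, as the loader does."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text: str, origin: str = ".") -> List[Record]:
    """Minimal master-file parser: $ORIGIN, $TTL, comments, optional TTL/class,
    and a leading blank owner meaning 'same owner as the previous record'.
    Parenthesised multi-line records are not handled."""
    records: List[Record] = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            continue
        tokens = line.split()
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)  # skip optional TTL and class
        rtype = tokens.pop(0).upper()
        records.append((owner, rtype, " ".join(tokens)))
        last_owner = owner
    return records


def cname_conflicts(records: List[Record]) -> Dict[str, Set[str]]:
    """Owner names that carry a CNAME together with any other type, which
    named rejects with 'CNAME and other data'. Names below a CNAME owner are
    not conflicts and are not reported."""
    by_owner: Dict[str, Set[str]] = defaultdict(set)
    for owner, rtype, _ in records:
        by_owner[owner.lower()].add(rtype)
    return {o: t for o, t in by_owner.items() if "CNAME" in t and len(t) > 1}


if __name__ == "__main__":
    for label, text in (("apex CNAME", ZONE_WITH_APEX_CNAME), ("apex A", ZONE_WITH_APEX_A)):
        print(label, "->", cname_conflicts(parse_zone(text)) or "no conflicts")
```

Run against the first zone it reports the apex with SOA, NS and CNAME; against the workaround zone it reports nothing, matching what named accepted.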


Adding CNAME for the root domain issue

2016-04-27 Thread Daniel Dawalibi
Hello

We are facing a resolving problem on BIND DNS when adding a CNAME RR for the
root domain together with other records.

Do you have any workaround, since it is not feasible as per RFC 1034 section
3.6.2 (http://www.faqs.org/rfcs/rfc1034.html)?

Example:

Domain.com  CNAME  x.y.com
www CNAME x.y.com

Regards

Daniel


RE: g.root-servers.net not reachable anymore

2016-04-14 Thread Daniel Dawalibi
Do you think it is better to remove it from named.root?
Is there any impact on DNS resolving?


Regards
Daniel

-Original Message-
From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr] 
Sent: 14 April, 2016 10:35 AM
To: Daniel Stirnimann
Cc: Daniel Dawalibi; bind-us...@isc.org
Subject: Re: g.root-servers.net not reachable anymore

On Thu, Apr 14, 2016 at 08:35:00AM +0200,  Daniel Stirnimann
<daniel.stirnim...@switch.ch> wrote  a message of 14 lines which said:

> Looks like you are not alone!
> 
> https://atlas.ripe.net/dnsmon/group/g-root

Only broken over UDP. Works on TCP and still replies to traceroute.



g.root-servers.net not reachable anymore

2016-04-14 Thread Daniel Dawalibi
Hello

Anyone experiencing a reachability issue toward g.root-servers.net?

# dig @g.root-servers.net ns

; <<>> DiG 9.7.0-P1 <<>> @g.root-servers.net ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

# dig @192.112.36.4 ns

; <<>> DiG 9.7.0-P1 <<>> @192.112.36.4 ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Regards

Daniel


DNS BIND traffic capture ICMP/UDP

2016-01-15 Thread Daniel Dawalibi
Hello

We observed unusual traffic combining ICMP and UDP packets while running
the tcpdump command on the DNS caching server.

Kindly note that only UDP DNS traffic is allowed on this server (ICMP is not
allowed from outside to the DNS server).

Any help regarding this issue? Why are we getting ICMP and UDP requests?
Could it be an attack?

Logs:

# tcpdump -n icmp

15:41:05.054237 IP 10.151.130.74 > DNSIP: ICMP 10.151.130.74 udp port 52003
unreachable, length 52
15:41:05.064449 IP 10.75.6.36 > DNSIP: ICMP 10.75.6.36 udp port 50162
unreachable, length 52
15:41:05.067953 IP 10.33.10.155 > DNSIP: ICMP 10.33.10.155 udp port 50233
unreachable, length 52
15:41:05.067958 IP 10.75.15.162 > DNSIP: ICMP 10.75.15.162 udp port 53847
unreachable, length 52
15:41:05.072727 IP 10.33.12.219 > DNSIP: ICMP 10.33.12.219 udp port 51024
unreachable, length 52
..

Example: 10.151.130.74 (client source IP)
DNSIP: DNS server IP

 

Regards

Daniel


RE: reject invalid dns queries

2015-01-20 Thread Daniel Dawalibi
Hello

Allow-query is only allowed for the specified IPs defined in the allow-query
statement.



Regards
Daniel
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR -
fantomas
Sent: Monday, January 19, 2015 5:21 PM
To: bind-users@lists.isc.org
Subject: Re: reject invalid dns queries

On 19.01.15 16:14, Daniel Dawalibi wrote:
>Invalid DNS queries : non-existent domains that do not resolve to any
>IP as  mentioned in the below example.

you should better not use this definition.

>We are trying to protect our DNS servers from a number of invalid dns
>queries targeting our caching server and originated from different
>source  IPs.  Is there any way to drop these requests based on the
>Query Access  list from the DNS configuration file (named.conf)?

you can NOT know if a hostname exists before you try to resolve it. After
that, you can't block it anymore.

do you allow recursion for remote clients? (recursion and allow-recursion
statements)
Do you allow DNS access from remote clients? (allow-query statement)

Perhaps denying remote clients from even accessing your caching server would
help you with this problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
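The access restriction Matus suggests, as an added named.conf example (not from the thread or from ISC): the first `options` block is the open-resolver setting under which any source can send queries to the caching server, the second limits both queries and recursion to the operator's own clients. The two blocks are alternatives shown side by side, and the prefixes in the acl are placeholders.

```conf
// Weak: an open resolver; any source on the Internet can query and recurse.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};

// Restricted: only the operator's own networks (placeholder prefixes).
// Use this options block instead of the one above, never both.
acl "our-clients" { localhost; localnets; 192.0.2.0/24; 2001:db8::/32; };
options {
    recursion yes;
    allow-query { our-clients; };
    allow-recursion { our-clients; };
    allow-query-cache { our-clients; };
};
```

Queries from outside the acl are refused before any lookup happens, which is the only point at which a name that will turn out not to exist can still be turned away.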


RE: reject invalid dns queries

2015-01-19 Thread Daniel Dawalibi
Hello

Invalid DNS queries: non-existent domains that do not resolve to any IP, as
mentioned in the example below.
We are trying to protect our DNS servers from a number of invalid DNS queries
targeting our caching server and originating from different source IPs. Is there
any way to drop these requests based on the query access list in the DNS
configuration file (named.conf)?


Example:

Default Server:  google-public-dns-a.google.com
Address:  DNS IP

> invaliddnsqueries.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

*** DNS IP can't find invaliddnsqueries.com: Non-existent domain


DNS query logs:

19-Jan-2015 15:44:08.519 queries: client IP#49791 (invaliddnsqueries.com): view 
zones: query: invaliddnsqueries.com IN A + (DNS IP)
19-Jan-2015 15:45:00.214 queries: client IP#49791 (invaliddnsqueries.com): view 
zones: query: invaliddnsqueries.com IN A + (DNS IP)
19-Jan-2015 15:46:08.100 queries: client IP#49791 (invaliddnsqueries.com): view 
zones: query: invaliddnsqueries.com IN A + (DNS IP)


Regards
Daniel
-Original Message-
From: Warren Kumari [mailto:war...@kumari.net] 
Sent: Wednesday, January 14, 2015 11:31 PM
To: Daniel Dawalibi
Cc: bind-users@lists.isc.org
Subject: Re: reject invalid dns queries

Perhaps if you explained a little more clearly what you are trying to 
accomplish you might get more replies...
What are invalid DNS queries? What are they in the configuration?



On Wed, Jan 14, 2015 at 5:53 AM, Daniel Dawalibi daniel.dawal...@idm.net.lb
wrote:
> Hello,
>
> Is there any solution to drop the invalid DNS queries from the BIND
> configuration?
>
> Regards
>
> Daniel




reject invalid dns queries

2015-01-14 Thread Daniel Dawalibi
Hello,

 

 

Is there any solution to drop the invalid DNS queries from the BIND
configuration?

 

 

 

Regards

Daniel 


RE: Sporadic but noticeable SERVFAILs in specific nodes of an anycast resolving farm running BIND

2014-03-06 Thread Daniel Dawalibi
Hello

We are facing a similar problem, getting intermittent SERVFAILs on
several domains, specifically during high traffic.
Please note that the IPv6 dual stack is not configured in the operating
system and we are not using any IPv6 option in the BIND configuration file.

1- We compiled several BIND versions on different CentOS platforms:
CentOS release 5.10 with BIND 9.9.5 and BIND 9.7.2-P2: Problem persists
CentOS release 5.6 with BIND 9.9.5 and BIND 9.7.2-P2: Problem persists

2- We bypassed all network devices (firewall, shaper, IPS, load balancer):
Problem persists

3- TCPDUMP performed on the name servers showed the SERVFAIL in the
capture

4- Dig debugging output shows intermittent SERVFAIL:

dig www.mcafee.com
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 49448  (not for other domains)


5- We noticed during our debugging a failure when using dig +trace

;; Received 493 bytes from 192.5.5.241#53(f.root-servers.net) in 64 ms

dig: couldn't get address for 'k.gtld-servers.net': failure



Regards 

Daniel Dawalibi


-Original Message-
From: bind-users-bounces+daniel.dawalibi=idm.net...@lists.isc.org
[mailto:bind-users-bounces+daniel.dawalibi=idm.net...@lists.isc.org] On
Behalf Of Kostas Zorbadelos
Sent: Wednesday, March 05, 2014 3:16 PM
To: Bind Users Mailing List
Subject: Sporadic but noticable SERVFAILs in specific nodes of an anycast
resolving farm running BIND


Greetings to all,

we operate an anycast caching resolving farm for our customer base, based on
CentOS (6.4 or 6.5), BIND (9.9.2, 9.9.5 or the stock CentOS package BIND
9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1) and quagga (the stock CentOS
package).

The problem is that we have noticed sporadic but noticeable SERVFAILs in
3 out of 10 total machines. Cacti measurements obtained via the BIND XML
interface show traffic from 1.5K queries/sec (lowest loaded machines) to 15K
queries/sec (highest). The problem is that in 3 specific machines in a
geolocation with a BIND restart we notice after a period of time that can
range between half an hour and several hours SERVFAILs in resolutions. The 3
machines do not have the highest load in the farm (6-8K q/sec). The
resolution problems are noticeable in the customers ending up in these
machines but do not show up as high numbers in the BIND XML Resolver
statistics (ServFail number).

We reproduce the problem by querying for a specific domain name using a
loop of the form

while [ 1 ]; do clear; rndc flushname www.linux-tutorial.info; sleep 1; dig
www.linux-tutorial.info @localhost; sleep 2; done  | grep SERVFAIL

The www.linux-tutorial.info is not the only domain experiencing resolution
problems of course. The above loop can run for hours even without issues on
low-traffic hours (night, after a clean BIND restart) but during the day it
shows quite a few SERVFAILs, which affect other domains as well.

During the problem we notice with tcpdump, that when SERVFAIL is produced,
no query packet exits the server for resolution. We have noticed nothing in
BIND logs (we even tried to raise debugging levels and log all relevant
categories). An example capture running the above
loop: 

# tcpdump -nnn -i any -p dst port 53 or src port 53 | grep 'linux-tutorial'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes

14:33:03.590908 IP6 ::1.53059 > ::1.53: 15773+ A? www.linux-tutorial.info. (41)
14:33:03.591292 IP 83.235.72.238.45157 > 213.133.105.6.53: 19156% [1au] A? www.linux-tutorial.info. (52)  Success

14:33:06.664411 IP6 ::1.45090 > ::1.53: 48526+ A? www.linux-tutorial.info. (41)
14:33:06.664719 IP6 2a02:587:50da:b::1.23404 > 2a00:1158:4::add:a3.53: 30244% [1au] A? www.linux-tutorial.info. (52)  Success

14:33:31.434209 IP6 ::1.43397 > ::1.53: 26607+ A? www.linux-tutorial.info. (41)  SERVFAIL

14:33:43.672405 IP6 ::1.58282 > ::1.53: 27125+ A? www.linux-tutorial.info. (41)  SERVFAIL

14:33:49.706645 IP6 ::1.54936 > ::1.53: 40435+ A? www.linux-tutorial.info. (41)
14:33:49.706976 IP6 2a02:587:50da:b::1.48961 > 2a00:1158:4::add:a3.53: 4287% [1au
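The symptom Kostas describes above (SERVFAIL handed back to the client while no query ever leaves the box) can be checked mechanically rather than by eye. The following script is an added example, not code from either poster: it reads `tcpdump -nnn` lines of the shape shown in the capture, pairs each client query arriving on the loopback with any outgoing port-53 query within a one-second window, and reports the client query IDs that were never followed by an upstream query. The capture text embedded below is constructed to match the posted one (with the `>` arrows restored); the helper names are this example's own.

```python
"""Correlate client queries with the resolver's outgoing queries in a tcpdump
capture.  Constructed sample lines follow the shape of the capture posted in
the thread; the helper names are this example's own."""
import re
from datetime import datetime, timedelta

# One packet line as printed by "tcpdump -nnn ... port 53": timestamp, IP/IP6,
# source host.port, destination host.port, DNS id followed by '+' or '%'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<qid>\d+)[+%]"
)

# Queries arriving from the loopback are the client side of the resolver.
LOOPBACK_HOSTS = {"::1", "127.0.0.1"}

# Constructed sample: two client queries get no upstream query at all, the
# others are followed by one within a millisecond.
SAMPLE_CAPTURE = """\
14:33:03.590908 IP6 ::1.53059 > ::1.53: 15773+ A? www.linux-tutorial.info. (41)
14:33:03.591292 IP 83.235.72.238.45157 > 213.133.105.6.53: 19156% [1au] A? www.linux-tutorial.info. (52)
14:33:06.664411 IP6 ::1.45090 > ::1.53: 48526+ A? www.linux-tutorial.info. (41)
14:33:06.664719 IP6 2a02:587:50da:b::1.23404 > 2a00:1158:4::add:a3.53: 30244% [1au] A? www.linux-tutorial.info. (52)
14:33:31.434209 IP6 ::1.43397 > ::1.53: 26607+ A? www.linux-tutorial.info. (41)
14:33:43.672405 IP6 ::1.58282 > ::1.53: 27125+ A? www.linux-tutorial.info. (41)
14:33:49.706645 IP6 ::1.54936 > ::1.53: 40435+ A? www.linux-tutorial.info. (41)
14:33:49.706976 IP6 2a02:587:50da:b::1.48961 > 2a00:1158:4::add:a3.53: 4287% [1au] A? www.linux-tutorial.info. (52)
"""


def split_host_port(endpoint):
    """tcpdump writes host.port; the port is whatever follows the last dot,
    which also works for IPv6 literals such as '::1.53059'."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_capture(text):
    """Return (timestamp, direction, query id) for every query line sent to
    port 53.  direction is 'in' for a client query to the resolver and 'out'
    for a query the resolver sends upstream."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        dst, dport = split_host_port(m["dst"])
        if dport != 53:
            continue  # responses go back to the ephemeral port; skip them
        direction = "in" if dst in LOOPBACK_HOSTS else "out"
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        events.append((ts, direction, int(m["qid"])))
    return events


def queries_without_upstream(text, window=timedelta(seconds=1)):
    """IDs of client queries not followed by any outgoing query within
    `window`: the pattern where the resolver answers SERVFAIL without ever
    asking an authoritative server."""
    events = parse_capture(text)
    silent = []
    for i, (ts, direction, qid) in enumerate(events):
        if direction != "in":
            continue
        forwarded = any(
            d == "out" and ts <= t <= ts + window
            for t, d, _ in events[i + 1:]
        )
        if not forwarded:
            silent.append(qid)
    return silent


if __name__ == "__main__":
    print("client queries with no upstream query:",
          queries_without_upstream(SAMPLE_CAPTURE))
```

Run it against a real capture by piping `tcpdump -nnn -l ... | grep <name>` into a file and passing that file's text to `queries_without_upstream`; the one-second window is an assumption chosen for an idle loopback test and should be widened if the machine is busy.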

RE: intermittent resolving problem for some domains

2014-02-19 Thread Daniel Dawalibi
Hello

I am able to reach the root servers and I can resolve other domains.



; <<>> DiG 9.8.0 <<>> . ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32217
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14

;; QUESTION SECTION:
;.  IN  NS

;; ANSWER SECTION:
.   518187  IN  NS  i.root-servers.net.
.   518187  IN  NS  d.root-servers.net.
.   518187  IN  NS  g.root-servers.net.
.   518187  IN  NS  f.root-servers.net.
.   518187  IN  NS  m.root-servers.net.
.   518187  IN  NS  h.root-servers.net.
.   518187  IN  NS  j.root-servers.net.
.   518187  IN  NS  c.root-servers.net.
.   518187  IN  NS  b.root-servers.net.
.   518187  IN  NS  l.root-servers.net.
.   518187  IN  NS  e.root-servers.net.
.   518187  IN  NS  a.root-servers.net.
.   518187  IN  NS  k.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net. 604587  IN  A   198.41.0.4
a.root-servers.net. 604603  IN  AAAA    2001:503:ba3e::2:30
b.root-servers.net. 604587  IN  A   192.228.79.201
c.root-servers.net. 604587  IN  A   192.33.4.12
d.root-servers.net. 604767  IN  A   199.7.91.13
d.root-servers.net. 604767  IN  AAAA    2001:500:2d::d
e.root-servers.net. 604587  IN  A   192.203.230.10
f.root-servers.net. 604587  IN  A   192.5.5.241
f.root-servers.net. 604587  IN  AAAA    2001:500:2f::f
g.root-servers.net. 604587  IN  A   192.112.36.4
h.root-servers.net. 604587  IN  A   128.63.2.53
h.root-servers.net. 604587  IN  AAAA    2001:500:1::803f:235
i.root-servers.net. 604765  IN  A   192.36.148.17
i.root-servers.net. 604765  IN  AAAA    2001:7fe::53

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Feb 19 16:38:34 2014
;; MSG SIZE  rcvd: 512



Best Regards,
Daniel Dawalibi
-Original Message-
From: Niall O'Reilly [mailto:niall.orei...@ucd.ie] 
Sent: Wednesday, February 19, 2014 1:22 PM
To: Daniel Dawalibi
Cc: bind-users@lists.isc.org
Subject: Re: intermittent resolving problem for some domains

At Wed, 19 Feb 2014 00:33:11 +0200,
Daniel Dawalibi wrote:
> Kindly note that the number of recursive clients is increasing during
> the problem : recursive clients: 3700/14900/15000

  I think it's likely that you have a connectivity problem.

  I'd suggest checking whether your server which is giving these
  messages can reach any of the root servers or even any of the
  external Internet.

  Best regards,
  Niall O'Reilly

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


intermittent resolving problem for some domains

2014-02-18 Thread Daniel Dawalibi
Hello

We are facing intermittent resolving problems on several domains. While
debugging the issue we found the failures below.

Can you please help?

Kindly note that the number of recursive clients is increasing during the
problem: recursive clients: 3700/14900/15000

1-  dig: couldn't get address for 'k.gtld-servers.net': failure

;; global options:  printcmd
.   518011  IN  NS  f.root-servers.net.
.   518011  IN  NS  g.root-servers.net.
.   518011  IN  NS  h.root-servers.net.
.   518011  IN  NS  i.root-servers.net.
.   518011  IN  NS  j.root-servers.net.
.   518011  IN  NS  k.root-servers.net.
.   518011  IN  NS  l.root-servers.net.
.   518011  IN  NS  m.root-servers.net.
.   518011  IN  NS  a.root-servers.net.
.   518011  IN  NS  b.root-servers.net.
.   518011  IN  NS  c.root-servers.net.
.   518011  IN  NS  d.root-servers.net.
.   518011  IN  NS  e.root-servers.net.
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

com.    172800  IN  NS  k.gtld-servers.net.
com.    172800  IN  NS  c.gtld-servers.net.
com.    172800  IN  NS  d.gtld-servers.net.
com.    172800  IN  NS  g.gtld-servers.net.
com.    172800  IN  NS  f.gtld-servers.net.
com.    172800  IN  NS  e.gtld-servers.net.
com.    172800  IN  NS  j.gtld-servers.net.
com.    172800  IN  NS  b.gtld-servers.net.
com.    172800  IN  NS  h.gtld-servers.net.
com.    172800  IN  NS  m.gtld-servers.net.
com.    172800  IN  NS  a.gtld-servers.net.
com.    172800  IN  NS  l.gtld-servers.net.
com.    172800  IN  NS  i.gtld-servers.net.
;; Received 493 bytes from 192.5.5.241#53(f.root-servers.net) in 64 ms

dig: couldn't get address for 'k.gtld-servers.net': failure

2-  named_dump.db

; ns1lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns2nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns2dc2.example.com [v4 TTL 167] [v6 TTL 2] [v4 not_found] [v6 nxrrset]
; ns2lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns1nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]

3-  ServerFAIL

; <<>> DiG 9.8.0 <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 58716
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0


Regards

Daniel 

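The `named_dump.db` excerpt in the message above is the resolver's address database (ADB): for each name server name it records, per address family, how long the cached lookup result is kept and what that lookup produced. When every family of every server for a zone reads `failure`, the resolver has no address to send a query to, which matches the "no query packet leaves the server" observation and Niall's connectivity suspicion. The script below is an added example, not code from the poster or from ISC: it parses those `; name [v4 TTL n] [v6 TTL n] [v4 state] [v6 state]` lines and lists the servers whose lookups failed in both families and, more broadly, those with no successful lookup at all. The five entries are the ones from the post; the healthy `ns-ok.example.com` entry and the helper names are constructed for the example.

```python
"""Flag unusable name servers in the address-database section of a
named_dump.db (produced by "rndc dumpdb").  Five sample entries come from the
mailing-list post; the healthy entry and all helper names are this example's
own."""
import re

# "; <name> [v4 TTL n] [v6 TTL n] [v4 state] [v6 state]" as named writes it.
ADB_RE = re.compile(
    r"^;\s+(?P<name>\S+)\s+"
    r"\[v4 TTL (?P<ttl4>-?\d+)\]\s+\[v6 TTL (?P<ttl6>-?\d+)\]\s+"
    r"\[v4 (?P<st4>\w+)\]\s+\[v6 (?P<st6>\w+)\]"
)

# Constructed sample: the posted entries plus one healthy server.
SAMPLE_DUMP = """\
; Address database dump
; ns1lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns2nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns2dc2.example.com [v4 TTL 167] [v6 TTL 2] [v4 not_found] [v6 nxrrset]
; ns2lo6.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns1nj.example.com [v4 TTL 167] [v6 TTL 167] [v4 failure] [v6 failure]
; ns-ok.example.com [v4 TTL 1200] [v6 TTL 1200] [v4 success] [v6 success]
"""


def parse_adb(text):
    """Map each name-server name to {'v4': (ttl, state), 'v6': (ttl, state)}.
    Lines that are not per-name ADB entries (headers, address lines) are
    ignored."""
    entries = {}
    for line in text.splitlines():
        m = ADB_RE.match(line)
        if not m:
            continue
        entries[m["name"]] = {
            "v4": (int(m["ttl4"]), m["st4"]),
            "v6": (int(m["ttl6"]), m["st6"]),
        }
    return entries


def fetch_failures(entries):
    """Servers whose address lookup failed for both families: the resolver
    could not even fetch their A/AAAA records, which points at connectivity
    or upstream trouble rather than a missing record."""
    return sorted(
        name for name, e in entries.items()
        if e["v4"][1] == "failure" and e["v6"][1] == "failure"
    )


def without_usable_address(entries):
    """Servers with no successful lookup in either family.  This also catches
    not_found/nxrrset pairs, where the records simply do not exist, so the
    resolver has nothing to query regardless of the reason."""
    return sorted(
        name for name, e in entries.items()
        if "success" not in (e["v4"][1], e["v6"][1])
    )


def summarize(text):
    """Counts a practitioner would page on: how many servers are unusable."""
    entries = parse_adb(text)
    return {
        "servers": len(entries),
        "fetch_failures": len(fetch_failures(entries)),
        "no_usable_address": len(without_usable_address(entries)),
    }


if __name__ == "__main__":
    adb = parse_adb(SAMPLE_DUMP)
    print("both families failed:", fetch_failures(adb))
    print("no usable address:   ", without_usable_address(adb))
    print(summarize(SAMPLE_DUMP))
```

In a real dump the same lines sit under the "Address database dump" header and are followed by indented address lines, which the regex ignores; running `summarize` on dumps taken before and during an incident shows whether the failing servers are a fixed set (a delegation problem) or grow with load (the connectivity or resource problem suspected in this thread).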