RE: blockhole'd IP receiving referral?

2009-12-19 Thread Jeff Lightner
allow-recursion { internaldns; externaldns; };
blackhole { blackhats; };

Works for me. 

The ACLs internaldns and externaldns are specific networks/IPs we allow
to do recursion.  (Everyone can do lookups for domains for which we are
authoritative, but not recursion.)  The ACL blackhats is IPs/networks
we've seen hitting us over and over and impacting CPU load.

However, even though BIND dropped the queries rather than responding and
the above blackhole worked, tcpdump showed they continued to try, so I went
ahead and added DROP statements for those to my iptables config just to
drop them at the kernel level.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf
Of Chris Buxton
Sent: Friday, December 18, 2009 5:33 PM
To: lcon...@go2france.com
Cc: bind-users@lists.isc.org
Subject: Re: blockhole'd IP receiving referral?

On Dec 18, 2009, at 12:33 PM, Len Conrad wrote:
 bind 9.6.1-P1
 
 named-checkconf /etc/namedb/named.conf
 ... ok
 
 (in global options)
 
 options {
 allow-recursion {  mynets; };
 blackhole   { !mynets; };
 };

I could be wrong, but wouldn't that be:

blackhole   { ! mynets; any; };

? To my understanding, without the any item, the ACL doesn't match
anything at all - no IP is blackholed.

Of course, if you blackhole anything not local, your server will not be
able to recurse out to the Internet - blackhole applies to the sending
of queries in addition to the receiving of queries. I believe you will
need to settle for allow-query instead of blackhole. Something like
this:

options {
allow-query { mynets; };
};

Again, I could be wrong, but I don't think allow-recursion is needed in
this case.

Chris Buxton
Professional Services
Men & Mice

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
 
Proud partner. Susan G. Komen for the Cure.
 
Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--
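An added illustration (not code from the thread) of the address-match-list rule Chris Buxton describes, in Python: elements are tried in order, the first match decides, a negated match is a non-match, and no match at all is a non-match, so `{ !mynets; }` blackholes nobody while `{ !mynets; any; }` blackholes everything outside mynets. The ACL names are the ones from the two configurations above; the networks inside them are constructed.

```python
"""Model of how BIND evaluates an address match list (the body of an ACL).

Added example, not code from the thread.  Rules modelled: elements are tried
in order; the first element that matches the address decides; if that element
is negated ("!") the list does NOT match; if no element matches, the list does
not match either.  Nested ACL names resolve through the `named` dictionary.
The 'localhost' and 'localnets' builtins are not modelled; the networks in
the ACLs below are constructed.
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Element = Tuple[bool, Union[str, Network]]   # (negated, network-or-acl-name)


def parse_acl(text: str) -> List[Element]:
    """Parse e.g. '!mynets; 10.0.0.0/8; any;' into a list of elements."""
    elements: List[Element] = []
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        try:
            target: Union[str, Network] = ipaddress.ip_network(item, strict=False)
        except ValueError:
            target = item                      # 'any', 'none' or a named ACL
        elements.append((negated, target))
    return elements


def matches(addr: str, acl: List[Element], named: Dict[str, List[Element]]) -> bool:
    """True if `addr` matches the list, applying BIND's first-match rule."""
    ip = ipaddress.ip_address(addr)
    for negated, target in acl:
        if isinstance(target, str):
            if target == "any":
                hit = True
            elif target == "none":
                hit = False
            else:
                # A nested ACL that matches negatively counts as "no match"
                # here, so the outer list simply moves on (same as BIND).
                hit = matches(addr, named[target], named)
        else:
            hit = ip in target
        if hit:
            return not negated                 # first match decides
    return False                               # nothing matched at all


# Len Conrad's list from the thread versus Chris Buxton's correction.
NAMED = {"mynets": parse_acl("10.0.0.0/8; 192.168.0.0/16;")}
BROKEN_BLACKHOLE = parse_acl("!mynets;")        # matches nothing: nobody is blackholed
FIXED_BLACKHOLE = parse_acl("!mynets; any;")    # matches everything outside mynets

# Jeff Lightner's options from the top of the thread, with constructed
# networks standing in for the real ACL contents.
JEFF = {
    "internaldns": parse_acl("10.0.0.0/8;"),
    "externaldns": parse_acl("192.0.2.0/24;"),
    "blackhats": parse_acl("198.51.100.0/24;"),
}
JEFF["allow-recursion"] = parse_acl("internaldns; externaldns;")
JEFF["blackhole"] = parse_acl("blackhats;")


def server_action(addr: str, named: Dict[str, List[Element]] = JEFF) -> str:
    """What named does with a query from `addr` under Jeff's options."""
    if matches(addr, named["blackhole"], named):
        return "dropped"                 # blackhole: no response at all
    if matches(addr, named["allow-recursion"], named):
        return "recursive"
    return "authoritative-only"          # answered only for our own zones


if __name__ == "__main__":
    for ip in ("203.0.113.9", "10.1.2.3"):
        print(ip, "broken:", matches(ip, BROKEN_BLACKHOLE, NAMED),
              "fixed:", matches(ip, FIXED_BLACKHOLE, NAMED))
    for ip in ("198.51.100.7", "10.0.0.4", "203.0.113.1"):
        print(ip, "->", server_action(ip))
```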


RE: single entry to hosted service

2009-12-07 Thread Jeff Lightner
You create a zone file that only has the entries for accounting.com.  You add 
that to named.conf.  

Your other zone files are still in place so you shouldn't need to forward 
anything else because you're saying this is internal to your network.  If a 
user is sitting at his desk and types:

InternalSite1.example.com to get to one of your internal websites then goes to 
hosted.accounting.com then tries to go to InternalSite2.example.com then their 
current stub server setting should use the same resolution setting (e.g. 
/etc/resolv.conf on UNIX/Linux) to get to InternalSite2 as it used to get to 
InternalSite1.

The above assumes all your workstations etc... always ask your DNS server for 
any lookup first which is the normal way of doing things.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Dan Letkeman
Sent: Monday, December 07, 2009 1:41 PM
To: Kevin Darcy
Cc: bind-users
Subject: Re: single entry to hosted service

Yes I do need some kind of dns configuration.  We bought a hosted
accounting service from a company that has asked us to put a dns entry
into our dns servers so that our internal machines only can resolve
their hosted service via dns.  I guess they don't want to populate
their isp's dns servers with all of the dns entries for all of their
customers.

So with my limited knowledge of bind (using webmin to configure it) I
need to make an entry like this:

222.222.222.222  A  hosted.accounting.com

In our internal DNS servers.

I don't have any internet side dns, just internal.  I'm just a bit
unsure on what the best way to do this is, and I don't want to have to
append everyone's hosts file on their workstations.  I have many
master zones for our internal systems, and I have created all of the
necessary records.  I have setup slave servers, and the whole bit.

So I'm wondering do I need to setup a master zone, and put in the
222.222.222.222 A hosted.accounting.com as an A record, and then have
the zone forward everything else?  Reason being is because our users
will still need to access other sites from the accounting company's
domain.


Thanks,
Dan.

On Mon, Dec 7, 2009 at 11:43 AM, Kevin Darcy k...@chrysler.com wrote:
 Dan Letkeman wrote:

 Hello,

 I need to add an entry in our dns servers for a hosted service we
 purchased.  Do I just add a master zone and a single entry?  Or is
 there a better way to add a single entry to forward to a remote
 server?



 Maybe I'm not understanding your requirements. If this hosted service uses a
 name that's already populated in the Internet-facing DNS, why do you need
 any special DNS configuration at all? Why can't you resolve this like you
 resolve any other Internet name?

 Assuming that you _do_ in fact need some special configuration, for some
 reason, the zone types for (non-root) zones in BIND are: master, slave,
 forward, and stub. Each of them has benefits and disadvantages, but I'll
 defer that discussion until and unless it's determined that you need a
 special DNS configuration at all...

 - Kevin





RE: bind configuration help

2009-11-11 Thread Jeff Lightner
I can't quite agree with that.

While public information is indeed public it is intended to be so for specific 
lookups, not for zone transfers.  Someone external to you asking to get a zone 
transfer may be looking for what he can exploit.  Maybe he can find that 
information anyway with enough digging, but why make it easy for him? 

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Wednesday, November 11, 2009 12:53 PM
To: bind-users@lists.isc.org
Subject: Re: bind configuration help

Holger Honert wrote:
 Security issues!

 Usually you only want *trusted* clients to use your server recursively.

 And you don't really want to allow *any* fetching your hosted zones 
 for doing something bad, i.e. getting (unwanted!) infos
 over your network and infrastructure.
If the infos are public, they're public, the only difference is that 
zone transfers are a more efficient way of fetching more than about 2 or 
3 records in a single transaction, compared to querying each one 
individually.

If you want your network and infrastructure infos to be private, then 
put them in a private zone that can't be queried from the Internet at all.

 
   - Kevin

 Regards

 Holger


 Jukka Pakkanen schrieb:
 Sorry, but could You specify more accurately what is bad ? This is
 my first bind configuration, so probably I've made some mistakes, but
 I'd like to do it the right way in the end.:)

 On Tue, Nov 10, 2009 at 11:19 PM, Laurent CARON lca...@lncsa.com wrote:
  allow-recursion { any; };
 bad

  allow-transfer { any; };
 bad

 It's usually a bad idea to allow any to use your server recursively, or
 allow any transfer zone data. Like an open dns-server.






Name server names

2009-10-16 Thread Jeff Lightner
Curious - We have name servers in our primary domain so those are the
FQDN names we put at Registrar and at network provider.

 

Is there any reason we can't also have separate external IPs and names
pointing to the same DNS servers for our separate domains (NATted in of
course)?  That is to say, does DNS care what the actual hostname of the
DNS server is, or does it only use the lookups to determine this
information?
 


RE: Bind-9.6 and Heavy Cpu Load

2009-09-27 Thread Jeff Lightner
If this was an existing installation and the CPU load suddenly increased
you might want to check where the queries are coming from.  Not so long
ago I found what appeared to be a brute force attack on a DNS server by
sending the same queries over and over from the same range of IPs in
Romania.  Blacklisting that range resolved the issue.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Fajar A. Nugraha
Sent: Saturday, September 26, 2009 2:47 PM
To: Bind
Cc: Bind Users List
Subject: Re: Bind-9.6 and Heavy Cpu Load

On Sun, Sep 27, 2009 at 1:28 AM, Bind b...@dci.ir wrote:
 The number of requests is 2700 received pps and 2500 transmit pps.

 also I forced it to use both CPUs (in the prstat -a command the STATE
 column shows named uses cpu0, then after a moment it changed to cpu2) but
 heavy cpu load exists.

Assuming:
- the numbers you gave are queries per second
- your v880 has 1.5GHz Ultra sparc III CPU (or similar)

and considering:
- BIND's atomic locking performs better on some platforms than others
(my experience was on x86 vs ppc)
- query per second numbers on
http://groups.google.com/group/comp.protocols.dns.bind/browse_thread/thread/376a455035df10c6

I'd say you're probably cpu bound and there's nothing much you can do
about it. You already disabled logging, right? This is just a rough
estimate though, YMMV. If you have a 2 or 4-way x86 server you can try
it and see if it performs better.

-- 
Fajar
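As an added example (not from the list), the check Jeff suggests, finding where the queries come from, run in Python over a few constructed BIND 9 query-log lines: it parses `client <ip>#<port>: query: <name> <class> <type>` lines, reports any client that repeats the same question more than a threshold number of times inside a time window, and totals queries per /24 so a whole range stands out. Every log line and address below is constructed (documentation ranges).

```python
"""Find sources hammering a BIND server with the same query over and over.

Added example, not from the list thread.  Parses BIND 9 query-log lines of the
form '<timestamp> client <ip>#<port>: query: <name> <class> <type> ...' and
reports (client, name, type) triples that repeat at least `threshold` times
inside any `window`, plus query totals per prefix so a whole range stands out.
All log lines below are constructed and use documentation address ranges.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+: query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)

Key = Tuple[str, str, str]   # (client ip, qname, qtype)


def parse_line(line: str) -> Optional[Tuple[datetime, Key]]:
    """Return (timestamp, (ip, qname, qtype)) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, (m.group("ip"), m.group("qname").lower(), m.group("qtype").upper())


def find_repeaters(lines: List[str], window: timedelta = timedelta(seconds=60),
                   threshold: int = 10) -> Dict[Key, int]:
    """Largest number of identical queries from one client inside one window."""
    stamps: Dict[Key, List[datetime]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, key = parsed
            stamps[key].append(ts)
    hot: Dict[Key, int] = {}
    for key, times in stamps.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):      # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hot[key] = best
    return hot


def count_by_prefix(lines: List[str], prefixlen: int = 24) -> Counter:
    """Total queries per network prefix (IPv4 /24 by default, IPv6 /64)."""
    totals: Counter = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip = ipaddress.ip_address(parsed[1][0])
            plen = prefixlen if ip.version == 4 else 64
            totals[str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))] += 1
    return totals


# Constructed sample log: a little ordinary traffic, one non-query line, then
# one client that asks the same question twenty times within a second.
SAMPLE_LOG = [
    "27-Sep-2009 09:00:00.101 client 10.0.0.5#40001: query: www.example.com IN A + (10.0.0.2)",
    "27-Sep-2009 09:00:01.220 client 10.0.0.5#40002: query: mail.example.com IN MX + (10.0.0.2)",
    "27-Sep-2009 09:00:03.987 client 10.0.0.9#40003: query: www.example.com IN AAAA + (10.0.0.2)",
    "27-Sep-2009 09:00:04.000 general: info: zone example.com/IN: loaded serial 2009092701",
] + [
    "27-Sep-2009 09:00:05.%03d client 198.51.100.77#%d: query: repeated.example IN A + (10.0.0.2)"
    % (i * 40, 50000 + i)
    for i in range(20)
]

if __name__ == "__main__":
    for (ip, name, qtype), n in find_repeaters(SAMPLE_LOG).items():
        print(f"{ip} asked {name}/{qtype} {n} times within 60s")
    for prefix, n in count_by_prefix(SAMPLE_LOG).most_common():
        print(f"{prefix}: {n} queries")
```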


RHEL backports for dynamic update fix are available

2009-07-31 Thread Jeff Lightner
For those of you using the canned RHEL BIND packages they sent out
errata information for RHEL3, RHEL4 and RHEL5 overnight.   They've
backported the fix into the BIND 9 versions used.

 

As noted in QA here the dynamic update issue affects all BIND 9 but
only 9.4 onward were patched by ISC, so if you're using for example the RHEL
supplied BIND 9.3 on RHEL5 you need to apply the update from RHN.
 

RE: SPF/TXT records

2009-06-22 Thread Jeff Lightner
I don't get this at all.  Rather than ask WHO is saying it, why not
post reasonable counter arguments to WHAT they said.

 

Much of what one finds on the internet is anonymous at best, but that doesn't
mean it has no value.  Also for all I know they are well respected in
certain areas.  When I first posted to this list one common ISC
poster's attacks on posts turned me off to him, but others pointed out
that he is with ISC and is knowledgeable in the subject.  To me he
seemed like a troll annoyed by newbies, which often made me wonder why he
bothered with the list at all. 

 

As I said before I posted those two links after someone on this list
talked about a debate as to the value of SPF.   The links I posted
seemed to have some good points.   My question wasn't how much value
those two links had but rather whether people on this list think SPF
should be used at all.  I didn't post an exhaustive list of links but
just two that came up quickly when I looked into the debate as
suggested.

 



From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Noel Butler
Sent: Friday, June 19, 2009 5:25 PM
To: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

 

My comments below will be to all in general, not to anyone specific and
no offence intended to anyone...

RE: Advogato:

Who?

RE: CircleID:

Who ?

Ok enough of the sarcasm :) 

Is someone here seriously trying to use those sites as a reason to not
do something, might as well reference us to
mydogspewsupaftereatinglambbones.com (dunno if that's a real site, but
its name has about as much credence as the ones given).  Seriously if
you want to show why not, reference a reputable site with reputable
commentators.

In relation to SPF2, if you use M$'s crap, you do have a slightly
better chance of hotmail not losing your mail, so it is worth it if you
provide services to anyone else other than yourself (where you *can*
play god not affecting anyone else).

BUT... do NOT use spf2 enforcement on your side, or you'll find a lot of
mailing lists being very quiet  :)

Cheers
 

RE: SPF/TXT records

2009-06-19 Thread Jeff Lightner
Or moreover not to bother with SPF at all as suggested in these
documents?:

Why you shouldn't jump on the SPF bandwagon:
http://www.advogato.org/article/816.html

How spammers get around SPF:
http://www.circleid.com/posts/782012_spammer_get_around_spf/


-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Bernhardt
Sent: Friday, June 19, 2009 12:37 PM
To: 'Matus UHLAR - fantomas'; bind-users@lists.isc.org
Subject: RE: SPF/TXT records

So is the general recommendation in this group to NOT implement an empty
SPF2.0 record (i.e., spf2.0/pra) just in case, as recommended in the
5-year-old openspf document referenced below?

-Original Message-
From: Matus UHLAR - fantomas [mailto:uh...@fantomas.sk] 
Sent: Friday, June 19, 2009 12:31 AM
To: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

On 18.06.09 16:22, Jeffrey Collyer wrote:
 M$ has their own take on SPF called Sender ID, which uses a very
 similar record -

 v=spf2.0 rather than v=spf1

 so be sure to read up on them both before publishing records for one
 or the other.

It has downfalls so I recommend not even studying it, just remember that
spf2 is some M$ crap...

v=spf1 is just enough for now.

 http://www.openspf.org/SPF_vs_Sender_ID

 Hotmail in particular is picky about what it rejects and why.

Yes, hotmail tends to reject mail for many strange reasons.

But I don't recommend playing with spf2 just to get mail to hotmail, I
think there are better ways to get your mail anywhere.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
My mind is like a steel trap - rusty and illegal in 37 states. 




RE: SPF/TXT records

2009-06-18 Thread Jeff Lightner
We don't allow all servers to send email at all.  They have to
specifically be configured to send and relay to the Exchange server
which itself must be configured to allow them.

The domain, waterinvoice.com is not in general use but is used by one
server (and a test server on occasion) to send automated emails to
customers that request them.  There are no users sending with that
domain except in test scenarios.  

My question actually arose in response to a third party marketing
company that is asking us to set up an SPF record for a third domain we
purchased.  The SPF record for them is fairly straightforward, but it
made me wonder, if I wanted to implement SPF for internally generated
emails, which hosts should be listed.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Joseph S D Yao
Sent: Thursday, June 18, 2009 12:16 PM
To: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

It is all too easy for mail marked as from one of your domains to be
forwarded out the other mail server, if your internal mail server lets
every server inside forward mail (e.g., error messages) to it.  Unless
you personally set up mail on all servers, in which case you are a
bottleneck.  I have a similar thing happening when folks from one domain
send e-mail to an old-fashioned alias that just re-sends to all other
members of that alias - and the mail gets rejected by SPF.  This is not
good, and if I don't have control of the originators' SPF records,
unsolvable.


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/


RE: SPF/TXT records

2009-06-18 Thread Jeff Lightner
I'm assuming you mean it would be rejected if you didn't have an SPF
record for the company mail server in addition to the record for the
home consultancy?

I'll look into the SPF debate - I hadn't heard suggestions NOT to use it
before - simply had never implemented it because it wasn't high
priority.

-Original Message-
From: Joseph S D Yao [mailto:j...@tux.org] 
Sent: Thursday, June 18, 2009 12:43 PM
To: Jeff Lightner
Cc: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

On Thu, Jun 18, 2009 at 12:22:26PM -0400, Jeff Lightner wrote:
 We don't allow all servers to send email at all.  They have to
 specifically be configured to send and relay to the Exchange server
 which itself must be configured to allow them.
 
 The domain, waterinvoice.com is not in general use but is used by one
 server (and a test server on occasion) to send automated emails to
 customers that request them.  There are no users sending with that
 domain except in test scenarios.  
 
 My question actually arose in response to a third party marketing
 company that is asking us to set up an SPF record for a third domain we
 purchased.  The SPF record for them is fairly straight forward but it
 made me wonder if I wanted to implement SPF for internally generated
 emails which hosts should be listed.


If it has not already been mentioned, please see the furious debate over
whether SPF should ever be installed.  I'm sure Google can provide
plenty of references.  The choice is, of course, yours [and your
customer's].

Receiving mail servers configured with SPF will reject all mail listed
in the [easily edited] mail header from X domain that is not listed in
the SPF record for X domain.  E.g., if you want all your e-mail to go to
your home-consultancy e-mail account, so you set up your laptop to use
From: j...@home-consultancy.example
but hook it up to the company mail server, and there is an SPF record
for home-consultancy.example [which you don't control] that says mail
ONLY comes from pegasus.home-consultancy.example - then any e-mail you
send via the company's mail server [which has a policy allowing this
OBTW], but sent as if from your home office, will be rejected by said
mail servers.


-- 
/*\
**
** Joe Yao  j...@tux.org - Joseph S. D. Yao
**
\*/
 


SPF/TXT records

2009-06-17 Thread Jeff Lightner
Question:
When one sets an SPF/TXT record, is it for the relay server/IP that sent the
email to the internet or the originating one?
 
For example we have a server (atuprd01.water.com) that cannot be
reached via the internet.  Email originating there is relayed through
our MS-Exchange server (if sent with domain water.com) or a Linux
Sendmail server (if sent with domain waterinvoice.com).  All email sent
via Exchange goes out an IP separate from the incoming mail (MX) IP.  All
email sent via Sendmail has a separate IP from the incoming mail (MX) IP.  
 
Should the SPF specify the outbound IP (e.g. 12.44.84.204 for
atlsnml2.waterinvoice.com) for the Sendmail server email or the IP/name
for atuprd01.water.com? 
 
Source/Headers for a test message shown below in case it helps:
 
X-Eon-Dm: dm0208
Return-Path: jllight...@waterinvoice.com
Received: from atlsnml2.waterinvoice.com (12.44.84.204 [12.44.84.204])
by dm0208.mta.everyone.net (EON-INBOUND) with ESMTP id
dm0208.4a317b14.3b9c1f3
for jclight...@copper.net; Wed, 17 Jun 2009 07:24:11 -0700
Received: from atuprd01.water.com (atuprd01.water.com [10.0.8.120])
by atlsnml2.waterinvoice.com (8.13.8/8.13.8) with ESMTP id
n5HEUGY2009868
for jclight...@copper.net; Wed, 17 Jun 2009 10:30:16 -0400
Received: (from jligh...@localhost)
by atuprd01.water.com (8.9.3 (PHNE_35484)/8.9.3) id KAA21720
for jclight...@copper.net; Wed, 17 Jun 2009 10:30:13 -0400 (EDT)
Date: Wed, 17 Jun 2009 10:30:13 -0400 (EDT)
From: jllight...@waterinvoice.com
Message-Id: 200906171430.kaa21...@atuprd01.water.com
X-Authentication-Warning: atuprd01.water.com: jlightne set sender to
jllight...@waterinvoice.com using -r
To: jclight...@copper.net
Subject: Test from atuprd01
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
 
Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: SPF/TXT records

2009-06-17 Thread Jeff Lightner
Right my relay might want it but if so that would be in my internal
view. The Exchange and Sendmail servers only allow relay from specific
locations and neither is using SPF to authenticate so far as I know.

My question was more related to the external view - what do people on the
internet expect to see defined as an SPF/TXT record to verify it is a valid
email?

I'm quite certain Sendmail is not sending any water.com email and that
Exchange is not sending any waterinvoice.com email based on the Sendmail
configuration of atuprd01.water.com - it uses a mailer table to
determine which host to relay through specifically based on the domain
of the email message sender.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR -
fantomas
Sent: Wednesday, June 17, 2009 11:10 AM
To: bind-users@lists.isc.org
Subject: Re: SPF/TXT records

On 17.06.09 10:46, Jeff Lightner wrote:
 When one sets SPF/TXT record is it for the relay server/IP that sent
the
 email to the internet or the originating one?

maybe even both. If the outgoing mail relay checks for SPF, and you don't
use SMTP authentication (in which case relays may not check for SPF), you
need SPF for the originating server too, so the relay doesn't reject the mail
immediately. If the relay sends such mail to other servers, its IP should be
in SPF too.

I have SPF for fantomas.sk:

fantomas.sk.    43200   IN  SPF "v=spf1 mx -all"

it should be checked when someone is trying to send mail with @fantomas.sk
as envelope from address.

 For example we have a server (atuprd01.water.com) that cannot be
 reached via the internet.  Email originating there is relayed through
 our MS-Exchange server (if sent with domain water.com) or a Linux
 Sendmail server (if sent with domain waterinvoice.com).  All email sent
 via exchange goes out an IP separate from incoming mail (MX) IP.  All
 email sent via Sendmail has a separate IP from incoming mail (MX) IP.

 Should the SPF specify the outbound IP (e.g. 12.44.84.204 for
 atlsnml2.waterinvoice.com) for the Sendmail server email or the IP/name
 for atuprd01.water.com? 

water.com should have your ms exchange's IP and waterinvoice.com should have
your linux servers' IP. Watch out if there is really no email going from
water.com via your linux server and no mail coming from waterinvoice.com via
your exchange server...

I assume 

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 
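An added example, not code from the thread, of what Matus describes: a small SPF evaluator in Python that checks the connecting relay's IP against a domain's `v=spf1` record (ip4, a, mx and all mechanisms) using an in-memory DNS table so it runs offline, including the case he warns about, waterinvoice.com mail leaving through the Exchange address. The water.com record, its assumed Exchange outbound address 198.51.100.25 and the fantomas.sk MX data are constructed; 12.44.84.204, atlsnml2.waterinvoice.com and 10.0.8.120 come from the headers quoted earlier in the thread.

```python
"""Minimal SPF (v=spf1) check over an in-memory DNS table.

Added example, not code from the list thread.  Only the ip4, a, mx and all
mechanisms are implemented (no include/redirect/exists), which covers the
records discussed: 'v=spf1 mx -all' and per-relay ip4 records.  The check is
always made against the IP that connects to the receiving server, i.e. the
last relay, never the internal host that originated the mail.
"""
import ipaddress
from typing import Dict, List, Set

# Constructed DNS data.  12.44.84.204 / atlsnml2.waterinvoice.com and
# 10.0.8.120 / atuprd01.water.com come from the headers quoted in the thread;
# every other address is an assumption in documentation space.
DNS: Dict[str, Dict[str, List[str]]] = {
    "water.com": {"TXT": ["v=spf1 ip4:198.51.100.25 -all"],   # Exchange outbound IP (assumed)
                  "MX": ["mail.water.com"]},
    "mail.water.com": {"A": ["198.51.100.20"]},                # inbound MX, a different IP
    "waterinvoice.com": {"TXT": ["v=spf1 ip4:12.44.84.204 -all"]},
    "atlsnml2.waterinvoice.com": {"A": ["12.44.84.204"]},
    "atuprd01.water.com": {"A": ["10.0.8.120"]},               # internal originator
    "fantomas.sk": {"TXT": ["v=spf1 mx -all"], "MX": ["mx.fantomas.sk"]},
    "mx.fantomas.sk": {"A": ["203.0.113.5"]},
}

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name: str, rrtype: str) -> List[str]:
    """Stand-in for a DNS query against the constructed table above."""
    return DNS.get(name.lower().rstrip("."), {}).get(rrtype, [])


def addresses(name: str) -> Set[ipaddress._BaseAddress]:
    return {ipaddress.ip_address(a) for a in lookup(name, "A")}


def check_host(client_ip: str, domain: str) -> str:
    """Evaluate the SPF record of `domain` for a connection from `client_ip`."""
    ip = ipaddress.ip_address(client_ip)
    records = [t for t in lookup(domain, "TXT")
               if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"            # no SPF policy published for this domain
    if len(records) > 1:
        return "permerror"       # RFC 7208: more than one record is an error
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech == "ip4":
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == 4 and ip in net
        elif mech == "a":
            matched = ip in addresses(arg or domain)
        elif mech == "mx":
            matched = any(ip in addresses(mx) for mx in lookup(arg or domain, "MX"))
        else:
            return "permerror"   # mechanism not modelled in this example
        if matched:
            return RESULT[qualifier]
    return "neutral"             # ran off the end of the record


if __name__ == "__main__":
    # waterinvoice.com mail through its own Sendmail relay, then through Exchange.
    print(check_host("12.44.84.204", "waterinvoice.com"))    # pass
    print(check_host("198.51.100.25", "waterinvoice.com"))   # fail: wrong relay
    print(check_host("203.0.113.5", "fantomas.sk"))          # pass via mx
```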
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
 


RE: BIND not talking to syslog daemon

2009-06-10 Thread Jeff Lightner
What OS?

On RHEL5 I have to set options in /etc/sysconfig/syslog (separate from
/etc/syslog.conf) like this:
SYSLOGD_OPTIONS=-m 0 -a /var/named/chroot/dev/log

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Wednesday, June 10, 2009 10:17 AM
To: bind-users@lists.isc.org
Subject: BIND not talking to syslog daemon

Good day,

I've run into a bit of an oddity, and I'm hoping someone might have an
idea.

I have a nameserver running BIND 9.3.5-p1 that doesn't want to log to
the syslog daemon.  I have 2 identically configured servers, one of them
works, one doesn't.

My logging configuration looks like:

category default{ my_default; default_syslog;
default_debug; };

I don't have a channel defined for default_syslog which means the
daemon should be using the built-in channel, as I understand it.

While logs are seen in my_default, they are just not showing up in
syslog.  We have restarted syslog-ng and verified the configuration,
it's the same as the working unit.

Syslog works otherwise on the box from other daemons, just not named.
Our thought is that for some reason the named daemon can't connect to
syslog, or gave up trying.

We cannot reload named on the box right now, so I am looking to see if
anyone has suggestions about what might be causing this, and/or ways to
resolve it without restarting the named daemon.

Thanks in advance,

Todd.





-
This transmission (including any attachments) may contain confidential
information, privileged material (including material protected by the
solicitor-client or other applicable privileges), or constitute
non-public information. Any use of this information by anyone other than
the intended recipient is prohibited. If you have received this
transmission in error, please immediately reply to the sender and delete
this information from your system. Use, dissemination, distribution, or
reproduction of this transmission by unintended recipients is not
authorized and may be unlawful.


RE: Clients sometimes get wrong view

2009-06-09 Thread Jeff Lightner
It seems the mydomain.com isn't in the view but presumably in one of the
includes.

So the most likely issues seem to be:

1)   You have defined mydomain.com in more than one of the includes,
which we can't tell since you didn't provide them.

-OR-

2)   The client actually has an unexpected IP (that is, you think
they are in the 10.x when they are actually in 192.x or vice-versa, or
they don't have an IP in either of the ranges you specified).



From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Corey Shaw
Sent: Tuesday, June 09, 2009 1:56 PM
To: bind-users@lists.isc.org
Subject: Clients sometimes get wrong view

 

OS:  Gentoo

Bind Version: 9.6.0-p1

 

I currently have my Bind server set up with 3 views.  It seems that
every now and then I have clients in the office view that try to go to
www.mydomain.com (which should be a public address), but instead they
get the internal address that is defined in the datacenter view
(10.x.x.x).  As a result, they can't get to www.mydomain.com.  My views
are configured as shown below (yes, all the include files exist and load
properly).  They are ordered in my configuration as shown below as well.
Any ideas on why this may be happening?

 

view datacenter {
    match-clients { 10.x.x.0/24; };
    recursion yes;
    include "/etc/bind/includes/datacenterincludes.conf";
    allow-recursion { 10.x.x.0/24; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
    };

    zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
    };
};

view office {
    match-clients { 166.x.x.88/29; };
    recursion yes;
    include "/etc/bind/includes/officeincludes.conf";
    allow-recursion { 166.x.x.88/29; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
    };

    zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
    };
};

view public {
    match-clients { any; };
    recursion no;
    include "/etc/bind/includes/publicincludes.conf";
    allow-recursion { none; };

    zone "." IN {
        type hint;
        file "named.ca";
    };

    zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
    };

    zone "127.in-addr.arpa" IN {
        type master;
        file "pri/127.zone";
        allow-update { none; };
        notify no;
    };
};

 

_
Corey Shaw
 

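Jeff's second possibility (the client is not in the range you think) is easy to confirm by simulating BIND's view selection: views are tried in named.conf order and the first one whose match-clients list accepts the source address wins, so any office client outside the /29 falls through to the public view. The following is an added example, not code from the thread; the view order and ACL shapes follow Corey's configuration, and the concrete prefixes 10.0.0.0/24 and 166.0.0.88/29 are constructed stand-ins for the x'ed-out values.

```python
"""Simulate BIND view selection for a client address.

Added example. Address-match-list semantics follow BIND: first matching
element decides, a leading '!' negates, 'any'/'none' are keywords.
The prefixes below are constructed placeholders for the thread's values.
"""
import ipaddress

# (view name, match-clients list) in named.conf order.
VIEWS = [
    ("datacenter", ["10.0.0.0/24"]),
    ("office", ["166.0.0.88/29"]),
    ("public", ["any"]),
]


def acl_matches(acl, client_ip):
    """Evaluate an address match list the way BIND does."""
    ip = ipaddress.ip_address(client_ip)
    for element in acl:
        negate = element.startswith("!")
        element = element.lstrip("! ")
        if element == "any":
            hit = True
        elif element == "none":
            hit = False
        else:
            hit = ip in ipaddress.ip_network(element, strict=False)
        if hit:
            return not negate  # a negated match rejects the whole list
    return False


def select_view(client_ip, views=VIEWS):
    """Name of the first view whose match-clients accepts client_ip, or None."""
    for name, acl in views:
        if acl_matches(acl, client_ip):
            return name
    return None  # no view matched: BIND would refuse the query


def explain(client_ip, expected_view, views=VIEWS):
    """One-line diagnosis for a 'wrong view' complaint."""
    actual = select_view(client_ip, views)
    if actual == expected_view:
        return f"{client_ip}: served by '{actual}' as expected"
    return (f"{client_ip}: served by '{actual}', not '{expected_view}'; "
            f"the address is outside that view's match-clients")


if __name__ == "__main__":
    # Constructed client addresses: one inside the office /29, one just past it.
    print(explain("166.0.0.90", "office"))
    print(explain("166.0.0.96", "office"))
```

A client that really does land in the expected view but still gets the datacenter address points back at Jeff's first possibility: the zone defined in more than one include file.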
RE: Bind is hanging on CentOS 4.4

2009-05-29 Thread Jeff Lightner
At least now it shows all the threads on a single processor.

-Original Message-
From: bind-users-boun...@lists.isc.org 
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jesse Cabral
Sent: Friday, May 29, 2009 1:57 PM
To: 'Jeffrey Reasoner'
Cc: bind-users@lists.isc.org
Subject: RE: Bind is hanging on CentOS 4.4
Importance: High

Good suggestion.

I just tried that and re-ran the ./configure --disable-threads

Then I killed the named pid and started named:

ps -Leo user,pid,ppid,lstart,lwp,nlwp,psr,args | egrep 'LWP|named'
USER       PID  PPID                  STARTED   LWP NLWP PSR COMMAND
named    14671     1 Fri May 29 13:56:41 2009 14671    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    14671     1 Fri May 29 13:56:41 2009 14672    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    14671     1 Fri May 29 13:56:41 2009 14673    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    14671     1 Fri May 29 13:56:41 2009 14674    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    14671     1 Fri May 29 13:56:41 2009 14675    5   0 /usr/sbin/named -u named -t /var/named/chroot
root     14678  3402 Fri May 29 13:56:43 2009 14678    1   1 egrep LWP|named

Still appears to be threaded ?

Jesse Cabral 
Solutions Engineer 

Micro Technology Solutions, Inc. 
Phone:508.324.9475  Fax:508.324.4477 
21 Father DeValles Blvd, Suite 101, Fall River, MA 02723 
www.mtsolutions.net 

 




-Original Message-
From: Jeffrey Reasoner [mailto:jeff.reaso...@mail.hccanet.org] 
Sent: Friday, May 29, 2009 1:38 PM
To: 'jcab...@mtsolutions.net'
Subject: RE: Bind is hanging on CentOS 4.4

Maybe 'make distclean' first and then rerun ./configure?

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.
org] On Behalf Of Jesse Cabral
Sent: Friday, May 29, 2009 12:58 PM
To: 'Jeff Lightner'
Cc: bind-users@lists.isc.org
Subject: RE: Bind is hanging on CentOS 4.4
Importance: High

I can't seem to get bind reconfigured to run with no threads ? Anyone have
any thoughts ?

When I rerun ./configure --disable-threads the configure file does not
update.

Regards,

Jesse Cabral

 




-Original Message-
From: Jeff Lightner [mailto:jlight...@water.com] 
Sent: Friday, May 29, 2009 9:03 AM
To: jcab...@mtsolutions.net
Subject: RE: Bind is hanging on CentOS 4.4

Yes.  That's the way I would read it.  Starting with -n 1 means it should
all be on one processor even though it is running multiple threads.

Try this:
ps -Leo user,pid,ppid,lstart,lwp,nlwp,psr,args | egrep 'LWP|named'
USER       PID  PPID                  STARTED   LWP NLWP PSR COMMAND
root      2833     1 Wed Jan 14 10:51:40 2009  2833    1   0 syslogd -m 0 -a /var/named/chroot/dev/log
named    12622     1 Thu May 14 09:51:36 2009 12622    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12623    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12624    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12625    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12626    5   1 /usr/sbin/named -u named -t /var/named/chroot
root     19429 19079 Fri May 29 08:59:39 2009 19429    1   0 egrep LWP|named

The above shows that I'm running 5 threads (NLWP column) of named and that 4
of them are on processor 0 and the final 1 is on processor 1 (PSR column).
All are PID 12622 but the LWP (thread ID) is different for each.

-Original Message-
From: Jesse Cabral [mailto:jcab...@mtsolutions.net] 
Sent: Thursday, May 28, 2009 4:55 PM
To: Jeff Lightner
Subject: RE: Bind is hanging on CentOS 4.4
Importance: High

Here is some more info:

I decided to start named with the -n 1 then 

I ran ps -eLfc | grep named
named    26750     1 26750    4 TS   18 16:42 ?        00:00:00 /usr/sbin/named -u named -n 1 -t /var/named/chroot
named    26750     1 26751    4 TS   24 16:42 ?        00:00:15 /usr/sbin/named -u named -n 1 -t /var/named/chroot
named    26750     1 26752    4 TS   24 16:42 ?        00:00:00 /usr/sbin/named -u named -n 1 -t /var/named/chroot
named    26750     1 26753    4 TS   24 16:42 ?        00:00:03 /usr/sbin/named -u named -n 1 -t /var/named/chroot

4 TS should be 4 threads. If I run

ps -p 26750 -T
  PID  SPID TTY          TIME CMD
26750 26750 ?        00:00:00 named
26750 26751 ?        00:00:20 named
26750 26752 ?        00:00:00 named
26750 26753 ?        00:00:04 named

It appears to be running 4 threads correct ?

Jesse Cabral

RE: Bind is hanging on CentOS 4.4

2009-05-29 Thread Jeff Lightner
This may have something to do with the different way Linux does threads
compared to UNIX.

On my RHEL5 servers I see named humming along quite happily with 5
threads across two processors, so it may be the original hang problem had
nothing to do with threads.  I tried to find something that would
document a process apparently running threads when told not to do so but
couldn't.

There was a change in the way threading is done by Linux between the 2.4
and 2.6 kernels, and CentOS 4 is based on an earlier 2.6 kernel than RHEL5,
so it's conceivable there is a kernel version issue there, but if so I
didn't find a reference to it.

Jesse - did you try the --disable-linux-caps mentioned in the link I
sent you yesterday?
http://linux-vserver.org/Problematic_Programs




-Original Message-
From: David Ford [mailto:da...@blue-labs.org] 
Sent: Friday, May 29, 2009 3:24 PM
To: jcab...@mtsolutions.net
Cc: Jeff Lightner; bind-users@lists.isc.org
Subject: Re: Bind is hanging on CentOS 4.4

Bind and threading don't get along, I have always had to force bind to
compile without thread support entirely.

Jesse Cabral wrote:
 So I can understand the original goal, let me re-clarify the
 objective.

 The problem of Bind hanging is thought to be caused by an interthread
 lock.

 The suggestion is to disable threads.

 Let me ask this question: is the goal to disable threads on
 multi-processors or threads completely?
   
[...]
 


RE: BIND do not listen on udp port 53

2009-05-28 Thread Jeff Lightner
You might want to try man nmap.  It specifically states -sS is for
checking TCP.  There is a -sU for checking UDP.

However, simpler than using nmap from within a server is using lsof to
check activity on a given port:

lsof -i :53

 



From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas Manson
Sent: Thursday, May 28, 2009 9:28 AM
To: bind-users@lists.isc.org
Subject: BIND do not listen on udp port 53

 

Hi,

I'm using BIND 9.5.0-P2 (on Ubuntu server 8.04).

And the BIND server does not listen any more on the UDP port.

I've updated the /etc/bind/named.conf to add a domain, but didn't touch
the /etc/bind/named.conf.options.

On localhost, when I use nmap I can see that the UDP port is not listed.

tho...@ns1:/etc/bind$ sudo nmap -sS localhost
[sudo] password for thomas:

Starting Nmap 4.62 ( http://nmap.org ) at 2009-05-28 15:17 CEST
Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1.
Interesting ports on localhost (127.0.0.1):
Not shown: 1709 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
953/tcp  open  rndc
9102/tcp open  jetdirect

Nmap done: 1 IP address (1 host up) scanned in 0.175 seconds
tho...@ns1:/etc/bind$

Does anyone have an idea of what's going on?

I can't figure out why this stopped working as before.

Maybe it's trivial, but as it's not my full-time job to manage these DNS
servers (and I have so many other things to deal with), help would be
appreciated.

Regards,

Thomas.
 

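As Jeff points out, nmap -sS is a TCP SYN scan and says nothing about UDP. The most reliable way to check the UDP listener from the box itself is to send it a real DNS query, since an empty datagram may be silently ignored. The following is an added example, not code from the thread: it builds a minimal query, sends it over UDP and (for comparison) over TCP with the 2-byte length framing, and decodes the response header. The helper functions are assumptions of this example; the response bytes used to exercise the parser are constructed.

```python
"""Probe whether a name server answers on UDP 53 and TCP 53.

Added example. A real DNS query (NS for the root) is sent over each
transport; a missing UDP listener shows up as a timeout or an ICMP port
unreachable (ConnectionRefusedError on Linux).
"""
import socket
import struct

QUERY_ID = 0x1234  # constructed transaction id; any 16-bit value works


def build_query(name: str, qtype: int = 2, qid: int = QUERY_ID) -> bytes:
    """Wire-format query: 12-byte header, QNAME labels, QTYPE, QCLASS IN. qtype 2 = NS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    qname = b""
    for label in name.rstrip(".").split("."):
        if label:
            qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(packet: bytes) -> dict:
    """Decode the DNS header; raises ValueError on a packet shorter than 12 bytes."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP prefixes each message with its 16-bit length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(message)) + message


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def probe_udp(host="127.0.0.1", port=53, timeout=2.0):
    """Parsed response header if the server answers over UDP, else None."""
    query = build_query(".")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, port))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout (dropped) or ICMP port unreachable (no listener)
            return None
    hdr = parse_header(data)
    return hdr if hdr["id"] == QUERY_ID and hdr["is_response"] else None


def probe_tcp(host="127.0.0.1", port=53, timeout=2.0):
    """Same query over TCP, to tell 'TCP only' apart from 'not listening at all'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(tcp_frame(build_query(".")))
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            data = _recv_exact(s, length)
    except OSError:
        return None
    return parse_header(data)


if __name__ == "__main__":
    print("udp/53:", "answers" if probe_udp() else "no answer")
    print("tcp/53:", "answers" if probe_tcp() else "no answer")
```

On Thomas's server the expected symptom is "tcp/53: answers" together with "udp/53: no answer", which confirms the problem is the UDP listener rather than named being down.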
RE: Bind is hanging on CentOS 4.4

2009-05-28 Thread Jeff Lightner
The output suggests named is running with threads (I see similar output on my 
RHEL BIND server).

Try running ps -efLm | grep named to get a better look at it.  Some time ago 
they changed the way threads are done in Linux (one of the 2.4.x kernels).  The 
columns LWP and NLWP from ps -eLf should show the thread id and number of 
threads respectively per the man page, but based on what I'm seeing on my RHEL 
system the latter is showing 0 when in fact there are multiple threads.

-Original Message-
From: Jesse Cabral [mailto:jcab...@mtsolutions.net] 
Sent: Thursday, May 28, 2009 3:55 PM
To: Jeff Lightner
Cc: bind-users@lists.isc.org
Subject: RE: Bind is hanging on CentOS 4.4
Importance: High

Here is the output from ps -eLf

ps -eLf | grep named
named    32231     1 32231  0    7 May26 ?        00:00:00 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32232  0    7 May26 ?        00:15:04 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32236  0    7 May26 ?        00:15:04 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32237  0    7 May26 ?        00:14:58 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32238  0    7 May26 ?        00:15:06 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32239  0    7 May26 ?        00:00:07 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32240  0    7 May26 ?        00:12:40 /usr/sbin/named -u named -t /var/named/chroot


I rebuilt named with threads disabled and I still had a hang afterward.

Jesse Cabral

 




-Original Message-
From: Jeff Lightner [mailto:jlight...@water.com] 
Sent: Thursday, May 28, 2009 1:27 PM
To: jcab...@mtsolutions.net
Subject: RE: Bind is hanging on CentOS 4.4

The implementation of ps has a lot to do with whether you see threads.

You might try:
To get info about threads:
   ps -eLf
   ps axms

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.
org] On Behalf Of Jesse Cabral
Sent: Thursday, May 28, 2009 1:16 PM
To: 'JINMEI Tatuya / 神明達哉'
Cc: bind-users@lists.isc.org
Subject: RE: Bind is hanging on CentOS 4.4
Importance: High

I have decided to rebuild named with threads disabled. I will update you on
the results. I am hoping that will remedy the issue.

Thanks for your support.

Jesse Cabral

 




-Original Message-
From: JINMEI Tatuya / 神明達哉 [mailto:jinmei_tat...@isc.org] 
Sent: Tuesday, May 26, 2009 3:14 PM
To: jcab...@mtsolutions.net
Subject: Re: Bind is hanging on CentOS 4.4

At Tue, 26 May 2009 09:23:22 -0400,
Jesse Cabral jcab...@mtsolutions.net wrote:

 When I run a ps ax | grep named 
 
 I only see a single thread for named ? If I was using multi-threads it
 should show an additional thread for each instance correct ?

It depends on the ps implementation.  To be sure, you should start
named with the -g command line option and see initial log messages
on stderr.  If you see something like this:
26-May-2009 12:11:39.619 found 1 CPU, using 1 worker thread

threads are enabled.  If the threads are enabled, the best way to
eliminate the possibility of dead lock is to rebuild named
--disable-threads.  If you cannot do it, maybe you want to try
invoking named with the '-n 1' command line option.

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.

p.s. if you don't mind, please cc follow up messages to the bind-users
list.  Then you can expect more help from others.   I'm just back from
vacation with so many email backlogs and my responses may be overly
delayed.


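Both "Bind is hanging" threads above turn on reading thread information out of ps: the ps -Leo output with its multi-word STARTED column, and the ps -eLf output whose NLWP column Jeff notes can show 0 even when several threads are listed. The following is an added example, not code from the thread, that parses either layout from the header line, groups the LWP lines per process, reports which processors the threads were last seen on, and flags processes whose NLWP disagrees with the number of LWP lines actually present. The two samples are constructed to match the shapes of the output posted in the threads; the five-token width assumed for STARTED is what lstart prints.

```python
"""Group the LWP lines of `ps -L` output by process to see the thread layout.

Added example. Column names come from the header line; STARTED (lstart)
is the one multi-word column and is read as five tokens.
"""
from collections import defaultdict

# Constructed sample of `ps -Leo user,pid,ppid,lstart,lwp,nlwp,psr,args` output.
PS_LEO_SAMPLE = """\
USER       PID  PPID                  STARTED   LWP NLWP PSR COMMAND
named    12622     1 Thu May 14 09:51:36 2009 12622    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12623    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12624    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12625    5   0 /usr/sbin/named -u named -t /var/named/chroot
named    12622     1 Thu May 14 09:51:36 2009 12626    5   1 /usr/sbin/named -u named -t /var/named/chroot
root      2833     1 Wed Jan 14 10:51:40 2009  2833    1   0 syslogd -m 0 -a /var/named/chroot/dev/log
"""

# Constructed sample of `ps -eLf` output (header included).
PS_ELF_SAMPLE = """\
UID        PID  PPID   LWP  C NLWP STIME TTY          TIME CMD
named    32231     1 32231  0    7 May26 ?        00:00:00 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32232  0    7 May26 ?        00:15:04 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32236  0    7 May26 ?        00:15:04 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32237  0    7 May26 ?        00:14:58 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32238  0    7 May26 ?        00:15:06 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32239  0    7 May26 ?        00:00:07 /usr/sbin/named -u named -t /var/named/chroot
named    32231     1 32240  0    7 May26 ?        00:12:40 /usr/sbin/named -u named -t /var/named/chroot
"""

MULTI_TOKEN = {"STARTED": 5}  # lstart prints: weekday month day time year


def parse_ps(output):
    """One dict per LWP line keyed by header column; the last column takes the rest."""
    lines = [l for l in output.splitlines() if l.strip()]
    columns = lines[0].split()
    rows = []
    for line in lines[1:]:
        tokens = line.split()
        row, pos = {}, 0
        for i, col in enumerate(columns):
            if i == len(columns) - 1:
                row[col] = " ".join(tokens[pos:])
            else:
                width = MULTI_TOKEN.get(col, 1)
                row[col] = " ".join(tokens[pos:pos + width])
                pos += width
        rows.append(row)
    return rows


def _command(row):
    return row.get("COMMAND", row.get("CMD", ""))


def threads_of(rows, command_prefix):
    """pid -> sorted LWP ids, for processes whose command starts with command_prefix."""
    by_pid = defaultdict(set)
    for r in rows:
        if _command(r).startswith(command_prefix):
            by_pid[int(r["PID"])].add(int(r["LWP"]))
    return {pid: sorted(lwps) for pid, lwps in by_pid.items()}


def processors_of(rows, pid):
    """PSR values the threads of pid were last scheduled on (empty without a PSR column)."""
    return {int(r["PSR"]) for r in rows if "PSR" in r and int(r["PID"]) == pid}


def nlwp_mismatches(rows, command_prefix=""):
    """pids whose NLWP column disagrees with the LWP lines actually listed."""
    declared = {int(r["PID"]): int(r["NLWP"]) for r in rows
                if "NLWP" in r and _command(r).startswith(command_prefix)}
    observed = threads_of(rows, command_prefix)
    return sorted(pid for pid, lwps in observed.items()
                  if pid in declared and declared[pid] != len(lwps))


if __name__ == "__main__":
    rows = parse_ps(PS_LEO_SAMPLE)
    for pid, lwps in threads_of(rows, "/usr/sbin/named").items():
        print(f"pid {pid}: {len(lwps)} threads on processors {sorted(processors_of(rows, pid))}")
```

Jeff's 5-thread, two-processor layout comes out of the first sample; the second sample shows the same grouping from plain ps -eLf, and nlwp_mismatches is the check for the "NLWP says 0" quirk.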
RE: two NS servers on a single host

2009-05-13 Thread Jeff Lightner
It is network redundancy only insofar as the DOS attack doesn't cause
your CPU and memory to get slammed.

If you're doing redundancy you really ought to do the whole thing by
getting another server and putting IT on the other network.  Then you
don't have a single point of failure (unless they're both in the same
data center).

If you really want to do two different IPs on one host you could
probably use views to accomplish this, but that would be all within a
single BIND setup, so your theoretical DOS attack would probably cause
both views to have issues.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bradley
Giesbrecht
Sent: Wednesday, May 13, 2009 10:22 AM
To: Stephane Bortzmeyer
Cc: bind-users@lists.isc.org
Subject: Re: two NS servers on a single host


On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:

 On Wed, May 13, 2009 at 09:02:55PM +0800,
 Tech W. tech...@yahoo.com.cn wrote
 a message of 34 lines which said:

 I want to give two NS records for my domain, each NS take each of
 the IP set in the host.

 Why? This would be completely useless. RFC 1034 and other documents
 call for at least two name servers, for redundancy reasons. If the two
 name servers are on the same host, what's the point? There would be no
 gain in reliability.

If you have ever had the ip for your name server the target of a dos  
attack you could have blocked traffic to that ip and still had dns.

Two networks to same host is network redundancy and has value.


//Brad


RE: two NS servers on a single host

2009-05-13 Thread Jeff Lightner
No worries.  Compared to some posts directed my way in various forums
(even this list) this was mild and I just wanted to set the record
straight.

In one list I'm on this kind of response would immediately result in a 3
day thread about why top posting (or bottom posting or in line posting
or maybe all 3) is evil and causes cancer.  :)

-Original Message-
From: Bradley Giesbrecht [mailto:b...@pixilla.com] 
Sent: Wednesday, May 13, 2009 1:17 PM
To: Bradley Giesbrecht
Cc: Jeff Lightner; bind-users@lists.isc.org
Subject: Re: two NS servers on a single host

Jeff, my apologies. I read the quoting levels wrong.


On May 13, 2009, at 8:01 AM, Bradley Giesbrecht wrote:


 On May 13, 2009, at 7:29 AM, Jeff Lightner wrote:

 It is network redundancy only in so far the DOS attack doesn't cause
 your CPU and memory to get slammed.

 I would block the block the ip under attack upstream so no cpu or  
 memory issues.

 I didn't claim anything other then there can be in fact value in  
 having one computer on more then one network.

 This was in response to your comment This would be completely  
 useless which I disagree with.

 //Brad

 If you're doing redundancy you really ought to do the whole thing by
 getting another server and putting IT on the other network.   Then  
 you
 don't have a single point of failure (unless they're both in the same
 data center).

 If you really want to do two different IPs on one host you could
 probably use views to accomplish this but that would be all within a
 single BIND setup so your theoretical DOS attack would probably cause
 both views to have issues.

 -Original Message-
 From: bind-users-boun...@lists.isc.org
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Bradley
 Giesbrecht
 Sent: Wednesday, May 13, 2009 10:22 AM
 To: Stephane Bortzmeyer
 Cc: bind-users@lists.isc.org
 Subject: Re: two NS servers on a single host


 On May 13, 2009, at 6:51 AM, Stephane Bortzmeyer wrote:

 On Wed, May 13, 2009 at 09:02:55PM +0800,
 Tech W. tech...@yahoo.com.cn wrote
 a message of 34 lines which said:

 I want to give two NS records for my domain, each NS take each of
 the IP set in the host.

 Why? This would be completely useless. RFC 1034 and other documents
 call for at least two name servers, for redundancy reasons. If the  
 two
 name servers are on the same host, what's the point? There would  
 be no
 gain in reliability.

 If you have ever had the ip for your name server the target of a dos
 attack you could have blocked traffic to that ip and still had dns.

 Two networks to same host is network redundancy and has value.


 //Brad


RE: URL Redirection via DNS

2009-04-24 Thread Jeff Lightner
Short answer:  No

 

Longer answer:  Only FQDN can be aliased with CNAME.   That's not
technically a redirect.   (e.g. mike.mydomain.com being CNAME to
Ralph.mydomain.com is OK - however you can not make
mike.mydomain.com/landingpage do anything because /landingpage is not
part of the FQDN so has nothing to do with DNS.)

 

Minor Rant:  Why don't web developers know how to do simple URL
redirection and quit asking DNS Admins to do it for them?

 



From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Pablo Arturi
Sent: Friday, April 24, 2009 10:18 AM
To: Binmakhashen, Latif; BIND Mailing List
Subject: Re: URL Redirection via DNS

 

Either it's too complex for me, or you're terribly wrong on concepts.

 

DNS has nothing to do with URL redirection; that's a web server's job. Or
again, it's too complex for me. :) What would be an example of what you
want to do?

Hi guys,

 

Is it possible to setup DNS to redirect URLs in the address bar
of an IE?


RE: Make changes en mass [done]

2009-03-24 Thread Jeff Lightner
Good point.  

The serial number should be updated since the zone file is being
updated.  The sed command could be used to do that as well.

for zonefile in *.com
do
   # replace the expire value and stamp today's serial, writing a new copy
   sed -e 's/604800/709600/' \
       -e 's/200[0-9][0-1][0-9][0-9][0-9][0-9][0-9]/2009032401/' "$zonefile" > "${zonefile}.new"
   mv "$zonefile" "${zonefile}.old"
   mv "${zonefile}.new" "$zonefile"
done

The above does the same expiration value replacement as earlier and also
changes the serial number to current day (2009032401 as of this
writing).   This substitution is based on the preferred serial number
syntax of:
CCYYMMDDsq where sq is a sequence number (01 being first).   It assumes
all the zone files have a current serial number using that in the
current decade (2000s) and no sequence number higher than 99.   The
pattern would have to be adjusted if those assumptions weren't valid.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Alan Clegg
Sent: Tuesday, March 24, 2009 4:31 PM
To: bind-users@lists.isc.org
Subject: Re: Make changes en mass [done]

John D. Vo wrote:
 Thanks Jeff. I prefer your way better, more eloquent than the brute
 force method I did.

To this point, nobody has updated the serial.

AlanC
 

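The sed approach above works only while its assumptions hold: every zone already carries a CCYYMMDDsq serial from the 2000s, nobody has made a change today yet (otherwise the new serial 2009032401 can be lower than the old one and slaves stop transferring), and the sequence never reaches 99. The following is an added example, not Jeff's script, that parses the SOA serial instead of pattern-matching digits, moves to today's date with sequence 01, increments the sequence when the serial is already today's, and never produces a serial that is not larger than the old one. The zone text and the file-handling helper are constructed for this example.

```python
"""Bump CCYYMMDDsq SOA serials across zone files without going backwards.

Added example. Handles both the multi-line "( ... )" SOA layout and the
one-line form; refuses the 100th change in a day and 32-bit overflow.
"""
import re
from datetime import date

# Constructed sample zone in the usual multi-line SOA layout.
ZONE_SAMPLE = """$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
            2009032301  ; serial
            10800       ; refresh
            3600        ; retry
            604800      ; expire
            86400 )     ; minimum
    IN  NS  ns1.example.com.
www IN  A   192.0.2.80
"""

# group 1: "SOA <mname> <rname>", optional "(", whitespace and comment lines; group 2: the serial
SOA_RE = re.compile(r"(\sSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*)(\d+)", re.IGNORECASE)


def read_serial(zone_text: str) -> int:
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    return int(m.group(2))


def next_serial(old: int, today: date) -> int:
    """New serial for a change made today; always strictly greater than old."""
    day_base = int(today.strftime("%Y%m%d")) * 100        # CCYYMMDD00
    if old < day_base:
        new = day_base + 1                                 # first change today
    elif old // 100 == day_base // 100:
        if old % 100 >= 99:
            raise ValueError("99 changes already today; sequence exhausted")
        new = old + 1                                      # another change today
    else:
        new = old + 1                                      # future-dated or odd serial: just step it
    if new >= 2 ** 32:
        raise ValueError("serial would overflow 32 bits")
    return new


def bump_serial(zone_text: str, today=None):
    """Return (new_text, old_serial, new_serial) with only the serial digits replaced."""
    today = today or date.today()
    m = SOA_RE.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found")
    old = int(m.group(2))
    new = next_serial(old, today)
    return zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):], old, new


def bump_files(paths, today=None, backup_suffix=".old"):
    """Rewrite each zone file in place, keeping a backup; skip files with no SOA serial."""
    results = {}
    for path in paths:
        with open(path) as fh:
            text = fh.read()
        try:
            new_text, old, new = bump_serial(text, today)
        except ValueError:
            continue  # leave an unparsable file untouched rather than clobber it
        with open(path + backup_suffix, "w") as fh:
            fh.write(text)
        with open(path, "w") as fh:
            fh.write(new_text)
        results[path] = (old, new)
    return results


if __name__ == "__main__":
    import sys
    for path, (old, new) in bump_files(sys.argv[1:]).items():
        print(f"{path}: {old} -> {new}")
```

Run it as `python bump_serial.py *.com` to get the same sweep as the for loop; the difference shows up on the second run of the day, which yields ...02 instead of silently rewriting the same serial.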

RE: Internal and External view on same slave server? - RESOLVED

2009-03-17 Thread Jeff Lightner
Justin Dixon sent an email suggesting:

Use TSIG to select the correct view...Example at below URL from the BIND
FAQ on www.isc.org.

https://www.isc.org/node/282 

 

I didn't actually do the TSIG setup (need to do that one of these
days...).   However, the rest of the link indicated steps close to what
I had done.   I had an internal facing NIC with an alias IP already as
well as an external (internet) facing NIC.  I did not have the
notify-source statement however so added that.   Even after that I
still had issues.

 

Robert Davis sent an email suggesting:

Read Cricket Liu's _DNS & BIND Cookbook_, 3.19: Setting Up a Slave Name
Server for a Zone in Multiple Views.

 

I found an online preview that included that section.

 

After reviewing that and my named.conf files a few times I realized I'd
set allow-transfer { watercom; }; in each of my zone definitions and
watercom was an acl for the primary (rather than the alias) IPs of the
internal facing NICs.   I created a new ACL for the alias IPs and
removed this from each of the zones.  I then added the original line to
the external view and a new line saying allow-transfer {
watercomaliasips; }; to the internal zone.   This worked fine.

 

This morning I found that I'd accidentally disabled recursion for
internal users because the link above seemed to suggest query-source for
view should be the same IP as the transfer-source and notify-source.  It
turns out that is not correct.  The query-source is the IP in the server
that queries others (e.g. queries the root servers) so should be the
external facing NIC rather than either the primary or alias IP on the
internal facing NIC.   After correcting that recursion worked for
internal users.  (External users can't do recursion because I'd
explicitly turned that off in the global options last year.)

 

Thanks Robert and Justin for taking the time to respond.

 



From: Jeff Lightner 
Sent: Friday, March 13, 2009 4:15 PM
To: bind-users@lists.isc.org
Subject: Internal and External view on same slave server?

 

We recently decided to create internal and external views for some
zones.   This worked fine on the master server.

 

However, initiating zone transfer on slave from master it loaded all the
zone names I'd created but put exactly the same information into both
sets.   This information was for the internal view which is the first
one in both named.conf files. 

 

On doing some research I saw mention of needing to configure different
slaves for internal and external view.   This mentioned need for
separate IPs.

 

Since I can't just build a new slave server I instead opted to create an
alias IP using the same NIC as primary IP.  Of course the question there
is how to force the transfer request to come from the primary IP or the
alias IP dependent on which view the zone is in.  

 

Further research suggested use of the transfer-source option in the view
to specify the IP to be used to request the transfer.   I added this.
Also I already had allow-transfer for the primary IP.  I left that in
the external view zone entries in named.conf.  I then created a separate
allow-transfer in the internal view zone entries to use the alias IP. 

 

On checking logs I'm seeing REFUSED from the master in the slave's logs
but I am seeing the slave's alias IP making the request on the master.
I don't see the slave's primary IP making requests on the master.

 

Is what I'm trying to do possible?  

 

If not can someone explain why?  Given that I'm restricting the IP
allowed to transfer and the IP requesting the transfer it seems this
should be working.  At worst it seems it should only have quit working
for one view but it's not working for either one.

 

If it is possible can someone let me know how they've achieved it?
 

Internal and External view on same slave server?

2009-03-13 Thread Jeff Lightner
We recently decided to create internal and external views for some
zones.   This worked fine on the master server.

 

However, initiating zone transfer on slave from master it loaded all the
zone names I'd created but put exactly the same information into both
sets.   This information was for the internal view which is the first
one in both named.conf files. 

 

On doing some research I saw mention of needing to configure different
slaves for internal and external view.   This mentioned need for
separate IPs.

 

Since I can't just build a new slave server I instead opted to create an
alias IP using the same NIC as primary IP.  Of course the question there
is how to force the transfer request to come from the primary IP or the
alias IP dependent on which view the zone is in.  

 

Further research suggested use of the transfer-source option in the view
to specify the IP to be used to request the transfer.   I added this.
Also I already had allow-transfer for the primary IP.  I left that in
the external view zone entries in named.conf.  I then created a separate
allow-transfer in the internal view zone entries to use the alias IP. 

 

On checking logs I'm seeing REFUSED from the master in the slave's logs
but I am seeing the slave's alias IP making the request on the master.
I don't see the slave's primary IP making requests on the master.

 

Is what I'm trying to do possible?  

 

If not can someone explain why?  Given that I'm restricting the IP
allowed to transfer and the IP requesting the transfer it seems this
should be working.  At worst it seems it should only have quit working
for one view but it's not working for either one.

 

If it is possible can someone let me know how they've achieved it?
 

RE: named with DLZ

2009-02-27 Thread Jeff Lightner
RedHat does have prebuilt packages on RHEL5.x.

On my 5.2 server I have:
bind-chroot-9.3.4-6.0.3.P1.el5_2
system-config-bind-4.0.3-2.el5
bind-libs-9.3.4-6.0.3.P1.el5_2
bind-9.3.4-6.0.3.P1.el5_2
bind-utils-9.3.4-6.0.3.P1.el5_2

You can install the latest packages with yum

yum install bind-chroot system-config-bind bind-libs bind bind-utils

I'm running the chroot'ed BIND configuration - it isn't required but I'd
recommend it.

I'm not sure any of these have DLZ support built in as I don't use it.
On scanning RedHat's support site I found no mention of DLZ so you may
need to build your own.

FYI:  Although the base BIND version for above packages is 9.3.4 the
RedHat people have backported security fixes from later BIND versions
into their version.

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Scott Haneda
Sent: Thursday, February 26, 2009 7:53 PM
To: BIND Users Mailing List
Subject: named with DLZ

I have been tasked with getting named with DLZ support on Red Hat 5.2
Enterprise.  I have never worked on Red Hat or with RPM, can someone
point me to the rpm I need?  Any other basic pointers?

I was thinking to just build it out myself, but if there is a
confident stable rpm, I might as well learn that as well.

Thanks.
--
Scott



RE: Change my primary DNS server safely...

2009-02-27 Thread Jeff Lightner
In your case it sounds like you're going to have two external IPs.  If so I'd 
leave the Apache server with BIND running and add the new server as first one 
at the registrar.  That way anyone that has your old server cached will 
continue to get to it.  Any new queries hopefully would cache your new server.  

After you're sure the new server is up and running for a few days you can stop 
BIND on the old one (to reduce load on it).

-Original Message-
From: Thomas Manson [mailto:dev.mansontho...@gmail.com] 
Sent: Friday, February 27, 2009 10:06 AM
To: Jeff Lightner
Cc: bind-users@lists.isc.org
Subject: Re: Change my primary DNS server safely...

Hi Jeff,

  Actually, I've Postfix/Apache2/Bind (primary DNS) on the same
machine which is hosted by one company.

  I want to dedicate a server to be the primary DNS. This server is
hosted by another company. (The first server will be reinstalled soon
but will stay in the original hosting company.)

  The secondary DNS is already a dedicated server.

  So my new primary DNS is ready and the old server will still be
running (at least for the apache2 service).
  Should I leave BIND running on the old server or stop it?  (Would it
be annoying if the old IP still answers queries?)

Regards,
Thomas.



On Fri, Feb 27, 2009 at 14:50, Jeff Lightner jlight...@water.com wrote:
 Not sure where the trepidation comes in here.  Hopefully you ARE running
 a slave server as well so if the primary isn't reachable the slave would
 resolve lookups until you fixed any problem.

 Here we've moved our servers from one network provider to another so had
 to change the IPs of the master and the slave at the Network registrars.
 We did those one at a time.  That is to say we first did the slave and
 once we were sure it was resolving correctly and had allowed time for
 everyone's caches to clear (we waited 3 days/72 hours) then we moved the
 master.

 We've also completely replaced both our primary and slave by installing
 new servers and setting them with the IPs.  There again we did it by
 doing one at a time.  For those there was no propagation time since the
 IP stayed the same.

 If you're simply moving your master to a new IP (as the outside world
 sees it) then you'll have to allow time for the caches to clear as we
 did.  If you're simply moving it to a new IP internally then your
 network folks should be able to NAT that IP to the same external IP your
 prior server had.

 -Original Message-
 From: bind-users-boun...@lists.isc.org
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Thomas Manson
 Sent: Thursday, February 26, 2009 8:04 PM
 To: bind-users@lists.isc.org
 Subject: Change my primary DNS server safely...

 Hello,

  I need to change the primary DNS server which manages hundreds of
 domains.

  I've setup the new machine so that it has the correct named
 configuration for each domain (script generated).

  I plan to change the IP behind the ns0.mydomain.com so that it
 points to the new machine.

  As I feel it's a bit risky to do that, if you have any suggestion,
 I'll be glad to hear it.

 Thanks,
 Thomas.


RE: Deny query from a single IP

2009-02-26 Thread Jeff Lightner
The point in the ACL is it allows you to grow the list of servers
without cluttering up the Options section.

-Original Message-
From: Prabhat Rana [mailto:prana9...@yahoo.com] 
Sent: Thursday, February 26, 2009 12:43 PM
To: Eric C. Davis; Jeff Lightner
Cc: bind-users@lists.isc.org
Subject: RE: Deny query from a single IP


Thanks Eric. Using the blackhole option sounds like a feasible option to block
an IP address. Instead of using the acl can I just use the option
blackhole
blackhole { xx.xx.xx.xx; };

The idea is to use the File::Tail perl module in a script to tail the stat
file continuously and if the condition occurs then pick the source IP
address and insert the line
blackhole { xx.xx.xx.xx; };
in the named.conf under options and reload the configuration.

During these attacks we've experienced that named basically hangs
because it gets flooded with queries. With the blackhole option the
recursion part to internet from such queries can be avoided but we can't
avoid the incoming queries from the attacker. So we will need to test
this to determine how effective it is.



--- On Thu, 2/26/09, Jeff Lightner jlight...@water.com wrote:

 From: Jeff Lightner jlight...@water.com
 Subject: RE: Deny query from a single IP
 To: Eric C. Davis e...@mail.rockefeller.edu, prana9...@yahoo.com
 Cc: bind-users@lists.isc.org
 Date: Thursday, February 26, 2009, 10:38 AM
 That being said you CAN do what you asked:
 
 Create an ACL in named.conf:
 
 # Blackhats ACL - zones to be used in blackhole statement - will prevent
 # them from being allowed to query and will not respond to them.
 acl blackhats {
 xx.xx.xx.xx;
 };
 
 (Where you put the specific IP in place of the xx.xx.xx.xx.)
 
 Then in options section add a line to use the ACL:
 blackhole { blackhats; };
 
 -Original Message-
 From: bind-users-boun...@lists.isc.org
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Eric
 C. Davis
 Sent: Thursday, February 26, 2009 11:24 AM
 To: prana9...@yahoo.com
 Cc: bind-users@lists.isc.org
 Subject: Re: Deny query from a single IP
 
 It is better to do this with a real IPS rather than use your DNS server to
 do this.  You should avoid having any unwanted traffic hit your DNS
 servers ever.
 
 Eric
 Prabhat Rana wrote:
  Hello,
  I have BIND 9.5 running on a Solaris 10 box. It provides recursive DNS
  service. I'm trying to implement a script where it reads the BIND stats
  file for all the incoming queries and if there are too many queries from
  a single user (source IP) it will block queries from that particular IP.
  In order for this to occur is there a parameter similar to allow-query
  that I can inject into the named.conf to block query from a single IP
  address when this condition occurs? Basically I'm trying to add a tool
  to detect potential DOS attacks where we see too many queries from one
  single IP. Any other suggestions would also be appreciated.
 
  Thanks
  Prabhat.
 
 
 
 
 
 

 
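A detector of the kind Prabhat describes, added here as an example (not code from the thread): it counts queries per source address over BIND query-log lines inside a sliding time window and renders the `acl blackhats { ... };` block Jeff showed, skipping networks that must never be blackholed. It assumes query logging is enabled and reads query-log lines rather than the stats file; the thresholds, network list and log lines are constructed placeholders.

```python
"""Derive a BIND ``acl blackhats { ... };`` block from query-log lines.

Added example, not the poster's script.  Assumes query logging is on
(``rndc querylog``) and that lines carry ``client A.B.C.D#port: query:``.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Site tuning (placeholders): more than THRESHOLD queries from one source
# inside any WINDOW_SECONDS interval flags that source.
THRESHOLD = 50
WINDOW_SECONDS = 10.0
# ``blackhole`` also stops named from *sending* to the listed addresses, so
# your own nets, forwarders and slaves must never end up in the ACL.
PROTECTED_NETS = ["10.0.0.0/8", "127.0.0.0/8"]

# Accepts the classic "client 198.51.100.9#5432: query: ..." line and the
# newer "client @0x... 198.51.100.9#5432 (name): query: ..." line.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
)


def parse_query_log(lines):
    """Yield (timestamp, source_ip) for every line that is a query-log entry."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
            yield ts, m.group("ip")


def find_abusers(lines, threshold=THRESHOLD, window_seconds=WINDOW_SECONDS,
                 protected_nets=PROTECTED_NETS):
    """Return the source IPs that exceed ``threshold`` queries in any window
    of ``window_seconds``, skipping anything inside ``protected_nets``."""
    protected = [ipaddress.ip_network(n) for n in protected_nets]
    stamps = defaultdict(list)
    for ts, ip in parse_query_log(lines):
        stamps[ip].append(ts)
    abusers = set()
    for ip, times in stamps.items():
        if any(ipaddress.ip_address(ip) in net for net in protected):
            continue
        times.sort()
        start = 0                      # sliding window over the sorted times
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                abusers.add(ip)
                break
    return abusers


def render_acl(abusers, name="blackhats"):
    """Render named.conf syntax for an ``include``d file; ``options`` then
    carries ``blackhole { blackhats; };`` and ``rndc reload`` applies it."""
    ordered = sorted(abusers, key=lambda ip: ipaddress.ip_address(ip).packed)
    body = "".join(f"    {ip};\n" for ip in ordered)
    return f"acl {name} {{\n{body}}};\n"


def _burst(ip, count, step_ms, new_form=False):
    """Constructed log lines: ``count`` queries from ``ip``, ``step_ms`` apart."""
    base = datetime(2009, 2, 26, 12, 43, 0)
    out = []
    for i in range(count):
        ts = (base + timedelta(milliseconds=step_ms * i)).strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
        if new_form:
            out.append(f"{ts} client @0x7f3c0 {ip}#{40000 + i} (example.com): query: example.com IN A + (10.0.0.1)")
        else:
            out.append(f"{ts} client {ip}#{40000 + i}: query: example.com IN A +")
    return out


# Constructed sample: one flooding source, one equally busy but protected
# internal host, one slow steady source, one normal client, one non-query line.
SAMPLE_LOG = (
    _burst("198.51.100.9", 60, 100)                # 60 queries in 6 s: abuser
    + _burst("10.0.0.5", 60, 100, new_form=True)   # same rate, but protected
    + _burst("192.0.2.77", 60, 10_000)             # 60 queries over 10 min: fine
    + _burst("203.0.113.4", 5, 500)                # normal client
    + ["26-Feb-2009 12:43:01.000 general: info: zone example.com/IN: loaded serial 2009022601"]
)


def sample_abusers():
    """Run the detector over the constructed sample with the defaults above."""
    return find_abusers(SAMPLE_LOG)


if __name__ == "__main__":
    print(render_acl(sample_abusers()), end="")
```

Because named drops blackholed queries without replying, the sender keeps retrying; as Jeff notes elsewhere in this archive, pairing the ACL with a kernel-level drop is what actually relieves the CPU.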


RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices ForCoexisting

2009-02-06 Thread Jeff Lightner
I'm with Josh on this.

The only things that we have that would have both internal and external
addresses are servers.  For the domain I'm speaking of those are hard
assigned addresses not DHCP so there is no dynamic update being done.
We simply send an email to the Windoze Admins asking them to add the
internal IP to their DNS records for our servers as we build them.  We
have VLAN ranges for different kinds of servers (e.g. UNIX VLAN, Linux
VLAN etc...).  

There should be no need to add external IPs for all your desktops unless
you're doing something weird.  (Every user has his own web server maybe?)
For the desktops (which are in their own VLANs) and VPN connections
there are DHCP entries that go into the Windoze DNS servers dynamically
but those never go into the BIND DNS servers because we're not expecting
queries from outside our network to find specific desktops.   In the
event we have a need for outsiders (e.g. vendors) who have a need to get
to internal connections they typically set up a VPN connection for
them so they use the Windoze DNS.  The firewall is used to restrict
which systems they can actually access.

-Original Message-
From: Baird, Josh [mailto:jba...@follett.com] 
Sent: Friday, February 06, 2009 10:13 AM
To: wiskbr...@hotmail.com; Jeff Lightner; bind-users@lists.isc.org
Subject: RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices
ForCoexisting

In my case, we let AD/MSDNS do dynamic updates.. no dynamic updates are
necessary with BIND.  Not sure I understand your split lookups - but your
external authoritative nameservers should NOT allow recursion.

Josh

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of
wiskbr...@hotmail.com
Sent: Friday, February 06, 2009 9:09 AM
To: jlight...@water.com; bind-users@lists.isc.org
Subject: RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices
ForCoexisting


Thanks for the reply.  My DMZ, or external lookups, are all performed via
one of six BIND-9 servers.

The product that we use is based on BIND-8, though they've recently come out
with a BIND-9 version.

If I split my lookups and have internal lookups pointed at the MS DNS
servers, and non-authoritative lookups to my external servers (running
BIND-9), then shouldn't this address the issues you spoke of?

How are you able to allow for the windoze boxes to automatically add
entries? In other words, a strong case they made is that they must presently
maintain two databases, AD *and* DNS.  With MS DNS, they say, this is not
the case whereby when you add an entry or join a host, that entry is
automatically added in DNS.

Is there a way to do this in BIND?

Thanks again,

.vp



 Subject: RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting
 Date: Fri, 6 Feb 2009 09:49:42 -0500
 From: jlight...@water.com
 To: wiskbr...@hotmail.com; bind-users@lists.isc.org

 I don't see why it is either/or.

 Here we have Windoze DNS servers for internal lookups and Linux/BIND 9
 DNS servers for external lookups. The internal servers refer all
 queries they aren't authoritative for to the external ones which in turn
 refer all queries for domains we don't own to the root servers.

 The only gotcha is that we have some domains that we want to present
 different IPs for internally (10.x.x.x) or externally (12.x.x.x). On
 the Windoze DNS servers they have our primary domain with those internal
 addresses and on the BIND DNS servers we have those external addresses.

 Of course you could do it all with just BIND servers running views but
 this is the way I inherited the BIND servers here.

 We don't seem to have the headaches your Windoze team is moaning about.
 Hopefully you are running redundant (master/slave) BIND servers?

 Also I'd suggest upgrading to BIND 9 once you've got all the rest of
 this quieted down.

 -Original Message-
 From: bind-users-boun...@lists.isc.org
 [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
 wiskbr...@hotmail.com
 Sent: Friday, February 06, 2009 9:25 AM
 To: bind-users@lists.isc.org
 Subject: Case For Microsoft DNS v. BIND 9 - Or Best Practices For
 Coexisting

 Hello;

 My site is presently using a product derived from BIND-8 for internal
 DNS only.

 For years our Windows team has been arguing that they want to be
 non-dependent on the non-MS DNS servers; which they say causes them much
 grief on firmwide shutdown/bootups.

 Well, their concerns have fallen on ears of those who can make that
 decision and it now appears as though we must either come up with good
 reasons why we should retain BIND, or a BIND derived product, or simply
 a plan to allow MSDNS and BIND to coexist at all.

 Can anyone provide me, or point me at, any good docs on this subject, I
 am certain that there are tons of stuff out there, I need simple, to the
 point type of stuff.

 Also, can anyone think of any good reason why our internal, non-public

RE: Case For Microsoft DNS v. BIND 9 - Or Best Practices For Coexisting

2009-02-06 Thread Jeff Lightner
I don't see why it is either/or.

Here we have Windoze DNS servers for internal lookups and Linux/BIND 9
DNS servers for external lookups.   The internal servers refer all
queries they aren't authoritative for to the external ones which in turn
refer all queries for domains we don't own to the root servers.

The only gotcha is that we have some domains that we want to present
different IPs for internally (10.x.x.x) or externally (12.x.x.x).  On
the Windoze DNS servers they have our primary domain with those internal
addresses and on the BIND DNS servers we have those external addresses.


Of course you could do it all with just BIND servers running views but
this is the way I inherited the BIND servers here.  

We don't seem to have the headaches your Windoze team is moaning about.
Hopefully you are running redundant (master/slave) BIND servers?

Also I'd suggest upgrading to BIND 9 once you've got all the rest of
this quieted down.  

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of
wiskbr...@hotmail.com
Sent: Friday, February 06, 2009 9:25 AM
To: bind-users@lists.isc.org
Subject: Case For Microsoft DNS v. BIND 9 - Or Best Practices For
Coexisting



Hello;

My site is presently using a product derived from BIND-8 for internal
DNS only.

For years our Windows team has been arguing that they want to be
non-dependent on the non-MS DNS servers; which they say causes them much
grief on firmwide shutdown/bootups. 

Well, their concerns have fallen on ears of those who can make that
decision and it now appears as though we must either come up with good
reasons why we should retain BIND, or a BIND derived product, or simply
a plan to allow MSDNS and BIND to coexist at all.

Can anyone provide me, or point me at, any good docs on this subject, I
am certain that there are tons of stuff out there, I need simple, to the
point type of stuff.

Also, can anyone think of any good reason why our internal, non-public
accessible network, should not just be allowed to run either a mixed
BIND/MS-DNS setup?  The slave/cache/whatever-but not master, would have
to be BIND.


The case the windows team made was ease of adding entries, you simply
add into the MMC, or even easier, when you join a host into a domain, it
adds itself.

Thanks all,

.vp

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
 


RE: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT Illegal

2009-01-31 Thread Jeff Lightner
What?!  

And all this time I just assumed it was the Martian Sand variety that
was being spoken of on all the save the whales bumper stickers.

Maybe Al will end up winning the Darwin Award for another one of his
avant-garde ideas.  He'll decide that the conventional wisdom that
exhausting his engine through a tail pipe instead of into the cabin is
the cause of global warming and modify his car...

-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Danny Thomas
Sent: Saturday, January 31, 2009 2:18 AM
To: bind-users@lists.isc.org
Subject: Re: BIND 9.6 Flaw - CNAME vs. A Record in MX Records are NOT
Illegal

Al Stu wrote:
 History is fraught with individuals or a few being ridiculed for 
 putting forth that which goes against the conventional wisdom of the 
 masses and so called experts, only to be vindicated once the masses 
 and so called experts get their head out where the sun is shining and 
 exposed to the light of day.

 Once upon a time the world was 'flat'.  For some of you, apparently is

 still is 'flat'.
and for every Einstein, Columbus, etc, there have been untold people whose
beliefs were not accepted. So whenever I see this line of argument
advanced in a simplistic way, particularly with a hint of an heroic
struggle against orthodoxy, I can't help thinking that the odds of
heretical views being vindicated are pretty low.
One belief yet to be accepted is the existence of Martian sand whales.

*really plonk*


___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
 


RE: How to modify A records on the slave when master is down?

2008-12-04 Thread Jeff Lightner
Huh?

 

sftp uses secure transport as does scp and both use the same keys as
ssh.   I can see no way in which ftps would be viewed as superior.
Exactly how are you losing RSA keys and if you do aren't you more
concerned that you can no longer ssh into the box?

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alberto
Colosi/SI/RM/GSI/it
Sent: Wednesday, December 03, 2008 5:25 PM
To: Mike Bernhardt
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: How to modify A records on the slave when master is down?

 


better to use an ftps than an sftp.

use

vsftpd with SSL compile option
GNU lftp

lftp is really simple and can be configured to bypass RSA CA verify so
as to allow self-signed and many other settings.

The difference is that if you lose RSA keys or in all cases, using the
RSA keys to allow SCP, you could have a command line session too if used
with SSH instead.

The main difference is a bit of security more ;)



---
Alberto Colosi
IBM Global Business Services
Sistemi Informativi S.P.A.
IT NetWork  Security Department
*-* *-* *-*
SECURITY IS EVERYONE'S BUSINESS

Member of
IBM Information Security WW CoP






Mike Bernhardt [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
03/12/2008 22.59
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: RE: How to modify A records on the slave when master is down?


What we used to do is we had 2 masters. After an update was done on one of
them, we ran a perl script that would scp the db files to the other and then
send rndc reload to itself and the other master. That way both were always
up to date. It seems like if you had one master and one slave at each
datacenter, this would work very well. After the down datacenter comes back
up, simply run the script from the up-to-date master.

I can send you the perl script to save you some time if you want. The main
trick was getting scp to work with rsa keys so no password is required
(although it could work fine with a password if you're running the script
manually).

Mike

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 21, 2008 9:10 PM
To: [EMAIL PROTECTED]
Subject: How to modify A records on the slave when master is down?

Hello.  I have two geographically different datacenters.  Each
datacenter has two instances of BIND.

There is one master out of these four.  The zones will have multiple
A records (pointing to the two datacenters to provide some minimal
amount of redundancy and load balancing)

What I want to do is put together a plan for when the master either
fails or the master becomes unavailable.

So if your master fails, or more likely, it becomes unavailable, and I
need to change the A records on the other slaves, how do you do it?

Can I have a master in each datacenter and a slave in each datacenter,
but a change made to any master propagates to all slaves?  For that
matter, can I just have four masters and be done with it?

It doesn't make sense that I could have multiple masters.. but I have
no idea how to solve this problem.  If datacenter A goes down for
three days, I want to be able to modify the slave A records to stop
pointing to the bad datacenter.  And when the datacenter comes back up
and the old master is alive, I want everything to work.





RE: ISC launches new website and mailing list manager

2008-11-18 Thread Jeff Lightner
That reminds me of the debate over V chips/parental controls.  People
that DON'T want something think it is the responsibility of others not
to send it to them rather than THEIR own responsibility to block it with
the tools they have.

If you don't want HTML just set up a rule in your mail client that
blocks it.  If your mail client doesn't allow you to setup rules then
you probably need to use something created in the current millennium.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Lars Hecking
Sent: Tuesday, November 18, 2008 7:54 AM
To: bind-users@lists.isc.org; [EMAIL PROTECTED]
Subject: Re: ISC launches new website and mailing list manager


 
 The mailing list conversion requires a little explanation:
 
 * The new one-stop page for all the lists under isc.org is
 https://lists.isc.org/mailman/listinfo
 
 Now, can it be configured to strip or reject html rubbish?

