Re: srv lookup in record
In article you write:
>> [@temp3]$ dig +short srv _http-apps._server.test._tcp.marathon.mesos
>> 0 1 31024 server.test-usbzr-s3.marathon.mesos.
>> 0 1 31852 server.test-z9x84-s3.marathon.mesos.
>> 0 1 31790 server.test-k7g8r-s4.marathon.mesos.

These SRV records say that the service is on ports 31024, 31852, and 31790 on the respective servers. CNAME does not give you a port number. There is no way to fake SRV using CNAME.

R's,
John

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: SRV is not CNAME, was srv lookup in record
In article you write:
>On 2020-08-21 16:26, Marc Roos wrote:
>> Is it possible to use srv lookups, like eg cname. I do not want to
>> create SRV record, I just want to 'get' the ip addresses, that I would
>> get via srv lookup.
>
>SRV records are more than just pointers to a specific server, there is
>also the priority and weight that need to be considered at the
>application level.

More importantly, SRV records have port numbers. In SIP, which seems to be the largest current use of SRV, as often as not the port number is different from the default 5060. SRV really is not like CNAME.
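An added example (mine, not code from either poster) that makes the point of both replies concrete: it parses the `dig +short srv` lines quoted in the first message and orders the targets the way an RFC 2782 client does, by priority and then by weighted random choice, carrying the port along with each target. The injectable `rand` callable is this example's own assumption so the selection can be exercised deterministically.

```python
"""RFC 2782 SRV target ordering over the records quoted in the thread.

Added example, not from the bind-users post. The only assumption is the
injectable `rand` callable, so the selection can be exercised deterministically.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

# Constructed sample: the three `dig +short srv` lines quoted in the post.
DIG_SHORT_OUTPUT = """\
0 1 31024 server.test-usbzr-s3.marathon.mesos.
0 1 31852 server.test-z9x84-s3.marathon.mesos.
0 1 31790 server.test-k7g8r-s4.marathon.mesos.
"""


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_short_srv(text: str) -> list[SRV]:
    """Each `dig +short srv` line is 'priority weight port target.'."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # blank line or something that is not an SRV RR
        prio, weight, port, target = fields
        records.append(SRV(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_srv(records: list[SRV], rand=random.randint) -> list[tuple[str, int]]:
    """Return (target, port) pairs in the order a client should try them.

    RFC 2782 client rules: lower priority values are tried first. Within one
    priority, records with weight 0 are placed at the front, a number in
    [0, sum of weights] is drawn, and the first record whose running total
    reaches that number is selected; repeat until the group is exhausted.
    """
    ordered: list[tuple[str, int]] = []
    by_priority: dict[int, list[SRV]] = {}
    for rr in records:
        by_priority.setdefault(rr.priority, []).append(rr)
    for priority in sorted(by_priority):
        # Stable sort keeps input order but moves weight-0 records first.
        group = sorted(by_priority[priority], key=lambda rr: rr.weight != 0)
        while group:
            pick = rand(0, sum(rr.weight for rr in group))
            running = 0
            for rr in group:
                running += rr.weight
                if running >= pick:
                    ordered.append((rr.target, rr.port))
                    group.remove(rr)
                    break
    return ordered


def srv_targets(text: str, rand=random.randint) -> list[tuple[str, int]]:
    """Convenience: from dig output straight to an ordered (host, port) list."""
    return order_srv(parse_dig_short_srv(text), rand)
```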
Re: Invalid class in dns query
In article you write:
>Hi all,
>
>Looking for a temporary workaround, while an issue gets resolved. I have a
>DNS query coming in with an invalid class requested (65 or 0x41).

The only classes ever assigned were 1, 2, 3, 4, and pseudo-classes 254 and 255. What is class 65 supposed to be? Why would anything that wasn't totally broken query for it?

R's,
John
Re: Best way to force a TC=1 response?
In article you write:
>What's the best way to force an A query via UDP to return a TC=1 result:
>a really long CNAME chain?

I'd suggest lots of records. You could do it with A records but you'd need four times as many.

$ dig wordy.examp1e.com aaaa
;; Truncated, retrying in TCP mode.

; <<>> DiG 9.10.6 <<>> wordy.examp1e.com aaaa
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24856
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 187, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;wordy.examp1e.com.        IN    AAAA

;; ANSWER SECTION:
wordy.examp1e.com.    3594    IN    AAAA    2001::1
wordy.examp1e.com.    3594    IN    AAAA    2002::2
wordy.examp1e.com.    3594    IN    AAAA    2003::3
wordy.examp1e.com.    3594    IN    AAAA    2004::4
wordy.examp1e.com.    3594    IN    AAAA    2005::5
wordy.examp1e.com.    3594    IN    AAAA    2006::6
wordy.examp1e.com.    3594    IN    AAAA    2006::7
wordy.examp1e.com.    3594    IN    AAAA    2008::8
wordy.examp1e.com.    3594    IN    AAAA    2009::9
wordy.examp1e.com.    3594    IN    AAAA    200a::a
wordy.examp1e.com.    3594    IN    AAAA    200b::b
wordy.examp1e.com.    3594    IN    AAAA    200c::c
wordy.examp1e.com.    3594    IN    AAAA    200d::d
wordy.examp1e.com.    3594    IN    AAAA    200e::e
wordy.examp1e.com.    3594    IN    AAAA    200f::f
wordy.examp1e.com.    3594    IN    AAAA    2010::10
wordy.examp1e.com.    3594    IN    AAAA    2011::11
wordy.examp1e.com.    3594    IN    AAAA    2012::12
wordy.examp1e.com.    3594    IN    AAAA    2013::13
wordy.examp1e.com.    3594    IN    AAAA    2014::14
wordy.examp1e.com.    3594    IN    AAAA    2015::15
wordy.examp1e.com.    3594    IN    AAAA    2016::16
wordy.examp1e.com.    3594    IN    AAAA    2017::17
wordy.examp1e.com.    3594    IN    AAAA    2018::18
wordy.examp1e.com.    3594    IN    AAAA    2019::19
wordy.examp1e.com.    3594    IN    AAAA    201a::1a
wordy.examp1e.com.    3594    IN    AAAA    201b::1b
wordy.examp1e.com.    3594    IN    AAAA    201c::1c
wordy.examp1e.com.    3594    IN    AAAA    201d::1d
wordy.examp1e.com.    3594    IN    AAAA    201e::1e
wordy.examp1e.com.    3594    IN    AAAA    201f::1f
wordy.examp1e.com.    3594    IN    AAAA    2020::20
wordy.examp1e.com.    3594    IN    AAAA    2021::21
wordy.examp1e.com.    3594    IN    AAAA    2022::22
wordy.examp1e.com.    3594    IN    AAAA    2023::23
wordy.examp1e.com.    3594    IN    AAAA    2024::24
wordy.examp1e.com.    3594    IN    AAAA    2025::25
wordy.examp1e.com.    3594    IN    AAAA    2026::26
wordy.examp1e.com.    3594    IN    AAAA    2027::27
wordy.examp1e.com.    3594    IN    AAAA    2028::28
wordy.examp1e.com.    3594    IN    AAAA    2029::29
wordy.examp1e.com.    3594    IN    AAAA    202a::2a
wordy.examp1e.com.    3594    IN    AAAA    202b::2b
wordy.examp1e.com.    3594    IN    AAAA    202c::2c
wordy.examp1e.com.    3594    IN    AAAA    202d::2d
wordy.examp1e.com.    3594    IN    AAAA    202e::2e
wordy.examp1e.com.    3594    IN    AAAA    202f::2f
wordy.examp1e.com.    3594    IN    AAAA    2030::30
wordy.examp1e.com.    3594    IN    AAAA    2031::31
wordy.examp1e.com.    3594    IN    AAAA    2032::32
wordy.examp1e.com.    3594    IN    AAAA    2033::33
wordy.examp1e.com.    3594    IN    AAAA    2034::34
wordy.examp1e.com.    3594    IN    AAAA    2035::35
wordy.examp1e.com.    3594    IN    AAAA    2036::36
wordy.examp1e.com.    3594    IN    AAAA    2037::37
wordy.examp1e.com.    3594    IN    AAAA    2038::38
wordy.examp1e.com.    3594    IN    AAAA    2039::39
wordy.examp1e.com.    3594    IN    AAAA    203a::3a
wordy.examp1e.com.    3594    IN    AAAA    203b::3b
wordy.examp1e.com.    3594    IN    AAAA    203c::3c
wordy.examp1e.com.    3594    IN    AAAA    203d::3d
wordy.examp1e.com.    3594    IN    AAAA    203e::3e
wordy.examp1e.com.    3594    IN    AAAA    203f::3f
wordy.examp1e.com.    3594    IN    AAAA    2040::40
wordy.examp1e.com.    3594    IN    AAAA    2041::41
wordy.examp1e.com.    3594    IN    AAAA    2042::42
wordy.examp1e.com.    3594    IN    AAAA    2043::43
wordy.examp1e.com.    3594    IN    AAAA    2044::44
wordy.examp1e.com.    3594    IN    AAAA    2045::45
wordy.examp1e.com.    3594    IN    AAAA    2046::46
wordy.examp1e.com.    3594    IN    AAAA    2047::47
wordy.examp1e.com.    3594    IN    AAAA    2048::48
wordy.examp1e.com.    3594    IN    AAAA    2049::49
wordy.examp1e.com.    3594    IN    AAAA    204a::4a
wordy.examp1e.com.    3594    IN    AAAA    204b::4b
wordy.examp1e.com.    3594    IN    AAAA    204c::4c
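An added example (not the poster's code) showing why the answer above trips TC: it encodes a response in DNS wire format, counts how many AAAA RRs fit in the UDP payload size the client advertised in its OPT record, and sets TC when the remainder has to be dropped. The query name and the 2001::1, 2002::2, ... addresses mirror the dig output; the header, compression-pointer and OPT layout follow RFC 1035 and RFC 6891, and keeping the RRs that fit (rather than sending an empty answer) is this example's choice.

```python
"""Wire-format DNS response with TC set when the answer exceeds the UDP size.

Added example, not from the post. Names and addresses follow the dig output
in the thread (wordy.examp1e.com, a flood of AAAA records). Stdlib only.
"""
import ipaddress
import struct

TYPE_AAAA, TYPE_OPT, CLASS_IN = 28, 41, 1
HEADER_LEN = 12
FLAG_QR, FLAG_AA, FLAG_TC = 0x8000, 0x0400, 0x0200


def encode_name(name: str) -> bytes:
    """Uncompressed wire form: length-prefixed labels plus a zero terminator."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def aaaa_rr(ttl: int, addr: str) -> bytes:
    """Answer RR whose owner is a compression pointer (0xC00C) back to the
    question name at offset 12, as servers emit it: 28 bytes per record."""
    rdata = ipaddress.IPv6Address(addr).packed
    return b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, ttl, len(rdata)) + rdata


def opt_rr(udp_size: int) -> bytes:
    """EDNS OPT pseudo-RR: root owner, type 41, CLASS field carries the UDP size."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)


def build_response(qname: str, addrs, ttl: int = 3600, udp_size: int = 4096,
                   msg_id: int = 0x6118) -> bytes:
    """Return the UDP response. udp_size=0 means no EDNS, so the RFC 1035
    limit of 512 bytes applies. TC is set when not every answer RR fits."""
    question = encode_name(qname) + struct.pack("!HH", TYPE_AAAA, CLASS_IN)
    extra = opt_rr(udp_size) if udp_size else b""
    budget = (udp_size or 512) - HEADER_LEN - len(question) - len(extra)
    kept, used = [], 0
    for addr in addrs:
        rr = aaaa_rr(ttl, addr)
        if used + len(rr) > budget:
            break  # only whole RRs go out; the rest forces a TCP retry
        kept.append(rr)
        used += len(rr)
    truncated = len(kept) < len(addrs)
    flags = FLAG_QR | FLAG_AA | (FLAG_TC if truncated else 0)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, len(kept), 0, 1 if extra else 0)
    return header + question + b"".join(kept) + extra


def parse_header(msg: bytes):
    """(tc_set, answer_count): what a client inspects before retrying over TCP."""
    _, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return bool(flags & FLAG_TC), ancount


def flood_addrs(n: int):
    """Constructed AAAA set in the style of the post: 2001::1, 2002::2, ..."""
    return [f"{0x2000 + i:x}::{i:x}" for i in range(1, n + 1)]
```

With 187 records and a 4096-byte EDNS buffer only 144 of the 28-byte RRs fit behind the 23-byte question and 11-byte OPT, which is why dig reports truncation and retries over TCP.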
Re: What is the proper way to delegate to a private / hidden sub-domain?
In article you write:
>On 5/6/20 4:12 PM, John Levine wrote:
>> Since they can't access the root servers, how do you expect them to
>> do DNS lookups at all?
>There is a copy of the root zone in the environment.
>
>There is also enough net zone for the needed tests.
>
>DNSSEC is obviously not in play with doctored zones in the labs.

Oh, in that case, why don't you just put some adjusted NS entries in your stub .net zone pointing at your internal name servers? Seems a lot easier than fooling around with routing.
Re: What is the proper way to delegate to a private / hidden sub-domain?
In article you write:
>On 5/6/20 3:40 PM, John Levine wrote:
>> Can clients on the internal network contact hosts in the outside
>> world, or is it really disconnected?
>It depends on which particular lab is being used and what is being tested.
>
>I can guarantee that some of the labs will NOT have access to other
>networks, much less the Internet. (Some of them even have a protocol
>barrier.)

Since they can't access the root servers, how do you expect them to do DNS lookups at all?

R's,
John
Re: What is the proper way to delegate to a private / hidden sub-domain?
In article you write:
>On 5/6/20 2:29 PM, Grant Taylor wrote:
>> That's one of the hard requirements of what I'm doing. Not doing that
>> is not an option.
>
>To elaborate, the internal clients are in a sequestered network which
>will never have outside access to it. As such, the outside world can
>never query something from a system in it.

Can clients on the internal network contact hosts in the outside world, or is it really disconnected?
Re: What is the proper way to delegate to a private / hidden sub-domain?
In article you write:
>> This really seems like ordinary split horizon DNS.
>
>Please explain what you mean by "split horizon DNS" like I'm a n00b,
>because obviously my understanding of it differs from what your
>understanding seems to be.

The DNS server sends different answers depending on the client IP, so on your internal network it sees the private subdomain, everywhere else sees an ENT or NXDOMAIN.

If you really have to use physically separate servers for reasons that you can't explain, I suppose putting the two servers at the same IP address facing different networks could work, although you're asking for trouble with route leaks anytime someone adjusts a router anywhere near one or the other. Remember that with normal anycast all of the mirrors send identical or at least equivalent answers so the routes are not a security issue.

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Re: What is the proper way to delegate to a private / hidden sub-domain?
In article you write:
>> I think one possibility (to avoid anycast) is to have an internal and
>> external view for the "example.net" zone, so it can delegate the lab
>> zones to different servers internally and externally.
>
>But how do you do that if the internal and external views are on
>different servers with completely different IPs?

Don't Do That.

>I ask because now you're back to the same issue, just at the parent
>domain: How does the net zone delegate to different example zones
>depending on if the client is internal or external.
>
>I don't see any options that avoid anycast.

This really seems like ordinary split horizon DNS.

--
Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
Re: DoH plugin for BIND
In article you write:
>On Sat, 2 May 2020, Michael De Roover wrote:
>
>> Even if your ISP allows it, chances are that other mail servers will
>> reject it ...
>My residential-class static IP mail server has never had problems
>delivering mail. I've checked it many times over the years on many
>blacklist checkers and never had anything but green lights.

Your ISP is quite unusual. Count your blessings. The large cable providers in the US and Canada block outgoing port 25 on residential networks.

To whoever said that MUAs still default to port 25 submission, you must use different MUAs from the rest of us. All the ones I use default to 587 and 465.

R's,
John

PS: What does this have to do with BIND?
Re: Using different OS for Master and Slaves
In article you write:
>I suspect the pain he was referring to is not really DNS-specific, but
>just due to having to manage servers with different operating systems.
>This means using a more diverse set of management tools, different
>configuration syntax, etc.

I have masters running NSD on FreeBSD and a slave running bind on linux. It's not unduly hard to manage, give or take some kludgery in the scripts that manage the config files, but that's because NSD is different from bind, not because FreeBSD is different from linux.
Re: Proper Way to Configure a Domain which never sends emails
In article you write:
>On 20/08/2019 at 9:28, Marco Davids via bind-users wrote:
>> A TXT _dmarc.domain.tld "v=DMARC1; p=reject" might also be useful.
>Wouldn't that imply having DKIM set up for the domain?

No, of course not. It says that if mail isn't authenticated, reject it. An excellent way to be sure you never get DKIM authentication is not to set up DKIM in the first place.
Re: Bind has a database option instead of zone files?
In article you write:
>On 1/27/19 8:57 AM, John Levine wrote:
>> No. If that's what you want to do, I'd suggest looking at PowerDNS.
>
>John, why would you recommend PowerDNS over BIND's DLZ options?

PowerDNS was designed to serve the data out of databases and its database usage is a lot more mature, particularly if you use MySQL. It's open source and well documented, so feel free to do your own research.

R's,
John
Re: Bind has a database option instead of zone files?
In article you write:
>Greetings!!
>Does Bind have a database option to read zones [if zones are in database]
>instead of zone files? If yes, how to set it up? Can someone help me.

No. If that's what you want to do, I'd suggest looking at PowerDNS.
Re: Reverse lookup for classless networks
In article you write:
>On 12/27/18 11:24 AM, John Levine wrote:
>> Well, there's those pesky old DNS standards, but we're used to software
>> working around screwed up zones.
>
>Agreed. Which standard(s) does this run afoul of?
>
>> If the parent delegates a name to a child server, the child server must
>> have an SOA at that name, along with whatever else you might want to
>> put there.
>
>Which of the other records that must be there are actually queried as
>part of a normal lookup?
>
>Sure, they should be there or expect failure when someone / something
>explicitly looks for the SOA record.

Well, yeah, like I said it's wrong but you can often get away with it. The DNS specs are a mess and the SOA at the top is poorly described in 1034 and 1035 (as is a lot of other stuff.) You'll definitely lose if your reverse zones are signed like mine are.

>> I see a delegation loop. What's the lookup chain supposed to be for
>> 128.0.192.in-addr.arpa?
>
>192.0.128.0/24 is outside of the zone in question (192.0.2.0/24). ;-)

I can't type either. Try 128.2.0.192 which in your example appears to have an NS in the parent zones pointing at yourdomain, and in yourdomain pointing back at the parent.

>> PS: What's wrong with using $GENERATE in the parent zone like everyone
>> else who uses BIND does?
>
>There's nothing wrong with $GENERATE per se. I advocate using it.
>That being said, I find that $GENERATE, and other similar shortcuts, can
>hinder teaching. I don't want someone to have to learn multiple
>concepts at the same time (if they aren't already familiar with $GENERATE).

I agree that $GENERATE is a kludge, but since we agree that we want to control our own rDNS, it's the kludge that gets the job done. Just use it.

R's,
John
Re: Reverse lookup for classless networks
From: John Levine
To: bind-users@lists.isc.org
Subject: Re: Reverse lookup for classless networks
Organization: Taughannock Networks
Cc: gtay...@tnetconsulting.net

In article you write:
>1) The parent zone needs to have the delegation like Barry depicted above.
>2) The child zone needs to have records for the name being looked up.
>Nothing specifically translates to them needing to be in separate zones.

Well, there's those pesky old DNS standards, but we're used to software working around screwed up zones. If the parent delegates a name to a child server, the child server must have an SOA at that name, along with whatever else you might want to put there. BIND will generally forgive what you're doing, but I wouldn't expect it to work on other name server software.

>I could easily create a zone like this:
>
>; 1.0.192.in-addr.arpa.zone on local nameservers ns{1,2}.yourdomain.com
>$ORIGIN 1.0.192.in-addr.arpa.
>0 IN PTR web.yourdomain.com.
>1 IN PTR ftp.yourdomain.com.
>...
>128 IN NS ns1.parent.example.
> IN NS ns2.parent.example.
>129 IN NS ns1.parent.example.
> IN NS ns2.parent.example.
>...
>In essence, you end up with two independent zones for the same domain
>name, 1.0.192.in-addr.arpa, cross delegating /different/ records to each
>other. Thus, both are perfectly happy to answer authoritatively with
>PTR records for the IPs that they are "responsible for", while
>"delegating" (redirecting) to the other name servers for the IPs that
>they aren't locally responsible for.

I see a delegation loop. What's the lookup chain supposed to be for 128.0.192.in-addr.arpa?

R's,
John

PS: What's wrong with using $GENERATE in the parent zone like everyone else who uses BIND does?
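An added example (mine, not the thread's zone data) of the RFC 2317 classless delegation that the $GENERATE remark in the two messages above refers to: the parent /24 zone delegates a `128/25` label and points each address at it with a CNAME (exactly what `$GENERATE 128-255 $ CNAME $.128/25...` expands to), and the child zone carries the SOA and NS the reply says a delegated name must have. The block 192.0.2.128/25, the servers ns1/ns2.yourdomain.com and the PTR targets are constructed; `resolve_ptr` walks the CNAME chain the way a resolver does, so a missing child record or a loop shows up as no answer.

```python
"""RFC 2317 classless in-addr.arpa delegation for a block smaller than a /24.

Added example, not the thread's own zone data. Block, name servers and PTR
targets are constructed; names are kept without trailing dots internally
and to_zonefile() renders them as master-file lines.
"""
import ipaddress


def rfc2317_names(block: str):
    """(parent /24 zone, child zone), e.g. 192.0.2.128/25 gives
    ('2.0.192.in-addr.arpa', '128/25.2.0.192.in-addr.arpa')."""
    net = ipaddress.IPv4Network(block)
    if net.prefixlen <= 24:
        raise ValueError("classless delegation is for blocks longer than /24")
    o = net.network_address.packed
    parent = f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"
    return parent, f"{o[3]}/{net.prefixlen}.{parent}"


def generate_directive(block: str) -> str:
    """The one-line BIND equivalent of the CNAME set parent_records() builds."""
    net = ipaddress.IPv4Network(block)
    _, child = rfc2317_names(block)
    first, last = net.network_address.packed[3], net.broadcast_address.packed[3]
    return f"$GENERATE {first}-{last} $ CNAME $.{child}."


def parent_records(block: str, child_ns):
    """What the /24 owner publishes: NS for the '128/25' label plus one CNAME
    per address pointing into the child zone."""
    parent, child = rfc2317_names(block)
    recs = {child: [("NS", ns) for ns in child_ns]}
    for addr in ipaddress.IPv4Network(block):
        last = addr.packed[3]
        recs[f"{last}.{parent}"] = [("CNAME", f"{last}.{child}")]
    return recs


def child_records(block: str, child_ns, ptr_names):
    """What the block holder serves: SOA and NS at the child apex (the part
    the reply says must be there) plus the PTRs it actually knows."""
    _, child = rfc2317_names(block)
    net = ipaddress.IPv4Network(block)
    mname = child_ns[0]
    soa = f"{mname} hostmaster.{mname.split('.', 1)[1]} 1 3600 900 1209600 300"
    recs = {child: [("SOA", soa)] + [("NS", ns) for ns in child_ns]}
    for ip, host in ptr_names.items():
        addr = ipaddress.IPv4Address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {block}")
        recs[f"{addr.packed[3]}.{child}"] = [("PTR", host)]
    return recs


def resolve_ptr(ip: str, zones, max_chain: int = 8):
    """Follow CNAMEs across the given zones until a PTR turns up, or give up
    (no record, or a chain long enough to be a delegation loop)."""
    name = ipaddress.IPv4Address(ip).reverse_pointer
    for _ in range(max_chain):
        rrset = next((z[name] for z in zones if name in z), None)
        if rrset is None:
            return None
        for rtype, rdata in rrset:
            if rtype == "PTR":
                return rdata
            if rtype == "CNAME":
                name = rdata
                break
        else:
            return None  # owner exists but has neither PTR nor CNAME
    return None


def to_zonefile(records) -> str:
    """Render a record dict as master-file lines for inspection."""
    lines = []
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype in ("NS", "CNAME", "PTR"):
                rdata += "."
            elif rtype == "SOA":
                mname, rname, rest = rdata.split(" ", 2)
                rdata = f"{mname}. {rname}. {rest}"
            lines.append(f"{owner}. IN {rtype} {rdata}")
    return "\n".join(lines)
```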
Re: DMARC question
In article you write:
>We have a couple of small domains whose DNS is served by BIND on our dedicated
>machines. Almost 3 years ago we had set up DMARC records,
>and were getting reports from various MXs every day until a couple of days ago
>(Aug 13). Then they suddenly stopped!
>
>Nothing in the BIND config or zone files was changed, and our Postfix mail
>logs (on our dedicated server) don't show *anything* addressed
>to our DMARC target since then. (I.e., it's not that our spam filtering is
>dropping them.)
>
>Has anyone ever observed anything like this?

I'm getting the usual reports from Google, Yahoo, and other places, as recently as this morning. It's Just You.
Re: Minimum TTL?
In article you write:
>The target, instead of very quickly rejecting the spam because of the
>lack of a domain or the lack of DNS, instead has to deal with thousands
>of different IPs.

That's not how spam filters work. They do filtering based on the IP address sending the spam and maybe the rDNS. It makes no difference whatsoever if there is some other random A record pointing at the spamming host. You can't even tell.

>> Botnets are computers with IP addresses. They don't need DNS pointing
>> at them to send spam.
>
>They do to send spam to any mail admin with even half a brain who would
>not accept unauthenticated mail from an IP without an actual domain
>attached.

The half a brain generally requires forward and reverse DNS to match before using them. If you know a way to do fast flux rDNS on botnets, I know a lot of people who'd like to talk to you.

R's,
John
Re: Minimum TTL?
In article you write:
>For the record, the issue is not RBLs or legitimate domains, it is
>spammer scum that set super-low DNS because they are shotgunning spam
>from a vast botnet and they want to have maximal impact, so you get a
>different IP for every spam they send. It is a way of trying to
>overwhelm a machine's tarpits, blacklists, sshguard protections, and
>others.

Um, you have it completely backward. Botnets are computers with IP addresses. They don't need DNS pointing at them to send spam. DNSBLs with low TTLs try and list them the moment the first spam hits the spamtraps. There is fast flux DNS for computers running landing pages, but they tend to use a lot of A records at once and don't care about the TTL since they're going for quantity, not quality.

>But to answer your question, off-hand, I'd say that any TTL under 60s is
>suspicious and any TTL under 10s is almost certainly intentionally
>abusive.

I hope you're not planning to do much spam filtering.

R's,
John
Re: Minimum TTL?
In article you write:
>As long as you understand the implications of what you're doing?
>
>The zone owner may be using short TTLs to implement load balancing
>and/or quick failover. If you extend the TTLs, your users may experience
>poor performance when they try to go to these sites using out-of-date
>cache entries.

The zone in question is a DNSBL. When an address is added to or removed from a dynamically maintained BL, the short TTL means clients pick up the change promptly. If you want your mail filtering to work reliably, you pay attention to that. Some of Spamhaus' BLs have minimum TTLs of 10 seconds, and they do update that fast (not using BIND, of course.)

The person who asked the original question made it quite clear that his goal is to use a commercial DNSBL but avoid paying for it, so I don't see any need to offer further help.

R's,
John
Re: Minimum TTL?
In article you write:
>you miss the topic
>
>many DNSBL's have a very short TTL and at the same time a limit of
>queries from a single IP until you need to pay for the service

This doesn't sound like a technical problem. Is there some reason you shouldn't pay for the service you're using?
Re: search algorithm in DNS
In article you write:
>I am Munkhbaatar, a master course student studying on mechanism and algorithm
>of DNS. I want to search algorithm in DNS, but
>i have not found the documents clearly explaining this on the web. I guess it's
>just a "list search", but I am not
>sure. Please tell me the details of the search algorithm.

There is no search algorithm, only exact match. See RFCs 1034, 1035, and 2181.

R's,
John
Re: Email & PTR Issues [Solved]
In article you write:
>> I have issues emailing to certain domains. I use my own mail
>> server to deliver mail. It is currently not sending through SMTP
>> Relay. The failure says that I have a missing PTR record. For example:

I'm amazed that it works at all. Like most ISPs, AT&T usually blocks port 25 on their consumer broadband.

If you want to run your own mail server, get a VPS somewhere. They're cheap, like $5/mo or less if you pay by the year. If you just want your mail to work, get it hosted somewhere.

R's,
John
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
This has nothing to do with BIND, but anyway.

In article you write:
>I would personally try to use -all for new domains from the word go.

Only if you want your mail to mysteriously disappear. There are a lot of perfectly legitimate ways to send and route mail that SPF cannot describe. Unless your name is Paypal or you are otherwise a giant phish target, -all is not what you want.

R's,
John
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
In article you write:
>> X.TLD IN MX 10 mail.example.com.
>>
>> is perfectly valid, and quite common for people who don't host their own
>> e-mail.
>
>Okay, but for now each domain will have its one mail server.

If you have one host with one IP, I hope you have one mail server since only one process can listen on port 25 on a single IP. Any normal mail server can host mail for many domains. My little 1U server handles 140 different mail domains and it certainly isn't listening on 140 IPs.

>> Also, why the wildcard CNAME record? It's definitely not essential to
>> your example.
>
>I believe it will be needed for my wild card TLS certificates.

Nope. You can have a *.example.com certificate and set up your DNS and web server for specific names foo.example.com and bar.example.com and however many others you actually use. Unless you have special coding in your web sites to handle arbitrary random domain names, you will probably give people a lot of mysterious 404 pages when they try names you haven't configured.

>Good point, I'll change to "?all" instead.

Right, -all is asking for trouble.

R's,
John
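An added example (mine, not code from any of the posters) that ties together the "p=reject without DKIM" reply earlier on this page and the -all versus ?all exchange in the last two messages: a small SPF evaluator shows what each qualifier yields for a host the record does not list, and a DMARC disposition function shows that p=reject only applies to mail that neither aligned SPF nor aligned DKIM authenticated, so a domain with no DKIM at all still passes on SPF alone. The A-record table is constructed, and only the ip4, ip6, a and all mechanisms are modelled (no include, mx or redirect).

```python
"""SPF qualifier outcomes and the DMARC disposition that follows.

Added example, not from the thread. Constructed data: the A-record table and
the example.com records. Simplification: only ip4, ip6, a and all mechanisms
are evaluated; include/mx/exists/redirect are skipped.
"""
import ipaddress

# Constructed forward DNS for the "a" mechanism (not real hosts).
A_RECORDS = {"mail.example.com": ["192.0.2.25"]}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt: str):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208: no qualifier means "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        parsed.append((qualifier, mech.lower(), arg))
    return parsed


def check_spf(sender_ip: str, spf_txt: str, domain: str, a_records=A_RECORDS) -> str:
    """Evaluate the connecting IP against the record; the first match wins,
    and the trailing 'all' decides the fate of everything unlisted."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mech, arg in parse_spf(spf_txt):
        if mech == "all":
            return RESULT_FOR_QUALIFIER[qualifier]
        if mech in ("ip4", "ip6"):
            # A version mismatch (v4 address vs ip6 network) is simply no match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            hosts = a_records.get(arg or domain, [])
            matched = any(ipaddress.ip_address(x) == ip for x in hosts)
        else:
            continue  # include/mx/exists/redirect are out of scope here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no term matched and no "all" present


def parse_dmarc(txt: str) -> dict:
    """Tag=value pairs of a DMARC record, validated for v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def dmarc_disposition(dmarc_txt: str, spf_result: str, spf_aligned: bool,
                      dkim_result: str, dkim_aligned: bool) -> str:
    """DMARC passes when either aligned SPF or aligned DKIM passes; only the
    remaining mail is subject to p=. A domain that never set up DKIM simply
    never takes the DKIM branch, so p=reject does not require DKIM."""
    tags = parse_dmarc(dmarc_txt)
    if (spf_result == "pass" and spf_aligned) or (dkim_result == "pass" and dkim_aligned):
        return "deliver"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags.get("p", "none")]
```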
Re: reverse dns configuration for IPV4, IPV6+ dns+ mail ?
In article you write:
>>* IP with *one* PTR
>>* the A-Record for the PTR matches
>>* smtp_helo_name of your MTA matches the same name
>
>Even this is not required. In fact, requiring this breaks SMTP RFC.
>The only requirement on helo name is that host must exist and be canonical,
>which means it has to point to A or AAAA record.

Regardless of what the RFC says, if an IP doesn't have matching forward/backward DNS that is an extremely strong indication that it's a random computer in a botnet and few people will accept mail from it. As others have noted, it doesn't matter what the forward/backward name is so long as at least one pair of A and PTR match.

You do want the HELO name to resolve correctly; again, a non-resolving HELO is a very strong indication of a bot. Yes, we know the SMTP specs say otherwise but they haven't been updated since bot spam became such a problem.

R's,
John
Re: High performance DNS server configuration?
>Problem is procmail + postfix with rbl's (zen.spamhaus.org and others).
>
>Really big problem are spam botnet's and some day we can get over 5-6
>million messages per day or even more.
>
>Procmail/postfix is doing every check per msg at localdns (localdns =>
>rbl's) server and average check time is 1-2 sec per message and it's
>too much.

I agree that bind is likely not the best DNS cache for this purpose. You might look at unbound. More importantly, at that query volume you should be running a local copy of rbldnsd and rsync'ing the DNSBLs.

R's,
John
Re: Request reverse dns mapping advice
>1. pick a primary domain from the list of virtual hosts (example2.com)
>2. use the "real" host name of the server (juvat.example1.com)
>3. the mail server name (mail.example1.com)
>4. the dns server name (ns2.example1.com)
>5. another domain from the virtual hosts list (example3.com)

Publish a PTR with the mail server name, forget about the rest of them.

On today's Internet, you want your mail server to EHLO with a name that has matching forward and reverse DNS with the server's IP. If you don't, you look unnecessarily like a spambot. Everyone knows that web servers and DNS servers have multiple names, and neither should be sending unsolicited traffic, so matching rDNS doesn't matter.

Opinions vary on how well it works to return multiple PTRs. My advice is don't borrow trouble you don't need.

R's,
John
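An added example (mine, not from either reply) of the check the two messages above describe from the receiving side: forward-confirmed reverse DNS, where at least one PTR of the connecting IP must resolve back to that IP, plus the "HELO name must resolve" test. ZONE_DATA is a constructed stand-in for live lookups; it reuses the names from the poster's list (mail.example1.com, juvat.example1.com, ns2.example1.com) so that 192.0.2.25 has two PTRs of which only the mail name confirms, which is enough.

```python
"""Forward-confirmed reverse DNS (FCrDNS) and HELO checks for inbound SMTP.

Added example, not from the thread. ZONE_DATA is constructed; in practice the
lookup() function would wrap a real resolver call.
"""
import ipaddress

ZONE_DATA = {
    # Two PTRs for the mail host: its mail name and the box's "real" name.
    "25.2.0.192.in-addr.arpa": {"PTR": ["mail.example1.com", "juvat.example1.com"]},
    ipaddress.ip_address("2001:db8::25").reverse_pointer: {"PTR": ["mail.example1.com"]},
    "mail.example1.com": {"A": ["192.0.2.25"], "AAAA": ["2001:db8::25"]},
    "juvat.example1.com": {"A": ["192.0.2.26"]},  # does not come back to .25
    "ns2.example1.com": {"A": ["192.0.2.53"]},
}


def lookup(name: str, rtype: str, data=ZONE_DATA):
    """Return the rdata list for (name, type) from the constructed table."""
    return data.get(name.rstrip(".").lower(), {}).get(rtype, [])


def forward_confirmed_names(ip: str, lookup=lookup):
    """PTR targets of ip whose A/AAAA set contains ip again (FCrDNS)."""
    addr = ipaddress.ip_address(ip)
    rtype = "AAAA" if addr.version == 6 else "A"
    confirmed = []
    for name in lookup(addr.reverse_pointer, "PTR"):
        if any(ipaddress.ip_address(a) == addr for a in lookup(name, rtype)):
            confirmed.append(name)
    return confirmed


def assess_sender(ip: str, helo: str, lookup=lookup):
    """('accept' | 'suspect', reasons) for a connecting IP and its HELO name.

    Only the two strong signals from the thread are scored: no FCrDNS at all,
    and a HELO name that does not resolve. The HELO need not equal the PTR.
    """
    reasons = []
    if not forward_confirmed_names(ip, lookup):
        reasons.append("no PTR for the connecting IP resolves back to it")
    if not (lookup(helo, "A") or lookup(helo, "AAAA")):
        reasons.append(f"HELO name {helo} does not resolve")
    return ("accept" if not reasons else "suspect"), reasons
```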
Re: Question about dynamic IPv6-PTR-Generation
>It is true at first glance the regex-esque syntax in our I-D may seem a
>bit complex but I don't believe anywhere near the complexity of NAPTR

None of the complexity of NAPTR is in the DNS or the DNS servers; it's all in the applications that use NAPTR. For DNS servers, NAPTR is just a record it handles the way it does any other normal record, like A or HINFO.

This draft requires every DNS server to change the semantics of wildcards, change the way DNSSEC signatures are computed, and introduces new RRTYPEs that don't work in existing servers the way RFC 3597 says they should. Ain't gonna happen.

Really, if you want to do generic rDNS for IPv6, use a specialized server like we do for DNSBLs. rbldnsd is open source, everyone uses it, so you can start with that.

R's,
John
Re: Question about dynamic IPv6-PTR-Generation
PS:
>I understand rwhois exists but it is much more complicated to manage
>than DNS and for the most part is only used at the RIR level for
>reverse IP namespace.

This would probably be a good time to read up on RDAP.

R's,
John
Re: Question about dynamic IPv6-PTR-Generation
>beginning of DNS. It allows address space to be "tagged" and
>organized in a manner that just makes sense.

We'll have to agree to violently disagree at this point.

R's,
John
Re: Question about dynamic IPv6-PTR-Generation
>Though, if you want to participate in the cargo cult of generic PTRs,
>you don't need the complexity of draft-woodworth-bulk-rr's regex-driven
>templates in your nameserver. Knot DNS's "minimal viable product"
>implementation is ~300 SLOC and uses a hardcoded template.

Having looked at the draft, I agree that its complexity and the multiple changes it makes to existing DNS semantics make it dead on arrival.

My suggestion if you really want to do this is to use a specialized server. People who serve DNSBLs use a specialized server called rbldnsd. You give it CIDR ranges of addresses and it synthesizes DNSBL records, including patching the addresses into TXT records so they can return stuff like this:

4.3.2.1.bl.bad.example TXT "Blocked -- see http://www.bad.example?ip=1.2.3.4"

where the 1.2.3.4 was plugged in on the fly.

rDNS and DNSBLs are quite similar in DNS function, so you could probably modify rbldnsd to generate PTR records with patterns in the same way. Then just delegate your rDNS zones to it. Since v6 rDNS breaks names on 4-bit boundaries, even if your delegations are rather irregular, it's not all that many delegations.

R's,
John
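An added example (mine; not rbldnsd code and not from the post) of the two mechanics the reply describes: synthesizing a PTR or TXT answer by patching the queried IPv6 address into a template, the way rbldnsd patches 1.2.3.4 into its TXT text, and working out how many nibble-aligned ip6.arpa zones an irregular prefix needs to be delegated as. The `$hex`/`$ip` placeholders, the policy table and the 2001:db8: prefixes are this example's own assumptions; rbldnsd's actual substitution syntax is not reproduced.

```python
"""Template-generated IPv6 PTR/TXT answers and nibble-boundary zone cuts.

Added example, not rbldnsd code and not from the thread. "$hex" (32 hex
digits) and "$ip" (compressed text form) are this example's placeholders;
the 2001:db8: prefixes in the policy are constructed.
"""
import ipaddress
import math


def ip6_arpa_to_address(qname: str):
    """Reverse the 32 nibble labels of a full ip6.arpa name; None if malformed
    (a zone-cut name with fewer labels is not an address and gets no PTR)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        return None
    nibbles = labels[:32][::-1]
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        return None
    return ipaddress.IPv6Address(int("".join(nibbles), 16))


def synthesize_ptr(qname: str, template: str):
    """Fill the template from the queried address; None means NXDOMAIN."""
    addr = ip6_arpa_to_address(qname)
    if addr is None:
        return None
    return (template.replace("$hex", addr.exploded.replace(":", ""))
                    .replace("$ip", addr.compressed))


def serve(qname: str, policy: dict):
    """Per-prefix answer: a template for space that gets generic PTRs, None
    (NXDOMAIN) for prefixes deliberately left without rDNS. First matching
    prefix in the policy wins, so list the more specific prefixes first."""
    addr = ip6_arpa_to_address(qname)
    if addr is None:
        return None
    for prefix, template in policy.items():
        if addr in ipaddress.IPv6Network(prefix):
            return None if template is None else synthesize_ptr(qname, template)
    return None


def reverse_zones(prefix: str):
    """ip6.arpa zone names covering a prefix. rDNS cuts on 4-bit boundaries,
    so an off-nibble prefix splits into several zones (a /46 becomes four /48s)."""
    net = ipaddress.IPv6Network(prefix)
    aligned = math.ceil(net.prefixlen / 4) * 4
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        nibbles = sub.network_address.exploded.replace(":", "")[: aligned // 4]
        zones.append(".".join(reversed(nibbles)) + ".ip6.arpa")
    return zones
```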
Re: Question about dynamic IPv6-PTR-Generation
> A very popular option is to only create or delegate IPv6 PTR entries for
> hosts with static address assignments, and to return NXDOMAIN for
> address space used for dynamic address assignments.

I talk to a lot of large providers at M3AAWG and that's the consensus about what to do. If it doesn't have a static address, it's not a server and it doesn't need rDNS.

R's,
John
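The two points above (rbldnsd-style synthesis that patches the queried address into a TXT template, and pattern PTRs only for static v6 space with NXDOMAIN elsewhere) as an added illustration; this is not rbldnsd or Knot code, and the zone names, template, prefixes and function names are made up for the example:

```python
import ipaddress

def address_from_reverse_name(qname, zone):
    """Recover the address spelled out in the labels of qname below zone.

    DNSBL style:  4.3.2.1.bl.bad.example.  under bl.bad.example.  -> 1.2.3.4
    v6 rDNS:      <32 nibbles>.ip6.arpa.   under ip6.arpa.        -> 2001:db8::1
    Returns None when the labels are not a well-formed reversed address.
    """
    q, z = qname.lower().rstrip("."), zone.lower().rstrip(".")
    if not q.endswith("." + z):
        return None
    labels = q[: -(len(z) + 1)].split(".")
    try:
        if len(labels) == 4:            # reversed IPv4 octets
            return ipaddress.IPv4Address(".".join(reversed(labels)))
        if len(labels) == 32:           # reversed IPv6 nibbles, one hex digit each
            if not all(len(l) == 1 and l in "0123456789abcdef" for l in labels):
                return None
            return ipaddress.IPv6Address(int("".join(reversed(labels)), 16))
    except ValueError:                  # e.g. an octet label "256" or "abc"
        return None
    return None

# Constructed template; rbldnsd uses its own syntax for the same idea.
DNSBL_TEMPLATE = "Blocked -- see http://www.bad.example?ip={ip}"

def synthesize_txt(qname, zone, listed, template=DNSBL_TEMPLATE):
    """DNSBL answer: the TXT template with the queried address patched in,
    or None (i.e. NXDOMAIN) when the address is not inside a listed range."""
    addr = address_from_reverse_name(qname, zone)
    nets = [ipaddress.ip_network(n) for n in listed]
    if addr is None or not any(addr in n for n in nets):
        return None
    return template.format(ip=addr)

def synthesize_ptr(qname, static_prefixes, suffix):
    """Pattern PTR for an ip6.arpa query. Only static (server) space gets a
    name; addresses outside it return None so the server answers NXDOMAIN."""
    addr = address_from_reverse_name(qname, "ip6.arpa")
    nets = [ipaddress.ip_network(n) for n in static_prefixes]
    if addr is None or addr.version != 6 or not any(addr in n for n in nets):
        return None
    return addr.exploded.replace(":", "-") + "." + suffix
```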
Re: Adding CNAME for the root domain issue
>> You would only be able to do this if you could put the CNAME record
>> in the parent domain, instead of delegating domain.com to your own
>> server. But do any domain registrars support that option?
>
> And would the registry (here, Verisign) accept it? As far as I know,
> no.

This smells a lot like the bundled variant problem, in which you register one name but get a bunch of lexically related names along with it, and in some cases the related names are active. For example, if you register exàmple.cat, you also get example.cat without the accent. Their implementation is terrible, a DNAME at the 2LD.

There's been a lot of discussion about how you might make this work better, such as BNAME which is supposed to combine CNAME and DNAME. There's better places to discuss this, of course, since I think we can assume that should such features be standardized, BIND will implement them.

R's,
John
Re: Adding CNAME for the root domain issue
Assuming you mean this (notice the dots):

    Domain.com. CNAME x.y.com.
    www CNAME x.y.com.

it should work. Some people believe that you can't have other records at names below a name with a CNAME, but they are mistaken.

On the other hand, this will not work:

    domain.com. CNAME x.y.com.
    domain.com. MX 10 server.somewhere

To make this work, you need Stephane's hack of copying the A and AAAA records.

R's,
John
Re: frequent queries to root servers
> If chained CNAMEs work for you, more power to you. But don't be
> surprised if they fail unexpectedly at some point.

If they don't, you'll have a lot of unhappy users since there's a whole lot of the Internet they won't be able to see. Try www.apple.com and www.microsoft.com, both of which have three chained CNAMEs through Akamai.

R's,
John
Re: Cloud DNS providers for secondary DNS
> My more specific question is this: If I'm a site on the internet looking for a
> server in my domain for the first time, I query the TLD
> servers for a list of name servers for my domain and pick one to query.
> Suppose I pick one that has the correct zone information and can
> answer the query, but that specific NS is not listed in the zone record. I
> believe that's called a LAME nameserver, correct?

Not sure I understand your question. If you're looking for, say, www.blah.example, you (actually your DNS cache that does the recursive lookups) ask the example TLD servers for www.blah.example, and it answers with some NS records that say that the blah.example domain is handled by some set of servers. Then the cache looks up the address of one of the servers if it doesn't have it already, and asks it for www.blah.example.

If the server doesn't know the answer, i.e., it doesn't handle the blah.example zone, that's a lame delegation. At that point most caches will try other servers to try and find a non-lame one so it's not fatal, but it's not a great idea either.

Extra complication ensues when the server's name is within the zone, e.g., the server for blah.example is ns.blah.example. In that case, the A or AAAA record(s) for ns.blah.example are copied into the upper level zone (the TLD in this case) as "glue" that are returned in the additional section of the answer, so caches can use it to handle the request.

R's,
John
Re: Cloud DNS providers for secondary DNS
> On 30.12.2015 at 03:12, Luis Daniel Lucio Quiroz wrote:
>> You could use dyndns for that, but it is not free.
>
> do they provide anycast?

Yes, of course. Dyn is one of the largest DNS providers in the world. Their basic secondary service is $40/yr.

R's,
John
Re: Cloud DNS providers for secondary DNS
> IN NS ns1.mydomain.com.
> IN NS ns2.mydomain.com.
> IN NS ns1.d-zone.ca <== Addition
> IN NS ns2.d-zone.ca <== Addition

These questions would, as always, be easier to answer if you gave us the actual names rather than inventing other names that may or may not be similar to the real ones.

If your servers are not authoritative for d-zone.ca, which in this case they very likely aren't, there is no benefit from putting their A or AAAA records into your zones, since nobody will ask for them. Just add the NS records to your own zones, and add them to the list that the registrar uploads to the TLD zone and it will work. If you're using nameservers with names within your own zone you have to set up glue records, but in this case you don't.

R's,
John
Re: SPF RR type
In article mailman.348.1401978387.26362.bind-us...@lists.isc.org you write:

> Are SPF RR types finally dead or not? I've read through rfc7208 and it appears that they are:

They're dead as in nobody looks at them other than legacy software that hasn't been updated.

The SPF record was a screwup from beginning to end. By the time 4408 came out, there was already a lot of running SPF software using the badly designed TXT record. The mail community never wanted the SPF record but it was added reluctantly to 4408 due to filibustering by the DNS crowd. There was never a plausible transition plan for publishing SPF records, and by the time 7208 came out it was clearly time to put type 99 out of its misery.*

It's extremely unlikely that the RRTYPE will ever be reused, so you can publish them if you want, but don't expect anyone to pay attention to them. Perhaps they can be reused for steganography.

R's,
John

* - Mark doubtless feels differently.
Re: Point domain name of my zone to name in somebody else's zone?
DNSMadeEasy calls this an ANAME record; internally they just look up the destination's IP and cache it, updating it as needed. It works, but it would be nice if this could be done in DNS. Sadly, it can't, and probably won't in our lifetimes.

I do a similar thing in my DNS crudware, a pseudo-entry in the zone: every time the background update script runs, it does A and AAAA lookups and puts the results in the real zone, bumping the SOA serial if the result changed since last time. It's a crock, but one that we all seem to want.

I suppose we could invent something like an ANAME (that's A and name), that worked like a restricted CNAME and does an indirect lookup only for A or AAAA requests. Or overimplement it with a bitmap of the RR types to indirect for.

R's,
John
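The background-refresh step described above (look up the target's A/AAAA, splice the results into the real zone, bump the serial only on change) as an added example; it is not John's script or DNSMadeEasy's implementation, and the Zone layout, the injected `lookup` callback and the sample addresses are made up:

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    serial: int
    # owner name -> {rrtype -> set of rdata strings}
    rrsets: dict = field(default_factory=dict)

def next_serial(serial):
    """Increment within 32-bit unsigned serial arithmetic (RFC 1982)."""
    return (serial + 1) % 2**32

def refresh_aname(zone, owner, target, lookup):
    """Replace owner's A and AAAA rrsets with whatever target currently has.

    `lookup(name, rrtype)` returns the set of rdata strings for that rrset;
    in real life it is a resolver query, here it is injected so the logic
    runs offline. It is expected to raise LookupError on a failed query, and
    in that case the old data is kept: a transient resolver failure must not
    wipe the apex address records out of the published zone.
    Returns True if the zone changed (and the serial was bumped).
    """
    changed = False
    current = zone.rrsets.setdefault(owner, {})
    for rrtype in ("A", "AAAA"):
        try:
            fresh = set(lookup(target, rrtype))
        except LookupError:
            continue                      # keep last known good data
        if fresh == current.get(rrtype, set()):
            continue
        if fresh:
            current[rrtype] = fresh
        else:
            current.pop(rrtype, None)     # target genuinely has no such records
        changed = True
    if changed:
        zone.serial = next_serial(zone.serial)
    return changed
```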
Re: Variable SOAs in negative responses
>> For addresses that aren't listed, some of the NXDOMAINs are a lot less
>> likely to change than others, e.g., the address of an outbound mail
>> server at a large mail provider is unlikely ever to be listed, but a
>> random host at a hosting provider in India, who knows. So he'd like to
>> have the TTLs on some of those NXDOMAINs be longer than others, by
>> putting a different TTL in the SOA in the authority section.
>
> If you know those IPs, why do you check them for being listed at all?

The DNSBL operator knows the IPs belong to large mail providers. The clients don't, and are checking them because they're getting mail from them.

> If any IP starts spamming, why to give it longer time to appear in the
> blacklists? I don't think this makes sense at all...

Most DNSBLs try to avoid false positives. The chances that Gmail (or whoever) would suddenly start sending so much spam that it would swamp the real mail and make them worth listing are extremely low.

I realize there are DNSBLs that list on the merest whiff of spam and don't care if they block legitimate mail. That's not what we're talking about here.

R's,
John
Variable SOAs in negative responses
A friend (really) asks this question: they have some DNSBLs, which get a lot of queries. Sometimes the answer has A or TXT records, meaning the corresponding address is listed in the DNSBL, sometimes it's NXDOMAIN which means the address isn't.

For addresses that aren't listed, some of the NXDOMAINs are a lot less likely to change than others, e.g., the address of an outbound mail server at a large mail provider is unlikely ever to be listed, but a random host at a hosting provider in India, who knows. So he'd like to have the TTLs on some of those NXDOMAINs be longer than others, by putting a different TTL in the SOA in the authority section. The DNS server isn't BIND, coding this up is easy enough. The question is what's likely to break at the other end.

Question: what will BIND's cache do if there are inconsistent SOAs for NXDOMAINs in the same zone?

Bonus question: how does this answer change if we ever do DNSSEC? (Since the server already generates the RRs on the fly, you can assume it will do online signing.)

TIA and all that,
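What the "different TTL in the SOA" knob actually controls on the cache side, as an added example that is not part of the original thread: per RFC 2308 (sections 3 and 5) a cache gives an NXDOMAIN the smaller of the authority-section SOA's own TTL and its MINIMUM field, capped by a local maximum (BIND's max-ncache-ttl, default 3 hours). The prefix list, TTL values and function names are constructed for the illustration.

```python
import ipaddress

BIND_DEFAULT_MAX_NCACHE_TTL = 10800   # BIND max-ncache-ttl default: 3 hours

def negative_cache_ttl(soa_rr_ttl, soa_minimum,
                       max_ncache_ttl=BIND_DEFAULT_MAX_NCACHE_TTL):
    """TTL a resolver cache assigns to an NXDOMAIN (RFC 2308 s.3 and s.5):
    min(SOA RR TTL, SOA MINIMUM), further capped by the cache's local limit."""
    return min(soa_rr_ttl, soa_minimum, max_ncache_ttl)

def negative_soa_for(ip, stable_prefixes, long_ttl, short_ttl):
    """Per-query SOA the DNSBL server would synthesize for an unlisted address.

    Addresses inside the operator's 'unlikely ever to be listed' prefixes get
    the long TTL, everything else the short one. Both the RR TTL and the
    MINIMUM field carry the chosen value: raising only one of them is undone
    by the cache's min().
    """
    addr = ipaddress.ip_address(ip)
    stable = any(addr in ipaddress.ip_network(p) for p in stable_prefixes)
    ttl = long_ttl if stable else short_ttl
    return {"ttl": ttl, "minimum": ttl}

def ttl_seen_by_cache(ip, stable_prefixes, long_ttl, short_ttl,
                      max_ncache_ttl=BIND_DEFAULT_MAX_NCACHE_TTL):
    """End-to-end: what a BIND-like cache ends up holding for the NXDOMAIN.
    Shows that a long TTL beyond the cache's cap buys nothing extra."""
    soa = negative_soa_for(ip, stable_prefixes, long_ttl, short_ttl)
    return negative_cache_ttl(soa["ttl"], soa["minimum"], max_ncache_ttl)
```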
Re: Can we do a sub-domain delegation with godaddy?
> I mean I have example.com hosted with Go Daddy while I need sub-domain
> ftp.example.com to be delegated to my internal BIND server. Does any one
> know how do I do it in Go Daddy?

The easiest approach in the long run is to move the DNS for the whole domain to your own DNS servers. Large cheap hosting services like Godaddy do not deal well with exceptions. Pointing the 2LD at your servers is normal, delegating a subdomain is an exception.

If you have web or other hosting there, you can still point the DNS records back at them as needed.

R's,
John
Re: Query regarding CNAME
> the DNAME already recommended by Dave Warren is what you want:
>
> xyz.gov.in. DNAME xyz.in.

Except that DNAME only applies to names under xyz.gov.in, not to xyz.gov.in itself. There are a variety of ways to deal with this but in practice:

> another possibility is to include the same file to zone files for both
> domains as Leonard Mills recommended.

is the easiest way to do it if you're using BIND.

R's,
John
Re: Query regarding CNAME
>> xyz.gov.in. DNAME xyz.in.
>
> On 01.01.14 18:16, John Levine wrote:
>> Except that DNAME only applies to names under xyz.gov.in, not to
>> xyz.gov.in itself.
>
> Usually because xyz.gov.in must already have SOA and NS records and
> therefore it's not possible to redirect it easily.

That's what DNAME does, regardless of where in the DNS tree it is. It redirects the subtree under the DNAME but not the name where the DNAME is. You can put other RRs (except CNAME of course) at the same name as the DNAME.

> I found single DNAME easier than playing with $INCLUDE.

If it does what you want, sure. In the frequent case that it doesn't, you need to do something else.

R's,
John
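The two rules John leans on in this thread and in the apex-CNAME thread above (DNAME rewrites only names below its owner, never the owner itself; CNAME cannot share a name with other data, while DNAME can with anything but CNAME) as an added example; it is not BIND code, and the names used are the ones from the threads plus constructed ones:

```python
def apply_dname(qname, owner, target):
    """RFC 6672 substitution: the part of qname below owner is moved onto
    target. Returns None when the DNAME does not apply, which includes
    qname == owner: the DNAME's own name is never redirected."""
    q, o, t = (n.lower().rstrip(".") for n in (qname, owner, target))
    if q == o or not q.endswith("." + o):
        return None
    return q[: -(len(o) + 1)] + "." + t + "."

# DNSSEC records are allowed beside a CNAME (RFC 4035 section 2.5).
_DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3"}

def coexistence_problems(rrtypes):
    """List the illegal RR-type combinations at one owner name.

    CNAME must be alone apart from DNSSEC data (RFC 1034 section 3.6.2);
    DNAME may share its name with anything except CNAME (RFC 6672 section
    2.4), which the CNAME rule already catches. Empty list means the node
    is fine, e.g. DNAME beside SOA and NS at a zone apex.
    """
    types = {t.upper() for t in rrtypes}
    problems = []
    if "CNAME" in types:
        others = sorted(types - {"CNAME"} - _DNSSEC_TYPES)
        if others:
            problems.append("CNAME cannot share a name with " + ", ".join(others))
    return problems
```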
Re: TXT Record Format with multiple records?
> Please forgive my ignorance, and sorry about all the details. I have not
> been able to find a detailed specification.

TXT records haven't changed since RFC 1034 and 1035. You can have multiple strings per record, and multiple records per name. At the application level, some applications glom multiple strings per record together, some treat them separately. There are a few obscure designs that combine multiple TXT records at the same name, but you're unlikely to run into any of them.
Re: TXT Record Format with multiple records?
> How, precisely, is the second (or third) string added?

    plugh.example TXT foo bar
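How the master-file form above becomes two `<character-string>`s on the wire, and what the "glom the strings together" application behaviour from the previous message amounts to, as an added example (not part of the original thread); the helper names are made up, and quoting is handled shell-style, which covers plain quoted and bare tokens but not master-file `\DDD` escapes:

```python
import shlex

MAX_CHARSTRING = 255   # RFC 1035 <character-string>: one length octet

def parse_master_txt(rdata_text):
    """Split the RDATA of a master-file TXT line into its strings:
    'foo bar' is two strings, '"foo bar"' is one."""
    return shlex.split(rdata_text)

def encode_txt_rdata(strings):
    """Wire-format TXT RDATA: for each string, a length octet then the bytes."""
    out = bytearray()
    for s in strings:
        data = s.encode("ascii")
        if len(data) > MAX_CHARSTRING:
            raise ValueError("character-string longer than 255 octets")
        out.append(len(data))
        out += data
    return bytes(out)

def decode_txt_rdata(rdata):
    """Inverse of encode_txt_rdata; rejects a length octet that overruns
    the RDATA, which is the usual malformed-packet case to guard against."""
    strings, i = [], 0
    while i < len(rdata):
        n = rdata[i]
        if i + 1 + n > len(rdata):
            raise ValueError("truncated character-string")
        strings.append(rdata[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return strings

def split_for_txt(text, limit=MAX_CHARSTRING):
    """Chop a value longer than 255 octets into several strings of one
    record; an application that gloms them back together sees the original."""
    return [text[i:i + limit] for i in range(0, len(text), limit)]

def glom(strings):
    """The 'treat the strings as one value' application view."""
    return "".join(strings)
```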
Re: DNS Amplification Attacks... and a trivial proposal
> OK. I just want to be clear here, and make sure that I have properly
> understood what you have said. Would it be correct, then, to say that at
> the present moment you are not actually able to produce, cite, or
> describe, with any particularity or specificity, even one individual
> specific incident in which 512 byte packets were used to perpetrate any
> individual, effective, and successful DDoS attack which actually resulted
> in some actual service being denied, and that you are likewise unable to
> relate any specifics about any such purported attack which was in any
> other way worthy of note?

No. In any reflector attack, the bad guys blast out the requests and the reflectors send back what they send back. Since there are still plenty of DNS caches that don't do EDNS0, some of the traffic is big packets, some is smaller. The victims of the attacks for some reason always have something more pressing to do than to collect detailed statistics on the distribution of the incoming packets, so nobody knows what fraction is what.

More to the point, I know you can do arithmetic. The bad guys have botnets of 100,000 hosts or more, and there are at least that many open resolvers (think random networked printers and such) so a factor of 4 in the amplification ratio isn't important. When Doug said they were switching to chargen, he wasn't kidding. There's an unlimited number of things on the net that will respond to incoming packets.

R's,
John
Re: DNS Amplification Attacks... and a trivial proposal
> The entire problem is fundamentally a result of the introduction of
> EDNS0. Wouldn't you agree?

No, that just makes it a little easier. You pound the patoot out of someone with 512 byte packets just as much as you can with 4K packets, just by making your attacking botnet bigger.

The real solution is BCP 38, to keep spoofed packets out of the network in the first place. With widely implemented BCP 38, open resolvers wouldn't matter since you could only DoS yourself, or at worst someone else on your own network segment.

R's,
John
Re: DNS Amplification Attacks... and a trivial proposal
>> The real solution is BCP 38...
>
> I agree completely John. I cannot do otherwise. But I have to ask the
> obvious elephant-in-the-room question... How is that coming along so far?

Based on discussions I've had with people who work at large networks and in policy positions in various governments (not all in the US), a lot faster than it was even a few months ago.

If we're going to ask people to update their networks, I'd rather concentrate on an update that will really work, rather than some plan B that sorta kinda helps, and gives people the excuse that since they did that they don't have to do BCP 38.

Also, a fair amount is just education. I ran a spoofer test on my server and found the network wide open. I talked to the guy who runs the hosting center today and he said oops, he thought it was set to do ingress filtering. So it will in a few days when he gets his router configs updated.

R's,
John
Re: DNS Amplification Attacks... and a trivial proposal
> So, may I infer that rather than being put off until the end of the
> century, which seemed to be the previous implementation timeline,
> pervasive implementation of BCP 38 may now be expected at around the time
> that 32-bit UNIX clocks are anticipated to wrap-around to negative?

Perhaps, but I think that's still a lot sooner than a yet-to-be-designed hack to DNS servers will be widely used.
Re: Mailing list reply-to setting
> Any chance someone can correct the settings on this mailing list to
> reply to the list by default instead of the user posting the message?

This is a religious argument. Please, leave it alone.

> And, If I might add, adding a tag to the subject like [bind-users] would
> be extremely nice.

It's twelve years after RFC 2919 and people are still using mail software that can't filter on List-ID? Aw, come on. In gmail, it takes about 15 seconds to add a rule to apply a label to mail with a particular list-ID.
Re: spf ent txt records.
> I've not been keeping up with the IETF; is there a document that
> describes what looks like a de facto standard of using _pname labels with
> TXT RRs that is being followed by at least DMARC and DANE in
> *._tcp.example.com, *._smimecert.example.com, and _dmarc.example.com

No, but Dave Crocker is working on one.

> Is SRV the precedent being followed?

Yes.
Re: spf ent txt records.
> It is or would have been, very little cost to publish SPF records.

Not until we fix the provisioning problem. (News flash: in 99.9% of the Internet, people do not edit master files with vi.)

In the early days of SPF, it was remarkably hard to get TXT records provisioned, even though TXT records have been part of the DNS since the beginning. People had to go to their hosting companies, and the places that produce the web software they use, and persuade them to handle TXT, since in most cases it's just A, MX, and maybe CNAME. Having gone through that pain, nobody has any interest in going through it again for new rrtypes. I can assure you that the vast majority of the provisioning software that people use handles only a small subset of existing defined rrtypes.

I have a draft about a DNS master file extension language with the goal being that DNS servers and particularly provisioning software can be updated by adding lines to configuration files rather than by rewriting code. Vixie (now a co-author) had the clever idea of publishing the config info in a well known place in the DNS so the configuration can be automatic.

https://datatracker.ietf.org/doc/draft-levine-dnsextlang/