Re: 9.18 BIND not iterated over all authoritative nameservers
Doing some checking on this locally, trying to understand what may be happening. I stumbled across this: view.bankeasy.com is a CNAME to view.gtm.bankeasy.com. However, if I try to dig for gtm.bankeasy.com, that is where the oddities show up:

dig @ns1.dakotanames.com gtm.bankeasy.com

; <<>> DiG 9.18.18 <<>> @ns1.dakotanames.com gtm.bankeasy.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5025
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;gtm.bankeasy.com.              IN      A

;; AUTHORITY SECTION:
gtm.bankeasy.com.       60      IN      SOA     bkx-bigip1-out.ffc.local. hostmaster.bkx-bigip1-out.ffc.local. 2023102501 10800 3600 604800 60

;; Query time: 52 msec
;; SERVER: 96.2.250.214#53(ns1.dakotanames.com) (UDP)
;; WHEN: Fri Oct 27 18:03:58 CDT 2023
;; MSG SIZE  rcvd: 116

Not sure how this affects things, but the SOA record shows bad info ('.local.'). I wonder if this is where the issue is. The authoritative nameserver and responsible-party records are not resolvable. Maybe someone with more knowledge of DNS and the use of the .local. domain name can shed some light on this.

Lyle Giese

On 10/27/23 10:36, Michael Martinell via bind-users wrote:
> Hello,
>
> At this point I am hoping that somebody might have a workaround so that we can exclude domains from this behavior if they are broken on the far end. Does anybody have a workaround for this?
>
> We are a small ISP and run BIND compiled from source. We currently run 9.16.x. Every time we try to move forward with 9.18, customers start to complain that they are unable to reach certain websites. This includes banks, universities, and other organizations. I understand the goal is to get all DNS to RFC 6891, but from a practical standpoint this isn't working for customers, so we are prevented from upgrading either.
>
> Related website: https://gitlab.isc.org/isc-projects/bind9/-/issues/3152
>
> Our source code compile options:
>
> ./configure --with-gnu-ld --with-libxml2 --with-json-c --with-openssl=/usr/local/openssl && make && make install && ldconfig
>
> When I do a dig against a server running 9.18 I get the following:
>
> dig @dns1.itctel.com view.bankeasy.com
>
> ; <<>> DiG 9.16.42 <<>> @dns1.itctel.com view.bankeasy.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46906
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: d8ce8161641fbfdf0100653bcf9ad1fff99d24914278 (good)
> ;; QUESTION SECTION:
> ;view.bankeasy.com.             IN      A
>
> ;; Query time: 8 msec
> ;; SERVER: 2607:d600:1000:330:75:102:161:227#53(2607:d600:1000:330:75:102:161:227)
> ;; WHEN: Fri Oct 27 09:56:26 CDT 2023
> ;; MSG SIZE  rcvd: 74
>
> The same command resolves just fine when I run it against 9.16:
>
> dig @dns2.itctel.com view.bankeasy.com
>
> ; <<>> DiG 9.16.42 <<>> @dns2.itctel.com view.bankeasy.com
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30969
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 1232
> ; COOKIE: b0ec30c4ddfeacd30100653bcf9ff140c249344242e0 (good)
> ;; QUESTION SECTION:
> ;view.bankeasy.com.             IN      A
>
> ;; ANSWER SECTION:
> view.bankeasy.com.      3133    IN      CNAME   view.gtm.bankeasy.com.
> view.gtm.bankeasy.com.  300     IN      A       96.2.250.200
>
> ;; Query time: 11 msec
> ;; SERVER: 2607:d600:9000:330:75:102:160:227#53(2607:d600:9000:330:75:102:160:227)
> ;; WHEN: Fri Oct 27 09:56:31 CDT 2023
> ;; MSG SIZE  rcvd: 125
>
> [root@brkr-dns2 bind-9.18.12]#
>
> Michael Martinell
> Network/Broadband Technician
> Interstate Telecommunications Coop., Inc.
> 312 4th Street West • Clear Lake, SD 57226
> Phone: (605) 874-8313
> michael.martin...@itccoop.com
> www.itc-web.com

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
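The two dig outputs in this thread carry the whole diagnosis in a few header lines: the rcode, the flags (the authoritative server sets `rd` but not `ra`, hence the "recursion requested but not available" warning) and the SOA names under `.local.`, which RFC 6762 reserves for multicast DNS and which the global DNS therefore cannot resolve. The following is an added example, not code from this thread or from BIND or dig: a small parser for dig's text output that pulls those fields out and lists the anomalies. The two samples are constructed from the responses quoted above; the names and addresses are the thread's, the parsing and the checks are this example's own.

```python
"""Parse dig's text output and flag the anomalies discussed in this thread.

Added example (not code from the thread or from BIND/dig). The two samples are
constructed from the responses quoted above; names and addresses come from the
thread, the parsing and the checks are this example's own.
"""
import re

# Constructed sample 1: the authoritative answer for gtm.bankeasy.com quoted above.
SAMPLE_AUTH = """\
; <<>> DiG 9.18.18 <<>> @ns1.dakotanames.com gtm.bankeasy.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5025
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;gtm.bankeasy.com.\t\tIN\tA

;; AUTHORITY SECTION:
gtm.bankeasy.com.\t60\tIN\tSOA\tbkx-bigip1-out.ffc.local. hostmaster.bkx-bigip1-out.ffc.local. 2023102501 10800 3600 604800 60
"""

# Constructed sample 2: the SERVFAIL the 9.18 recursor returned for view.bankeasy.com.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 46906
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;view.bankeasy.com.\t\tIN\tA
"""

HEADER_RE = re.compile(r"^;; ->>HEADER<<- opcode: (\w+), status: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:")


def parse_dig(text):
    """Return the rcode, the header flags and the resource records of each section."""
    result = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            result["status"] = m.group(2)
            continue
        m = FLAGS_RE.match(line)
        if m:
            result["flags"] = set(m.group(1).split())
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            result["sections"][section] = []
            continue
        # Comment lines (including the QUESTION entry) start with ';'; skip them.
        if not line or line.startswith(";") or section is None:
            continue
        fields = line.split(None, 4)  # owner ttl class type rdata
        if len(fields) == 5:
            owner, ttl, rclass, rtype, rdata = fields
            result["sections"][section].append((owner, int(ttl), rclass, rtype, rdata))
    return result


def soa_names(parsed):
    """Yield (MNAME, RNAME) from every SOA record in the parsed answer."""
    for records in parsed["sections"].values():
        for _owner, _ttl, _rclass, rtype, rdata in records:
            if rtype == "SOA":
                mname, rname = rdata.split()[:2]
                yield mname, rname


def findings(parsed):
    """List what a resolver operator would want to notice: a non-NOERROR rcode,
    an authoritative-only server (RD set, RA clear), and SOA names under .local,
    which RFC 6762 reserves for multicast DNS and which therefore cannot be
    resolved in the global DNS."""
    out = []
    if parsed["status"] != "NOERROR":
        out.append(f"rcode {parsed['status']}")
    if "rd" in parsed["flags"] and "ra" not in parsed["flags"]:
        out.append("recursion requested but not available (authoritative-only server)")
    for mname, rname in soa_names(parsed):
        for label, name in (("MNAME", mname), ("RNAME", rname)):
            if name.lower().rstrip(".").endswith(".local"):
                out.append(f"SOA {label} {name} is under .local (mDNS, not globally resolvable)")
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_AUTH, SAMPLE_SERVFAIL):
        for finding in findings(parse_dig(sample)):
            print("-", finding)
```

Feeding real output in is a matter of `parse_dig(subprocess.check_output(["dig", "@server", "name"], text=True))`; the parser only looks at the header, flags and record lines, so the OPT pseudosection and the trailing statistics are ignored.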
Re: Reverse lookups not working when Internet connection failed.
The queries should work if you query an authoritative DNS server for that zone. If you are querying a recursive-only server (when the Internet connection is down), it won't be able to find the authoritative server and will answer only if it has a valid cached answer. Once that cached answer expires or is not there, a recursive-only server will fail to give you the answer you seek.

That is very dependent on your internal DNS setup and the type of DNS server you are querying.

Lyle Giese

On 11/4/22 11:07, David Carvalho via bind-users wrote:
> Thanks for the replies.
>
> My reverse zone file:
>
> $TTL 86400
> @       IN SOA dns.di.ubi.pt. postmaster.di.ubi.pt (
>                 2020040401 ; serial
>                 28800      ; refresh 3h
>                 7200       ; retry 1h
>                 604800     ; expire 1w
>                 86400 )    ; ttl 1d
> ; Name servers
>         IN NS dns.di.ubi.pt.
>         IN NS dns2.di.ubi.pt.
> 0.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.0
> 1.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.1
> 2.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.2
> 3.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.3
> 4.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.4
> 5.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.5
> 6.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.6
> 7.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.7
> 8.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.8
> 9.0-28.66.136.193.in-addr.arpa.   IN A 193.136.66.9
> 10.0-28.66.136.193.in-addr.arpa.  IN A 193.136.66.10
> 11.0-28.66.136.193.in-addr.arpa.  IN A 193.136.66.11
> 12.0-28.66.136.193.in-addr.arpa.  IN A 193.136.66.12
> 13.0-28.66.136.193.in-addr.arpa.  IN A 193.136.66.13
> 14.0-28.66.136.193.in-addr.arpa.  IN A 193.136.66.14
> ; Reverse mapping
> 1       IN PTR dns.di.ubi.pt.
> 2       IN PTR dns2.di.ubi.pt.
> 3       IN PTR geodac.di.ubi.pt.
> ...
>
> -----Original Message-----
> From: bind-users On Behalf Of Matus UHLAR - fantomas
> Sent: 04 November 2022 16:02
> To: bind-users@lists.isc.org
> Subject: Re: Reverse lookups not working when Internet connection failed.
>
> On 04.11.22 15:41, David Carvalho via bind-users wrote:
>> We've had an internet failure for a few days last week and as services got online I found the following:
>>
>> DNS queries about my.domain from my.domain worked as expected. Since there was no internet connection, I obviously couldn't query the outside world.
>>
>> Reverse (PTR) DNS queries about my.domain from my.domain didn't work.
>>
>> Now that the internet connection is restored, everything is ok.
>>
>> The reverse entries are in the format "z.y.x.in-addr.arpa." for IP x.y.z
>>
>> Aren't they supposed to work locally when no outside connection is available?
>
> if they are properly configured, yes.
>
>> What could I be missing?
>
> can you provide an example of an IP and configured reverse zone, and the zone file?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Support bacteria - they're the only culture some people have.
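The zone quoted above uses the `0-28.66.136.193.in-addr.arpa` naming of a classless reverse delegation (RFC 2317), where the /24 parent zone delegates a child zone for the /28 and points each address at it with a CNAME, and the child zone carries the PTR records. As an added example, not code from this thread or from BIND, here is a generator for both halves of that layout. It assumes the block the quoted file covers (193.136.66.0/28) and its two name servers; the host names are the three PTR targets quoted above, and the RFC 2317 layout itself is this example's assumption about what the zone is meant to provide.

```python
"""Generate a classless (RFC 2317) reverse delegation for a sub-/24 block.

Added example (not code from the thread or from BIND). It assumes the block the
quoted zone file covers, 193.136.66.0/28 with child zone
0-28.66.136.193.in-addr.arpa, and its two name servers; the host names are the
three PTR targets quoted in the thread, and the RFC 2317 layout (CNAMEs in the
/24 parent, PTRs in the child) is assumed to be the intended one.
"""
import ipaddress

NAMESERVERS = ["dns.di.ubi.pt.", "dns2.di.ubi.pt."]
PTR_MAP = {  # constructed from the PTR lines in the quoted zone file
    "193.136.66.1": "dns.di.ubi.pt.",
    "193.136.66.2": "dns2.di.ubi.pt.",
    "193.136.66.3": "geodac.di.ubi.pt.",
}


def reverse_name(ip):
    """in-addr.arpa name of an IPv4 address, e.g. 193.136.66.1 -> 1.66.136.193.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def rfc2317_zone_name(network):
    """Child zone name in the common RFC 2317 form <first>-<prefixlen>.<reversed /24>."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless reverse delegation applies to IPv4 blocks smaller than a /24")
    o = str(net.network_address).split(".")
    return f"{o[3]}-{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"


def parent_records(network, nameservers):
    """Lines for the /24 parent zone: an NS delegation of the child and one CNAME per address."""
    net = ipaddress.ip_network(network, strict=True)
    child = rfc2317_zone_name(network)
    child_label, parent = child.split(".", 1)
    lines = [f"$ORIGIN {parent}."]
    lines += [f"{child_label} IN NS {ns}" for ns in nameservers]
    for host in net:  # every address in the block, network and broadcast included
        last = str(host).split(".")[3]
        lines.append(f"{last} IN CNAME {last}.{child_label}")  # relative: the origin is appended
    return lines


def child_records(network, nameservers, ptr_map):
    """Lines for the child zone: NS records plus a PTR for each address that has a name."""
    net = ipaddress.ip_network(network, strict=True)
    lines = [f"$ORIGIN {rfc2317_zone_name(network)}."]
    lines += [f"@ IN NS {ns}" for ns in nameservers]
    for host in net:
        name = ptr_map.get(str(host))
        if name:
            lines.append(f"{str(host).split('.')[3]} IN PTR {name}")
    return lines


if __name__ == "__main__":
    print("\n".join(parent_records("193.136.66.0/28", NAMESERVERS)))
    print()
    print("\n".join(child_records("193.136.66.0/28", NAMESERVERS, PTR_MAP)))
```

With this layout a local resolver that is authoritative for both the parent `66.136.193.in-addr.arpa` zone and the child follows the CNAME into the child zone without ever leaving the server; a recursive-only resolver still has to reach whoever is authoritative for the parent, which is exactly what is unavailable while the upstream link is down.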
Re: Stopping ddos
Just my opinion. Don't rate limit TCP. The RRL feature in BIND only rate limits UDP. UDP is connectionless and the source address can be forged, generating DDoS traffic to a 3rd party. Proper DNS software will fall back to TCP. Because TCP is connection-based, it is much harder to forge the source address.

Lyle

On 8/3/22 08:30, Robert Moskowitz wrote:
> Thanks. I will look into this.
>
> On 8/3/22 07:47, Victor Johansson via bind-users wrote:
>> Hey,
>>
>> I just want to add that there is a better way to do this in iptables with hashlimit. The normal rate limit in iptables is too crude. Below is an example from the rate-limit chain, to which you simply send all port 53 traffic from the INPUT chain (make sure to exclude 127.0.0.1/127.0.0.53 though :) ).
>>
>> -A INPUT -p udp -m udp --dport 53 -j DNS-RATE-LIMIT
>> -A INPUT -p tcp -m tcp --dport 53 -j DNS-RATE-LIMIT
>> -A DNS-RATE-LIMIT -s 127.0.0.1/32 -m comment --comment "Dont rate-limit localhost" -j RETURN
>> -A DNS-RATE-LIMIT -m hashlimit --hashlimit-upto 100/sec --hashlimit-burst 300 --hashlimit-mode srcip --hashlimit-name DNS-drop --hashlimit-htable-expire 2000 -j ALLOW
>> -A DNS-RATE-LIMIT -m limit --limit 1/sec -j LOG --log-prefix "DNS-drop: "
>> -A DNS-RATE-LIMIT -m comment --comment "ansible[dns rate limiting]" -j DROP
>>
>> //Victor
>>
>> On 8/2/22 23:16, Michael De Roover wrote:
>>> For my servers I'm using iptables rules to achieve rate limiting. They look as follows:
>>>
>>> -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
>>> -A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
>>>
>>> It should be fairly trivial to convert these to use UDP 53, and tweak the timings you want. These rules are intended to allow 4 connections (which normally should be entire SMTP transactions) every 10 minutes. Since I have 2 edge nodes with these rules, that is doubled to 8 connections total.
>>>
>>> If you're an authoritative name server only, realistically mostly recursors / caching servers would query your servers and not too often. You can easily restrict traffic here. If you're a recursor too, this becomes a bit more complicated. Regarding the legitimate queries, it would be prudent to allow common recursors (Google, Cloudflare, Quad9 etc.) to have exceptions to this rule. Just allow their IP addresses to send traffic either unrestricted, or using a more relaxed version of the above.
>>>
>>> HTH,
>>> Michael
>>>
>>> On Tue, 2022-08-02 at 16:02 -0400, Robert Moskowitz wrote:
>>>> Recently I have been having problems with my server not responding to my requests. I thought it was all sorts of issues, but I finally looked at the logs and:
>>>>
>>>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.194.4#11205 (.): view external: query (cache) './A/IN' denied
>>>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.216.196#64956 (.): view external: query (cache) './A/IN' denied
>>>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 64.68.114.141#39466 (.): view external: query (cache) './A/IN' denied
>>>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 209.197.198.45#13280 (.): view external: query (cache) './A/IN' denied
>>>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 114.29.202.117#41955 (.): view external: query (cache) './A/IN' denied
>>>> Aug 2 15:47:19 onlo named[6155]: client @0xaa3cad80 62.109.204.22#4406 (.): view external: query (cache) './A/IN' denied
>>>> Aug 2 15:47:49 onlo named[6155]: client @0xa9420720 64.68.104.9#38518 (.): view external: query (cache) './A/IN' denied
>>>> Aug 2 15:47:50 onlo named[6155]: client @0xaa882dc8 114.29.202.117#9584 (.): view external: query (cache) './A/IN' denied
>>>>
>>>> grep -c denied messages
>>>> 45868
>>>>
>>>> And that is just since Jul 31 3am.
>>>>
>>>> This is fairly recent so I never looked into what I might do to protect against this. I am the master for my domain, so I do need to allow for legitimate queries.
>>>>
>>>> Any best practices on this?
>>>>
>>>> I am running bind 9.11.4
>>>>
>>>> thanks
Re: Need Help with BIND9
Yep, that fixed it.

Lyle

On 6/15/21 2:23 PM, techli...@phpcoderusa.com wrote:
> Thank you for your help!!
>
> The zone file is the one I took from Plesk when I had keiththewebguy.com parked there. All I did was change the IP addresses.
>
> I assume what you want me to do is add keiththewebguy.com to the two records, making:
>
> ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
> keiththewebguy.com. 86400 IN NS ns1.keiththewebguy.com.
> keiththewebguy.com. 86400 IN NS ns2.keiththewebguy.com.
>
> From what I have read, the SOA - "@ IN SOA ns1.keiththewebguy.com. ..." - the ns1.keiththewebguy.com. should be the FQDN? That is the box host name plus the domain, correct?
>
> Thanks!!
>
> On 2021-06-15 07:35, Matus UHLAR - fantomas wrote:
>> On 15.06.21 09:14, Lyle Giese wrote:
>>> I think I stumbled upon a problem with the zone records for keiththewebguy.com. It could be the root issue you are having.
>>>
>>> If I run dig ns +trace keiththewebguy.com I got the following for the last record from your name servers:
>>>
>>> ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
>>> keiththewebguy.com. 86400 IN NS ns1.
>>> keiththewebguy.com. 86400 IN NS ns2.
>>
>> this is the problem. OP's NS records point to nonexistent hosts, and these are authoritative, so after each nameserver fetches them, it uses them and fails.
>>
>> Most probably it's the "ns1" and "ns2" in the zone ending with "." which means that the current $ORIGIN (apparently keiththewebguy.com) is not appended to them.
>>
>> --
>> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
>> Warning: I wish NOT to receive e-mail advertising to this address.
>> Warning: I do NOT want to receive any advertising mail at this address.
>> Depression is merely anger without enthusiasm.
Re: Need Help with BIND9
I think I stumbled upon a problem with the zone records for keiththewebguy.com. It could be the root issue you are having.

If I run dig ns +trace keiththewebguy.com I got the following for the last record from your name servers:

ns1.keiththewebguy.com. 86400 IN A 98.191.108.149
keiththewebguy.com. 86400 IN NS ns1.
keiththewebguy.com. 86400 IN NS ns2.
;; Received 129 bytes from 98.191.108.149#53(ns2.keiththewebguy.com) in 84 ms

If I run the same query for any other domain I get a fully qualified host name for the name servers (i.e. ns1.keiththewebguy.com, not ns1.).

Lyle Giese
LCR Computer Services, Inc.

On 6/15/21 9:04 AM, techli...@phpcoderusa.com wrote:
> On 2021-06-15 01:38, Reindl Harald wrote:
>> On 15.06.21 at 10:31, Reindl Harald wrote:
>>> On 14.06.21 at 22:37, techli...@phpcoderusa.com wrote:
>>>> keiththewebguy.com [1]. does not actually have the two nameservers required though that is not the problem. (ns1 and ns2 have same IP)
>>>>
>>>> I have a VPS that runs Plesk and there is only one name server, so for every domain I have hosted on that VPS the domains have the same name server for both host names (at the registrar). I think some call these glue records.
>>>
>>> we know that already and it's wrong
>>>
>>> you can't have proper DNS with only one nameserver
>>> you can't have proper DNS with two nameservers in the same network or on the same line
>>>
>>> if you can't provide the minimum of *two* completely independent nameservers you can't host DNS - it's that easy
>>
>> https://www.iana.org/help/nameserver-requirements
>>
>> Minimum number of name servers
>> There must be at least two NS records listed in a delegation, and the hosts must not resolve to the same IP address.
>
> Thanks!!
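Both messages in this thread come down to two checks on the zone's NS records: whether the target names were written as `ns1.` (absolute, so `$ORIGIN` is never appended and the name server becomes a nonexistent host directly under the root) and whether the name servers resolve to one and the same address, which the IANA requirement quoted above forbids. The following added example, which is not code from this thread or from BIND, applies the zone-file origin rule to a few records and reports both problems. The zone text is constructed from the records quoted in the thread; 198.51.100.53 is a placeholder address from a documentation range, not a real name server.

```python
"""Check a zone's NS records for the two problems raised in this thread:
NS targets whose $ORIGIN was never appended (a bare 'ns1.'), and name servers
that share one IP address.

Added example (not code from the thread or from BIND). The zone text is
constructed from the records quoted in the thread; 198.51.100.53 is a
placeholder address from a documentation range, not a real name server.
"""

ZONE_AS_POSTED = """\
$ORIGIN keiththewebguy.com.
@    86400 IN NS ns1.
@    86400 IN NS ns2.
ns1  86400 IN A  98.191.108.149
ns2  86400 IN A  98.191.108.149
"""

ZONE_NAMES_FIXED = """\
$ORIGIN keiththewebguy.com.
@    86400 IN NS ns1.keiththewebguy.com.
@    86400 IN NS ns2.keiththewebguy.com.
ns1  86400 IN A  98.191.108.149
ns2  86400 IN A  98.191.108.149
"""

ZONE_TWO_HOSTS = """\
$ORIGIN keiththewebguy.com.
@    86400 IN NS ns1.keiththewebguy.com.
@    86400 IN NS ns2.keiththewebguy.com.
ns1  86400 IN A  98.191.108.149
ns2  86400 IN A  198.51.100.53   ; placeholder second host
"""


def qualify(name, origin):
    """Zone file rule: '@' means the origin; a name without a trailing dot gets the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text):
    """Return (owner, type, rdata) triples with owner and NS/CNAME targets fully qualified."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner = qualify(fields[0], origin)
        rest = [f for f in fields[1:] if not f.isdigit() and f.upper() != "IN"]  # skip TTL/class
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def check_nameservers(records):
    """Report NS targets that are single-label absolute names and in-zone NS hosts sharing an IP."""
    problems = []
    addresses = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            addresses.setdefault(owner, set()).add(rdata)
    seen = {}
    for _owner, rtype, target in records:
        if rtype != "NS":
            continue
        if len(target.rstrip(".").split(".")) < 2:
            # 'ns1.' is absolute and directly under the root: the origin was never appended.
            problems.append(f"NS target {target} is a single-label absolute name")
            continue
        for ip in sorted(addresses.get(target, ())):  # out-of-zone hosts have no A record here
            if ip in seen and seen[ip] != target:
                problems.append(f"NS hosts {seen[ip]} and {target} share address {ip}")
            seen.setdefault(ip, target)
    return problems


if __name__ == "__main__":
    for label, zone in (("as posted", ZONE_AS_POSTED),
                        ("names fixed", ZONE_NAMES_FIXED),
                        ("two hosts", ZONE_TWO_HOSTS)):
        print(label, "->", check_nameservers(parse_zone(zone)) or "ok")
```

The first zone reproduces the `dig +trace` result quoted above (`NS ns1.`); the second is what the follow-up message proposes, which fixes the names but still leaves both servers on one address; only the third satisfies the delegation requirement.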
Re: Bind 9.10 recursion issues
Why are you using forwarders? These Cloudflare servers are not authoritative for cat.com and don't seem to be open resolvers either.

Lyle Giese
LCR Computer Services, Inc.

On 12/4/20 12:48 PM, Wade Blackwell wrote:
> Good morning from the West Coast,
>
> It's been a while since I've set up an authoritative bind server from scratch, so I may be missing something very basic. First time in a docker container, besides the point but maybe it plays (this looks like a configuration issue in Bind). I'm getting the following errors when trying to resolve domains external to my own;
>
> ---snip---
> 17:30:04.843 REFUSED unexpected RCODE resolving './NS/IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.859 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.865 REFUSED unexpected RCODE resolving './NS/IN': 172.64.33.136#53
> 04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.867 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET//IN': 172.64.32.142#53
> 04-Dec-2020 17:30:04.877 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 172.64.33.136#53
> 04-Dec-2020 17:30:04.883 REFUSED unexpected RCODE resolving './NS/IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.884 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.889 REFUSED unexpected RCODE resolving 'G.ROOT-SERVERS.NET//IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.897 REFUSED unexpected RCODE resolving 'www.cat.com/A/IN': 108.162.192.142#53
> 04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving 'E.ROOT-SERVERS.NET//IN': 172.64.33.136#53
> 04-Dec-2020 17:30:04.906 REFUSED unexpected RCODE resolving './NS/IN': 108.162.193.136#53
> ---end---
>
> You'll notice the above are Cloudflare resolvers (pete/roxy).
>
> I get a DNSSEC related error when the same resolution is attempted on the OpenDNS servers:
>
> ---snip---
> 04-Dec-2020 17:30:05.084 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
> 04-Dec-2020 17:30:05.085 no valid KEY resolving './DNSKEY/IN': 208.67.220.220#53
> 04-Dec-2020 17:30:05.108 validating ./DNSKEY: unable to find a DNSKEY which verifies the DNSKEY RRset and also matches a trusted key for '.'
> 04-Dec-2020 17:30:05.108 no valid KEY resolving './DNSKEY/IN': 208.67.222.222#53
> ---end---
>
> Named.conf has the correct sources for queries;
>
> ---snip---
> acl permit { 172.30.0.0/16;
> ---end---
>
> Named.conf.options has the correct forwarders, recursion and query statements (ignore syntax, pulling partials);
>
> ---snip---
> forwarders { 108.162.193.136; 172.64.33.136; 108.162.192.142; 172.64.32.142; 173.245.58.142; 208.67.220.220; 208.67.222.222; };
> allow-recursion { 172.30.0.0/16;
> allow-query { 172.30.0.0/16;
> ---end---
>
> What am I missing here (flame away…)?
>
> -W
>
> "I can only explain it to you. I cannot understand it for you."
Re: RRL outcome on legitimate traffic...
Probably best to ask Paul Vixie for confirmation. I had implemented RRL when it was still an add-on and that was what was documented back then.

On 12/1/20 10:15 AM, Karl Pielorz wrote:
> --On 1 December 2020 at 08:24:50 -0600 Lyle Giese wrote:
>
>> You need to look at the reply named sends when it trips and starts limiting UDP traffic sourced from a given IP address. It tells the requestor to try again using TCP instead of UDP. So if the requestor is a legit DNS server, it will retry using TCP and still get a valid answer. Named does not blindly just drop traffic.
>
> Hmmm, I thought it did for RRL limit hits? (i.e. that's the point - to stop sending responses).
>
> Documentation for rate-limit seemed a bit patchy, e.g. KB aa-00994 references "See ARM 6.2.15" - which doesn't exist. In fact a lot of the KB documents reference Bind 9.9 - and things have moved on. But I can see it's better explained in the current ARM / Section 4.2.14.19 now.
>
> In fact, that entry also covers/says "Legitimate clients react to dropped or truncated response by retrying with UDP or with TCP respectively" - looks like it documents where these are in stats as well (RateDropped / QryDropped et al.) - so I think I'm good to go.
>
> -Karl
Re: RRL outcome on legitimate traffic...
You need to look at the reply named sends when it trips and starts limiting UDP traffic sourced from a given IP address. It tells the requestor to try again using TCP instead of UDP. So if the requestor is a legit DNS server, it will retry using TCP and still get a valid answer. Named does not blindly just drop traffic.

Lyle Giese
LCR Computer Services, Inc.

On 12/1/20 4:58 AM, Karl Pielorz wrote:
> Hi all,
>
> So there's been quite a thread - that originally started as "Bind stats - denied queries" - and morphed into a whole discussion on spoofed UDP, logging, RRL etc.
>
> In my original post - I never said the original traffic was likely legitimate in any way (just so we're clear - I didn't start that aspect of that thread).
>
> So, obviously RRL is pretty much all you can do with this stuff - presumably, if someone throws a lot of queries that 'trip' the RRL - but, say, spoofed from another ISP's actual DNS servers/network - the idea is that those IPs' legitimate UDP queries will start getting dropped :( - but the other ISP's DNS will then, hopefully, switch from UDP to TCP to get an answer?
>
> Looking at the distribution of rubbish we're seeing - I'm suspecting some of the limits would have to be 'really low' to catch some of this stuff (i.e. sometimes we just see 5 queries from an IP, and then nothing for hours - even from within the same /24).
>
> Obviously the server can weather quite a bit of this, and you can't "block everything" (which is - in a circle, why I was asking originally about getting stats for it :)
>
> Regards,
>
> -Karl
Re: Bind stats - denied queries?
Be careful 'rejecting' these outright. These queries are UDP traffic (not TCP) and the source address is easily forged. RRL is the correct way to limit these.

Lyle Giese
LCR Computer Services, Inc.

On 11/30/20 4:12 AM, Marc Roos wrote:
> Are newer versions of bind still logging like this?
>
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to 3.9.41.0/24
> Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to 35.177.154.0/24
> Nov 30 10:10:02 ns2 named[1241]: rate-limit: info: limit responses to 3.9.41.0/24
>
> I already reported that it is not too smart to log 3.9.41.0/24; better could be logged 3.9.41.100/24 so you know the offending IP.
>
> -----Original Message-----
> From: Karl Pielorz [mailto:kpielorz_...@tdx.co.uk]
> Sent: Monday, November 30, 2020 11:08 AM
> To: bind-users@lists.isc.org
> Subject: Bind stats - denied queries?
>
> Hi,
>
> We've been seeing a huge increase in 'denied queries' against a couple of Bind servers we look after (Bind 9.16.9) - these are currently logged as:
>
> " Nov 30 00:00:00 client @0xX X.X.X.X#48536 (.): query (cache) './ANY/IN' denied "
>
> This appears like it might be someone trying (unsuccessfully) to use us as an amplifier / reflector.
>
> We've got Bind's statistics file set up - but I can't see there's any entry for these "denied" queries? - As we'd really like to monitor this.
>
> If anyone knows what stat these turn up in the statistics file (if at all?)
>
> Thanks,
>
> -Karl
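The "query (cache) './ANY/IN' denied" lines in this thread and the "'./A/IN' denied" lines in the "Stopping ddos" thread above have the same shape, and the question in both is what to count before deciding anything. The following is an added example, not code from either thread or from BIND: a parser for those two named log formats (the denied-query line and the `rate-limit: info: limit responses to` line) that counts denied queries per source and per query, and lists sources that repeatedly ask for the root zone. The log lines are constructed in the format quoted in the threads, with addresses from documentation ranges and made-up counts; the message layout is BIND's.

```python
"""Summarise 'query ... denied' and 'rate-limit' lines from a named log.

Added example (not code from the threads or from BIND). The log lines below are
constructed in the two formats quoted in these threads; the addresses and the
counts are made up (documentation ranges), the message layout is BIND's.
"""
import re
from collections import Counter

LOG = """\
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 198.51.100.4#11205 (.): view external: query (cache) './A/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 198.51.100.4#64956 (.): view external: query (cache) './ANY/IN' denied
Aug  2 15:47:19 onlo named[6155]: client @0xaa3cad80 203.0.113.9#39466 (.): view external: query (cache) './ANY/IN' denied
Aug  2 15:47:20 onlo named[6155]: client @0xaa3cad80 198.51.100.4#41955 (.): view external: query (cache) './A/IN' denied
Nov 30 10:10:02 ns0 named[1303]: rate-limit: info: limit responses to 198.51.100.0/24
Nov 30 10:10:03 ns0 named[1303]: client @0xaa882dc8 192.0.2.77#9584 (example.test): view external: query (cache) 'example.test/A/IN' denied
"""

# client [@0x...] <ip>#<port> (<qname>): [view <v>:] query (cache) '<name>/<type>/<class>' denied
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]*)\):"
    r".*query \((?P<kind>\w+)\) '(?P<name>[^/']*)/(?P<qtype>\w+)/(?P<qclass>\w+)' denied"
)
RRL_RE = re.compile(r"rate-limit: info: limit responses to (?P<prefix>\S+)")


def parse_denied(line):
    """Return the fields of a 'denied' line as a dict, or None for any other line."""
    m = DENIED_RE.search(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count denied queries per source address and per (name, type), count per-source
    queries for the root ('.'), and collect the prefixes RRL reported limiting."""
    by_source, by_query, root_hits = Counter(), Counter(), Counter()
    limited = []
    for line in log_text.splitlines():
        d = parse_denied(line)
        if d:
            by_source[d["ip"]] += 1
            by_query[(d["name"], d["qtype"])] += 1
            if d["name"] == ".":
                root_hits[d["ip"]] += 1
            continue
        m = RRL_RE.search(line)
        if m:
            limited.append(m.group("prefix"))
    return {"by_source": by_source, "by_query": by_query,
            "root_hits": root_hits, "limited": limited}


def reflection_suspects(summary, min_hits=2):
    """Sources that repeatedly asked this server for the root zone ('./A', './ANY'),
    the pattern both threads show. Because these are UDP queries whose source may
    be spoofed, they are candidates for response rate limiting, not for blocking."""
    return sorted(ip for ip, n in summary["root_hits"].items() if n >= min_hits)


if __name__ == "__main__":
    s = summarize(LOG)
    print("denied by source   :", s["by_source"].most_common(3))
    print("denied by query    :", s["by_query"].most_common(3))
    print("RRL limited        :", s["limited"])
    print("reflection suspects:", reflection_suspects(s))
```

On a real log, `summarize(open("/var/log/messages").read())` gives the same counters; the `by_query` counter separates the `./ANY` reflection attempts from the ordinary denied lookups, which is the figure the statistics channel does not expose per client.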
Re: conflicting subdomain delegation
On 11/13/2018 11:04 AM, Frank Liu wrote:
> Hi,
>
> Is there an RFC determining which nameserver to use if there is a conflicting subdomain delegation? e.g.:
>
> In the zone of a.com, there are two NS delegations:
>
> b.a.com NS host1
> c.b.a.com NS host2
>
> On host1 in zone b.a.com, there is
>
> c.b.a.com NS host3
>
> As you can see, there is a conflicting delegation for c.b.a.com. If I look up a name d.c.b.a.com, will the nameserver host2 or host3 be used?
>
> dig +trace seems to go to host2, but bind9 as a resolver goes to host3. (the test was done on a centos7).
>
> Any ideas?
>
> Thanks!

I would expect that behavior if the Bind9 resolver was set up to query host1. If bind9 queries a server that is authoritative for b.a.com, I would expect that result.

If the bind9 resolver is set up to query a recursive-only server (other than host1), I would expect the same behavior as the +trace result.

So I think the answer is dependent on how your bind9 resolver is configured.

Lyle Giese
Re: [SOLVED] My Exchange server is now able to send email to httpd.apache.org domain after I added SPF TXT record to my DNS server
The reverse lookup for 118.189.211.120 does not match your HELO greeting and does not match the A record for exchange.teo-en-ming.com. Get your upstream ISP to fix that.

Lyle Giese
LCR Computer Services, Inc.

On 8/13/2018 8:28 PM, Turritopsis Dohrnii Teo En Ming wrote:
> Good morning from Singapore,
>
> Previously the mail server at httpd.apache.org domain rejected all of my emails.
>
> I have solved the problem by adding the following Sender Policy Framework (SPF) text (TXT) record to my DNS server:
>
> teo-en-ming.com. IN TXT "v=spf1 mx -all"
>
> Now my Exchange server is finally able to send emails to the httpd.apache.org domain.
>
> Am I an excellent troubleshooter?
>
> However, the mail server at freebsd.org is still rejecting my emails. Adding the SPF TXT record did not solve the problem for this domain (freebsd.org). Perhaps I need to configure DKIM as well? I have no idea what DKIM is.
>
> Please help me to troubleshoot email delivery failure for the freebsd.org domain. Thank you very much.
>
> ===BEGIN SIGNATURE===
> Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 30 Oct 2017
> [1] https://tdtemcerts.wordpress.com/
> [2] http://tdtemcerts.blogspot.sg/
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
> ===END SIGNATURE===
Re: How to Fix Reverse DNS?
You don't fix this, AT needs to be told to fix it. I assume you have static IPv4 addresses? You don't seem to have an MX record at all. The way AT will update this is if your MX record(or backup MX record) points to this ip address and then they should honor a request to set the reverse lookup for you. Lyle Giese LCR Computer Services, Inc. On 9/22/2015 2:08 PM, Ron Wingfield wrote: RE: BIND v9.10.2 I have recently converted from a "legacy" DSL service to AT's U-verse . . .has been a painful experience. Heretofore, the following from /var/named/named.conf zone "233.202.162.in-addr.arpa" { type master; file "./zonefiles/db.233.202.162.rev"; }; . . .and the contents of the zone configuration file as follows: $TTL 3h @ IN SOA archaxis.net. root.archaxis.net. ( 2015080601; Serial 3h ; Refresh 1h ; Retry 1w ; Expire 1h ); Negative cashing TTL IN NS ns1.archaxis.net. IN NS ns2.archaxis.net. 1 IN PTR archaxis.net. 1 IN PTR ns1.archaxis.net. 1 IN PTR ns2.archaxis.net. AT (in all of their surliness) is rejecting email from my SMTP (SendMail) server and issuing the following typical complaint: - The following addresses had permanent fatal errors - (reason: 550 5.7.1 Connections not accepted from servers without a valid sender domain.alph161 Fix reverse DNS for 162.202.233.81) - Transcript of session follows - ... while talking to al-ip4-mx-vip1.prodigy.net.: MAIL From:<ron.wingfi...@archaxis.net> <<< 550 5.7.1 Connections not accepted from servers without a valid sender domain.alph161 Fix reverse DNS for 162.202.233.81 554 5.0.0 Service unavailable I am at a loss for resolution of this problem. How am I supposed to "Fix reverse DNS"? The configuration scenario previously worked since 2002. Can someone suggest a fix? Thanks, Ron W. 
Re: Installing bind is not very clear for me
On 9/3/2015 12:53 PM, Reindl Harald wrote:
> On 03.09.2015 at 19:45, Leandro wrote:
>> Dear All:
>>
>> While installing bind I still have some issues that are not clear:
>> I'm using Centos 6.6 since I'm not very comfortable with Centos7 yet.
>> My final goal is to get an updated and stable version and also use json format for the statistics channel.
>>
>> 1) Some bind users recommended to get at least a 9.10 release but:
>> Using yum and repos, I found that 9.8 is available for Centos 6.6.
>> Also, Centos recommends not to build from source when possible
>
> the whole purpose why you are using CentOS / RHEL is long-time-support and get critical bugfixes without major changes and compatibility break, not just for named, for any installed software
>
> "some people recommend" is not a strong reason for breaking that without any concrete issue

Also the package managers for Centos will pull in the bug fixes of later versions of bind without changing the version number in Centos. It's not unique to Centos, but almost any of the heavily managed Linux distros do that.

I use SuSE (historical reasons plus I am very familiar with its layout) and have always used source for mission critical Internet facing applications.

Lyle Giese
Re: DIG Info Request
If I remember right, DIG does not know the root servers and asks the local host to retrieve that information and a server at 172.27.254.11 (which is RFC 1918 address space) gave you that answer.

Is your machine/shop setup with private root servers?

Lyle

On 2/3/2015 12:50 PM, Linux Addict wrote:
> I do dig . +trace and the results seem to show .new servers. This is causing SERVFAIL for root query. Any ideas?
>
> dig . +trace
>
> ; <<>> DiG 9.7.0-P1 <<>> . +trace
> ;; global options: +cmd
> .                       348510  IN      NS      b.root-servers.new.
> .                       348510  IN      NS      h.root-servers.new.
> .                       348510  IN      NS      l.root-servers.new.
> .                       348510  IN      NS      f.root-servers.new.
> .                       348510  IN      NS      m.root-servers.new.
> .                       348510  IN      NS      k.root-servers.new.
> .                       348510  IN      NS      i.root-servers.new.
> .                       348510  IN      NS      e.root-servers.new.
> .                       348510  IN      NS      g.root-servers.new.
> .                       348510  IN      NS      j.root-servers.new.
> .                       348510  IN      NS      c.root-servers.new.
> .                       348510  IN      NS      d.root-servers.new.
> ;; Received 405 bytes from 172.27.254.11#53(172.27.254.11) in 1 ms
>
> ;; connection timed out; no servers could be reached
Re: DIG Info Request
172.27.254.11 is giving you that info with the .new name servers. You need to ask whomever manages that server.

Look at this line from your +trace output:

Received 405 bytes from 172.27.254.11#53(172.27.254.11) in 1 ms

Lyle

On 2/3/2015 1:13 PM, Linux Addict wrote:
> Additional info -
>
> general: warning: checkhints: unable to find root NS 'b.root-servers.new' in hints
>
> I can't seem to find where the .new is coming from...
>
> On Tue, Feb 3, 2015 at 2:07 PM, Linux Addict linuxaddi...@gmail.com wrote:
>> The named.ca seems good.
>>
>> ;; ANSWER SECTION:
>> .                       518400  IN      NS      C.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      I.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      F.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      B.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      L.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      D.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      J.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      K.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      E.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      A.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      M.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      G.ROOT-SERVERS.NET.
>> .                       518400  IN      NS      H.ROOT-SERVERS.NET.
>>
>> On Tue, Feb 3, 2015 at 2:02 PM, Lyle Giese l...@lcrcomputer.net wrote:
>>> If I remember right, DIG does not know the root servers and asks the local host to retrieve that information and a server at 172.27.254.11 (which is RFC 1918 address space) gave you that answer.
>>>
>>> Is your machine/shop setup with private root servers?
>>>
>>> Lyle
>>>
>>> On 2/3/2015 12:50 PM, Linux Addict wrote:
>>>> I do dig . +trace and the results seem to show .new servers. This is causing SERVFAIL for root query. Any ideas?
>>>>
>>>> dig . +trace
>>>>
>>>> ; <<>> DiG 9.7.0-P1 <<>> . +trace
>>>> ;; global options: +cmd
>>>> .                       348510  IN      NS      b.root-servers.new.
>>>> .                       348510  IN      NS      h.root-servers.new.
>>>> .                       348510  IN      NS      l.root-servers.new.
>>>> .                       348510  IN      NS      f.root-servers.new.
>>>> .                       348510  IN      NS      m.root-servers.new.
>>>> .                       348510  IN      NS      k.root-servers.new.
>>>> .                       348510  IN      NS      i.root-servers.new.
>>>> .                       348510  IN      NS      e.root-servers.new.
>>>> .                       348510  IN      NS      g.root-servers.new.
>>>> .                       348510  IN      NS      j.root-servers.new.
>>>> .                       348510  IN      NS      c.root-servers.new.
>>>> .                       348510  IN      NS      d.root-servers.new.
>>>> ;; Received 405 bytes from 172.27.254.11#53(172.27.254.11) in 1 ms
>>>>
>>>> ;; connection timed out; no servers could be reached
Re: Why the heck my NS are not working
Post the domain name so we can look from out here.

Is the name server on a public ip address and your firewall allowing udp & tcp port 53 access to talk to named?

Lyle

On 07/20/14 02:21, Blason R wrote:
> Hi Guys,
>
> Though it may not be relevant to BIND but I need help with NS servers which are now hosted inside. I have a domain hosted with godaddy and godaddy were the DNS as well as registrars. Now I have setup my own DNS server inside my network and pointed the NS record in the godaddy panel, which happened properly and I can directly see my new NS as the NS record for my domain.
>
> Now I have an A record added on my DNS servers but somehow that hostname is not getting resolved, but when I particularly use those NS servers and then query, it properly gives me the answer.
>
> 1. Does that mean my delegation did not happen properly?
> 2. Or my queries are not being forwarded to my DNS servers when queried over the internet?
> 3. Or do I need to change SOA as well? [As SOA still shows the godaddy NS record]
>
> Please help
Re: Zone transfer doesn't work when I set allow-update statement
Allow-update makes the zone a dynamic update zone. You have to stop hand editing the zone file. Use nsupdate to make changes to the zone.

Lyle Giese
LCR Computer Services, Inc.

On 04/25/14 15:03, Jeronimo L. Cabral wrote:
> Dear, I'm using Bind 9.8.4 with a master / slave scenario.
>
> Zone transfer works OK when I have this config in named.conf.local from master server, add some A records and execute service bind9 reload:
>
> zone "company.com.ar" {
>     type master;
>     file "/etc/bind/zones/company.com.ar.db";
>     allow-transfer { key company; };
>     check-names ignore;
> };
>
> After that I add the allow-update statement and restart bind9 service:
>
> zone "company.com.ar" {
>     type master;
>     file "/etc/bind/zones/company.com.ar.db";
>     allow-transfer { key company; };
>     allow-update { 172.12.88.3; 10.8.91.7; };
>     check-names ignore;
> };
>
> Finally, I add some A records in my company.com.ar zone and increment the serial number, then I execute service bind9 reload but the Slave doesn't receive the new records.
>
> The only way Slave receives the new records is when I execute service bind9 restart in Master which is not the idea.
>
> What is the problem please???
>
> Thanks a lot, JeLo
Re: Zone transfer doesn't work when I set allow-update statement
How are you checking for updated info from the master?

I recommend dig @<ip address of master> test.company.com.ar

Lyle Giese
LCR Computer Services, Inc.

On 04/25/14 15:29, Jeronimo L. Cabral wrote:
> Thanks a lot, but using the allow-update statement, I use nsupdate in order to add a new record:
>
> # nsupdate
> server x.x.x.x
> zone company.com.ar
> update add test.company.com.ar 86400 A 1.1.1.1
> send
> quit
>
> But the master zone is not refreshed until I execute service bind9 restart (service bind9 reload doesn't refresh the master zone).
>
> How can I do in order to add new records using nsupdate without restarting the bind9 service???
>
> Thanks again!!!
>
> On Fri, Apr 25, 2014 at 5:12 PM, Kevin Darcy k...@chrysler.com wrote:
>> allow-update + manual editing of zone file = bad. Use nsupdate.
>>
>> - Kevin
>>
>> On 4/25/2014 4:03 PM, Jeronimo L. Cabral wrote:
>>> Dear, I'm using Bind 9.8.4 with a master / slave scenario.
>>>
>>> Zone transfer works OK when I have this config in named.conf.local from master server, add some A records and execute service bind9 reload:
>>>
>>> zone "company.com.ar" {
>>>     type master;
>>>     file "/etc/bind/zones/company.com.ar.db";
>>>     allow-transfer { key company; };
>>>     check-names ignore;
>>> };
>>>
>>> After that I add the allow-update statement and restart bind9 service:
>>>
>>> zone "company.com.ar" {
>>>     type master;
>>>     file "/etc/bind/zones/company.com.ar.db";
>>>     allow-transfer { key company; };
>>>     allow-update { 172.12.88.3; 10.8.91.7; };
>>>     check-names ignore;
>>> };
>>>
>>> Finally, I add some A records in my company.com.ar zone and increment the serial number, then I execute service bind9 reload but the Slave doesn't receive the new records.
>>>
>>> The only way Slave receives the new records is when I execute service bind9 restart in Master which is not the idea.
>>>
>>> What is the problem please???
>>>
>>> Thanks a lot, JeLo
Re: d root server
Your bind code is old and has the old info in it. D root changed its ip address. Bind has a built-in hints file, in case you don't setup one and it probably has the old ip address for the D root.

http://blog.icann.org/2012/12/d-root/

Lyle Giese
LCR Computer Services, Inc.

On 08/20/13 15:44, rohan.he...@cwjamaica.com wrote:
> Edward,
>
> Agreed. My concern though is why the following show up in my logs when the IP is already in the root hint file.
>
> checkhints: d.root-servers.net/A (199.7.91.13) missing from hints
>
> Regards,
> Rohan
>
> On Tue, 20 Aug 2013 14:40:09 -0400 Edward DeLargy eddela...@gmail.com wrote:
>> Rohan,
>>
>> Normally you shouldn't need to. However, sometimes errors happen and we just need to correct them as they come.
>>
>> Regards,
>> Ed
>>
>> On Tue, Aug 20, 2013 at 2:26 PM, rohan.he...@cwjamaica.com wrote:
>>> Thanks Edward,
>>>
>>> I didn't think I needed to edit the downloaded root hint file. In fact the d.root-servers.net server is assigned the IP address in the dig output below. I do not know where 128.8.10.90 comes from.
>>>
>>> dig d.root-servers.net
>>>
>>> ; <<>> DiG 9.7.2-P3 <<>> d.root-servers.net
>>> ;; global options: +cmd
>>> ;; Got answer:
>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54457
>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>>
>>> ;; QUESTION SECTION:
>>> ;d.root-servers.net.            IN      A
>>>
>>> ;; ANSWER SECTION:
>>> d.root-servers.net.     156446  IN      A       199.7.91.13
>>>
>>> Regards,
>>> Rohan
>>>
>>> On Tue, 20 Aug 2013 14:20:23 -0400 Edward DeLargy eddela...@gmail.com wrote:
>>>> Ah.. I also just thought of this... ensure that you have two separate IPs for the server in the hints.. you may have two entries with the same IP.
>>>>
>>>> Regards,
>>>> Ed
>>>>
>>>> On Tue, Aug 20, 2013 at 2:12 PM, rohan.he...@cwjamaica.com wrote:
>>>>> Hello,
>>>>>
>>>>> Why do I still get the following in my logs even after downloading the latest version root hint file.
>>>>>
>>>>> checkhints: d.root-servers.net/A (128.8.10.90) extra record in hints
>>>>> checkhints: d.root-servers.net/A (199.7.91.13) missing from hints
>>>>>
>>>>> Regards,
>>>>> Rohan

--
Lyle Giese
LCR Computer Services, Inc
Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety. Benjamin Franklin 1775
Re: d root server
Have you read the source code for these versions of BIND and examined the set of HINTS that are internal to the code inside BIND? These are loaded before any external HINTS file is loaded up.

Lyle

On 08/20/13 16:37, rohan.he...@cwjamaica.com wrote:
> Lyle,
>
> Version 9.8.4-P1 is also affected. And the hints file was downloaded during setup. Also note that even a freshly downloaded copy has the old address. Note IP 199.7.91.13 in the following dig output.
>
> dig +tcp @a.root-servers.net . ns
>
> ; <<>> DiG 9.8.4-P1 <<>> +tcp @a.root-servers.net . ns
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6106
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 22
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;.                              IN      NS
>
> ;; ANSWER SECTION:
> .                       518400  IN      NS      f.root-servers.net.
> .                       518400  IN      NS      h.root-servers.net.
> .                       518400  IN      NS      g.root-servers.net.
> .                       518400  IN      NS      c.root-servers.net.
> .                       518400  IN      NS      m.root-servers.net.
> .                       518400  IN      NS      k.root-servers.net.
> .                       518400  IN      NS      l.root-servers.net.
> .                       518400  IN      NS      i.root-servers.net.
> .                       518400  IN      NS      e.root-servers.net.
> .                       518400  IN      NS      d.root-servers.net.
> .                       518400  IN      NS      j.root-servers.net.
> .                       518400  IN      NS      b.root-servers.net.
> .                       518400  IN      NS      a.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> f.root-servers.net.     360     IN      A       192.5.5.241
> f.root-servers.net.     360     IN      AAAA    2001:500:2f::f
> h.root-servers.net.     360     IN      A       128.63.2.53
> h.root-servers.net.     360     IN      AAAA    2001:500:1::803f:235
> g.root-servers.net.     360     IN      A       192.112.36.4
> c.root-servers.net.     360     IN      A       192.33.4.12
> m.root-servers.net.     360     IN      A       202.12.27.33
> m.root-servers.net.     360     IN      AAAA    2001:dc3::35
> k.root-servers.net.     360     IN      A       193.0.14.129
> k.root-servers.net.     360     IN      AAAA    2001:7fd::1
> l.root-servers.net.     360     IN      A       199.7.83.42
> l.root-servers.net.     360     IN      AAAA    2001:500:3::42
> i.root-servers.net.     360     IN      A       192.36.148.17
> i.root-servers.net.     360     IN      AAAA    2001:7fe::53
> e.root-servers.net.     360     IN      A       192.203.230.10
> d.root-servers.net.     360     IN      A       199.7.91.13
> d.root-servers.net.     360     IN      AAAA    2001:500:2d::d
> j.root-servers.net.     360     IN      A       192.58.128.30
> j.root-servers.net.     360     IN      AAAA    2001:503:c27::2:30
> b.root-servers.net.     360     IN      A       192.228.79.201
> a.root-servers.net.     360     IN      A       198.41.0.4
> a.root-servers.net.     360     IN      AAAA    2001:503:ba3e::2:30
>
> Regards,
> Rohan
>
> On Tue, 20 Aug 2013 15:59:41 -0500 Lyle Giese l...@lcrcomputer.net wrote:
>> Your bind code is old and has the old info in it. D root changed its ip address. Bind has a built-in hints file, in case you don't setup one and it probably has the old ip address for the D root.
>>
>> http://blog.icann.org/2012/12/d-root/
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
>>
>> On 08/20/13 15:44, rohan.he...@cwjamaica.com wrote:
>>> Edward,
>>>
>>> Agreed. My concern though is why the following show up in my logs when the IP is already in the root hint file.
>>>
>>> checkhints: d.root-servers.net/A (199.7.91.13) missing from hints
>>>
>>> Regards,
>>> Rohan
>>>
>>> On Tue, 20 Aug 2013 14:40:09 -0400 Edward DeLargy eddela...@gmail.com wrote:
>>>> Rohan,
>>>>
>>>> Normally you shouldn't need to. However, sometimes errors happen and we just need to correct them as they come.
>>>>
>>>> Regards,
>>>> Ed
>>>>
>>>> On Tue, Aug 20, 2013 at 2:26 PM, rohan.he...@cwjamaica.com wrote:
>>>>> Thanks Edward,
>>>>>
>>>>> I didn't think I needed to edit the downloaded root hint file. In fact the d.root-servers.net server is assigned the IP address in the dig output below. I do not know where 128.8.10.90 comes from.
>>>>>
>>>>> dig d.root-servers.net
>>>>>
>>>>> ; <<>> DiG 9.7.2-P3 <<>> d.root-servers.net
>>>>> ;; global options: +cmd
>>>>> ;; Got answer:
>>>>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54457
>>>>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>>>>
>>>>> ;; QUESTION SECTION:
>>>>> ;d.root-servers.net.            IN      A
>>>>>
>>>>> ;; ANSWER SECTION:
>>>>> d.root-servers.net.     156446  IN      A       199.7.91.13
>>>>>
>>>>> Regards,
>>>>> Rohan
>>>>>
>>>>> On Tue, 20 Aug 2013 14:20:23 -0400 Edward DeLargy eddela...@gmail.com wrote:
>>>>>> Ah.. I also just thought of this... ensure that you have two separate IPs for the server in the hints.. you may have two entries with the same IP.
>>>>>>
>>>>>> Regards,
>>>>>> Ed
>>>>>>
>>>>>> On Tue, Aug 20, 2013 at 2:12 PM, rohan.he...@cwjamaica.com wrote:
>>>>>>> Hello,
>>>>>>>
>>>>>>> Why do I
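The comparison named performs when it logs the checkhints lines quoted in this thread and in the ".new" root-servers thread above, reproduced offline as an added example (not BIND's code). It parses a constructed, deliberately stale hints file in the named.root layout and a constructed priming answer built from the addresses in the dig output above, and emits the same "extra record in hints" / "missing from hints" / "unable to find root NS" messages; the check for names outside root-servers.net is an added heuristic.

```python
"""Root hints sanity check, modelled on named's checkhints messages.

Added example, not BIND's code. named primes its cache by asking a root
server for the root NS set and compares the answer with the hints it
loaded; mismatches produce the checkhints log lines quoted in the
threads. This reproduces that comparison offline over a constructed,
partial hints file and a constructed priming answer.
"""

# Constructed, partial hints file in the named.root layout, carrying the
# old D-root address 128.8.10.90 that the thread asks about.
HINTS = """
; constructed partial hints file, not the real named.root
.                        3600000      NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2f::f
"""

# Constructed priming answer (answer + additional sections, dig layout),
# trimmed to the same three servers; addresses as in the dig output above.
PRIMING = """
.                   518400  IN  NS    a.root-servers.net.
.                   518400  IN  NS    d.root-servers.net.
.                   518400  IN  NS    f.root-servers.net.
a.root-servers.net. 360     IN  A     198.41.0.4
d.root-servers.net. 360     IN  A     199.7.91.13
d.root-servers.net. 360     IN  AAAA  2001:500:2d::d
f.root-servers.net. 360     IN  A     192.5.5.241
f.root-servers.net. 360     IN  AAAA  2001:500:2f::f
"""

# Constructed answer like the one the private 172.27.254.11 server returned.
BOGUS_PRIMING = """
.   348510  IN  NS  b.root-servers.new.
.   348510  IN  NS  h.root-servers.new.
"""


def _fqdn(name):
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_rrs(text):
    """Parse 'owner ttl [IN] type rdata' lines; ';' starts a comment.

    Returns a list of (owner, type, rdata) with names lower-cased and
    dot-terminated so hints and priming data compare cleanly.
    """
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        i = 1
        if i < len(tok) and tok[i].isdigit():
            i += 1                      # TTL
        if i < len(tok) and tok[i].upper() == "IN":
            i += 1                      # class
        rtype = tok[i].upper()
        rdata = " ".join(tok[i + 1:])
        rdata = _fqdn(rdata) if rtype == "NS" else rdata.lower()
        rrs.append((_fqdn(tok[0]), rtype, rdata))
    return rrs


def checkhints(hints_text, priming_text):
    """Return checkhints-style messages; an empty list means hints are current."""
    hints, prime = parse_rrs(hints_text), parse_rrs(priming_text)
    hint_ns = {rd for o, t, rd in hints if o == "." and t == "NS"}
    prime_ns = {rd for o, t, rd in prime if o == "." and t == "NS"}
    msgs = []
    for ns in sorted(prime_ns - hint_ns):
        msgs.append(f"checkhints: unable to find root NS '{ns[:-1]}' in hints")
        if not ns.endswith(".root-servers.net."):
            # Added heuristic: a root NS outside root-servers.net means the
            # priming answer came from somewhere other than the real roots.
            msgs.append(f"checkhints: '{ns[:-1]}' is not a root-servers.net name; "
                        "check which server answered the priming query")
    for ns in sorted(hint_ns - prime_ns):
        msgs.append(f"checkhints: root NS '{ns[:-1]}' in hints not in priming answer")
    for rtype in ("A", "AAAA"):
        for ns in sorted(hint_ns & prime_ns):
            in_hints = {rd for o, t, rd in hints if o == ns and t == rtype}
            in_prime = {rd for o, t, rd in prime if o == ns and t == rtype}
            for addr in sorted(in_hints - in_prime):
                msgs.append(f"checkhints: {ns[:-1]}/{rtype} ({addr}) extra record in hints")
            for addr in sorted(in_prime - in_hints):
                msgs.append(f"checkhints: {ns[:-1]}/{rtype} ({addr}) missing from hints")
    return msgs


if __name__ == "__main__":
    for m in checkhints(HINTS, PRIMING) + checkhints(HINTS, BOGUS_PRIMING):
        print(m)
```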
broken ISP in china
I am cross posting this as it might be a dns issue, but it affects email directly. And I am quite aware of the 'Great Chinese Firewall' and realized that may be a large part of the issue.

LCR's mail filter and mail servers are all in the lcrcomputer.net domain. Recently I moved this domain (lcrcomputer.net) to a registrar that supports DNSSEC and inserted the DS record for this domain. I checked DNSSEC via http://dnsviz.net and http://dnssec-debugger.verisignlabs.com. Both show DNSSEC is working just fine for lcrcomputer.net.

However, shortly after that one of my customers stopped receiving email from one of their clients in China. They just brought that to my attention and I tried to email the client in China and got this back:

For ro...@x.com.cn, Site (x.com.cn/ipv4 address) said: 559 sorry , your helo/ehlo and domain in mail are invalid, you don't connect from there. (#5.5.9)

Because this started within 24 hours of when I published the DS record for lcrcomputer.net, I am assuming that this is related.

Has anyone else run across this? Or do I have something misconfigured here?

I ran with DNSSEC against ISC's lookaside for a long time and published the necessary DNSSEC records and had no problem. This started right after I moved the domain registration and published a DS record for the domain. I had already been publishing DNSSEC records and they checked out against ISC's lookaside stuff for quite a while.

Lyle Giese
LCR Computer Services, Inc.
Re: [mailop] broken ISP in china
On 02/18/13 19:02, Tony Finch wrote:
> Lyle Giese l...@lcrcomputer.net wrote:
>> Recently I moved this domain (lcrcomputer.net) to a registrar that supports DNSSEC and inserted the DS record for this domain.
>
> Was it signed before this point? I am wondering if this is a DNS response size problem - was the cause the addition of the DS record, or the addition of DNSKEY and RRSIG records?
>
> Tony.

The zone was signed before and was registered with ISC's look aside at dlv.isc.org and had been for quite a while (at least a year and maybe two). I made NO changes to the lcrcomputer.net zone itself other than resign the data every 15 days. It appears to have broken on Feb 6th or so and that would have been about the time I inserted the DS record.

The only change I have made was insert the DS record into my new registrar for publishing.

My customer's zone is not signed, has no DKIM and has no SPF records, never did.

But I am happy with this discussion as I get more than one set of eyes looking at what I have done and getting some opinions. So I am getting back that nothing is really wrong. (yea a couple of things I could tweak..)

I had forgotten about those pesky SPF records and am happy to get rid of them! I may do the same with the DKIM records also.

Thanks to everyone for the feedback.

Lyle Giese
LCR Computer Services, Inc.
Re: lame-servers: error (FORMERR) resolving [something]
On 01/11/13 03:05, Daniele wrote:
> Port 53 is open, I can also telnet it from another box in the same network.
> Now I think the problem can be on the packets size, because I'm trying every solution but nothing works.
>
> 2013/1/9 Lyle Giese l...@lcrcomputer.net
>> On 01/09/13 08:39, Daniele wrote:
>>> 2013/1/9 Phil Mayers p.may...@imperial.ac.uk
>>>> On 09/01/13 13:53, Daniele wrote:
>>>>> This is the scenario. I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04, virtualized on VirtualBox. The network works properly because if I indicate a different server from my own BIND9 (the first line of '/etc/resolv.conf' is, for example, `nameserver 8.8.8.8`) the lookups and any action on the Internet succeed.
>>>>
>>>> No, this assumption is not valid.
>>>
>>> I meant that I can reach the Internet and, vice versa, the Internet can reach my terminal.
>>
>> Recursive queries that named does for a client are different than your machine as a dns client reaching out to Google's recursive service. You need to have UDP & TCP port 53 open to your recursive server (the one running named) first of all. And if any network element within your network limits the size of UDP packets, you will have problems with EDNS0 queries.
>>
>> On this box running named, try this:
>>
>> dig +trace www.msn.com
>> dig +trace imperial.ac.uk
>>
>> After dig gets a copy of the root servers from the local named, it will do the same type of queries that a recursive name server does.
>>
>> Lyle Giese
>> LCR Computer Services, Inc.

Saying port 53 is open because you can telnet to it from a local computer is a very limited test.

1) Telnet only uses TCP, UDP is the primary/first communication channel DNS uses.
2) The router between this computer and the Internet is not at fault? You have done no tests to prove that one way or the other.

Do a couple of dig +trace runs and see what that shows. And try some any queries to a dnssec enabled domain.

Lyle Giese
LCR Computer Services, Inc.
Re: lame-servers: error (FORMERR) resolving [something]
On 01/09/13 08:39, Daniele wrote:
> 2013/1/9 Phil Mayers p.may...@imperial.ac.uk
>> On 09/01/13 13:53, Daniele wrote:
>>> This is the scenario. I installed BIND9 via `apt-get` on a newly installed UBUNTU 12.04, virtualized on VirtualBox. The network works properly because if I indicate a different server from my own BIND9 (the first line of '/etc/resolv.conf' is, for example, `nameserver 8.8.8.8`) the lookups and any action on the Internet succeed.
>>
>> No, this assumption is not valid.
>
> I meant that I can reach the Internet and, vice versa, the Internet can reach my terminal.

Recursive queries that named does for a client are different than your machine as a dns client reaching out to Google's recursive service. You need to have UDP & TCP port 53 open to your recursive server (the one running named) first of all. And if any network element within your network limits the size of UDP packets, you will have problems with EDNS0 queries.

On this box running named, try this:

dig +trace www.msn.com
dig +trace imperial.ac.uk

After dig gets a copy of the root servers from the local named, it will do the same type of queries that a recursive name server does.

Lyle Giese
LCR Computer Services, Inc.
Re: First usage of BIND9
On 11/24/12 11:39, Daniele Imbrogino wrote:
> I'd like to use BIND9 in the simplest way possible: I just want to install it and use it for name resolution of Internet hosts. So, on Ubuntu 12.04, I run
>
> sudo apt-get install bind9 bind9utils bind9-doc
>
> and then
>
> dig @127.0.0.1 www.amazon.com
>
> (for example), but I ALWAYS obtain a SERVFAIL. Why? Is a configuration necessary for this minimal use, too?

Yes, it's necessary to have a named.conf in the proper location and you have to start named. Is named even running?

See the ARM for a sample for a caching-only name server, which is what you are asking for.

Lyle Giese
LCR Computer Services, Inc.
Re: query (cache) 'domain.com/AAAA/IN' denied
On 10/10/12 20:52, kalin wrote:
> On 10/10/12 9:41 PM, Árni Birgisson wrote:
>> You have all those allow-*, but in your previous email you have recursion no; which you would have to change to recursion yes;. When you have done this, make sure to restrict it with the allow-recursion so you do not have an open resolver.
>
> thanks to you too but same result.
>
> options {
>         version "";
>         directory "/etc/namedb";
>         pid-file "/var/run/named/pid";
>         dump-file "/var/dump/named_dump.db";
>         statistics-file "/var/stats/named.stats";
>         allow-query-cache { any; };
>         allow-query { any; };
>         recursion yes;
>         // allow-recursion { any; }
>         allow-transfer { 127.0.0.1; };
> };
>
> # dig @ns2. domain.com
>
> ; <<>> DiG 9.4.2 <<>> @ns2 domain.com
> ; (1 server found)
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 55754
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;domain.com.                    IN      A
>
> ;; Query t
>
> i actually have another machine that has bind 9.4.2 and it works as desired without all these options. both machines are meant to be authoritative for domain.com...
>
> anything else i can try?
>
> thanks...
>
>> --
>> Arni
>>
>> ----- Original Message -----
>> From: kalin ka...@el.net
>> To: Lyle Giese l...@lcrcomputer.net
>> Cc: bind-users@lists.isc.org
>> Sent: Thursday, October 11, 2012 1:34:24 AM
>> Subject: Re: query (cache) 'domain.com/AAAA/IN' denied
>>
>> On 10/10/12 9:17 PM, Lyle Giese wrote:
>>> On 10/10/12 20:01, kalin wrote:
>>>> hi all...
>>>>
>>>> # uname -a
>>>> NetBSD ns2. 5.1 NetBSD 5.1 ...
>>>> # named -v
>>>> BIND 9.5.2-P2
>>>>
>>>> i get these in the log:
>>>>
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#19443: query (cache) 'domain.net/AAAA/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29333: query (cache) 'domain.net/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20710: query (cache) 'www.domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#20122: query (cache) 'domain.net/AAAA/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#17725: query (cache) 'domain.net/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#29894: query (cache) 'www.domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#47730: query (cache) 'www.domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 38.112.17.138#36976: query (cache) 'domain.org/A/IN' denied
>>>> Oct 10 16:15:09 ns2 named[29914]: client 156.154.62.145#43827: query (cache) 'domain.org/A/IN' denied
>>>> .
>>>>
>>>> all the domain.net, .org, .com above exist. if i do a dig off a local machine they resolve fine. if the dig is out of this network i get a log entry as above.
>>>>
>>>> at this point the named.conf has:
>>>>
>>>> options {
>>>>         version "ha-ha-ha";
>>>>         directory "/etc/namedb";
>>>>         pid-file "/var/run/named/pid";
>>>>         dump-file "/var/dump/named_dump.db";
>>>>         statistics-file "/var/stats/named.stats";
>>>>         allow-query-cache { any; };
>>>>         allow-query { any; };
>>>>         recursion no;
>>>>         allow-transfer { 127.0.0.1; };
>>>> };
>>>>
>>>> i'm not sure where to look next
>>>>
>>>> this machine is on a verizon fios if that really makes any difference...
>>>>
>>>> where should i look?
>>>>
>>>> thanks
>>>
>>> These are queries that require recursion and you have that turned off. If you don't want a publicly abused dns server, turn recursion on and restrict recursion to your LAN addresses (Allow-recursion).
>>
>> thanks.. but not good. now i have:
>>
>> allow-query-cache { any; };
>> allow-query { any; };
>> allow-recursion { any; }
>>
>> and still those logs. a dig from the outside gets refused...
>>
>>> Lyle Giese
>>> LCR Computer Services, Inc.

Maybe silly question, but after you changed your named.conf, did you restart named?

Are there any other named.conf on your system? (your named may be reading a different named.conf other than the one you are editing.)

Lyle Giese
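Reading a DNS reply header the way dig does in the outputs quoted in this thread and in the lame-servers/EDNS0 thread above, as an added example that is not code from the posts. It builds a query carrying an EDNS0 OPT record (RFC 6891) that advertises a 4096-byte UDP payload, constructs a minimal reply locally (build_response is a constructed helper, no network is used), and decodes the header so that "flags: qr rd; status: REFUSED" is reported together with dig's "recursion requested but not available" warning.

```python
"""DNS header and EDNS0 decoding, the way dig reports it.

Added example, not code from the threads. Every packet here is
constructed test data; build_response stands in for a real server.
"""
import struct

FLAG_BITS = {"qr": 15, "aa": 10, "tc": 9, "rd": 8, "ra": 7, "ad": 5, "cd": 4}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
OPT = 41  # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        l = msg[off]
        if l & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if l == 0:
            break
        labels.append(msg[off:off + l].decode("ascii"))
        off += l
    return ".".join(labels) + ".", (end if end is not None else off)


def opt_rr(udp_size):
    """OPT RR: root owner, type 41, CLASS field carries the UDP payload size."""
    return b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)


def build_query(name, qtype=1, txid=0x1234, rd=True, edns_udp_size=4096):
    """Query for name/qtype; with edns_udp_size set, append an OPT RR."""
    flags = (1 << FLAG_BITS["rd"]) if rd else 0
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(name) + struct.pack("!HH", qtype, 1)
    return msg + (opt_rr(edns_udp_size) if edns_udp_size else b"")


def build_response(query, rcode, aa=False, ra=False, edns_udp_size=None):
    """Constructed reply to query: echoes id, rd and the question; no answer RRs."""
    txid, qflags = struct.unpack("!HH", query[:4])
    flags = (1 << FLAG_BITS["qr"]) | (qflags & (1 << FLAG_BITS["rd"])) | rcode
    flags |= (1 << FLAG_BITS["aa"]) if aa else 0
    flags |= (1 << FLAG_BITS["ra"]) if ra else 0
    _, qend = decode_name(query, 12)
    qend += 4                                      # qtype + qclass
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns_udp_size else 0)
    return msg + query[12:qend] + (opt_rr(edns_udp_size) if edns_udp_size else b"")


def parse_response(msg):
    """Decode header, section counts and any OPT RR into a dig-like summary."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid,
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "flags": [k for k, bit in FLAG_BITS.items() if flags & (1 << bit)],
            "counts": {"QUERY": qd, "ANSWER": an, "AUTHORITY": ns, "ADDITIONAL": ar},
            "edns_udp_size": None, "warnings": []}
    off = 12
    for _ in range(qd):                            # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):                  # walk the RR sections
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT and name == ".":
            info["edns_udp_size"] = rclass
    if "rd" in info["flags"] and "ra" not in info["flags"]:
        info["warnings"].append("recursion requested but not available")
    return info


if __name__ == "__main__":
    q = build_query("domain.com", edns_udp_size=None)
    print(parse_response(build_response(q, rcode=5)))   # like the REFUSED dig above
    q = build_query("d.root-servers.net")
    print(parse_response(build_response(q, rcode=0, aa=True, edns_udp_size=4096)))
```

A reply whose OPT record advertises 4096 bytes only helps if every device between client and server passes UDP datagrams that large; where one of them clamps UDP at 512 bytes, the truncation and retry behaviour Lyle describes follows.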
Re: Root hints updates
On 09/06/12 07:06, Timothe Litt wrote: In doing some system administration, I realized that I have a tool that might be generally useful - ISC is welcome to add it to contribs. Hopefully the attachment will make it through the mailing list server. This is a script to automagically update the root hints file. There are a bunch of these floating around the internet; most don't work; those that do don't work well. I wrote this several years ago; it's worked for me. It will FTP the new file - or, if you value speed over comments, will fabricate a copy from the existing root servers - yes, it will deal with the case that a root server is renumbered or returns partial data. It acts as a SYS V init script so that it runs on every boot; It's smart enough to requeue itself hourly if it fails to get data. It verifies FTP transfers. It also runs as a cron job monthly to catch any updates. It will log actions to syslog; will also send mail if you like. It preserves file ownership and the timestamp of last download. It knows to run rndc reconfig when it gets a new file. (And not when nothing has changed.) I did some cleanup for this release, but the core logic has run for several years on Fedora and random embedded Linuxes. For me, it's install forget. README: Install it (or create a link to it) in /etc/init.d/ as update_root. E.g. if it's in /usr/local/sbin, then ln -sf ../../../usr/local/sbin/update_root /etc/init.d/ Then execute /etc/init.d/update_root setup and /etc/init.d/update_root Create a /etc/sysconfig/update_root file if you want a non-default configuration. 
The most useful configuration variables are:

  # Undefined uses FTP (default)
  #USEDNS=yes
  # Root file name
  HINT=ROOT.HINT
  # named control address (undef for none)
  NAMEDRNDC=127.0.0.1
  # Root file owner
  DEFAULTOWNER=named:named   (When there's no file; normally copies from old)
  # Define for e-mail recipient (default is undef = none)
  #TO=hostmas...@example.com
  # Cron directories
  CRONMONTHLY=/etc/cron.monthly
  CRONHOURLY=/etc/cron.hourly
  # No IPV6? This may speed FTP connections.
  WGET="$WGET -4"

Other parameters are in the first ~80 lines of the script.

The script commands are:
  start  - check for update (default if no command)
  setup  - run chkconfig and link to monthly queue (don't if you use crontab)
  status - list current file

One caution: Do not copy the script using copy & paste; there are places where literal tabs and spaces are important. [Some environments have very limited regexps.]

It's freely redistributable, with the usual caveat that there is no warranty or promise of support; you use it at your own risk.

Enjoy.

Timothe Litt
ACM Distinguished Engineer
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

Nice script. Now my pet peeve time <GRIN>.

This file: http://www.internic.net/domain/named.root indicates the named.root file should be available at ftp.internic.net or rs.internic.net. It's only at ftp.internic.net.

This page has a pointer to the root hints file (via FTP) that does not work either. The http version shows the above mistake. It's not available at rs.internic.net.
http://www.iana.org/domains/root/files

Lyle Giese
LCR Computer Services, Inc.
Re: Corrupt zone transfer
On 06/29/12 10:10, Danny Horne wrote:

Hi all,

I currently run two Bind 9.9.* nameservers (details below). I've just added a slave zone to the Windows one, the Linux one being the master. The zone transferred, however, seems to be corrupt in that when opened in Notepad it contains what I can only describe as gobbledegook. The master zone file was created with Vim if that's any help.

*Master server*
Linux (CentOS)
Bind 9.9.0

*Slave server*
Windows Server 2003 64 Bit
Bind 9.9.1-P1

Try
  dig @slave axfr example.com
I bet this will look right. The slave zone is probably in raw format.

Lyle Giese
LCR Computer Services, Inc.
No valid trust anchors for '.' - solved
I stumbled across an issue with an error message that was misleading and, from what I could Google, undocumented. I am posting this to document this issue for others that may stumble across it in the future.

Background: I am building a new server to replace an old system and add some functionality for system backups. The system hosts one of our DNS servers. I downloaded 9.8.3-P1 and installed it and copied over named.conf, rndc.conf and a couple of other key files. But since this server is a slave for all zones, I did not copy any zone files. And yes, I am running two views.

Upon first run of named, I noticed the clock error and realized I had not started up NTP yet and found the system clock on the new system a day in the future. I corrected that and restarted the system (init 6).

Then I got a new error message from named that was quite puzzling:

No valid trust anchors for '.'!

Googling for this did not lead to anything that proved useful and the error persisted. I am comparing notes between the old system that I took the named.conf from and this new system. I am failing to find anything useful. Until I noticed the serial number for the managed-keys-zone. It did not match the serial number that the old server showed.

How does one correct this? I stopped named on the new server, deleted the two .mkeys files and their related .jnl files and restarted named. Presto, problem fixed. I got the right serial number now and no more error messages about 'No valid trust anchors'.

It looks like the .mkeys files are dynamic zones and failed to update properly when the time was foobared and failed to self-correct when restarted with the correct date, until I deleted the .mkeys and related .jnl files.

Maybe named needs a warning that the date/time stamp on the zone files is in the future?
There may have been more related error messages, but when starting named, a lot of messages are logged and it's easy to overlook/miss some key error messages during the first start of named. And after I discovered the date/time issue, I did not go back to the logs and look at the first boot error messages and focused on the last restart of named set of messages.

Lyle Giese
LCR Computer Services, Inc.

Related error messages:

Jun 9 22:29:21 ns1a named[6252]: zone 78.0.10.in-addr.arpa/IN/chase: refresh: failure trying master 184.175.161.68#53 (source 0.0.0.0#0): clocks are unsynchronized
Jun 8 22:33:31 ns1a named[6444]: using built-in DLV key for view external
Jun 8 22:33:31 ns1a named[6444]: set up managed keys zone for view external, file '3c4623849a49a53911c4a3e48d8cead8a1858960bccdea7a1b978d73ec2f06d7.mkeys'
Jun 8 22:33:32 ns1a named[6444]: managed-keys-zone ./IN/external: No valid trust anchors for '.'!
Jun 8 22:33:32 ns1a named[6444]: managed-keys-zone ./IN/external: 0 key(s) revoked, 1 still pending
Jun 8 22:33:32 ns1a named[6444]: managed-keys-zone ./IN/external: All queries to '.' will fail
Jun 8 22:33:32 ns1a named[6444]: managed-keys-zone ./IN/external: No valid trust anchors for 'dlv.isc.org'!
Jun 8 22:33:32 ns1a named[6444]: managed-keys-zone ./IN/external: 0 key(s) revoked, 1 still pending
Jun 8 22:33:32 ns1a named[6444]: managed-keys-zone ./IN/external: All queries to 'dlv.isc.org' will fail
Jun 8 22:33:32 ns1a named[6444]: managed-keys-zone ./IN/external: loaded serial 3
Jun 8 22:33:32 ns1a named[6444]: running
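The warning Lyle asks for, written as a pre-start check (an added example, not code from the post or from BIND): it lists files in named's working directory whose modification time is in the future, which is what a clock running a day ahead leaves behind, and groups the .mkeys files with their .jnl journals. The directory and the KEYHASH-PLACEHOLDER file names are constructed for the demonstration.

```python
"""Pre-start check for the clock-skew failure described above.
Added example, not part of the original post; the sample directory
and the KEYHASH-PLACEHOLDER file names are constructed."""
import os
import tempfile
import time


def files_from_the_future(directory, now=None, slack=60):
    """Return [(name, seconds_ahead)] for regular files whose mtime is more
    than `slack` seconds past `now` (default: the current clock)."""
    now = time.time() if now is None else now
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            ahead = os.stat(path).st_mtime - now
            if ahead > slack:
                hits.append((name, int(ahead)))
    return hits


def managed_keys_pairs(names):
    """Group managed-keys zone files with their journals ('X.mkeys' and
    'X.mkeys.jnl'): the pair that was removed to recover in the post."""
    pairs = {}
    for name in names:
        base = name[:-4] if name.endswith(".jnl") else name
        if base.endswith(".mkeys"):
            pairs.setdefault(base, []).append(name)
    return pairs


def check(directory, now=None):
    """Return (warning lines, mkeys pairs among the future-dated files)."""
    hits = files_from_the_future(directory, now)
    lines = [f"{name}: mtime {secs} s in the future" for name, secs in hits]
    return lines, managed_keys_pairs(name for name, _ in hits)


def make_sample_dir(now):
    """Constructed sample: a managed-keys zone and its journal written while
    the clock was a day ahead, plus a slave zone file with a sane timestamp."""
    d = tempfile.mkdtemp(prefix="named-")
    for name, mtime in (("KEYHASH-PLACEHOLDER.mkeys", now + 86400),
                        ("KEYHASH-PLACEHOLDER.mkeys.jnl", now + 86400),
                        ("db.example.com", now - 3600)):
        path = os.path.join(d, name)
        with open(path, "w") as fh:
            fh.write("; constructed sample\n")
        os.utime(path, (mtime, mtime))
    return d


def run_demo():
    """Build the constructed directory and run the check against the real
    clock; returns what a pre-start hook would act on."""
    now = time.time()
    sample = make_sample_dir(now)
    lines, pairs = check(sample, now)
    return {"warnings": lines, "pairs": pairs,
            # once the clock has moved past the bogus mtimes nothing is flagged
            "after_clock_catches_up": files_from_the_future(sample, now + 2 * 86400)}


if __name__ == "__main__":
    result = run_demo()
    print("\n".join(result["warnings"]) or "clock and zone files agree")
    for base, files in result["pairs"].items():
        print(f"stale managed-keys zone {base}: stop named, remove {files}, start named")
```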
Re: forwarders
On 05/28/12 05:49, Amira Othman wrote:

Hi all

I configured bind9 on a centos 5.8 server that has a postfix mail server running on it. When I added my ISP DNS ips to forwarders the mail server stopped sending mails and gives me a DNS error: requires that all mail servers must have a PTR record with a valid Reverse DNS entry. Currently your mail server does not fill that requirement. But I didn't change the mail server configuration and its MX record points to one of the ISP DNS as I am still using their DNS. What's wrong in my configuration or what's missing? I also can't nslookup my DNS server although I added a reverse zone in my zones. Should I have PTR in the registrar also or is it just in my DNS server?

Regards

Amira,

I am assuming you are talking about cairosource.com. Your forwarders have nothing to do with your issues.

It looks like you are sending email from ip address 184.107.204.250. This has no reverse lookup. Iweb-hosting.com is the authority for this reverse lookup as the ip address is delegated to them. If this is the only ip address assigned to you, ask iweb-hosting to add a proper reverse lookup for this ip address.

Further, your MX record for cairosource.com has a TTL of 300 seconds and the A record also has a TTL of 300 seconds for msrv.cairosource.com. This low TTL makes it look like you have a dynamic ip address. Most RBLs require a minimum of 12 hrs and recommend a 24 hour TTL on these two records.

Lyle Giese
LCR Computer Services, Inc.
Re: Host command timing out sporadically
Using dig +trace, dig is trying to accomplish the recursion that named would do for you. This tells us your local copy of named is answering requests as that is where you received the list of root servers from. But when dig tries to ask the root name servers how to find gmail.com, dig is unable to contact or get an answer from the root name servers.

This indicates one of two problems.
1) firewall rules are not permitting both udp and tcp port 53 traffic (which I doubt since it works sometimes).
2) your Internet connection is congested and dropping or delaying your traffic to the point that dig gives up trying.

But the use of dig +trace shows much more diagnostic information which points us to the real issue you have.

Lyle Giese
LCR Computer Services, Inc.

On 05/02/12 16:36, Paul Marais wrote:

Thanks Lyle,

You're right - I started using the host command because it was giving me the error I found in the postfix logs... but as I just discovered dig +trace also gives me the error...

I am seeing lots of mailed messages to gmail accounts... and when I do a trace I get the following:

; <<>> DiG 9.7.3 <<>> +trace mx gmail.com
;; global options: +cmd
.    501632  IN  NS  m.root-servers.net.
.    501632  IN  NS  c.root-servers.net.
.    501632  IN  NS  h.root-servers.net.
.    501632  IN  NS  b.root-servers.net.
.    501632  IN  NS  e.root-servers.net.
.    501632  IN  NS  j.root-servers.net.
.    501632  IN  NS  k.root-servers.net.
.    501632  IN  NS  g.root-servers.net.
.    501632  IN  NS  f.root-servers.net.
.    501632  IN  NS  i.root-servers.net.
.    501632  IN  NS  l.root-servers.net.
.    501632  IN  NS  a.root-servers.net.
.    501632  IN  NS  d.root-servers.net.
;; Received 320 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
;; connection timed out; no servers could be reached

If I leave the trace off, I see no error messages... but I get no answer and I do see a warning:

; <<>> DiG 9.7.3 <<>> mx gmail.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32902
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 5
;; WARNING: recursion requested but not available

On May 2, 2012, at 1:42 PM, Lyle Giese wrote:

On 05/02/12 12:12, Paul Marais wrote:

Hi,

I'm having an issue where my postfix server is having trouble with some lookups. When I type 'host hostname', 80% of the time I get decent reply speed, but for 20% I get a 5 second delay, or even a timeout.

My nameserver is configured to only allow recursion for hosts on my local network, and I have my ISP dns in my forwarders. My resolv.conf has 127.0.0.1, my internal ip, and the ip for my isp DNS.

Any help will be greatly appreciated.

Thanks
Paul

Don't use host. It's not telling us what is going wrong and it's only doing an A record lookup of the host name. Postfix does an MX lookup for the domain and then an A record lookup for the mail server(s) in the MX records.

Learn to use dig. Do this:
  dig mx example.com
If the answer is mail.example.com do this:
  dig mx example.com
if either fail do this:
  dig +trace mx example.com
or
  dig +trace mail.example.com
And see if you can catch the failure and then we can do more for you.

The other side of this may be that your Internet connection is overloaded and you are dropping packets or it's taking too long for the query to get out and get the response.

Lyle Giese
LCR Computer Services, Inc.
Re: Host command timing out sporadically
If you have recursion turned off, then no, it won't forward. It tells your named that if it doesn't already know the answer, tell the client "I don't know and won't ask anyone else".

But what about the second scenario below? You checked on scenario 1, but you have not addressed #2.

Besides, the recursion setting in named is immaterial when doing dig +trace. Once dig gets the addresses of the root servers, it stops asking your local copy of named and starts asking the root servers for itself and does not rely any further on named.

Lyle

On 05/02/12 18:59, Paul Marais wrote:

I checked the firewall and I have rules to allow tcp udp on port 53. Is there anything I can do to get more information on why no connection is made to the root servers.

I'm a bit confused.. if I have recursion off shouldn't my local named be forwarding the request to the name server in my forwarders section of the named options.
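The point Lyle makes twice above (dig +trace only asks the local named for the root NS list, then contacts each referral target itself) can be read mechanically off a trace transcript. The following is an added example, not code from the thread: it walks a dig +trace transcript hop by hop and reports which server answered last and where the iteration stopped. The transcripts inside are constructed after Paul's output; the 192.0.2.x addresses are documentation placeholders.

```python
"""Locate where a 'dig +trace' run stopped. Added example, not from the
original posts; the transcripts are constructed (192.0.2.x addresses are
documentation placeholders, not real name servers)."""
import re

# Constructed after the failing trace in the thread: the local named hands
# back the root NS list, then no root server can be reached.
FAILING_TRACE = """\
; <<>> DiG 9.7.3 <<>> +trace mx gmail.com
;; global options: +cmd
.\t\t501632\tIN\tNS\tm.root-servers.net.
.\t\t501632\tIN\tNS\tc.root-servers.net.
.\t\t501632\tIN\tNS\th.root-servers.net.
;; Received 320 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
;; connection timed out; no servers could be reached
"""

# Constructed healthy trace: root referral, TLD referral, final MX answer.
HEALTHY_TRACE = """\
.\t\t501632\tIN\tNS\tm.root-servers.net.
;; Received 320 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
com.\t\t172800\tIN\tNS\ta.gtld-servers.net.
;; Received 500 bytes from 192.0.2.1#53(m.root-servers.net) in 30 ms
gmail.com.\t\t300\tIN\tMX\t5 gmail-smtp-in.l.google.com.
;; Received 100 bytes from 192.0.2.2#53(ns1.google.com) in 40 ms
"""

RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.*)$")
RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+)")
DELEGATION_TYPES = {"NS", "DS", "RRSIG"}   # referral material, not an answer


def diagnose_trace(text):
    """Return {'hops': [...], 'failure': str|None, 'verdict': str}. Each hop
    records the server that answered, the zone it referred for, the NS
    targets it handed back, and any non-delegation (answer) records."""
    hops, referrals, answers, zone = [], [], [], None
    failure = None
    for line in text.splitlines():
        m = RR_LINE.match(line)
        if m:
            owner, rtype, rdata = m.groups()
            if rtype == "NS":
                zone = owner
                referrals.append(rdata.strip())
            elif rtype not in DELEGATION_TYPES:
                answers.append(f"{owner} {rtype} {rdata.strip()}")
            continue
        m = RECEIVED.match(line)
        if m:
            # a 'Received' line closes the hop that produced the records above
            hops.append({"server": m.group(1), "zone": zone,
                         "referrals": referrals, "answers": answers})
            referrals, answers, zone = [], [], None
            continue
        if line.startswith(";; connection timed out"):
            failure = line[3:]
            break
    if not hops:
        verdict = "no server answered: " + (failure or "no 'Received' line in transcript")
    elif failure:
        last = hops[-1]
        verdict = (f"{last['server']} answered with a referral for '{last['zone']}' "
                   f"to {len(last['referrals'])} servers; none of them could be reached "
                   f"(the local named is fine, the path beyond it is not)")
    elif hops[-1]["answers"]:
        verdict = f"complete: final answer from {hops[-1]['server']}"
    else:
        verdict = f"stopped after {hops[-1]['server']} without a final answer"
    return {"hops": hops, "failure": failure, "verdict": verdict}


if __name__ == "__main__":
    for label, trace in (("failing", FAILING_TRACE), ("healthy", HEALTHY_TRACE)):
        print(label, "->", diagnose_trace(trace)["verdict"])
```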
Re: Configuring CNAME for nosslsearch.google.com
On 4/16/2012 3:30 AM, Phil Mayers wrote:

On 04/15/2012 11:40 PM, Tobias Krais wrote:

Hi Ben,

hmm. How can I manage what google suggests:

Information for school network administrators about the No-SSL option
To utilize the no SSL option for your network, configure the DNS entry for www.google.com to be a CNAME for nosslsearch.google.com.

Source: http://support.google.com/websearch/bin/answer.py?hl=enhlrm=enanswer=186669. You can find this quite at the end of the document.

How can I realize such a configuration in bind?

As you've been told, you can't. CNAMEs can't live at zone apex, so you can't have a CNAME at the zone apex of www.google.com. And if you create google.com as a zone, all other hostnames will be blackholed, including nosslsearch.google.com.

I don't know why Google have made that suggestion; it's a bad suggestion, that's not supported by many nameservers. I personally think it's a bad idea to try and disable SSL search for your users too, but that's your decision.

unbound might be able to do this, with a transparent local-zone and local-data override for www.google.com.

___

Or did they really mean, create a hosts file on the local machine that contains... Or in your proxy server redirect www.google.com to nosslsearch.google.com

DNS server software is not very supportive of doing this for good reasons.

Lyle Giese
LCR Computer Services, Inc.
Re: Recursive queries fail after bind has been running for a few hours
I don't look at debug logs and may be WAY off base. But the time period for the log seems to be about 10 seconds start to finish in the failed query. However line 56 indicates that it timed out the query after 30 seconds. That just doesn't add up to me for some reason. Or is there 20 seconds of preceding logs missing when the query started?

Lyle Giese
LCR Computer Services, Inc.

On 03/12/12 15:05, Mr X wrote:

Hey there

I'm having a bizarre issue with 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 - recursive queries stop functioning after bind has been running for a few hours. It's a very low volume system (dev), maybe a few queries per hour at most. It's not due to cache filling or anything like I've dealt with in the past. I suspect it's related to DNSSEC and root-server validation but I could use another set of eyes on my debug log.

Sorry for posting from an inconspicuous e-mail address. My employer asks that I'm careful about the information I disclose on public mailing lists.

You can see my debug log during a failed query: http://pastebin.com/5hh05WjM
Successful query here: http://pastebin.com/H9qSQcyG

If you would like to see my config, I can include portions, but it's huge so please let me know exactly what parts you're looking for.

- Brian
Re: Master/slave configuration
On linux boxes, adding

  options rotate

to /etc/resolv.conf helps.

Lyle Giese
LCR Computer Services, Inc.

On 03/07/12 06:54, Bostjan Skufca wrote:

Problem is, most client resolvers (not resolving nameservers, but resolvers on workstations etc) query the first specified nameserver first, then after a timeout start with the others. You should create a HA IP for such uses.

b.

On 7 March 2012 10:23, ro...@free.fr wrote:

Dear community,

I use bind on my network as DNS Server. Running bind 1:9.6.ESV.R4+dfsg-0+lenny4 on Debian Lenny. The setup is quite usual: one master server with one slave server. The slave syncs the zone from the master.

I discovered that when the master is down I have some trouble accessing the internet and the local domain which is managed by the master server. Symptoms are: slow browsing and some websites can't be reached, seems to be a timeout issue (the server didn't answer in time). I saw that for unreachable websites, the issue was DNS as my tcpdump didn't get any http request.

How can I troubleshoot this issue?

Regards,
Re: CVE-2012-1033 (Ghost domain names) mitigation
On 02/09/12 09:56, Matus UHLAR - fantomas wrote:

Questions:

(1) It looks to me like if the ghost name is in our DNS RPZ zone, then that 'fixes' the problem for that name. Is this correct?

Ghost domain could be redelegated to a new owner and become absolutely legal.

On 09.02.12 07:36, John Hascall wrote:

Caveat Emptor -- if you buy a former TDSS (or some other evil) domain, that's just too bad.

unfortunately, RPZ or DNSSEC - solving this problem depends on the whole world using them, so with this flaw in DNS protocol we're screwed still. When you buy a domain, just check if it's blacklisted anywhere if you want to avoid this

(2) It also looks like restarting bind flushes the cache and that prevents the repopulation of the local cache with names which are ghosts (new different ghost names could, of course, be created). Is this correct?

AFAIK 'rndc flush' will do the same.

Thanks - we're doing a nightly restart for other reasons.

what?

This is just my opinion, but this is not a bug. It's the side effect of a desirable feature called caching. Yea, we can brainstorm how to mitigate the effect, but in order to mitigate a problem, we have to know that there is a problem (revoked or bad domain).

1) How would we (as dns server operators) know when a domain name is revoked? (Gee, sounds like what the US government wants to do and it seems the community does not like that idea and I agree it's a bad idea to put the US DHS in charge of that list.)

2) Restart or flush our DNS cache frequently? Let's assume the A record TTL is 24 hrs. And if we decide to flush the cache once a day? That leaves a whole bunch of time that we are open to this and not much remaining time for the record in cache. I fail to see the benefit here. The idea to flush just the 'bad' domain fails due to #1, IMHO.

3) Maybe I don't understand DNS cache and its relationship with DNSSEC yet.
But if my server caches a good answer (verified via DNSSEC), why would my server recheck the DNSSEC records until the TTL has elapsed? My thinking (and I could be quite wrong here) is that my server will cache a good verified answer and DNSSEC does not seem to help here.

Please let me know where I am wrong here if I am.

Lyle Giese
LCR Computer Services, Inc.
Re: Name resolution issue on one domain
From that machine, do a
  dig +trace fpdns.googlecode.com
and analyze those results. Then try
  dig @ns1.google.com fpdns.googlecode.com
And repeat for the other authoritative name servers for that zone.

And realize that the 'issue' might be transitive, in other words here one minute, gone the next, and that server cached an answer when the problem was present. I can think of several things outside your control or your network that can cause this issue. Route to one of Google's name servers down. Your Internet connection was full and that traffic was dropped or delayed enough to time out the query.

Lyle Giese
LCR Computer Services, Inc.

On 01/12/12 08:11, babu dheen wrote:

Hi,

I can see only the below line in the logs which is no more useful. Actually I would like to find out where exactly the DNS query is blocked during the query process.

client 127.0.0.1#46547: view localhost_resolver: query: fpdns.googlecode.com IN A +

Regards
babu

--- On Thu, 12/1/12, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

From: Matus UHLAR - fantomas <uh...@fantomas.sk>
Subject: Re: Name resolution issue on one domain
To: bind-users@lists.isc.org
Date: Thursday, 12 January, 2012, 4:00 PM

On 12.01.12 15:37, babu dheen wrote:

We have two gateway DNS servers running BIND. One DNS is using one ISP link and the other DNS server is using another ISP link. Today I tried to resolve the below URL from one DNS and it's not working whereas the same lookup is working fine on the other DNS.

Non-authoritative answer:
Name: googlecode.l.google.com
Address: 173.194.69.82
Aliases: fpdns.googlecode.com

Any idea as to why one GW DNS is not giving a result? Except this domain, all other domain name lookups are happening on the same DNS server. How can I find out the exact reason?

Start with searching in the logs of the second server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...
Re: About root zones
On 01/03/12 07:53, Peter Andreev wrote:

2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:

On 21.12.11 19:21, Peter Andreev wrote:
I think that if server is authoritative - and - slave-only it should use system resolver rather than querying by itself.

2012/1/2 Matus UHLAR - fantomas <uh...@fantomas.sk>:
BIND will not use system resolver. BIND is the resolver. Relying on other resolver could cause troubles. If BIND does not need to resolve, it will not. If it needs, don't block it.

On 02.01.12 16:42, Peter Andreev wrote:
I understood your point, however it differs from mine. Matus, I'm afraid we won't find consent on this topic. So I offer you to stop this discussion. Thank you for suggestions and happy new year!

I don't see your point now. I'm afraid that you will have to live with the fact that you can not disable sending queries from BIND when it needs them, you can only prevent it by configuring BIND (so it will not need them) or firewall such packets so they will not get outside (which may break its functionality).

My point: I need my servers to answer with authoritative data only. I need them to not perform anything else. Only get query - send authoritative response. Where in this scenario does BIND have to resolve something? In which scenario (except master notifies) does BIND have to resolve something?

Maybe ISC will patch BIND to use system resolver for internal queries, but I doubt so. Maybe you can do it but imho it's not worth trying. Maybe you can set up forward only; and forwarders {}; so BIND will forward all recursive queries it generates to your recursive servers. But the way you are trying to get over this, I'm afraid you will fail and that's what I am trying to tell you.

I'm free to replace BIND with another authoritative DNS implementation.

Let me ask this question another way. How do you plan to block BIND from making any queries outside the server?
If you want me to log any queries that I don't answer (refused in the logs), I think the default is to look up the reverse of the querying IP address. Do you want to block that type of traffic also? Do you want to block this traffic at the application level or in IPTables?

If you block this traffic via IPTables or an external firewall, lots of things at the OS level get grumpy. For instance, I want to attach to the server using VNC or SSH for maintenance. By default, they want to do a reverse lookup of your ip address before allowing access. Now you wait for that query to time out before you can do your work. That's just a PITA.

And if Bind does want to do any lookups (reverse lookups, go query the root servers for something), now you are forcing it to time out rather than doing the lookup and continuing on its way. Very inefficient use of resources and will cause delays for legit queries.

BIND was designed to be a multipurpose application and as such, it wants and is happier being able to do lookups as needed. You are asking for a specific use case and ISC is not into generating special builds for special or specific use cases unless you contract with them to build and maintain your special build of BIND.

Lyle Giese
LCR Computer Services, Inc.
Re: Subdomain Issue
On 11/09/11 15:59, trm asn wrote:

On Wed, Nov 9, 2011 at 3:15 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:

Now I have only one question:

On 08.11.11 20:27, trm asn wrote:
The moment I have done the rndc reload example.com, the domain and all subdomains became not resolvable.

what does the named's log say?
--

Is there anything wrong if I declare my zone like this as below...

$TTL 300
@       IN      SOA     ns4.example.com. postmaster.example.com. (
                        200806          ; Serial Number
                        10800           ; Refresh after 3 hours
                        3600            ; Retry after 1 hour
                        604800          ; Expire after 1 week
                        300 )           ; Minimum TTL of 1 day
; Name servers
        IN      NS      ns4.example.com
        IN      NS      ns2.example.com
        IN      NS      ns1.example.com
test    IN      NS      ns1973.hostgator.com
test    IN      NS      ns1974.hostgator.com
        IN      A       203.39.45.19
        IN      MX      mail.goole.com
www     IN      CNAME   example.com
a       IN      A       203.39.45.20
b       IN      A       203.39.45.21

Tarak

Where are your A records for your name servers, ns1.example.com, ns2.example.com and ns4.example.com? And please answer the question above, what does the named's log say when starting up?

Lyle Giese
LCR Computer Services, Inc.
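A small zone-file lint, added here as an example (not code from the thread or from BIND), that reads the zone above the way BIND's master-file rules do and reports what Lyle asks about: in-zone name servers with no A/AAAA record, plus names that lack a trailing dot and so get the origin appended, an MX without a preference, and the owner a bare record inherits from the line before it. The zone text inside is a constructed copy of the posted one; the origin example.com. is assumed from the SOA.

```python
"""Lint a BIND master-file zone for the problems discussed above.
Added example, not code from the thread or from BIND; ZONE_TEXT is a
constructed copy of the posted zone and ORIGIN is assumed from its SOA."""
import re

ORIGIN = "example.com."

ZONE_TEXT = """\
$TTL 300
@       IN      SOA     ns4.example.com. postmaster.example.com. (
                        200806          ; Serial Number
                        10800           ; Refresh after 3 hours
                        3600            ; Retry after 1 hour
                        604800          ; Expire after 1 week
                        300 )           ; Minimum TTL of 1 day
; Name servers
        IN      NS      ns4.example.com
        IN      NS      ns2.example.com
        IN      NS      ns1.example.com
test    IN      NS      ns1973.hostgator.com
test    IN      NS      ns1974.hostgator.com
        IN      A       203.39.45.19
        IN      MX      mail.goole.com
www     IN      CNAME   example.com
a       IN      A       203.39.45.20
b       IN      A       203.39.45.21
"""


def qualify(name, origin):
    """Master-file rule: '@' is the origin; a name without a trailing dot is
    relative to the origin and gets it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rrtype, [rdata tokens])]. Handles ';' comments,
    '(' ... ')' multi-line records, $TTL, and blank owners, which inherit
    the owner of the previous record (exactly what bites the posted zone)."""
    records, owner = [], origin
    tokens, blank_owner, depth = [], False, 0
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        if not line.strip():
            continue
        if not tokens:                       # first physical line of a record
            blank_owner = line[:1].isspace()
        tokens += line.replace("(", " ( ").replace(")", " ) ").split()
        depth += line.count("(") - line.count(")")
        if depth:
            continue                         # still inside parentheses
        fields = [t for t in tokens if t not in ("(", ")")]
        tokens = []
        if fields[0].startswith("$"):        # $TTL and friends carry no RR
            continue
        if not blank_owner:
            owner = qualify(fields.pop(0), origin)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                    # optional TTL and class
        records.append((owner, fields[0].upper(), fields[1:]))
    return records


def lint(records, origin):
    """Findings a zone reviewer would raise before loading this zone."""
    findings = []
    addressed = {o for o, t, _ in records if t in ("A", "AAAA")}
    for owner, rtype, rdata in records:
        if rtype in ("NS", "MX", "CNAME"):
            target = rdata[-1]
            if not target.endswith("."):
                findings.append(f"{owner} {rtype} {target}: no trailing dot, "
                                f"BIND reads it as {qualify(target, origin)}")
        if rtype == "MX" and len(rdata) != 2:
            findings.append(f"{owner} MX {' '.join(rdata)}: missing preference")
        if rtype == "NS":
            ns = qualify(rdata[-1], origin)
            in_zone = ns == origin or ns.endswith("." + origin)
            if in_zone and ns not in addressed:
                findings.append(f"{owner} NS {ns}: in-zone name server "
                                f"has no A/AAAA record")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_zone(ZONE_TEXT, ORIGIN), ORIGIN):
        print(finding)
```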
Re: Subdomain Issue
On 11/10/11 12:24, trm asn wrote:
On Thu, Nov 10, 2011 at 8:28 PM, Lyle Giese <l...@lcrcomputer.net> wrote:
On 11/09/11 15:59, trm asn wrote:
On Wed, Nov 9, 2011 at 3:15 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
Now I have only one question:
On 08.11.11 20:27, trm asn wrote:
The moment I have done the rndc reload example.com, the domain and all subdomains became not resolvable.
what does the named's log say?
--
Is there any thing wrong if I declare my zone like this as below...

$TTL 300
@ IN SOA ns4.example.com. postmaster.example.com. (
        200806  ; Serial Number
        10800   ; Refresh after 3 hours
        3600    ; Retry after 1 hour
        604800  ; Expire after 1 week
        300 )   ; Minimum TTL of 1 day
; Name servers
        IN NS ns4.example.com
        IN NS ns2.example.com
        IN NS ns1.example.com
test    IN NS ns1973.hostgator.com
test    IN NS ns1974.hostgator.com
        IN A 203.39.45.19
        IN MX mail.goole.com
www     IN CNAME example.com
a       IN A 203.39.45.20
b       IN A 203.39.45.21

Tarak

Where are your A records for your name servers, ns1.example.com, ns2.example.com and ns4.example.com? And please answer the question above, what does the named's log say when starting up?
Lyle Giese
LCR Computer Services, Inc.

ns4 named[3073]: client 116.48.39.92#61358: update 'example.com/IN' denied
ns4 named[3073]: client 116.48.39.92#64924: updating zone 'example.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

Above are the logs, it's flooded with those error messages.

Tarak

The first error basically states the zone is not set up for Dynamic DNS updates, or at least not from the IP address 116.48.39.92. And that is set up in named.conf, not the zone file (the zone file is what is posted here). The second error is a result of the first error.

Lyle Giese
LCR Computer Services, Inc.
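As an added example (the editor's, not code posted in this thread): a small zone-file check for the question Lyle asks above, whether the name servers listed in NS records inside the zone actually have address records. It also flags a second trap in the posted file, NS targets written without a trailing dot, which named expands relative to the origin. The zone text is a constructed copy of the posted one with whitespace restored (the MX line is left out); the origin example.com. is an assumption, since the thread never shows the zone statement from named.conf.

```python
"""Zone-file sanity check: in-zone NS targets without A/AAAA, and NS targets
written without a trailing dot. Constructed example, not code from the thread."""
import re

ZONE_ORIGIN = "example.com."   # assumed: the name in the named.conf zone statement

# Constructed from the posted file, whitespace restored (MX line omitted).
SAMPLE_ZONE = """\
$TTL 300
@ IN SOA ns4.example.com. postmaster.example.com. (
        200806  ; Serial Number
        10800   ; Refresh after 3 hours
        3600    ; Retry after 1 hour
        604800  ; Expire after 1 week
        300 )   ; Minimum TTL
; Name servers
        IN NS ns4.example.com
        IN NS ns2.example.com
        IN NS ns1.example.com
test    IN NS ns1973.hostgator.com
test    IN NS ns1974.hostgator.com
        IN A 203.39.45.19
www     IN CNAME example.com
a       IN A 203.39.45.20
b       IN A 203.39.45.21
"""

# Same file with a trailing dot added to every NS target; the A records
# for ns1/ns2/ns4 are still missing, which is exactly Lyle's question.
FIXED_ZONE = re.sub(r"(IN NS \S+[^.\s])$", r"\1.", SAMPLE_ZONE, flags=re.M)


def _logical_lines(text):
    """Strip ';' comments and join '( ... )' continuation lines into one record."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out


def fqdn(name, origin):
    """Zone-file name rules: '@' is the origin, a trailing dot is absolute,
    anything else is relative to the origin (the source of the NS trap)."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, rrtype, [rdata tokens])]; a blank owner column inherits
    the previous owner, exactly as named reads it."""
    records, last_owner = [], origin
    for logical in _logical_lines(text):
        if logical.startswith("$"):
            continue                      # $TTL / $ORIGIN not needed here
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if logical[0].isspace():
            owner = last_owner
        else:
            owner = fqdn(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                 # explicit per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def relative_ns_targets(records):
    """NS targets written without a trailing dot: named appends the origin."""
    return [rd[0] for _, rt, rd in records if rt == "NS" and not rd[0].endswith(".")]


def missing_glue(records, origin):
    """In-zone NS targets that have no A/AAAA record in the file."""
    addressed = {o for o, rt, _ in records if rt in ("A", "AAAA")}
    missing = set()
    for _, rt, rd in records:
        if rt != "NS":
            continue
        target = fqdn(rd[0], origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in addressed:
            missing.add(target)
    return sorted(missing)


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, ZONE_ORIGIN)
    print("NS targets without trailing dot:", relative_ns_targets(recs))
    print("NS targets lacking A/AAAA:", missing_glue(recs, ZONE_ORIGIN))
    print("after adding dots:", missing_glue(parse_zone(FIXED_ZONE, ZONE_ORIGIN), ZONE_ORIGIN))
```

Running it on the file as posted reports all five NS targets as relative (ns4.example.com.example.com. and so on) and, after the dots are added, still reports ns1, ns2 and ns4 as lacking address records. Note also that the parser, following the blank-owner rule, attaches the apex A record to test.example.com., because the A line follows the two "test" NS lines in the posted file.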
Re: several master ip's for a slave zone
On 11/05/11 03:21, kalpesh varyani wrote:
How does this feature address the risk that data provided by one master might get overwritten by another?
Regards,
Kalpesh

On Fri, Nov 4, 2011 at 4:08 AM, Anand Buddhdev <ana...@ripe.net> wrote:
On 03/11/2011 23:14, hugo hugoo wrote:
Hi Hugo,
I have seen that for a slave zone, it is possible to configure several master IP's. Why this possibility? How does it work if several master zones can be used for the zone transfer?
This allows for resiliency. In case one of the master servers is unreachable, BIND can try the next master in the list.
Anand Buddhdev
RIPE NCC

When you have more than one master, the serial number is used by the slaves to determine which master has the most current version of the zone. The slaves actually ask for the SOA record from each master when refreshing.

Lyle Giese
LCR Computer Services, Inc.
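As an added example (the editor's, not code from this thread or from BIND): the decision a secondary makes when it has several primaries to choose from, written out in Python. Each reachable primary's SOA serial is compared with RFC 1982 serial-number arithmetic (32-bit, wrapping), which is what lets a serial that rolled over past 2^32 - 1 still count as newer; a primary whose serial is equal or lower is simply ignored, which is the answer to Kalpesh's question. The addresses and serials are constructed test data, and named's own order of polling its primaries is not modelled.

```python
"""Choosing a primary by SOA serial with RFC 1982 arithmetic.
Constructed example; not BIND code."""

MOD = 1 << 32
HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982: a > b when a is 'ahead' of b by less than 2^31 modulo 2^32.
    A difference of exactly 2^31 is undefined by the RFC; treat it as not newer."""
    a, b = a % MOD, b % MOD
    if a == b:
        return False
    return (a > b and a - b < HALF) or (a < b and b - a > HALF)


def pick_primary(current_serial, soa_by_primary):
    """soa_by_primary maps primary address -> serial it returned, or None when
    the SOA query failed. Returns (address, serial) of the primary holding the
    newest copy, or None if nobody is newer than what we already serve. Equal
    or lower serials are ignored, so stale data on one primary cannot overwrite
    a newer copy already loaded from another."""
    best, best_serial = None, current_serial
    for addr, serial in soa_by_primary.items():
        if serial is None:
            continue                      # unreachable: try the next one
        if serial_gt(serial, best_serial):
            best, best_serial = addr, serial
    return (best, best_serial) if best is not None else None


if __name__ == "__main__":
    # Constructed: first primary down, second newest, third slightly behind it.
    polled = {"192.0.2.1": None, "192.0.2.2": 2011110503, "192.0.2.3": 2011110502}
    print(pick_primary(2011110501, polled))          # ('192.0.2.2', 2011110503)
    print(pick_primary(4294967295, {"192.0.2.1": 5}))  # wrapped serial is newer
```

The check that is missing here, and in the protocol, is content: two primaries that both answer with the same serial but carry different data are indistinguishable to the secondary. The practical defence is to make the serial the only thing that changes, for instance by editing on one hidden primary and having the others transfer from it.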
Re: DNSSEC and forward zones
On 11/1/2011 11:23 AM, Phil Mayers wrote:
On 01/11/11 16:14, vinny_abe...@dell.com wrote:
resolution fail since NXDOMAIN is the valid answer... done, end of story. I thought the forwarder type would bypass this but apparently I am wrong. Is there some other way to handle this for non-existent domains just for testing purposes?
Don't do this. Use a domain you own, and can put a valid (insecure) delegation into. It might be possible with type static-stub in bind 9.8, but I don't think so; I think it'll have the same effect.

A work-around (and it has some side effects and could be undesirable, just be aware of the side effects of doing this) is to declare .internal as a master zone in your DNS servers and then delegate policydomain.internal to your Windows AD servers in your .internal zone. I am not saying this is a perfect answer, but it worked for me in a similar situation.

Lyle Giese
LCR Computer Services, Inc.
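The workaround Lyle describes, written out as an added example (the editor's, not configuration from this thread): the resolver is made authoritative for the private top-level name and carries an ordinary delegation, with glue, down to the AD servers. The file path, the resolver's own address 192.0.2.53 and the AD addresses 10.0.100.205/206 are assumptions; the only thing taken from the thread is the name policydomain.internal.

```conf
// named.conf: serve the private top-level name "internal" ourselves.
zone "internal" {
    type master;
    file "/var/named/internal.zone";
};

; /var/named/internal.zone (assumed path and addresses)
$TTL 3600
@    IN SOA ns1.internal. hostmaster.internal. (
         2011110101 ; serial
         3600       ; refresh
         900        ; retry
         604800     ; expire
         300 )      ; negative-cache TTL
@    IN NS  ns1.internal.
ns1  IN A   192.0.2.53                 ; this resolver itself (assumed)

; Delegate policydomain.internal to the AD domain controllers, with glue
; so the delegation is usable without a further lookup.
policydomain      IN NS dc1.policydomain.internal.
policydomain      IN NS dc2.policydomain.internal.
dc1.policydomain  IN A  10.0.100.205
dc2.policydomain  IN A  10.0.100.206
```

The side effect Lyle warns about is structural: every resolver that must see these names needs the same locally served "internal" zone, and the delegation is unsigned, so check the behaviour you get with dig +dnssec on a client before relying on it, and keep the private names under a name you control where you can (as Phil suggests) if that is an option.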
Re: Problems with nic.it
On 09/20/11 02:20, Lucio Crusca wrote:
Hello *,
I'm new here though I've been using bind for about 10 years. I've just transferred a domain under the .it TLD for the first time. Here in Italy we have nic.it that regulates the .it domain names registrations and transfers. The domain transfer went ok, and now I have access to the control panel of the domain where I can set the NS records. I'd like to set those NS records to a Linux box running bind9 (9.7.0.dfsg.P1-1ubuntu0.3). However nic.it is refusing to change the NS records, because the new receiving nameservers are failing some automatic checks nic.it performs before changing the NS records. My hosting provider (the one where I transferred the domain) should tell me exactly what checks are failing, but, being the first time I have such problems, I don't know how long they will take to give me that information. I've waited for 4 days until now.
Hence I wonder if there existed any public DNS checker that could check a DNS which is not the NS pointed server yet, so that I could check the new DNS myself before submitting a new NS record change and going through the hassle of waiting nic.it automated checks, eventual failure and assistance from my hosting provider. Is there such a thing?
TIA
Lucio.

Just a quick question, have you registered your name servers with your domain registrar? nic.it may be looking for the necessary glue records.

Lyle Giese
LCR Computer Services, Inc.
Bug in Bind 9.8 or am I doing something wrong?
I was following Mark Andrews' discussion with a user about DNSSEC and played with it here and found an issue. Not sure if I am doing something wrong or if there is a bug somewhere.

We have a Windows AD domain and use BIND 9.8 on our Linux servers for most DNS resolution. In order to politely set things up, I forwarded the queries for AD zones to the Windows server:

zone chaseprod.local {
    type forward;
    forwarders { 10.0.100.205; };
};

This seemed to work until I added some stuff for DNSSEC to my named.conf. In the global options section, I have:

dnssec-enable yes;
dnssec-validation auto;
dnssec-lookaside auto;

And as a general option, I added:

include /etc/bind.keys;

Under BIND 9.8.0-P4 and BIND 9.8.1 (compiled from source with no special options under SLES 10), resolution of a valid record in the forwarded zone fails when I added the above dnssec options:

; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 58140
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local. IN A

;; AUTHORITY SECTION:
. 10794 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2011090600 1800 900 604800 86400

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 6 08:43:25 2011
;; MSG SIZE rcvd: 123

If I comment out dnssec-validation auto and the include for bind.keys, the resolution for the forwarded zone works:

; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7529
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 13, ADDITIONAL: 3

;; QUESTION SECTION:
;chasew8s1.corp.chaseprod.local. IN A

;; ANSWER SECTION:
chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.102.10
chasew8s1.corp.chaseprod.local. 2599 IN A 10.0.100.205

;; AUTHORITY SECTION:
. 517399 IN NS l.root-servers.net.
. 517399 IN NS d.root-servers.net.
. 517399 IN NS k.root-servers.net.
. 517399 IN NS i.root-servers.net.
. 517399 IN NS a.root-servers.net.
. 517399 IN NS g.root-servers.net.
. 517399 IN NS m.root-servers.net.
. 517399 IN NS b.root-servers.net.
. 517399 IN NS j.root-servers.net.
. 517399 IN NS f.root-servers.net.
. 517399 IN NS h.root-servers.net.
. 517399 IN NS e.root-servers.net.
. 517399 IN NS c.root-servers.net.

;; ADDITIONAL SECTION:
j.root-servers.net. 604029 IN AAAA 2001:503:c27::2:30
l.root-servers.net. 604031 IN A 199.7.83.42
m.root-servers.net. 604061 IN A 202.12.27.33

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Sep 6 08:42:47 2011
;; MSG SIZE rcvd: 351

Is this a bug or am I doing something wrong?

Thanks,
Lyle Giese
LCR Computer Services, Inc.
Re: Bug in Bind 9.8 or am I doing something wrong?
On 9/6/2011 9:13 AM, Tony Finch wrote:
Lyle Giese <l...@lcrcomputer.net> wrote:
zone chaseprod.local { type forward; forwarders { 10.0.100.205; }; };
This seemed to work until I added some stuff for DNSSEC to my named.conf.
In order to forward a zone in the presence of DNSSEC validation, the zone has to have a valid delegation in the public DNS. You can't use forwarding to splice some private namespace onto the public DNS. There is a new static-stub zone type which should avoid this problem, though it has a number of other differences from a forwarding configuration.
Tony.

Changing zone to:

zone chaseprod.local {
    type static-stub;
    server-addresses { 10.0.100.205; };
};

And adding back in the DNSSEC stuff, it's still broken, but the output from dig changes.

; <<>> DiG 9.8.0-P4 <<>> @127.0.0.1 chasew8s1.corp.chaseprod.local
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Very informative. But if I disable DNSSEC, resolution using a static-stub zone does work.

Lyle Giese
LCR Computer Services, Inc.
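As an added example (the editor's, not configuration from this thread or from ISC): current BIND 9 has an option that was not available in the 9.8 releases discussed here, validate-except (documented in the 9.16 ARM), which tells the validator to leave a named subtree alone while every other name is still validated. This is the direct fix for the problem in this thread, a private name that has no delegation in the public DNS and so can never validate. The zone name and the AD server address are the ones from the thread; everything else is an assumption.

```conf
options {
    dnssec-validation auto;
    // Names at and below chaseprod.local are answered without DNSSEC
    // validation; all other names are still validated normally.
    validate-except { "chaseprod.local"; };
};

// Hand the private zone to the AD server directly. Unlike "forward",
// static-stub tells named that 10.0.100.205 is authoritative for the
// zone, so no referral through the public root is attempted.
zone "chaseprod.local" {
    type static-stub;
    server-addresses { 10.0.100.205; };
};
```

For a one-off test rather than a permanent carve-out, rndc nta chaseprod.local installs a negative trust anchor with the same effect for a limited time (one hour by default). Keep the exclusion list to names you actually control: every name you add is one the validator can no longer protect.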
Re: Seemingly random ServFail issues on a caching server
On 8/31/2011 8:40 AM, Florian CROUZAT wrote:
Florian CROUZAT wrote on 2011-08-25:
Hi list,
On a few domains (we'll consider only one domain for this example) I encounter sometimes (seemingly random) ServFails while resolving domain names. A client (192.168.147.2) asks my caching server (192.168.151.100) to resolve a target (www.leclercdrive.fr). Here are the relevant logs:

Aug 24 17:14:19 ns named[24929]: 24-Aug-2011 17:14:19.377 queries: info: client 192.168.147.2#34502: view internal: query: www.leclercdrive.fr IN A +
Aug 24 17:14:19 ns named[24929]: 24-Aug-2011 17:14:19.380 queries: info: client 192.168.147.2#34502: view internal: query: www.leclercdrive.fr IN A +
Aug 24 17:14:19 ns named[24929]: 24-Aug-2011 17:14:19.382 queries: info: client 192.168.147.2#34502: view internal: query: www.leclercdrive.fr IN A +

A tcpdump on the local side of the NS server shows the A request and the instant ServFail. A tcpdump on the external side of the NS server shows no traffic at all in this case, meaning it fails internally and doesn't even try to forward the A request to the Internet.

17:14:19.377608 IP 192.168.147.2.34502 > 192.168.151.100.53: 26340+ A? www.leclercdrive.fr. (37)
17:14:19.378845 IP 192.168.151.100.53 > 192.168.147.2.34502: 26340 ServFail 0/0/0 (37)
17:14:19.380607 IP 192.168.147.2.34502 > 192.168.151.100.53: 52628+ A? www.leclercdrive.fr. (37)
17:14:19.381383 IP 192.168.151.100.53 > 192.168.147.2.34502: 52628 ServFail 0/0/0 (37)
17:14:19.382605 IP 192.168.147.2.34502 > 192.168.151.100.53: 58933+ A? www.leclercdrive.fr. (37)
17:14:19.383406 IP 192.168.151.100.53 > 192.168.147.2.34502: 58933 ServFail 0/0/0 (37)

A few minutes before, or later, it worked just fine, see:

17:15:58.736177 IP 192.168.147.2.34502 > 192.168.151.100.53: 49610+ A? www.leclercdrive.fr. (37)
17:15:58.784470 IP 192.168.151.100.53 > 192.168.147.2.34502: 49610 3/3/6 CNAME[|domain]

The TTL of the www.leclercdrive.fr entry is 300 - which seems short to me - maybe the ServFail happens when a request is treated at the exact time of the TTL reaching zero and the cache entry being flushed? I tried flushing the cache using rndc but the first request after that worked just fine (of course...)
Any ideas/hints are welcome.
The DNS server runs 1:9.5.1.dfsg.P3-1+lenny1
cat /etc/debian_version = 5.0.4
(I have no control on the version of the tools)

I found in my logfiles a few other domains where the ServFails happen; their respective TTLs are all different, from 300 sec to 86400. I still have no idea at all how to resolve this issue and as far as I investigated, I haven't been able to identify a pattern in those ServFails. I'm not even sure the TTL is involved since I saw two ServFails separated in time by less than the TTL value of the entry...
Florian

The authoritative name servers for leclercdrive.fr are a.dns.gandi.net, b.dns.gandi.net and c.dns.gandi.net. I don't know how big gandi.net is, but traceroutes to those servers end up going through Level3 in Baltimore, MD from here. They did have a hurricane go through there and I would not be surprised if traffic levels have been a bit high for the last few days.

Lyle
Re: DNS Caching Issue
On 07/25/11 09:22, Sathyan Arjunan (sarjunan) [CONTRACTOR] wrote:
Recent days, I am facing frequent caching issues with my DNS servers which are responsible for recursive lookup to external queries. As a temporary solution, we used to refresh the named daemon to clear the cache. To isolate this issue we upgraded the BIND to "BIND 9.7.3" but even after the upgrade the issue repeats.
If I do a nslookup for "mail.sin.gpi-g.com", it fails.

nslookup mail.sin.gpi-g.com
Server: dnsserver
Address: x.x.x.x#53
** server can't find mail.sin.gpi-g.com: SERVFAIL

To fix this I have to restart the named daemon in the caching DNS server. Once I restart, the lookup resolves well. However the issue appears again in a few days. Any thoughts?

nslookup mail.sin.gpi-g.com
Server: dnsserver
Address: x.x.x.x#53
Non-authoritative answer:
Name: mail.sin.gpi-g.com
Address: 203.175.163.180

Regards,
--Sathyan

Simple, ask both nameservers for the domain sin.gpi-g.com and you get different answers. They have serious DNS problems.

Lyle Giese
LCR Computer Services, Inc.

dig @192.5.6.30 sin.gpi-g.com

; <<>> DiG 9.7.3 <<>> @192.5.6.30 sin.gpi-g.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24506
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;sin.gpi-g.com. IN A

;; AUTHORITY SECTION:
gpi-g.com. 172800 IN NS nameserver1.gpi-g.com.
gpi-g.com. 172800 IN NS nameserver2.gpi-g.com.

;; ADDITIONAL SECTION:
nameserver1.gpi-g.com. 172800 IN A 202.169.51.115
nameserver2.gpi-g.com. 172800 IN A 202.182.61.51

;; Query time: 95 msec
;; SERVER: 192.5.6.30#53(192.5.6.30)
;; WHEN: Mon Jul 25 19:15:22 2011
;; MSG SIZE rcvd: 115

dig @202.169.51.115 mail.sin.gpi-g.com

; <<>> DiG 9.7.3 <<>> @202.169.51.115 mail.sin.gpi-g.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6393
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail.sin.gpi-g.com. IN A

;; ANSWER SECTION:
mail.sin.gpi-g.com. 38400 IN A 203.175.163.180

;; AUTHORITY SECTION:
sin.gpi-g.com. 38400 IN NS nameserver2.gpi-g.com.

;; ADDITIONAL SECTION:
nameserver2.gpi-g.com. 14400 IN A 202.182.61.51

;; Query time: 300 msec
;; SERVER: 202.169.51.115#53(202.169.51.115)
;; WHEN: Mon Jul 25 19:15:48 2011
;; MSG SIZE rcvd: 94

dig @202.182.61.51 mail.sin.gpi-g.com

; <<>> DiG 9.7.3 <<>> @202.182.61.51 mail.sin.gpi-g.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3923
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mail.sin.gpi-g.com. IN A

;; Query time: 301 msec
;; SERVER: 202.182.61.51#53(202.182.61.51)
;; WHEN: Mon Jul 25 19:16:02 2011
;; MSG SIZE rcvd: 36
Re: Bind time up.
On 07/23/11 09:33, Vbvbrj wrote:
On 23.07.2011 17:24, Lyle Giese wrote:
On 07/23/11 03:22, Vbvbrj wrote:
Hello.
I have a server at home that runs BIND 9 DNS and routes internal traffic to the internet. It's working fine. When I'm out of home, I disconnect my home switch. In the bind log appears "no longer listening on 192.168.0.1#53". After a return to home and connecting the switch, BIND does not respond to the internal LAN for a long time till BIND starts listening. Or I have to reload the BIND service or reload configs with rndc. How to tell BIND to not stop listening on cable-disconnected adapters?
Thank you
Why are you doing this? That is disruptive to the NIC inside the OS and that gets passed on to BIND. If you are just doing this for security reasons, disconnecting the cable to your Internet connection might accomplish the same thing and not be as disruptive.
Lyle
I'm disconnecting all in-house electrical devices except for my server and some devices. I'm doing this for electrical economy. So, the home switch is not used while I'm out; I disconnect it too.

Your server takes a lot more power than a switch does.

Lyle
Re: Bind time up.
On 07/23/11 11:13, Vbvbrj wrote:
On 23.07.2011 19:00, Lyle Giese wrote:
On 07/23/11 09:33, Vbvbrj wrote:
On 23.07.2011 17:24, Lyle Giese wrote:
On 07/23/11 03:22, Vbvbrj wrote:
Hello.
I have a server at home that runs BIND 9 DNS and routes internal traffic to the internet. It's working fine. When I'm out of home, I disconnect my home switch. In the bind log appears "no longer listening on 192.168.0.1#53". After a return to home and connecting the switch, BIND does not respond to the internal LAN for a long time till BIND starts listening. Or I have to reload the BIND service or reload configs with rndc. How to tell BIND to not stop listening on cable-disconnected adapters?
Thank you
Why are you doing this? That is disruptive to the NIC inside the OS and that gets passed on to BIND. If you are just doing this for security reasons, disconnecting the cable to your Internet connection might accomplish the same thing and not be as disruptive.
Lyle
I'm disconnecting all in-house electrical devices except for my server and some devices. I'm doing this for electrical economy. So, the home switch is not used while I'm out; I disconnect it too.
Your server takes a lot more power than a switch does.
Lyle
When I'm out, I don't need the switch on. I may need the information on the server.

Named was written to expect to connect to an assigned IP address by port (default TCP/UDP 53). When booting a server, I have found that network services have to be up and available, or named, when it starts and fails to find the IP addresses it's assigned to in /etc/named.conf, will fail to start up and just exit. I consider this to be normal behavior. Named says: I am expected to provide services on port 53 (TCP and UDP) on these IP addresses; if I can not do that, I can not supply the services expected, so I will exit. When I experience this, it fails to find any addresses to attach to, not just fails to attach to one of several assigned.

Named was programmed to work in an always-connected environment. So when it's told that a network interface that it's attached to disappeared, I don't think it's named's job to sit around and look for it to come back online. That's not what it is expected to do in a normal environment. Maybe you think that's a feature that should be added, but most of us don't need that. We put named on a computer that is always on and always attached to all of its assigned networks. IMHO, that's just added fluff that is unnecessary and will add bloat to named.

Lyle Giese
LCR Computer Services, Inc.
Re: about the dig
On 7/19/2011 1:16 AM, Feng He wrote:
On Tue, Jul 19, 2011 at 1:50 PM, Marc Lampo <marc.la...@eurid.eu> wrote:
the list cannot be built-in, because some organisations work with an internal root. The local caching name server is the only one to know those new roots.)
I don't think so. BIND 9 has the built-in root list.

BIND is the name of a collection of DNS related software and consists of many pieces, of which named and dig are but two. To the best of my knowledge, only named has a root list built in, which can be overwritten by the proper use of config directives in named.conf.

Lyle Giese
LCR Computer Services, Inc.
Re: DDNS propagation between views
On 07/08/11 16:06, Joseph L. Casale wrote:
Hm, are you using the same zonefile for both your versions of the zone, trying to share it between multiple views? If you are - don't. Views are an abomination, giving people plenty of rope to hang themselves with AND plenty of chances to shoot themselves in the feet :D
Ahh, yes you are right, I am sharing a zone file between views. How does one achieve acl matches without the use of views? I have a split dns setup specifically on this bind instance and don't know how to achieve this without views?
Thanks!
jlc

You can have views and separate zone files. You need to plan, and it helps to read the FAQs at ISC about this.
http://www.isc.org/faq/item/191
http://www.isc.org/faq/item/182

Lyle Giese
LCR Computer Services, Inc.
Re: DDNS propagation between views
On 07/08/11 19:45, Joseph L. Casale wrote:
You can have views and separate zone files. You need to plan and it helps to read the FAQs at ISC about this.
http://www.isc.org/faq/item/191
Didn't even think about it that way, ok.
http://www.isc.org/faq/item/182
How does one actually do away with views if that was an approach? Docs suggest acl's can be used outside a views clause, so I presume the use of allow-query directives would facilitate this. Just curious as it was mentioned... Thanks for the pointers!
jlc

ACLs determine what services you will render to that client. But I don't think you can change an answer based on ACLs. In other words, you can restrict recursive queries, but you can not give answer 1 to question A while using ACLs to give answer 2 to question A. This requires views, and you separate the clients by ACLs inside the views clause. You could use separate named processes, with separation by listening on different IP addresses, to do the same thing.

Using views, you probably need to understand TSIG to get zone transfers straight. I don't think it's hard, but you do need to get your thought patterns in order.

Lyle
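The arrangement Lyle describes, as an added example (the editor's, not configuration from this thread): two views of the same zone, each with its own zone file, and TSIG keys doing the job he mentions, steering a secondary's transfer request into the right view as well as authenticating it. The zone name, key names, file paths and the 192.168.0.0/24 LAN are assumptions; the secrets are placeholders to be replaced with tsig-keygen output.

```conf
// Keys authenticate zone transfers AND select the view a signed request
// lands in. Generate real secrets with: tsig-keygen internal-xfer
key "internal-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-FROM-tsig-keygen";
};
key "external-xfer" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-FROM-tsig-keygen";
};

acl "lan" { 192.168.0.0/24; 127.0.0.1; };

view "internal" {
    // A request signed with the external key must not fall into this view
    // merely because it arrives from a LAN address, so reject it first;
    // order matters, match-clients is evaluated top to bottom.
    match-clients { !key external-xfer; key internal-xfer; lan; };
    recursion yes;
    zone "example.com" {
        type master;                               // "primary" in newer BIND
        file "/var/named/internal/example.com.zone";
        allow-transfer { key internal-xfer; };     // only signed transfers
    };
};

view "external" {
    match-clients { !key internal-xfer; key external-xfer; any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/var/named/external/example.com.zone";   // a different file
        allow-transfer { key external-xfer; };
    };
};
```

A secondary signs its requests for the matching view with a server statement naming the key, for example server 192.168.0.10 { keys { internal-xfer; }; }; on the internal secondary (address assumed). The two negated key entries are the part people forget: without them, a secondary holding the external key that happens to sit on the LAN would be matched into the internal view and transfer the internal data.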
Re: questions on the dig info
On 07/08/11 20:07, Feng He wrote:
Hello list,

$ dig www.qq.com ns @ns1.qq.com

; <<>> DiG 9.4.2-P2.1 <<>> www.qq.com ns @ns1.qq.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50734
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.qq.com. IN NS

;; ANSWER SECTION:
www.qq.com. 86400 IN NS ns-tel1.qq.com.
www.qq.com. 86400 IN NS ns-tel2.qq.com.

;; AUTHORITY SECTION:
qq.com. 86400 IN NS ns4.qq.com.
qq.com. 86400 IN NS ns1.qq.com.
qq.com. 86400 IN NS ns2.qq.com.
qq.com. 86400 IN NS ns3.qq.com.

;; Query time: 7 msec
;; SERVER: 219.133.62.252#53(219.133.62.252)
;; WHEN: Sat Jul 9 08:58:38 2011
;; MSG SIZE rcvd: 144

$ dig www.qq.com ns @ns-tel1.qq.com

; <<>> DiG 9.4.2-P2.1 <<>> www.qq.com ns @ns-tel1.qq.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44393
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.qq.com. IN NS

;; AUTHORITY SECTION:
qq.com. 86400 IN SOA ns1.qq.com. webmaster.qq.com. 1293074536 300 600 86400 86400

;; Query time: 7 msec
;; SERVER: 121.14.73.115#53(121.14.73.115)
;; WHEN: Sat Jul 9 08:59:07 2011
;; MSG SIZE rcvd: 78

I have two questions about the two dig outputs above.
First, why does ns1.qq.com (which is the authority nameserver for the zone of qq.com, not www.qq.com) return the authority answer for www.qq.com's NS query? and even includes an AA flag in the response.

The qq.com zone is the parent of the subdomain www.qq.com, so it has to have knowledge of the name servers for the www.qq.com subdomain. That is how a recursive name server finds www.qq.com.

Second, why does ns-tel1.qq.com (which is the authority nameserver for the zone of www.qq.com) return nothing for this zone's NS query?

Misconfiguration of ns-tel1.qq.com, or it's not allowed to give you that answer. Hard to tell from here. The view from here does not show ns-tel1.qq.com to be authoritative for www.qq.com.

Lyle Giese
LCR Computer Services, Inc.
Re: a death loop with DNS query
On 7/6/2011 5:52 AM, Feng He wrote:
When I dig this:
dig s1.mytest.blogchina.org +trace
I got many of these lines:

mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 95 bytes from 183.60.59.217#53(ns1.dnsv5.com) in 6 ms

mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 95 bytes from 112.90.143.36#53(ns1.dnsv5.com) in 116 ms

mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 95 bytes from 180.153.162.153#53(ns2.dnsv5.com) in 27 ms

mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 95 bytes from 221.130.12.61#53(ns2.dnsv5.com) in 165 ms

mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 95 bytes from 122.225.217.194#53(ns2.dnsv5.com) in 24 ms

mytest.blogchina.org. 600 IN NS ns1.dnsv5.com.
mytest.blogchina.org. 600 IN NS ns2.dnsv5.com.

What does this death loop mean? How did it happen?
Thanks.

That is not a loop at all. If you do an A record query for ns1.dnsv5.com and ns2.dnsv5.com, you get four A records returned for each. However, at least from here, and it appears from where you are doing the queries, these name servers are not responding. So dig is just trying all the A records returned.

Lyle Giese
LCR Computer Services, Inc.
Re: Problem with name resolving
On 07/02/11 04:48, Markus Feldmann wrote:
On 01.07.2011 22:43, Lyle Giese wrote:
I don't know dyndns.com services that well. I don't know what they support or do not support directly.
I added two hosts at dyndns.org, test-feldland.dyndns.org and feldland.dyndns.org; both would have the same IP, could this work? At the weekend my server is down.

Again, I am not 100% familiar with dyndns's Terms of Service. I do not know if you have a free or paid account with them; it matters in what TOS you fall under. As long as dyndns has the correct IP address in their database and are willing to serve that data, yes, you could reach your web services via feldland.dyndns.org and test-feldland.dyndns.org. You may have to adjust your virtual host settings accordingly, but that is outside the scope of this list.

Lyle Giese
LCR Computer Services, Inc.
Re: Problem with name resolving
On 07/02/11 04:37, Markus Feldmann wrote:
On 01.07.2011 22:43, Lyle Giese wrote:
On 07/01/11 14:13, Markus Feldmann wrote:
On 01.07.2011 18:35, Lyle Giese wrote:
You are right in that you only need one host at dyndns.org to update your IP address, but you want to have two different websites. The proper way to do that is with CNAME entries pointing to the host you are updating at connect time.
Do I need to open my firewall for port 53? :-( Is there another way? Maybe to add two virtual hosts at dyndns.org with the same IP?
regards
Markus
I don't know dyndns.com services that well. I don't know what they support or do not support directly. Using an example, I have lcrcomputer.com. If I set up a dynamic dns host with dyndns.org and wanted two host names pointing there, I would do this:
1) set up a dynamic host at dyndns: host.dyndns.org
2) in the LCRCOMPUTER.COM zone I would add two entries:
host1.lcrcomputer.com. in cname host.dyndns.org.
host2.lcrcomputer.com. in cname host.dyndns.org.
In which zone file? db.feldland.lan or in db.192.168.0? Or in both?

db.192.168.0 is for reverse lookups, mapping IP addresses to a host name. 192.168.0.x is part of the RFC1918 reserved IP addresses and should never be exposed to the Internet. db.feldland.lan is a private, internal-to-your-LAN domain that is not registered anywhere, and therefore nobody out on the Internet should be looking for hosts there. In my example, LCRCOMPUTER.COM is a legal and registered domain name on the Internet.

And would it be possible to only allow the DNS server at dyndns.org and my provider to contact my bind9 server and not the rest of the world? Or does it make no sense for name resolving?

We have not established a sane question for them to ask of your name server.

Lyle Giese
LCR Computer Services, Inc.
Re: Problem with name resolving
On 07/01/11 05:02, Markus Feldmann wrote:
Hi All,
I have a private network with a Debian Lenny server/router and the services BIND 9.7.3 (DDNS) / DHCP 4.1.1 / PPPOE 3.8 / CUPS 1.4.4 / APACHE 2.2.16 and kernel 2.6.37.2.
My problem is that it can not resolve itself and, regardless from which PC I do a ping, I can not resolve my two name-based virtual hosts. Further on, I do not know how best to set up my network dynamically. When my pppd program dials in it gets two nameservers, which it shall save in /etc/resolv.conf or not? When I save these two nameservers in /etc/resolv.conf I have problems resolving my local network, but when pppoe does not save these two nameservers, I have problems resolving internet names from my server's view.
Further on, I can not reach my two virtual Apache hosts www.feldland.dyndns.org, test.feldland.dyndns.org, but I can reach feldland.dyndns.org which leads me to test.dyndns.org.
Here are my name-based virtual hosts defined with port 80:
/etc/apache2/sites-enabled/umleiten -- http://paste.pocoo.org/show/425695/
All requests will be redirected to port 443:
cat /etc/apache2/sites-enabled/standard-ssl -- http://pastebin.com/BPZDTMGF
The DDNS/DHCP service seems to work. So I post not all configs but only the involved configs, I think.

/etc/resolv.conf:
domain feldland.lan
search feldland.lan
nameserver 0.0.0.0
nameserver 192.168.2.1

/etc/host.conf:
order hosts,bind
multi on

/etc/hostname:
feld-server

/etc/hosts:
127.0.0.1 localhost
192.168.0.186 feld-server.feldland.lan feld-server

/etc/networks:
default 0.0.0.0
loopback 127.0.0.0
link-local 169.254.0.0

My DNS server shall only be representative for my local network, regardless from which client or server in my network, and all other Internet requests shall be redirected to my Arcor DNS server.
Further on, I post some commands which evidence my problem:
Some nslookup -- http://pastebin.com/aLKay6F9
Some dig -- http://pastebin.com/WfCrssMD
Any hints or ideas?
regards
Markus

Markus,
To be sure, you know that nslookup and dig do NOT use the search parameter in /etc/resolv.conf. So when you do an nslookup or dig query, you have to use the fully qualified domain name (FQDN). PING uses the search parameter in /etc/resolv.conf, so that can be a source of confusion for you.

You have not posted your named.conf or the contents of any local zone files you may be using. Those are important for troubleshooting this issue.

It would appear that you set up the dyndns client on your Debian box to update feldland.dyndns.org. But how and where do you update the other two, www.feldland.dyndns.org and test.feldland.dyndns.org? Or did you forget to create those at dyndns.org?

Lyle Giese
LCR Computer Services, Inc.
Re: about the reference
On 07/01/11 03:47, Jeff Peng wrote:
> Hello,
>
> Please see this reference:
>
> $ dig mydots.net @j.gtld-servers.net
>
> ; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @j.gtld-servers.net
> ;; global options: printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41902
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
>
> ;; QUESTION SECTION:
> ;mydots.net. IN A
>
> ;; AUTHORITY SECTION:
> mydots.net. 172800 IN NS ns1.dnsbed.com.
> mydots.net. 172800 IN NS ns2.dnsbed.com.
>
> ;; ADDITIONAL SECTION:
> ns1.dnsbed.com. 172800 IN A 74.117.233.4
> ns2.dnsbed.com. 172800 IN A 204.152.196.108
>
> ;; Query time: 196 msec
> ;; SERVER: 192.48.79.30#53(192.48.79.30)
> ;; WHEN: Fri Jul 1 16:23:05 2011
> ;; MSG SIZE rcvd: 106
>
> j.gtld-servers.net gives the reference info about the domain mydots.net. It says the DNS servers for mydots.net are ns[1-2].dnsbed.com, followed by the two NS's IP addresses.
>
> My question is, when another BIND cache gets this reference, will it use the IP addresses directly? Or will it use the IP addresses obtained from the authoritative server? I ask this because, when the IP addresses obtained from the reference are different from the ones obtained from the authoritative server, what will happen?
>
> Thanks for your kind help.

Jeff,

Think about this scenario: example.com uses ns1.example.com and ns2.example.com for its name servers (legal and proper). If the resolver did not use the glue records presented from the root servers, how would the resolver find www.example.com?

When you register name servers, these are called glue records. The info in the additional section comes from those glue records.

In your scenario, the results will be unpredictable and random. Sometimes it will work and sometimes it won't work. It's important that the glue records be correct.

Lyle Giese
LCR Computer Services, Inc.
Re: Problem with name resolving
On 07/01/11 08:50, Markus Feldmann wrote:
> On 01.07.2011 14:51, Lyle Giese wrote:
>> Markus,
>>
>> To be sure, you know that nslookup and dig do NOT use the search parameter in /etc/resolv.conf. So when you do an nslookup or dig query, you have to use the fully qualified domain name (FQDN). PING uses the search parameter in /etc/resolv.conf, so that can be a source of confusion for you.
>
> Don't really care about ping outputs.

You are asking about name resolution with your bind server. I don't care about ping because it uses some methods that are outside of DNS, like checking your hosts file and adding the search domains. I will only comment on DIG outputs. NSLOOKUP is better than PING, but does not post as much diagnostic output as DIG. So when troubleshooting, DIG is the best option.

>> It would appear that you set up the dyndns client on your Debian box to update feldland.dyndns.org. But how and where do you update the other two, www.feldland.dyndns.org and test.feldland.dyndns.org? Or did you forget to create those at dyndns.org?
>
> Because I am using one IP for two sites I do not have to register more than one host. Yes, it's confusing me :-) I am not sure which of my services resolves the names correctly, but because of the fact that I registered only feldland.dyndns.org at dyndns.org, I think I have to solve the problem in my network locally and not at dyndns.org.

You are right in that you only need one host at dyndns.org to update your IP address, but you want to have two different websites. The proper way to do that is with CNAME entries pointing to the host you are updating at connect time.

Lyle Giese
LCR Computer Services, Inc.
Re: Problem with name resolving
On 07/01/11 14:13, Markus Feldmann wrote:
> On 01.07.2011 18:35, Lyle Giese wrote:
>> You are right in that you only need one host at dyndns.org to update your IP address, but you want to have two different websites. The proper way to do that is with CNAME entries pointing to the host you are updating at connect time.
>
> Do I need to open my firewall for port 53? :-( Is there another way? Maybe to add two virtual hosts at dyndns.org with the same IP?
>
> regards Markus

I don't know dyndns.com services that well. I don't know what they support or do not support directly. Using an example, I have lcrcomputer.com. If I set up a dynamic DNS host with dyndns.org and wanted two host names pointing there, I would do this:

1) set up a dynamic host at dyndns: host.dyndns.org
2) in the LCRCOMPUTER.COM zone I would add two entries:

host1.lcrcomputer.com. in cname host.dyndns.org.
host2.lcrcomputer.com. in cname host.dyndns.org.

I don't know if dyndns.com will allow you to create CNAME entries in their zones. They will if you have a hosted domain name there.

You need to open UDP and TCP port 53 only if you need to make your DNS server available to the public Internet. If it's only for internal use, no. And besides, if you want to run a public name server, it needs to be on a static IP address and not on a dynamic IP address.

Lyle Giese
LCR Computer Services, Inc.
Re: bind restart needed to reflect changes to dynamic zone in multiple views
On 06/24/11 08:22, Brian J. Murrell wrote:
> I am using BIND 9.7.2-P2. I have two views, one internal and one for external queries. In both of those views I have some zones which are common, so I put them into their own file zones.common and include that file in both of the views.
>
> The problem I am having is that when I make a dynamic update to a common zone, only the internal view sees that change. External queries still return the data prior to the update. If I restart the server, then external queries get the updated data.
>
> To provide an (excerpted, for brevity) example...
>
> zones.common:
>
> zone "rbl.interlinx.bc.ca" {
>     type master;
>     file "/etc/bind/master/rbl.interlinx.bc.ca.zone";
>     allow-update { ... };
>     allow-transfer { ... };
>     allow-query { any; };
> };
>
> named.conf:
>
> view "trusted" {
>     match-clients { trusted_networks; }; // our internal networks
>     ...
>     include "/etc/bind/zones.common";
>     ...
>     zone "interlinx.bc.ca" {
>         type master;
>         file "/etc/bind/master/interlinx.bc.ca.zone";
>         allow-update { ... };
>         allow-query { ... };
>         allow-transfer { ... };
>     };
>     ...
> };
>
> view "greatunwashed" {
>     match-clients { any; }; // all other hosts
>     ...
>     include "/etc/bind/zones.common";
>     allow-query { great_unwashed_allowed_query; };
>     zone "interlinx.bc.ca" {
>         type slave;
>         file "/etc/bind/slave/interlinx.bc.ca.zone";
>         masters { ... };
>         allow-query { any; };
>     };
> };
>
> To demonstrate, given the above configuration:
>
> greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> Host 1.2.3.4.rbl.interlinx.bc.ca not found: 3(NXDOMAIN)
>
> trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> Host 1.2.3.4.rbl.interlinx.bc.ca. not found: 3(NXDOMAIN)
>
> dns_server $ nsupdate
> server localhost
> zone rbl.interlinx.bc.ca.
> update add 1.2.3.4.rbl.interlinx.bc.ca 60 A 127.0.0.2
> send
>
> trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> 1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2
>
> greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> Host 1.2.3.4.rbl.interlinx.bc.ca not found: 3(NXDOMAIN)
>
> dns_server # /usr/sbin/rndc reload
> server reload successful
>
> trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> 1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2
>
> greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> Host 1.2.3.4.rbl.interlinx.bc.ca not found: 3(NXDOMAIN)
>
> dns_server # service bind9 restart
>  * Stopping domain name service... bind9 ...done.
>  * Starting domain name service... bind9 ...done.
>
> trusted_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> 1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2
>
> greatunwashed_host $ host 1.2.3.4.rbl.interlinx.bc.ca.
> 1.2.3.4.rbl.interlinx.bc.ca has address 127.0.0.2
>
> As you can see, it took a complete server restart for the greatunwashed view to get the zone update. Is this expected behavior or a (known?) bug?
>
> Cheers,
> b.

It's expected behavior in a way. You are probably making this change in the internal view and the internal named process knows about the change and reloads the zone. The external view's process is unaware of the change and does not reload.

1) You could send a periodic rndc reload to the external view process.
2) Since this appears to be an RBL zone, use rbldnsd instead of named to serve this zone. Rbldnsd has code in it to auto-detect a change in the zone file and will auto-reload. Rbldnsd is a tighter piece of code designed not to be a general purpose piece of software, but a specialized service. It takes fewer system resources for this purpose.

FYI, I have an internal RBL that I use here. I store the zone data in a PostgreSQL database and do the updates to it there. The two hosts that serve the data run rbldnsd. I have written perl scripts to periodically pull a copy of the database and parse that into text files compatible with rbldnsd and move them into place. rbldnsd automagically reloads the updated zone files.

Lyle Giese
LCR Computer Services, Inc.
Re: bind restart needed to reflect changes to dynamic zone in multiple views
On 06/24/11 09:21, Brian J. Murrell wrote:
> On 11-06-24 09:57 AM, Lyle Giese wrote:
>> It's expected behavior in a way.
>
> Given your explanation, indeed. :-)
>
>> You are probably making this change in the internal view and the internal named process knows about the change and reloads the zone. The external view's process is unaware of the change and does not reload.
>
> Ah. I guess I had not considered how BIND handles views and that it's done with a separate process per view. But I only have one named process, so I suppose it's threading for each view.
>
>> 1) You could send a periodic rndc reload to the external view process.
>
> Except that I only have the one process. Any thoughts on how to do this in such a case?
>
>> 2) Since this appears to be an RBL zone, use rbldnsd instead of named to serve this zone.
>
> Yeah, I suppose I could. It would solve this specific use case, but I don't know that this RBL zone is the extent of this problem. I'd have to examine further where there are zones shared by multiple views. I'm guessing though that rbldnsd doesn't support remote update, yes? That would be limiting for my purposes here.
>
> Cheers,
> b.

rbldnsd does not support dynamic updates like bind. But there is no reason you can not create a script in any language to update the zone file. When rbldnsd detects that the zone file has been changed, it auto-reloads it. In my situation, when I place a new zone file in place, rbldnsd auto-loads the new one.

Lyle
Re: How to Setup a Name Servers visible on Internet?
On 06/21/11 08:13, Metropolitan College Eric Kom wrote:
> On 21/06/2011 13:07, Eivind Olsen wrote:
>> Metropolitan College Eric Kom wrote:
>>
>> (...using normal text now, and not the HTML thingie which was messed up in Squirrelmail here - so I'll bother reading your postings now :-)
>
> So sorry for that!
>
>> I'll admit I am a bit confused about what your current setup actually is. Having taken a couple of quick looks at your previous postings it looks like you have had a bit of a mix with filenames, views etc. I wonder, perhaps it would be easier to make sense of your setup if you could put your named.conf + any other relevant files (included files, zonefiles etc..) available for download on some website or FTP or something?
>
> Still have errors:
>
> root@ns1:/var/cache/bind# named-checkzone metropolitanbuntu.co.za 194.134.41.in-addr.arpa
> zone metropolitanbuntu.co.za/IN: NS 'ns1.metropolitanbuntu.co.za' has no address records (A or AAAA)
> zone metropolitanbuntu.co.za/IN: NS 'ns2.metropolitanbuntu.co.za' has no address records (A or AAAA)
> zone metropolitanbuntu.co.za/IN: not loaded due to errors.
>
> Please find below my bind files data and zone at this link: http://www.metropolitancollege.co.za/erickom/bind/
>
> 0.0.10.in-addr.arpa       21-Jun-2011 15:07   541
> 194.134.41.in-addr.arpa   21-Jun-2011 15:07   475
> bind.keys                 21-Jun-2011 15:07   2.5K
> db.0                      21-Jun-2011 15:07   237
> db.127                    21-Jun-2011 15:07   271
> db.255                    21-Jun-2011 15:07   237
> db.empty                  21-Jun-2011 15:07   353
> db.local                  21-Jun-2011 15:07   270
> db.root                   21-Jun-2011 15:07   2.9K
> metropolitanbuntu.co..    21-Jun-2011 15:07   1.0K
> metropolitanbuntu.co..    21-Jun-2011 15:07   1.0K
> named.conf                21-Jun-2011 15:07   463
> named.conf.default-z..    21-Jun-2011 15:07   572
> named.conf.local          21-Jun-2011 15:07   793
> named.conf.options        21-Jun-2011 15:07   777
> rndc.key                  21-Jun-2011 15:07   77
> zones.rfc1918             21-Jun-2011 15:07   1.3K
>
>> Regards
>> Eivind Olsen

Try removing the wild card entry in the metropolitanbuntu.co.za zone and see if that clears this error.

Lyle Giese
LCR Computer Services, Inc.
Re: How to Setup a Name Servers visible on Internet?
On 06/20/11 12:31, Metropolitan College Eric Kom wrote:
> Maybe I'm still mixing up some things, because after changing the settings, the *grep named /etc/log/syslog* still shows errors:
>
> Jun 20 19:21:58 ns1 named[3178]: managed-keys-zone ./IN/internal: loading from master file 3bed2cb3a3acf7b6a8ef408420cc682d5520e26976d354254f528c965612054f.mkeys failed: file not found
> Jun 20 19:21:58 ns1 named[3178]: managed-keys-zone ./IN/internal: loaded serial 0

Managed keys are something else. See this message: https://lists.isc.org/pipermail/bind-users/2010-October/081294.html

> Jun 20 19:21:58 ns1 named[3178]: zone 194.134.41.in-addr.arpa/IN/external: loaded serial 14

Looks to me like the in-addr.arpa zone is loading now.

And you still have some IPv6 connectivity issues:

> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'ns1.mweb.co.za/AAAA/IN': 2001:4200::a::1#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'ns2.mweb.co.za/AAAA/IN': 2001:500:2e::1#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'ns.coza.net.za/AAAA/IN': 2001:500:14:6055:ad::1#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'ns0.plig.net/A/IN': 2001:503:ba3e::2:30#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'ns4.iafrica.com/A/IN': 2001:dc3::35#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'coza1.dnsnode.net/A/IN': 2001:500:2f::f#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'coza1.dnsnode.net/A/IN': 2001:500:1::803f:235#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'coza1.dnsnode.net/A/IN': 2001:503:c27::2:30#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'coza1.dnsnode.net/A/IN': 2001:7fe::53#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'coza1.dnsnode.net/A/IN': 2001:500:3::42#53
> Jun 20 19:21:58 ns1 named[3178]: error (network unreachable) resolving 'ns.orange-tree.alt.za/A/IN': 2001:67c:1010:19::53#53
> Jun 20 19:21:59 ns1 named[3178]: error (network unreachable) resolving 'secdns1.posix.co.za/A/IN': 2001:42a0:1000:ff02::481#53
> Jun 20 19:21:59 ns1 named[3178]: error (network unreachable) resolving 'coza1.dnsnode.net/A/IN': 2001:503:231d::2:30#53
> Jun 20 19:21:59 ns1 named[3178]: error (network unreachable) resolving 'ns.orange-tree.alt.za/AAAA/IN': 2001:4200:1010::1#53
> Jun 20 19:21:59 ns1 named[3178]: error (network unreachable) resolving 'rain.psg.com/A/IN': 2001:503:a83e::2:30#53
> Jun 20 19:21:59 ns1 named[3178]: error (network unreachable) resolving 'arizona.edu/AAAA/IN': 2001:7fd::1#53
> Jun 20 19:21:59 ns1 named[3178]: error (network unreachable) resolving 'ns1.iafrica.com/AAAA/IN': 2001:418:1::39#53
> Jun 20 19:21:59 ns1 named[3178]: error (network unreachable) resolving 'nlns.globnix.net/AAAA/IN': 2a02:898:31::53:0#53

And you did a reload successfully.

> Jun 20 19:22:02 ns1 named[3178]: received control channel command 'reload'
> Jun 20 19:22:02 ns1 named[3178]: loading configuration from '/etc/bind/named.conf'
> Jun 20 19:22:02 ns1 named[3178]: reading built-in trusted keys from file '/etc/bind/bind.keys'
> Jun 20 19:22:02 ns1 named[3178]: using default UDP/IPv4 port range: [1024, 65535]
> Jun 20 19:22:02 ns1 named[3178]: using default UDP/IPv6 port range: [1024, 65535]
> Jun 20 19:22:02 ns1 named[3178]: reloading configuration succeeded
> Jun 20 19:22:02 ns1 named[3178]: reloading zones succeeded
> root@ns1:/var/cache/bind#

This is still an issue for you: But that does not change that your upstream has not delegated this in-addr.arpa range to you.
Re: Restoring BIND DNS configuration from TAR command
On 06/19/11 10:14, Jorg W. wrote:
> 2011/6/19 babu dheen babudh...@yahoo.co.in
>> Hi,
>>
>> I have a DNS server running BIND. I executed the following to take a backup of the configuration and zone files, and it's working fine.
>>
>> # /bin/tar -pczvf named.tar.gz /etc/ /var/named --exclude='/var/named/chroot/var/named/data' --exclude='/var/named/chroot/proc'
>>
>> But what happens is, when I executed the command below to restore the backup on the freshly OS-installed machine under the /root directory, the command executed successfully, but what I found is that there are directories called /etc and /var created under /root as below:
>>
>> drwxr-xr-x 91 root root   12288 Jun 18 07:50 etc
>> -rw-r--r--  1 root root 7390955 Jun 19 05:04 named.tar.gz
>> drwxr-xr-x  3 root root    4096 Jun 19 15:54 var
>
> You should learn how to use tar correctly. Maybe 'man tar' or 'tar --help' will give you the info.

The authors of tar were partial to info over man. Try:

info tar

There is a lot more information in the info pages than the man pages for tar. Plus the original poster needs to learn how to use the command line a lot better.

Lyle Giese
LCR Computer Services, Inc.
Re: nameserver registration
On 06/18/11 09:30, Jorg W. wrote:
> Greetings,
>
> given my domain name is example.net, and my NS servers for example.net are:
>
> ns1.example.com
> ns2.example.com
>
> But example.com's own NS servers are the registrar's (for example, GoDaddy's). In this case, I don't need any glue for ns[1-2].example.com. But why do I still need to register them in the .com NS servers?
>
> Thanks.

You are wrong. You do need glue records. Glue records register the IP address of your name server(s) with the root name servers. In this case the glue records are associated with ns1 and ns2.example.com. The name servers need to be registered with the domain registrar for example.com and forwarded as glue records to the root name servers for .com.

GoDaddy is a domain name registrar and does not run any root name servers. However, it is the responsibility of the domain name registrars to make sure proper glue records are maintained for any/all name servers used with a domain registered with them.

Lyle Giese
LCR Computer Services, Inc.
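The point Lyle makes here and in the "about the reference" reply above (a resolver can only reach ns1.example.com through the parent's glue, and stale glue makes resolution hit or miss) as an added example, not code from the list, from BIND, or from any poster: a toy iterative resolver that walks referrals the way dig +trace does over an in-memory network, plus a check that compares a parent's glue with what is actually reachable. Every name and address below is constructed (example.com, RFC 5737 addresses, a made-up a.gtld.example server).

```python
"""Toy iterative resolver over an in-memory DNS "network" (added example).

The "network" is a dict keyed by server address, so nothing here touches a
real resolver or the wire. All names and addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    """One authoritative server: the records it serves and the delegations it
    knows, each delegation carrying NS names and glue (NS name -> address)."""
    records: dict = field(default_factory=dict)      # (name, type) -> [rdata]
    delegations: dict = field(default_factory=dict)  # child zone -> (ns_names, glue)


def lookup(network, addr, name, rtype):
    """Ask the server at addr one question, like one hop of dig +trace.
    Returns ("answer", rdatas), ("referral", ns_names, glue), ("nxdomain",)
    or ("unreachable",) when nothing answers at that address."""
    server = network.get(addr)
    if server is None:
        return ("unreachable",)
    if (name, rtype) in server.records:
        return ("answer", server.records[(name, rtype)])
    # The longest delegation covering the name wins, as in a real referral.
    for zone in sorted(server.delegations, key=len, reverse=True):
        if name == zone or name.endswith("." + zone):
            ns_names, glue = server.delegations[zone]
            return ("referral", ns_names, glue)
    return ("nxdomain",)


def resolve(network, root_addr, name, rtype, trace=None):
    """Iterate from the root, following each referral via the glue addresses
    the parent handed out, in the order the NS names were listed. Returns the
    rdatas, or None when every glue address is dead. trace (an optional list)
    collects (server address, outcome) hops for inspection."""
    trace = [] if trace is None else trace
    pending, tried = [root_addr], set()
    while pending:
        addr = pending.pop(0)
        if addr in tried:
            continue
        tried.add(addr)
        reply = lookup(network, addr, name, rtype)
        trace.append((addr, reply[0]))
        if reply[0] == "answer":
            return reply[1]
        if reply[0] == "referral":
            # ns1.example.com lives inside the zone being delegated, so the
            # parent's glue is the only way to learn where to ask next.
            ns_names, glue = reply[1], reply[2]
            pending.extend(glue[ns] for ns in ns_names if ns in glue)
    return None


def stale_glue(network, parent_addr, zone):
    """Compare the glue a parent hands out for zone with reality: ask each
    glue address about its own name and flag it when nothing answers there
    or the answer does not include that address (Jeff's question)."""
    ns_names, glue = network[parent_addr].delegations[zone]
    bad = {}
    for ns in ns_names:
        addr = glue.get(ns)
        reply = lookup(network, addr, ns, "A") if addr else ("unreachable",)
        if reply[0] != "answer" or addr not in reply[1]:
            bad[ns] = addr
    return bad


def build_network(ns2_glue):
    """Constructed topology root -> com -> example.com. ns2.example.com really
    runs at 198.51.100.54; ns2_glue is what the com server still advertises."""
    child = {
        ("www.example.com", "A"): ["192.0.2.10"],
        ("ns1.example.com", "A"): ["192.0.2.53"],
        ("ns2.example.com", "A"): ["198.51.100.54"],
    }
    return {
        "198.51.100.1": Server(delegations={
            "com": (["a.gtld.example"], {"a.gtld.example": "198.51.100.2"})}),
        "198.51.100.2": Server(delegations={
            "example.com": (["ns2.example.com", "ns1.example.com"],
                            {"ns1.example.com": "192.0.2.53",
                             "ns2.example.com": ns2_glue})}),
        "192.0.2.53": Server(records=child),
        "198.51.100.54": Server(records=child),
    }


if __name__ == "__main__":
    for label, glue in (("correct glue", "198.51.100.54"), ("stale glue", "192.0.2.54")):
        net = build_network(glue)
        hops = []
        print(label, resolve(net, "198.51.100.1", "www.example.com", "A", hops), hops)
        print("  stale glue found:", stale_glue(net, "198.51.100.2", "example.com"))
```

With the stale glue the lookup still succeeds only because ns1's glue is good and gets tried after the dead address; drop ns1 from the network as well and resolve() returns None, which is the "sometimes it works, sometimes it doesn't" Lyle describes.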
Re: I can't resolve one domain: nhs.uk
> andy:~$ dig nhs.uk
>
> ; <<>> DiG 9.8.0-P2 <<>> nhs.uk
> ;; global options: +cmd
> ;; connection timed out; no servers could be reached
> andy:~$
>
> It then leaves this in /var/sys.log:
>
> Jun 17 11:49:42 eccles named[4689]: createfetch: pop.gmail.com A
> Jun 17 11:49:43 eccles named[4689]: createfetch: gmail-pop.l.google.com A
> Jun 17 11:49:43 eccles named[4689]: createfetch: gmail-pop.l.google.com AAAA
> Jun 17 12:02:08 eccles named[4689]: createfetch: nhs.uk A
> Jun 17 12:02:10 eccles named[4689]: createfetch: nsa.nhs.uk AAAA
> Jun 17 12:02:10 eccles named[4689]: createfetch: nsb.nhs.uk AAAA
> Jun 17 12:02:10 eccles named[4689]: decrement_reference: delete from rbt: 0x7ff273d21328 ns2.fengnet.com
> Jun 17 12:02:10 eccles named[4689]: decrement_reference: delete from rbt: 0x7ff273d21010 ns1.zjinfo.gov.cn
> Jun 17 12:02:13 eccles named[4689]: createfetch: nhs.uk A
> Jun 17 12:02:18 eccles named[4689]: createfetch: nhs.uk A
> Jun 17 12:02:38 eccles named[4689]: client 127.0.0.1#36651: query failed (SERVFAIL) for nhs.uk/IN/A at query.c:6199
>
> As I say, for any other domain/website on the Internet it works great; instant response, rapid page loading, but this one domain I just can't resolve. I can work around the problem by adding Google's nameservers to /etc/resolv.conf; they work, why doesn't mine? It's very annoying.
>
> Can anyone offer me some pointers on how to move forward with debugging this problem?
>
> Andy

Based on what I see, it would appear that you may be in China (ns2.fengnet.com and ns1.zjinfo.gov.cn). If you are in fact doing this query from China, all bets are off for a successful query.

Lyle Giese
LCR Computer Services, Inc.
Re: forward name resolution OK, but reverse doesn't work ...
On 06/17/11 11:44, Thomas Schweikle wrote:
> Hi!
>
> I am having some problem with my nameserver: It resolves forward:
>
> user@ks1:~$ host google.com
> google.com has address 74.125.79.147
> google.com has address 74.125.79.99
> google.com has address 74.125.79.104
> google.com mail is handled by 50 alt4.aspmx.l.google.com.
> google.com mail is handled by 10 aspmx.l.google.com.
> google.com mail is handled by 20 alt1.aspmx.l.google.com.
> google.com mail is handled by 30 alt2.aspmx.l.google.com.
> google.com mail is handled by 40 alt3.aspmx.l.google.com.
>
> But not reverse:
>
> user@ks1:~$ host 74.125.79.99
> Host 99.79.125.74.in-addr.arpa not found: 2(SERVFAIL)
>
> Main configuration (partly shortened):
>
> options {
>     directory "/var/tmp/named";
>     pid-file "/var/run/named/named.pid";
>     dump-file "/var/run/named/named_dump.db";
>     statistics-file "/var/run/named/named.stats";
>     listen-on { any; };
>     #listen-on-v6 { any; };
>     recursion yes;
>     auth-nxdomain no;
> };
>
> // slave to root name servers
> zone "." {
>     type slave;
>     file "/var/cache/named/root/root.slave";
>     masters { 192.5.5.241; };
>     notify no;
> };
>
> zone "arpa" {
>     type slave;
>     file "/var/cache/named/root/arpa.slave";
>     masters { 192.5.5.241; };
>     notify no;
> };
>
> zone "in-addr.arpa" {
>     type slave;
>     file "/var/cache/named/root/in-addr.arpa.slave";
>     masters { 192.5.5.241; };
>     notify no;
> };
>
> // RFC 1912 (and BCP 32 for localhost)
> zone "localhost" {
>     type master;
>     file "/etc/named/master/localhost-forward.db";
> };
>
> zone "127.in-addr.arpa" {
>     type master;
>     file "/etc/named/master/localhost-reverse.db";
> };
>
> localhost-forward.db:
>
> $TTL 3h
> localhost. SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
> ; Serial, Refresh, Retry, Expire, Neg. cache TTL
>
>   NS localhost.
>
>   A 127.0.0.1
>   AAAA ::1
>
> localhost-reverse.db:
>
> $TTL 3h
> @ SOA localhost. nobody.localhost. 42 1d 12h 1w 3h
> ; Serial, Refresh, Retry, Expire, Neg. cache TTL
>
>   NS localhost.
>
> 1.0.0 PTR localhost.
>
> 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR localhost.
>
> The server has AFAIS all root servers available:
>
> $ORIGIN .
> $TTL 86400 ; 1 day
> @ IN SOA a.root-servers.net. nstld.verisign-grs.com. (
>     2011061700 ; serial
>     1800       ; refresh (30 minutes)
>     900        ; retry (15 minutes)
>     604800     ; expire (1 week)
>     86400      ; minimum (1 day)
>     )
>   RRSIG SOA 8 0 86400 2011062400 (
>     2011061623 34525 .
>     kKIgiv5epNOi/mWtHYtH/Zwj6O6pV+wB09rnMiaTrYRk
>     HKqH7CCBdnIei6Kc1ghTRgdPwzrpgxzB3VHH/IfjEGbM
>     3sNGzMOYFtykMD1xjE93hBUU08yd1ojchWW2AXayGEJZ
>     5UOkaiA7cN3txThTtd1/r+k1zR5pvL+S6Pt7TTE= )
> $TTL 518400 ; 6 days
>   NS a.root-servers.net.
>   NS b.root-servers.net.
>   NS c.root-servers.net.
>   NS d.root-servers.net.
>   NS e.root-servers.net.
>   NS f.root-servers.net.
>   NS g.root-servers.net.
>   NS h.root-servers.net.
>   NS i.root-servers.net.
>   NS j.root-servers.net.
>   NS k.root-servers.net.
>   NS l.root-servers.net.
>   NS m.root-servers.net.
>   RRSIG NS 8 0 518400 2011062400 (
>     2011061623 34525 .
>     KgMPA/Ucp/cFQHQ36kFe8lhVV6ckJx8Zk8Mm2aiKIxOB
>     v9fsM3qYyGOOqnNUGPr7V0X604r5xaePysUNy0iET+Ga
>     9WPmPeEX9438srt54qEDCBeCqn5Zbjo1lOVTrykAvtBI
>     Y8ONwpp0DcDw9D7mTyBzp+ARLVG56jaZ5AucyGQ= )
>
> [... heavily shortened -- the file has about 211k length ...]
>
> Any idea what is wrong here and where to change the configuration to make reverse DNS lookups happen?

First of all, stop using host or nslookup. Use dig. Dig tells you a lot more about what it did and even who gave it the answer it is trying to display.

Also try:

dig +trace -x 74.125.79.99

This will try to do a reverse lookup on this IP address and do a trace of it as it travels through various DNS servers to get to the right answer.

I noticed that you have three zones defined, '.', 'arpa' and 'in-addr.arpa', showing 192.5.5.241 (f.root-servers.net) as the master. Are you getting zone transfers from there? I question the need or desire to have a copy of that zone on your DNS server, let alone whether you are getting a full zone from the F root.

Lyle Giese
Re: How to Setup a Name Servers visible on Internet?
On 06/17/11 12:53, Metropolitan College Eric Kom wrote:
> On 17/06/2011 16:16, Michelle Konzack wrote:
>> Hello Eric Kom,
>>
>> are you sure you want this:
>>
>> ns1 IN A 41.134.194.90
>> ns2 IN A 41.134.194.91
>> ns1 IN A 10.0.0.80
>> ns2 IN A 10.0.0.82
>
> I used to run DNS on the LAN without really caring; since I decided to run my own, I was thinking that adding private IPs was going to resolve both sides (LAN and Internet), that's why the private IPs are in the config files.
>
>> This results in a round-robin and I would not get in 50% of all cases the right domain.
>>
>> www IN A 10.0.0.81
>> www IN A 10.0.0.82
>> mail IN A 10.0.0.84
>> backup IN A 10.0.0.102
>
> So please, can I just remove the LAN IPs? Is Bind going to resolve also for a local lookup if my connection is down?

Use views. Make an internal view and an external view and don't mix records of internal IP addresses with external IP addresses. The machines outside of your LAN can not use the 10.0 info and those machines inside your LAN can not use your external IP addresses.

>> How can someone reach your web and mail server, if you have set them up in a private network?
>>
>> ftp IN CNAME www
>> img IN CNAME www
>> * IN CNAME www
>> imap IN CNAME mail
>> pop IN CNAME mail
>> pop3 IN CNAME mail
>> smtp IN CNAME mail
>>
>> Are you sure this is working? The * wildcard will even catch the imap, pop, pop3 and smtp hosts and redirect them to www
>
> I put the asterisk (*) in my config file just in case, so that if any subdomain is not specified, bind must look up the www subdomain without complaining and showing the error "server not found".

I think in this case your wildcard is adding an additional layer of confusion.

Lyle Giese
LCR Computer Services, Inc.
Re: How to improve bind caching dns server performance
On 06/10/11 07:53, David Sparro wrote:
> On 6/10/2011 5:04 AM, kshitij mali wrote:
>> Hi All,
>>
>> I am repeatedly facing SERVFAIL errors in response to the dig command. But when I dig a known domain like yahoo, gmail, orkut etc. then there is no problem. I think there is some performance issue with my caching DNS server. How to check the reason for the lookup failure and how to improve the performance?
>
> Based on your previous posts to the list, the problem is not with your caching server. The problems you've described are the result of bad DNS entries entered by the owners and operators of the domains that are producing the errors you see.
>
> There is nothing you can do to fix the errors you described.

In addition, you should learn how to use dig +trace for troubleshooting these problems.

Lyle
Re: Problem resolving CNAME in BIND 9.8.0 and 9.8.0-P2
On 06/10/11 09:50, Per-Olof Axelsson wrote:
> When I run the dig command below I sometimes get different answers, generally 20-30 minutes after restarting BIND. It doesn't matter if I run dig from a remote host or locally on the problematic DNS server. The two servers in question run on entirely different hardware and operating systems. One server runs a compiled version of BIND (on Redhat) whilst the other runs an installed package version (SLES11 SP1). The problem can occur on one DNS server whilst the other remains unaffected, and vice-versa. Incorrect replies often come in small groups mixed with correct replies, generally over a period of a few seconds before returning to the correct answer. Specifying localhost (127.0.0.1) as the server however results in the problem never occurring.
>
> I turned on debug level 5 in BIND and searched the logs for any errors but didn't find anything. I tried tcpdump but that didn't give anything either. To solve the problem I downgraded BIND to version 9.7.3.
>
> The following are the outputs I'm seeing:
>
> Correct answer.
>
> [root@mayday named]# dig @193.10.166.35 ldap.hb.se
>
> ; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12728
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 2
>
> ;; QUESTION SECTION:
> ;ldap.hb.se. IN A
>
> ;; ANSWER SECTION:
> ldap.hb.se. 3600 IN CNAME vm-nldap-n1.hb.se.
> vm-nldap-n1.hb.se. 3600 IN A 193.10.166.191
>
> ;; AUTHORITY SECTION:
> hb.se. 3600 IN NS dns2.hb.se.
> hb.se. 3600 IN NS hb-ns.server.hv.se.
> hb.se. 3600 IN NS ns2.chalmers.se.
> hb.se. 3600 IN NS mayday.hb.se.
>
> ;; ADDITIONAL SECTION:
> dns2.hb.se. 3600 IN A 193.10.166.35
> mayday.hb.se. 3600 IN A 193.10.166.34
>
> ;; Query time: 2 msec
> ;; SERVER: 193.10.166.35#53(193.10.166.35)
> ;; WHEN: Thu Jun 9 12:49:17 2011
> ;; MSG SIZE rcvd: 199
>
> Wrong answer.
>
> [root@mayday named]# dig @193.10.166.35 ldap.hb.se
>
> ; <<>> DiG 9.8.0-P2 <<>> @193.10.166.35 ldap.hb.se
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61784
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ldap.hb.se. IN A
>
> ;; ANSWER SECTION:
> ldap.hb.se. 3600 IN CNAME vm-nldap-n1.hb.se.
>
> ;; Query time: 1 msec
> ;; SERVER: 193.10.166.35#53(193.10.166.35)
> ;; WHEN: Thu Jun 9 12:49:17 2011
> ;; MSG SIZE rcvd: 54
>
> Why are the ANSWER SECTION, AUTHORITY SECTION and ADDITIONAL SECTION different? Any ideas??
>
> /Per-Olof Axelsson

From here, I can not resolve vm-nldap-nl.hb.se with dig 9.7.3 using the +trace option.

Lyle Giese
LCR Computer Services, Inc.
Re: BIND error: opcode: QUERY, status: SERVFAIL
SERVFAIL means there was a failure to properly resolve something. Not necessarily a BIND error. Do this and analyze the output:

dig +trace goelexports.com

Also you are using an old version of DIG. You may want to consider updating BIND.

It also appears that you are running a recursive server on this machine. Do you have UDP and TCP ports 53 open to this server? You need both open.

Lyle Giese
LCR Computer Services, Inc.

On 06/03/11 02:04, kshitij mali wrote:

Hello ALL,

Please help me troubleshoot this bind ISSUE. I am facing an intermittent problem with some domains

==
[root@D1OKH680RL ~]# dig goelexports.com

; <<>> DiG 9.2.4 <<>> goelexports.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;goelexports.com. IN A

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 27 03:28:13 2011
;; MSG SIZE rcvd: 33
===

Regards,
Kshitij Mali

On Thu, Apr 28, 2011 at 2:38 PM, kshitij mali foreplay...@gmail.com wrote:

goelexports.com is delegated to the following nameservers which do not exist.

kshitij: may I know how you checked the delegation for the above domain?

Regards,
Kshitij

On Wed, Apr 27, 2011 at 7:17 PM, Mark Andrews ma...@isc.org wrote:

In message banlktik70mdfrhcbfi+7ye_sibccoge...@mail.gmail.com, kshitij mali writes:

Hi everybody,

we are unable to lookup the domain goelexports.com

goelexports.com is delegated to the following nameservers which do not exist.

Mark

goelexports.com. 172800 IN NS ns.hostsearchindia.com.
goelexports.com. 172800 IN NS ns2.hostsearchindia.com.

; <<>> DiG 9.6.0-APPLE-P2 <<>> ns.hostsearchindia.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36873
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns.hostsearchindia.com. IN A

;; AUTHORITY SECTION:
hostsearchindia.com. 10719 IN SOA ns4.webcomindia.net. amit.sood.webcomindia.net. 2009090712 86400 7200 360 86400

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 27 23:45:38 2011
;; MSG SIZE rcvd: 105

[root@D1OKH680RL ~]# dig goelexports.com

; <<>> DiG 9.2.4 <<>> goelexports.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 63082
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;goelexports.com. IN A

;; Query time: 10 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Apr 27 03:28:13 2011
;; MSG SIZE rcvd: 33

What does status: SERVFAIL mean? How can I check?

Regards,
kshitij
Re: IPv6 prefix length error
On 04/28/11 11:20, Khuu, Linh Contractor wrote:

Hello,

We just added the IPv6 address on our DNS servers. When we started named, we see these errors in the log:

prefix length for 2001:1930:e03::e is unknown (assume 128)
prefix length for ::1 is unknown (assume 128)

So far, named is still running fine… I can't find any information to correct these errors.

Thanks,
Linh Khuu

These are not bind errors, but errors in how you configured IPv6 in the host OS. You have not specified the prefix length (comparable to /24 in IPv4 CIDR notation) in your network configuration for your IPv6 addresses.

Lyle Giese
LCR Computer Services, Inc.
Re: [OT] does deliveragent must have a PTR RR
p...@mail.nsbeta.info wrote:

Hi list,

I can't set up a PTR RR for my mailserver's IP. Here the main ISPs, which are owned by this garbage state, charge an expensive price to set up a reverse record for a public IP. It's about 30 USD each month for each IP. But some MTAs do require the peer delivery agent to have a PTR RR, like AOL's email systems. Is there a special RFC for this requirement?

Regards.

Mail Delivery System writes:

This is the mail system at host mail.nsbeta.info. I'm sorry to have to inform you that your message could not be delivered to one or more recipients. It's attached below. For further assistance, please send mail to postmaster. If you do so, please include this problem report. You can delete your own text from the attached returned message.

The mail system

dono...@beth.k12.pa.us: host mx1.beth.k12.pa.us[209.96.96.11] said: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [121.9.221.212] (in reply to RCPT TO command)

I do not believe this to be fully covered in an RFC, but it came about as Best Practices as we fight SPAM. The best source for the Best Practices for this is at http://postmaster.aol.com

Wander through ALL of the pages that this area at AOL has to offer or you will miss some important points, like that 12 hrs is considered the minimum TTL for A and PTR records for mail servers. TTLs of less than 12 hrs on these records are considered by default indicators of dynamic IP addresses.

Lyle Giese
LCR Computer Services, Inc.
Re: host unreachable. -- a bit more info
Jay G. Scott wrote:

hi,

thanks for the replies. however, i didn't learn much. i'm more of a network newbie than i thought. but what i can say is this:

(repeating the problem) i get zillions of these msgs:

Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable

i CAN do an AXFR from 10.4.1.6 to ns2, that is,

dig @10.4.1.6 arlut.utexas.edu AXFR

does give me output.

on 10.4.1.6,

dig @146.6.211.1 arlut.utexas.edu AXFR

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 arlut.utexas.edu AXFR
; (1 server found)
;; global options: printcmd
; Transfer failed.

now, when i attempt that AXFR, the error message is NOT like the symptom i have. so i conclude that my problem is not AXFR (or IXFR, similar experiment).

so what is this msg talking about?

Jan 10 12:36:24 ns2 named[3037]: client 10.4.1.6#59926: view internal: error sending response: host unreachable

i'm starting to think it might be just an ordinary dns lookup.

j.

Jay,

Please do the following two queries from the secondary server and show us the results:

dig @146.6.211.1 +tcp arlut.utexas.edu
dig @146.6.211.1 -tcp arlut.utexas.edu

Lyle Giese
LCR Computer Services, Inc.
Re: host unreachable. -- a bit more info
Sorry about that. I don't normally use these options. But it's

dig @146.6.211.1 +tcp arlut.utexas.edu
dig @146.6.211.1 +notcp arlut.utexas.edu

But UDP is the default and the second query should have been transmitted using UDP. The end result is that you have TCP and UDP port 53 opened properly in the firewalls between the two sites.

BTW, zone transfers are done using TCP because of their size. Small queries try to use UDP first.

This is starting to sound more like the master is not allowing your site to get a zone transfer. That is an ACL issue for the master site.

Lyle Giese
LCR Computer Services, Inc.

Jay G. Scott wrote:

On Mon, Jan 10, 2011 at 12:52:16PM -0600, Lyle Giese wrote:

[snip]

Jay,

Please do the following two queries from the secondary server and show us the results:

dig @146.6.211.1 +tcp arlut.utexas.edu
dig @146.6.211.1 -tcp arlut.utexas.edu

Lyle Giese
LCR Computer Services, Inc.

okay. but it doesn't seem to like -tcp as an arg. thanks for helping.

[r...@ns5 ~]# dig @146.6.211.1 +tcp arlut.utexas.edu

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 +tcp arlut.utexas.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15938
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;arlut.utexas.edu. IN A

;; AUTHORITY SECTION:
arlut.utexas.edu. 300 IN SOA csdsun9.arlut.utexas.edu. root.arlut.utexas.edu. 2011011010 10800 600 604800 300

;; Query time: 0 msec
;; SERVER: 146.6.211.1#53(146.6.211.1)
;; WHEN: Mon Jan 10 14:49:55 2011
;; MSG SIZE rcvd: 83

---

[r...@ns5 ~]# dig @146.6.211.1 -tcp arlut.utexas.edu
;; Warning, ignoring invalid type cp

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5_5.3 <<>> @146.6.211.1 -tcp arlut.utexas.edu
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23674
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;arlut.utexas.edu. IN A

;; AUTHORITY SECTION:
arlut.utexas.edu. 300 IN SOA csdsun9.arlut.utexas.edu. root.arlut.utexas.edu. 2011011010 10800 600 604800 300

;; Query time: 0 msec
;; SERVER: 146.6.211.1#53(146.6.211.1)
;; WHEN: Mon Jan 10 14:50:27 2011
;; MSG SIZE rcvd: 83
Re: to route specific dns query to specific dns server
May I suggest the book DNS and BIND, 5th edition. Available from Amazon: http://www.amazon.com/DNS-BIND-5th-Cricket-Liu/dp/0596100574/ref=sr_1_1?ie=UTF8qid=1293629633sr=8-1

All of these things can be done. Do some reading!

Yes, you set up forwarding only for the Microsoft domain name. And yes, you can set up BIND to not answer questions from the Internet about your Microsoft domain, but in my opinion that is not necessary. You do want to disable recursive queries from the Internet, and there are no pointers out on the Internet pointing your Microsoft domain to your BIND server, so no one outside your internal network will know about the Microsoft domain.

The book has examples plus syntax and examples that will cover the rest of your questions.

Lyle Giese
LCR Computer Services, Inc.

Riccardo Castellani wrote:

Hopefully the microsoft domain is a name that is not available on the internet, like mymsdomain.local. Then your microsoft server is known as domaincontroller.mymsdomain.local.

Of course!

In that case you would setup a forwarder in BIND for mymsdomain.local that points to the microsoft dns servers.

Ok, but I'd like to understand if:

1- for every query to BIND there is always a forwarding to the Microsoft DNS servers, or if there is only a forwarding for queries containing the 'mymsdomain.local' domain?

2- If I configure BIND how you suggest, can I prevent Internet queries for 'mymsdomain.local'?

3- Can you show me a sample example of a forwarding configuration file for a specific domain, please?

- Original Message -
From: Lyle Giese
To: Riccardo Castellani
Sent: Tuesday, December 28, 2010 11:12 PM
Subject: Re: to route specific dns query to specific dns server

Riccardo Castellani wrote:

I'm using Bind9 for my name server (SERVER EXT) and to give name resolution for those who access my domain from the Internet (e.g. to access my Web site or to write to my email addresses).

My domain is example.com:
www.Example.com
test.h...@example.com

This dns server maps only my public addresses. This server has 2 nics: internal + external ip address. Some internal servers, such as proxy or mail servers, send dns requests to this dns server to resolve names.

I also have an internal MS domain (dns server is SERVER INT) which is different from the other; it's created by Domain Controllers + AD (activedirectory.com) and it's used to map machines in the internal network.

Now my email server or proxy server (which are in the internal network) need to synchronize time so they have to use my internal NTP server; these Linux machines use 'SERVER EXT' in /etc/resolv.conf, so how can I indicate that requests for a specific internal name (ntp.activedirectory.com) should be sent to dns server INT? I could insert it into /etc/hosts but that's not a dns service!!!

Hopefully the microsoft domain is a name that is not available on the internet, like mymsdomain.local. Then your microsoft server is known as domaincontroller.mymsdomain.local.

In that case you would set up a forwarder in BIND for mymsdomain.local that points to the microsoft dns servers. Then when the linux boxes want domaincontroller.mymsdomain.local, your Bind name server will ask the microsoft dns servers for the answer.

Lyle Giese
LCR Computer Services, Inc.
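A minimal named.conf fragment for the setup Lyle describes, added here as an example and not posted by anyone in the thread. mymsdomain.local is Lyle's example name; the forwarder addresses and the internal client range are placeholders.

```conf
// Added example, not from the thread. Only names under mymsdomain.local are
// forwarded; everything else is resolved normally by this BIND server.
options {
    directory "/var/named";
    recursion yes;
    // Recursion (and therefore lookups of the forwarded internal domain)
    // is only available to localhost and the internal network; Internet
    // clients asking for mymsdomain.local get REFUSED. 10.0.0.0/8 is a
    // placeholder for your internal range.
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
    allow-query { any; };
};

// Conditional forward zone: queries for this domain go to the Windows DNS
// servers (placeholder addresses) and nowhere else ("forward only").
zone "mymsdomain.local" {
    type forward;
    forward only;
    forwarders { 10.0.0.10; 10.0.0.11; };
};
```

After reloading, "dig @127.0.0.1 domaincontroller.mymsdomain.local" from an internal host should return the record the Windows servers hold, while the same query from an Internet address is refused.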
Re: about the zone file management
Or nsupdate

Lyle Giese
LCR Computer Services, Inc.

philippe.simo...@swisscom.com wrote:

Hi

if I understand your question correctly, maybe the answer is:

rndc freeze / thaw

Philippe

-----Original Message-----
From: bind-users-bounces+philippe.simonet=swisscom@lists.isc.org [mailto:bind-users-bounces+philippe.simonet=swisscom@lists.isc.org] On Behalf Of Tech W.
Sent: Monday, 29 November 2010 06:38
To: bind-users@lists.isc.org
Subject: about the zone file management

Hello,

I'm not sure, is it right for the management of zone files, with both dynamic update and editing by hand?

Thanks.
Re: How does Yahoo/Google find unknown domains?
Michelle Konzack wrote:

Hello Robert Spangler,

On 2010-11-09 10:34:52, you typed the following:

If these domains are for internal use only, why did you list the DNS servers for them? You are aware that you can register a domain without listing a DNS Server?

Because my own customers (exclusively) must access it. They are my VOIP and IPTV servers and there is no public HTTP content but I am bombed with PHP/CGI requests and I do not know where Google and Co have gotten those links.

Are you sure it's all search bots and not script kiddies playing? Having a valid index.html in place that redirects to your business home page may help. But the search bots don't normally search around for php/cgi scripts. That however is typical of the script kiddies looking for a server to hack.

Some of the searchbots are hitting my servers 3 times in series from three different IPs and in summary, I have more than 10.000 searchbot entries per day in my Logs.

My server always returns an Error-Page from the VServer that there is no configured HTTP host on the machine but it is ignored. One VHost must be configured for the web administration and it is hit too and too much! Even my simple SquirrelMail login page from webmail.tamay-dogan.net is spidered daily with more than 800 hits and I have already counted more than 80 different searchbots.

How braindamaged are Searchbot-Programmers?

All of my webservers together have around 86 TByte of content including a VERY huge debian archive (all releases and versions from 0.96 to now) and my traffic per month is around 27 TByte. The searchbots are creating 17,3 TByte traffic per month which my customers have to pay for too! Maybe I will call my lawyer to write letters to the searchbot owners to stop spidering my 36 domains.

Oh, at Level3 in Frankfurt I pay 12 Euro/Mbit traffic per month which means 12 Euro per 320 GByte traffic. Not counting the price for the 700km FiberOptic line which is another provider (0,40 euro/m/year).

I had a 1 GE line from Frankfurt but due to the excessive searchbot traffic it broke several times per day. Now I have in total twelve 1GE (Level3, Verizon, DTag and Orange). At most I can have 64 x 10 GE with my Transmode TS System but then I can install my own BPOP.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Despite how I feel about Yahoo's SLURP engine, it still honors robots.txt. Script kiddies don't.

Lyle Giese
LCR Computer Services, Inc.

P.S. My last post on this. This is not DNS related.
Re: How does Yahoo/Google find unknown domains?
Michelle Konzack wrote:

Hello experts and *,

I have (since several years) collected some domain names which do not exist (since years) and registered them in the last 4 months for the internal use of my Internet Service.

Now I see Googlebot, Yahoo and he.net querying my DNS Servers for exactly those domains. If I read the conditions of Networksolutions and Co, spidering of WHOIS records is prohibited, as is the commercial use of the data.

Does someone have experience with this crap? Unfortunately I can not deny access to the 180 servers and Google, Yahoo and He are bombing my network with too many useless requests.

I have written a mail to Google not to attack my network of VOIP and IPTV servers, but they continue...

The webservers have only an SHTTP administrative VHost, but not exp.com or www.exp.com, but the webserver gets any requests from *.exp.com because it is an administrative VServer and the error logfile per day is VERY long. An htaccess does not work, because I have more than 800 VHosts on each server.

Thanks, Greetings and nice Day/Evening
Michelle Konzack

Somewhere someone tries to access that domain name for some reason and their dns servers make a note of that and they harvest that info (just a wild a** guess). On the other hand, I have seen where somebody at NS gave a copy of their WHOIS data for 'research' purposes. Technically, the web interface to the WHOIS data is what that restriction is referring to. Not necessarily to disallow someone from asking for/paying for access to that data via another means. Again, I have no inside knowledge nor do I claim any special knowledge or access in this area.

Yahoo's Slurp is a misbehaved robot (IMHO). But it does honor robots.txt. I also put in an index.html that redirects accidental visitors to my commercial business homepage.

Lyle Giese
LCR Computer Services, Inc.
dnsexperiment.net
Does anyone know who this organization is? Their name registration is private and their website is just an opt out page with no indication as to who they are or really why they are doing these scans (other than a generic 'We are doing research.'). This ip address traces back to Liquid Web.

Lyle Giese
LCR Computer Services, Inc.

Oct 22 16:32:42 linux2 named[20883]: client 69.167.186.59#45185: view external: query (cache) 'ofw4blrqy4.cache.lab.dnsexperiment.net/A/IN' denied
Oct 22 16:32:43 linux2 named[20883]: client 69.167.186.59#35522: view external: query (cache) '3hml8kd3vj.lab.dnsexperiment.net/A/IN' denied
Re: DNS Propagation
You need to go to your domain registrar and change the ip address there for these name servers. That data is inserted as glue records to the root servers.

Without the domain name and name servers involved I could not have helped you find this issue.

I get my own messages back from the list, but you do need to reply to the list and I sometimes forget as this list server does not put the list in as the from address and my reader does not pick that up.

Lyle Giese
LCR Computer Services, Inc.

João Alberto Kuchnier wrote:

Sorry about that. The domain is dataprom.com.

ns1.dataprom.com - 200.198.101.3
ns2.dataprom.com - 200.198.101.4

More log errors:

Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving '96.197.97.81.sbl-xbl.spamhaus.org/A/IN': 200.198.101.4#53
Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving '96.197.97.81.bl.spamcop.net/A/IN': 200.198.101.4#53
Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving 'cpc3-seac12-0-0-cust351.7-2.cable.virginmedia.com/SPF/IN': 200.198.101.4#53
Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving 'ns1.virginmedia.net/A/IN': 200.198.101.4#53
Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving 'cpc3-seac12-0-0-cust351.7-2.cable.virginmedia.com/TXT/IN': 200.198.101.4#53
Oct 14 14:06:16 ns1 named[4602]: client 200.103.142.207#50955: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#40978: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#45863: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:16 ns1 named[4602]: client 200.103.142.207#50955: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#50880: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#20633: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:33 ns1 named[4602]: client 189.26.117.170#1032: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:07:03 ns1 named[4602]: error (connection refused) resolving 'orsp.f-secure.akadns.net/A/IN': 200.198.101.4#53

Looks like my slave DNS is refusing the master's connection.

Some queries are pointing to my old reverse configuration (8-15.101.198.200.in-addr.arpa). Now it is: 0-15.101.198.200.in-addr.arpa

I'm not receiving the discussion list e-mails. Is that normal?

On Thu, 2010-10-14 at 11:16 -0500, Lyle Giese wrote:

João Alberto Kuchnier wrote:

Hi Everyone!

Recently I enabled a new IP range on my firewall. I used this bigger range to organize my DNS records like mail, www, ns1, ns2, and others. I did this last weekend. I found out that some DNS servers updated themselves with my new records. However, CheckDNS (http://www.checkdns.net/quickcheckdomainf.aspx) is still resolving to my old servers. I changed every record, every file of all my domains, serials, firewall rules using the new IPs but I'm still having problems. Moreover, some mail servers are rejecting messages from my main domain.

Here are some logs:

Oct 14 11:50:48 ns1 named[2929]: error (connection refused) resolving 'otwbhqbg.net/A/IN': 200.xxx.xxx.xxx#53
Oct 14 11:50:48 ns1 named[2929]: error (connection refused) resolving 'yuogkiz.net/A/IN': 200.xxx.xxx.xxx#53
Oct 14 11:51:05 ns1 named[2929]: client 65.202.203.203#9026: query (cache) '12.8-15.xxx.xxx.xxx.in-addr.arpa/PTR/IN' denied
Oct 14 11:51:05 ns1 named[2929]: client 65.202.203.203#1765: query (cache) '12.8-15.xxx.xxx.xxx.in-addr.arpa/PTR/IN' denied
-- this query problem is pointing to my old reverse.

Can someone help me?

João K.

Since you chose to hide the real domain names, there is not much we can do to help. Most of us here like to do a couple of queries so that we can view what your dns servers are serving up for data. It may not be what you expect, but we can not do that in this case.

With that said, there always is some gap due to TTLs. When changing IP addresses, it's best practice to lower the TTL on all records affected by the change. If your normal TTL is set to 1 day, 2 days before the change lower that to say 1 hour. When changing the zone files to the new ip addresses, put the TTL back to what it was.

That still won't help you with a dns checking service that forces a longer TTL than you request. They are doing a disservice to you and the community if they are doing that without telling you about it.

Lyle Giese
LCR Computer Services, Inc.
Re: DNS Propagation
When you created these as name servers or used them for the first time at Network Solutions, you had to create name server records and register the IP address at that time. That's how glue records get inserted into the root servers. Otherwise the world could not find dataprom.com. If the world was not given the ip address of ns1 or ns2.dataprom.com via glue records, the world would not know how to find your name servers.

At Network Solutions, you log into your account there, go to Manage Domains, then manage the dataprom.com domain. On the next page that comes up from Network Solutions, scroll down and under More Domain Options, click on Manage Name Servers. This is where you manage the glue records for your name servers.

Lyle Giese
LCR Computer Services, Inc.

João Alberto Kuchnier wrote:

Lyle,

Domain registrar like Network Solutions? My domain account is set to ns1 and ns2, not by IP address.

João K.

On Thu, 2010-10-14 at 13:15 -0500, Lyle Giese wrote:

You need to go to your domain registrar and change the ip address there for these name servers. That data is inserted as glue records to the root servers.

Without the domain name and name servers involved I could not have helped you find this issue.

I get my own messages back from the list, but you do need to reply to the list and I sometimes forget as this list server does not put the list in as the from address and my reader does not pick that up.

Lyle Giese
LCR Computer Services, Inc.

João Alberto Kuchnier wrote:

Sorry about that. The domain is dataprom.com.
Re: DNS Propagation
João Alberto Kuchnier wrote:

Yes! Found it! Thank you!

Now, if you could help me, these log entries are from my master DNS:

Oct 14 16:00:42 ns1 named[4602]: error (connection refused) resolving 'guide.opendns.com/A/IN': 200.198.101.4#53

200.198.101.3 - Master
200.198.101.4 - Slave

Slave is refusing connections?

There is this query problem too:

Oct 14 16:01:56 ns1 named[4602]: client 201.39.197.2#53: query (cache) '2.0-63.102.3.189.in-addr.arpa/PTR/IN' denied
Oct 14 16:01:59 ns1 named[4602]: client 201.39.197.2#53: query (cache) '2.0-63.102.3.189.in-addr.arpa/PTR/IN' denied

Some of my slave logs:

Oct 14 15:26:06 ns2 named[503]: error (unexpected RCODE REFUSED) resolving 'km13718-05.keymachine.de/TXT/IN': 87.118.100.101#53
Oct 14 15:31:08 ns2 named[503]: error (unexpected RCODE SERVFAIL) resolving '21.76.60.212.in-addr.arpa/PTR/IN': 212.60.66.245#53

Can you help me to fix these issues?

João K.

Google is your friend! Please use it. You have mistakes of some sort in your named.conf and/or your zone files.

Lyle Giese
LCR Computer Services, Inc.
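A small summariser for the two kinds of named log lines that appear in the dnsexperiment.net post above and throughout this DNS Propagation thread ("query (cache) ... denied" and "error (...) resolving ..."), added here as an example and not something anyone in the threads posted. The sample lines are copied from the posts plus one constructed, unrelated line; the regexes, the parent-zone grouping and the noisy-client threshold are my own choices.

```python
"""Group BIND 'query ... denied' and 'error ... resolving' log lines.

Added example, not from the mailing list. It shows at a glance which
clients are being refused, which parent zones they ask about (the old
8-15.101.198.200.in-addr.arpa reverse zone shows up directly) and which
upstream server is behind the resolution errors (here the poster's own
slave, 200.198.101.4).
"""
import re
from collections import Counter

# Sample lines: copied from the posts above, except the last one, which is
# a constructed, unrelated line to show that it is counted as 'other'.
SAMPLE_LOG = """\
Oct 22 16:32:42 linux2 named[20883]: client 69.167.186.59#45185: view external: query (cache) 'ofw4blrqy4.cache.lab.dnsexperiment.net/A/IN' denied
Oct 22 16:32:43 linux2 named[20883]: client 69.167.186.59#35522: view external: query (cache) '3hml8kd3vj.lab.dnsexperiment.net/A/IN' denied
Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving '96.197.97.81.sbl-xbl.spamhaus.org/A/IN': 200.198.101.4#53
Oct 14 14:06:06 ns1 named[4602]: error (connection refused) resolving 'ns1.virginmedia.net/A/IN': 200.198.101.4#53
Oct 14 14:06:16 ns1 named[4602]: client 200.103.142.207#50955: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 14:06:16 ns1 named[4602]: client 201.10.124.1#40978: query (cache) '10.8-15.101.198.200.in-addr.arpa/PTR/IN' denied
Oct 14 15:26:06 ns2 named[503]: error (unexpected RCODE REFUSED) resolving 'km13718-05.keymachine.de/TXT/IN': 87.118.100.101#53
Oct 14 15:26:07 ns2 named[503]: zone example.com/IN: loaded serial 2010101401
"""

# 'client A.B.C.D#port: [view NAME: ]query (cache) 'NAME/TYPE/CLASS' denied'
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#\d+: "
    r"(?:view (?P<view>[^:\s]+): )?query \(cache\) "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)' denied$"
)

# 'error (REASON) resolving 'NAME/TYPE/CLASS': SERVER#port'
RESOLVE_ERR_RE = re.compile(
    r"named\[\d+\]: error \((?P<reason>[^)]+)\) resolving "
    r"'(?P<qname>[^/]+)/(?P<qtype>[^/]+)/(?P<qclass>[^']+)': "
    r"(?P<server>[0-9a-fA-F.:]+)#\d+$"
)


def parse_line(line):
    """Classify one named log line: kind is 'denied', 'resolve_error' or 'other'."""
    line = line.rstrip("\n")
    m = DENIED_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="denied")
    m = RESOLVE_ERR_RE.search(line)
    if m:
        return dict(m.groupdict(), kind="resolve_error")
    return {"kind": "other", "raw": line}


def parent_zone(qname):
    """Drop the leftmost label: 'x.lab.example.net' -> 'lab.example.net'."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else qname


def summarise(lines):
    """Count denied queries per client and parent zone, errors per server and reason."""
    summary = {
        "denied_by_client": Counter(),
        "denied_by_zone": Counter(),
        "errors_by_server": Counter(),
        "errors_by_reason": Counter(),
        "other": 0,
    }
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["kind"] == "denied":
            summary["denied_by_client"][rec["client"]] += 1
            summary["denied_by_zone"][parent_zone(rec["qname"])] += 1
        elif rec["kind"] == "resolve_error":
            summary["errors_by_server"][rec["server"]] += 1
            summary["errors_by_reason"][rec["reason"]] += 1
        else:
            summary["other"] += 1
    return summary


def noisy_clients(summary, threshold):
    """Clients with at least `threshold` denied queries, sorted for stable output."""
    return sorted(c for c, n in summary["denied_by_client"].items() if n >= threshold)


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG.splitlines())
    for key in ("denied_by_client", "denied_by_zone", "errors_by_server", "errors_by_reason"):
        print(key)
        for name, count in s[key].most_common():
            print(f"  {count:4d}  {name}")
    print("unclassified lines:", s["other"])
    print("clients with >= 2 denied queries:", noisy_clients(s, 2))
```

Run it against a real log with `summarise(open("/var/log/named.log"))`; a single upstream dominating errors_by_server, as the slave does here, points at that server rather than at the zones being resolved.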
Re: Bind and blacklist IP file
Alans wrote:

Hello,

Is it possible for bind dns to check the queries, and if the returned answer exists in a file that contains blacklisted IPs then block it?

One more thing, from where can we get/buy updated lists of categorized IPs/websites, like Gaming, Porn, Social...?

Thanks,
Alans

You really need a web proxy with filtering software (like squidGuard) and some block lists to do this.

http://www.squidguard.org/blacklists.html
Re: Unable to query the nameserver
Andrey G. Sergeev (AKA Andris) wrote:

Hello Dotan,

Tue, 5 Oct 2010 20:35:24 +0200 Dotan Cohen wrote:

The two domain names are sharingcenter.eu and sharingcenter.de. The eu domain has ns1 and ns2 on the same server (IP addresses 178.63.65.136 and 178.63.65.188) and works fine. The de domain has ns1 on this same server (IP address 178.63.65.171) but ns2 on a different server (IP address 88.198.21.168).

The commands

dig @178.63.65.171 sharingcenter.de. soa +norec +short
dig @88.198.21.168 sharingcenter.de. soa +norec +short

were done without any delays or errors from my location so the UDP connections from the external hosts are fine too.

If you still experience troubles while working with the registrar control panel you should consult with their support.

Eurodns is currently authoritative for the sharingcenter.de domain. If he wants to move the dns to his new servers and IP addresses, he needs to create proper A records for ns1 and ns2.sharingcenter.de at eurodns first. Eurodns won't let him move the dns until the new servers answer properly. However they are not querying the ip addresses he is inputting but the current A records eurodns returns when asking about ns1 or ns2.sharingcenter.de. Those queries appear to be returning a wild card entry of 80.92.66.130 for ns1 and ns2.sharingcenter.de. There is no name server answering at 80.92.66.130 and thus Eurodns reports that the name server is not answering.

Lyle Giese
LCR Computer Services, Inc.
Re: Unable to query the nameserver
Dotan Cohen wrote:

> On Mon, Oct 4, 2010 at 23:20, Andrey G. Sergeev (AKA Andris) and...@aernet.ru wrote:
>
>> Hi Dotan!
>
> Hello hello!
>
>> You might be blocking 53/udp and (or) 53/tcp port. Try to query your problematic server from some other location rather than the site this server is installed on.
>
> The ports aren't blocked as another site (example.eu) hosted on the 1.1.1.1 server works fine. The working site has both nameservers pointed to that same server (on two different IP addresses on eth0 and eth0:0). Only the example.de site which has one nameserver on the 1.1.1.1 machine and the second nameserver on 1.1.2.2 is giving me a headache.

I would like to help but since you are refusing to post the real ip address or the real hostnames or the real domain names involved, I can not. I could do some testing from here to see if your firewall was configured correctly or what the view was from outside your network. But I can not.

You appear to be posting sanitized portions of named.conf, so we can not tell if you have a typo in there that would cause this problem. You may also be bypassing a firewall misconfiguration because of your testing methods, but we can not tell as you are not posting the real IP addresses. Even though the ip addresses involved are registered for web and dns services that should be available to the world anyway.

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
Chris Buxton wrote:

> On Sep 9, 2010, at 5:02 PM, Lyle Giese wrote:
>
>> wllarso wrote:
>>
>>> I'm not any sort of Linux expert but this started my mind thinking. Take a look at the BIND FAQ, it comes with the sources. There are some Linux specific comments about file and directory permissions. Bind running under Linux drops special 'root' permissions when it starts up.
>>
>> I am not using the -u option nor am I running in a CHROOT environment. ps shows root owning the named process.
>>
>>> Also, there are specific issues when running the Security Enhanced Linux. This may be your situation, or not. We can't tell.
>>
>> I have never on purpose enabled SELinux. GRIN!
>
> On SLES, look for AppArmor. You may find that an AppArmor profile is stifling what named can do. Try disabling it.
>
> IMO, SELinux and AppArmor have their place, but you generally have to create or customize your own security profile to allow services to work the way you want them to. Both SUSE and RHEL/Fedora/CentOS make the assumption that you will use the provided management tools, or none at all, rather than using any 3rd party management system.
>
> Chris Buxton
> BlueCat Networks

Thanks, Chris. That is exactly what it was. AppArmor.

Lyle Giese
LCR Computer Services, Inc.
Re: ipv6 implementation in an ipv4 camp
Jim Pazarena wrote:

> I am curious if anyone can point out articles or deeper instructions regarding an implementation and launch of ipv6 in a fully ipv4 camp?
>
> If the upstream ISP still provides the end user an ipv4 number as a gateway, and the end user still has a /24 or /23 assigned by the ISP, need they be concerned with ipv6? Would the ipv4 /23 subnet be 'translatable' to a corresponding ipv6 number?
>
> Any source documents would be greatly appreciated.

I used http://ipv6.he.net and http://www.sixxs.net to do a trial implementation of IPv6 in our network. Our upstream ISP has since provided us with native IPv6 and we are working on full implementation here. We have the infrastructure in place and are working on adding IPv6 addresses to all websites as time allows. It's not a high priority at this time.

IMHO, it's good for an ISP operation to get on board and figure out how to implement IPv6. End users don't have that pressing of a need unless/until they are forced to by their upstream providers.

There is a lot of good info at http://ipv6.he.net and at http://www.sixxs.net for getting a working IPv6 tunnel into their network and how to implement IPv6.

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
Lyle Giese wrote:

I am not running named as named, but as root (no -u on command line). But in testing I did change the permissions on this directory to 777 with no change in behaviour and changed it back to 755.

Lyle Giese
LCR Computer Services, Inc.

dhottin...@harrisonburg.k12.va.us wrote:

> Does named own the directory?
>
> Quoting Lyle Giese l...@lcrcomputer.net:
>
>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3 server. When I run named from the command line, it runs, but fails to open and write any of the zone files it downloaded.
>>
>> named -c /etc/named.conf (yes I am running this as root)
>>
>> The error is
>>
>> Sep 9 10:40:05 linuxps named[30549]: transfer of '103.0.10.in-addr.arpa/IN/chase' from 209.172.152.3#53: Transfer completed: 1 messages, 261 records, 5636 bytes, 0.116 secs (48586 bytes/sec)
>> Sep 9 10:40:05 linuxps named[30549]: zone 103.0.10.in-addr.arpa/IN/chase: sending notifies (serial 2010081601)
>> Sep 9 10:40:05 linuxps named[30549]: dumping master file: tmp-QJcEgeBZ3h: open: permission denied
>>
>> There is never a path mentioned in the permission denied message and the zone files are not written out to disk. I have set a directory in the options section:
>>
>> options {
>>     directory "/etc/named";
>> };
>>
>> When I run named-checkconf against named.conf, it is always erroring out against this line (directory line), no matter what I put there or different syntax I insert. And yes the directory really does exist.
>>
>> named.conf: line 17: change directory to: '/etc/named' failed: file not found
>> named.conf:line 17: parse failed
>>
>> What 'file' is named-checkconf looking for? Or is this a bogus error message? Am I missing something else?
>>
>> I am starting named as root, but appear to be getting permission issues. It just does not make any sense right now.
>>
>> Lyle Giese
>> LCR Computer Services, Inc.
Re: installing on SLES 10sp3
David Forrest wrote:

> On Thu, 9 Sep 2010, Lyle Giese wrote:
>
>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3 server. When I run named from the command line, it runs, but fails to open and write any of the zone files it downloaded.
>>
>> named -c /etc/named.conf (yes I am running this as root)
>
> I had similar problems with 9.7.1-P2 and it seemed that the named init script generated for F11 reset permissions on the /var/named directory. Go figure. But, to make it work, I inserted a chmod command just before it launched the daemon to set /var/named as owned by named. I also like the executable in /usr/local/sbin rather than /usr/sbin as the script said. So mine now is as below:
>
> ...
> chown -hR named:named /var/named ## DRF
> #daemon /usr/sbin/$named -u named ${OPTIONS}; ## DRF
> daemon /usr/local/sbin/$named -u named ${OPTIONS}; ## DRF
> ...
>
> I don't start it directly from the command line though, so running from the command line as root should not have that ownership problem. You might check the actual install directory as you might be running the old executable.
>
> Dave

I checked the version of named and named-checkconf using -v and -V and tried running it via the full path. They have the right version number 9.7.1-P2.

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
David Forrest wrote:

> On Thu, 9 Sep 2010, Lyle Giese wrote:
>
>> David Forrest wrote:
>>
>>> On Thu, 9 Sep 2010, Lyle Giese wrote:
>>>
>>>> I am trying to install bind 9.7.1-P2 from source on a SLES 10 SP3 server. When I run named from the command line, it runs, but fails to open and write any of the zone files it downloaded.
>>>>
>>>> named -c /etc/named.conf (yes I am running this as root)
>>>
>>> [snipped]
>>
>> I checked the version of named and named-checkconf using -v and -V and tried running it via the full path. They have the right version number 9.7.1-P2.
>>
>> Lyle Giese
>
> Lyle, since it runs from the command line, it would seem that you're left with the zone files and those special files named needs. From the named-checkconf man:
>
> Note: files that named reads in separate parser contexts, such as rndc.key and bind.keys, are not automatically read by named-checkconf. Configuration errors in these files may cause named to fail to run, even if named-checkconf was successful. named-checkconf can be run on these files explicitly, however.
>
> I have also found some pesky errors in my zone files by running named-checkzone on them. That may be indicated as you can run but the zones don't open.
>
> Dave

The more I play, the more it looks like named just plain won't write out to disk anything except via syslog. The issue I saw with named-checkconf was user error (bad command line).

I am starting named as root and it shows up in ps as owned by root. In the global options section I have set:

directory "/etc/named";

This directory is owned by root and is set to 777 and named still won't write to it. The only thing I can come up with is that it's a problem with SLES 10 SP3. That's the only thing that makes sense, but I should be able to work through that.

When starting named, I see this for all zones. The function to dump master file fails with an open: permission denied.

Sep 9 15:30:32 linuxps named[16342]: transfer of '100.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 260 records, 6103 bytes, 0.224 secs (27245 bytes/sec)
Sep 9 15:30:32 linuxps named[16342]: zone 100.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
Sep 9 15:30:32 linuxps named[16342]: dumping master file: /etc/named/tmp-EKfXmnQngI: open: permission denied

(I set the above zone for file /etc/named/100.0.10.in-addr.arpa; and it appears that named wants to drop a temp file and rename it)

Sep 9 15:30:33 linuxps named[16342]: transfer of '102.0.10.in-addr.arpa/IN' from 209.172.152.3#53: Transfer completed: 1 messages, 261 records, 5636 bytes, 0.283 secs (19915 bytes/sec)
Sep 9 15:30:33 linuxps named[16342]: zone 102.0.10.in-addr.arpa/IN: sending notifies (serial 2010081601)
Sep 9 15:30:33 linuxps named[16342]: dumping master file: tmp-wS5yINBtho: open: permission denied

And rndc dumpdb -all yields this error:

Sep 9 15:46:03 linuxps named[16342]: received control channel command 'dumpdb -all'
Sep 9 15:46:03 linuxps named[16342]: could not open dump file 'named_dump.db': permission denied

Lyle Giese
LCR Computer Services, Inc.
Re: installing on SLES 10sp3
wllarso wrote:

> I'm not any sort of Linux expert but this started my mind thinking. Take a look at the BIND FAQ, it comes with the sources. There are some Linux specific comments about file and directory permissions. Bind running under Linux drops special 'root' permissions when it starts up.

I am not using the -u option nor am I running in a CHROOT environment. ps shows root owning the named process.

> Also, there are specific issues when running the Security Enhanced Linux. This may be your situation, or not. We can't tell.

I have never on purpose enabled SELinux. GRIN!

Lyle Giese
Sent from Garminfone by T-Mobile.

> Lyle Giese wrote:
>
> [snipped]
Re: www.ncbi.nlm.nih.gov / pubmed
I agree with this idea. Sorta like when a browser is presented with an invalid SSL cert by a website. It could be that you put in example.com when the cert is for www.example.com or in the case of a self-signed cert, as long as I am not giving them sensitive data, I, the user, can accept or deny the invalid cert. And we have the choice (at least in Firefox) to accept that invalid cert forever or just for the current session with that site.

I agree that this would be a useful feature. Maybe an add-on 'zone' file where we enumerate the broken domains we want to accept with an expiration date, not to exceed x number of days. That way we don't add a domain and mistype the expiration date or forget we created an exception for it.

Lyle Giese
LCR Computer Services, Inc.

> I did, and I disagree that it misses the point. I wanted a *short term* workaround for that zone, while the site fixed their DNSSEC. I had satisfied myself that it was a DNSSEC signing mistake, and faced an unpalatable choice - disable validation globally for the duration of a single site repair period (sacrificing the benefits of DNSSEC) or lose connectivity to that site. Had the site been more important to us, it would have been no choice at all - I would have been instructed to disable validation.
>
> I think DNSSEC is very important, but I also think mistakes will happen, and that sites will want the ability to be forgiving for a grace period.
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Denis BUCHER wrote:

> Dear all,
>
> I have a question, it's not really a big problem, but it's annoying. In the logs I get plenty of lines like :
>
> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie. I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Currently it is working for sshd on this server to add lines in /etc/hosts.allow, but I would like to know if it would be possible for bind :
>
> sshd: 121.14.195.176: DENY
>
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 2009 i686 i686 i386 GNU/Linux
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
>
> Thanks a lot in advance for any help... And sorry if this is not 100% on topic, I know it's at the border between BIND and OS...
>
> Denis

Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow

Lyle Giese
LCR Computer Services, Inc.
Re: Script-kiddie / client IP query (cache) 'host/MX/IN' denied
Kevin Darcy wrote:

> On 8/3/2010 3:03 PM, Denis BUCHER wrote:
>
>> Dear Lyle,
>>
>> On 03.08.2010 18:17, Lyle Giese wrote:
>>
>>>> I would like to know if I can block hosts doing that at the level of /etc/hosts.allow or should I do it at the level of Bind itself ?
>>>
>>> Use IPTables or add rules to your firewall. I don't believe that BIND pays any attention to /etc/hosts.allow
>>
>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does not look to be working. This was perfect :
>>
>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>
> I'm no iptables expert, but doesn't that only apply to TCP packets?
>
> - Kevin

Good catch, Kevin! You are right, he should add two rules, one for tcp and one for udp.

Lyle Giese
LCR Computer Services, Inc.
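An added example (not from this thread) that ties the two posts together: it tallies the "query (cache) ... denied" lines per client and emits the firewall rules Lyle describes, one for udp and one for tcp, so the TCP-only mistake Kevin spotted is not repeated. The log lines inside it are constructed in the same shape as the ones Denis quoted; the threshold and the rule text are this example's own choices.

```python
"""Summarise BIND 'query (cache) ... denied' log lines per client and emit
matching iptables rules for BOTH udp and tcp on port 53.
Added example, not part of the thread; sample log lines are constructed."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the logwatch-style shape quoted in the thread
# ("denied: N Time(s)"); the second client address is documentation space.
SAMPLE_LOG = """\
client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
client 203.0.113.9 query (cache) 'example.net/A/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
"""

# Matches a raw named line too; the trailing "N Time(s)" count is optional.
DENIED_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+) query \(cache\) "
    r"'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/(?P<qclass>[A-Z]+)' denied"
    r"(?::\s*(?P<count>\d+) Time\(s\))?"
)


def count_denied(log_text):
    """Return {client_ip: total denied queries}, honouring the 'N Time(s)' count."""
    totals = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue  # unrelated log line
        totals[m.group("ip")] += int(m.group("count") or 1)
    return totals


def firewall_rules(totals, threshold=3, dport=53):
    """iptables rules for every client at or above threshold.

    DNS is normally UDP, so a tcp-only rule (as in the thread) blocks almost
    nothing; each client therefore gets one udp and one tcp rule."""
    rules = []
    for ip, n in sorted(totals.items()):
        if n < threshold:
            continue
        ip_address(ip)  # ValueError on anything that is not a literal address
        for proto in ("udp", "tcp"):
            rules.append(
                f"iptables -I INPUT -p {proto} -s {ip} --dport {dport} -j DROP"
            )
    return rules


if __name__ == "__main__":
    for rule in firewall_rules(count_denied(SAMPLE_LOG)):
        print(rule)
```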
Re: Question about recursion queries
Recursive queries start with the root name servers. That list is built in to almost (I am reluctant to say all) all versions of bind and is available for download from ftp.rs.internic.net.

An unknown server is one that 1) does not answer queries or 2) has not been asked yet by this bind server. Over time, bind figures out which of those servers answers fastest and will tend to ask the fast ones the most questions.

Lyle Giese
LCR Computer Services, Inc.

Zhang Meng wrote:

> Thanks for your information. But what does unknown servers mean? Where does the list come from?
>
> On Tue, Jul 20, 2010 at 7:08 AM, Chris Buxton chris.p.bux...@gmail.com wrote:
>
>> It uses the RTT algorithm to select the "fastest" server from the list, using random, low values for unknown servers. ("Fastest" is in quotes because the algorithm does not do exactly that, but it's close.)
>>
>> No, I cannot show you the code. I'm not a developer. Find it yourself.
>>
>> Regards,
>> Chris Buxton
>> BlueCat Networks
>>
>> On Jul 19, 2010, at 2:12 AM, Zhang Meng wrote:
>>
>>> The question is given that When I ask the bind server, what's the A record of google.com?
>>>
>>> for the ROOT name server, there're several NS records
>>>
>>> .  60493  IN  NS  g.root-servers.net.
>>> .  60493  IN  NS  b.root-servers.net.
>>> .  60493  IN  NS  m.root-servers.net.
>>> .  60493  IN  NS  d.root-servers.net.
>>> .  60493  IN  NS  j.root-servers.net.
>>> .  60493  IN  NS  c.root-servers.net.
>>> .  60493  IN  NS  i.root-servers.net.
>>> .  60493  IN  NS  a.root-servers.net.
>>> .  60493  IN  NS  h.root-servers.net.
>>> .  60493  IN  NS  k.root-servers.net.
>>> .  60493  IN  NS  l.root-servers.net.
>>> .  60493  IN  NS  f.root-servers.net.
>>> .  60493  IN  NS  e.root-servers.net.
>>>
>>> How does the bind handle these multiple NS records?
>>>
>>> A). Select one of them to ask the NS records for com. ? If fails, try the second one?
>>> B). Or send several queries concurrently, and get the first one responded?
>>>
>>> Could you show me the related code in Bind9.7.1-P2?
>>>
>>> --
>>> Yours sincerely
>>> ZhangMeng
>
> --
> Yours sincerely
> ZhangMeng
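An added illustration (not BIND's code, and not from this thread) of the behaviour Chris and Lyle describe: unknown servers get a random low estimate so each gets tried, the server with the lowest smoothed RTT is asked first, and a server that never answers falls to the back of the list. The random range, the 0.7/0.3 smoothing weights and the timeout penalty are this example's assumptions; the per-server latencies it simulates are constructed.

```python
"""Toy model of RTT-based nameserver selection over a set of NS records.
Added example: an illustration of the idea, not BIND's implementation."""
import random


class ServerSelector:
    def __init__(self, servers, rng=None):
        self.rng = rng or random.Random(0)
        # "Unknown" servers get a small random estimate (assumed 1..32 ms)
        # so that none of them is starved of a first query.
        self.srtt = {s: self.rng.uniform(1, 32) for s in servers}

    def pick(self):
        """Ask the server with the lowest smoothed RTT estimate first."""
        return min(self.srtt, key=self.srtt.get)

    def order(self):
        """Fallback order: estimated fastest first (used if the first fails)."""
        return sorted(self.srtt, key=self.srtt.get)

    def record(self, server, rtt_ms=None):
        """Blend a measured RTT into the estimate, or penalise a timeout.
        Weights 0.7/0.3 and the timeout penalty are assumptions of this model."""
        if rtt_ms is None:
            # No answer: push the server well behind any responsive one.
            self.srtt[server] = self.srtt[server] * 2 + 200
        else:
            self.srtt[server] = 0.7 * self.srtt[server] + 0.3 * rtt_ms


def simulate(servers, true_rtt, queries=200, seed=0):
    """Drive the selector against constructed latencies (None = never answers).
    Returns ({server: times asked}, selector) after the given number of queries."""
    rng = random.Random(seed)
    sel = ServerSelector(servers, rng)
    asked = {s: 0 for s in servers}
    for _ in range(queries):
        s = sel.pick()
        asked[s] += 1
        latency = true_rtt[s]
        # Add +/-2 ms jitter to the constructed latency of a responsive server.
        sel.record(s, None if latency is None else latency + rng.uniform(-2, 2))
    return asked, sel


if __name__ == "__main__":
    # Constructed scenario: one fast, one slow and one dead root server.
    counts, selector = simulate(
        ["a.root-servers.net", "b.root-servers.net", "k.root-servers.net"],
        {"a.root-servers.net": 10, "b.root-servers.net": 80, "k.root-servers.net": None},
    )
    print(counts)
    print(selector.order())
```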
root-anchor.xml anchors.xml in Bind
OK I am confused a bit. Can someone shed just a bit of light on this for me? (This is such a new topic not much is available in searches yet)

IANA put out the anchors2keys python script and I have that working. If I include the resulting files into named.conf as an include, named (9.7.1-P2) loads up but does not mention importing those keys, but complains loudly if the file asked for in the include statement is not there. That part is good, it appears to be reaching out and at least reading the file and knows it's there. But did it import that data and is named using it? That is not answered quite so quickly.

Now I read with great interest the thread here about how to use the root-anchor.xml. Kalman Feher takes the root-anchor output from anchors2keys as a trusted-key and changes it to a managed-key and then imports into named's data. Doing that results in named adding the . key into its managed keys zone files and you can see them in the *.mkeys files.

What is the difference between managed-keys and trusted-keys? And should I be importing anchors.xml as managed-keys instead of trusted-keys?

Thanks,
Lyle Giese
LCR Computer Services, Inc.
Re: root-anchor.xml anchors.xml in Bind
Alan Clegg wrote:

> On 7/17/2010 9:49 AM, Lyle Giese wrote:
>
>> What is the difference between managed-keys and trusted-keys?
>
> Managed keys automatically watch for RFC-5011 roll over and update when new keys are made available. Trusted keys are manually managed and will cause you to have problems if you forget to change a key during key rollovers.
>
>> And should I be importing anchors.xml as managed-keys instead of trusted-keys?
>
> I'm recommending managed-keys.
>
> AlanC

Then why was anchors2keys written to create only trusted-keys? GRIN! It doesn't look hard to modify the script, but there appear to be subtle differences in syntax between the two data types. Or better yet, make it a runtime option in anchors2keys to create a managed keys or trusted keys data set.

Lyle Giese
LCR Computer Services, Inc.
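The "subtle difference in syntax" Lyle mentions is small: a managed-keys entry carries the keyword initial-key between the owner name and the flags field. The converter below is an added example (not part of anchors2keys or BIND) that rewrites a trusted-keys block into the managed-keys form and refuses keys that lack the SEP bit; the key material in the sample is a constructed placeholder, not the real root KSK.

```python
"""Rewrite a BIND trusted-keys block (what anchors2keys emits) as managed-keys
so that named follows RFC 5011 rollovers instead of relying on manual edits.
Added example; the base64 below is a placeholder, not a real DNSKEY."""
import re

# Constructed sample in trusted-keys syntax (placeholder key material).
SAMPLE_TRUSTED = '''
trusted-keys {
    "." 257 3 8 "PLACEHOLDERKEYMATERIALNOTAREALKEY==";
    "example.test." 257 3 8 "ANOTHERPLACEHOLDERKEY==";
};
'''

# One entry: "<owner>" <flags> <protocol> <algorithm> "<base64>";
KEY_RE = re.compile(
    r'"(?P<name>[^"]+)"\s+(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+'
    r'"(?P<key>[^"]+)"\s*;'
)


def parse_trusted_keys(text):
    """Return [(name, flags, protocol, algorithm, key), ...] from a trusted-keys block."""
    block = re.search(r'trusted-keys\s*\{(?P<body>.*?)\};', text, re.S)
    if not block:
        raise ValueError("no trusted-keys block found")
    keys = []
    for k in KEY_RE.finditer(block.group("body")):
        flags, proto, alg = int(k["flags"]), int(k["proto"]), int(k["alg"])
        if proto != 3:
            raise ValueError(f"{k['name']}: DNSKEY protocol field must be 3")
        if not flags & 1:
            # Bit 15 (SEP) marks a key-signing key (257); a ZSK (256) is not
            # a sensible trust anchor and would break at the next ZSK roll.
            raise ValueError(f"{k['name']}: flags {flags} lack the SEP bit")
        keys.append((k["name"], flags, proto, alg, "".join(k["key"].split())))
    return keys


def to_managed_keys(keys):
    """Emit the equivalent managed-keys block.
    The only per-entry difference is the initial-key keyword before the flags."""
    lines = ["managed-keys {"]
    for name, flags, proto, alg, key in keys:
        lines.append(f'    "{name}" initial-key {flags} {proto} {alg} "{key}";')
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_managed_keys(parse_trusted_keys(SAMPLE_TRUSTED)))
```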