RE: Request to provide procedure for bind upgrade
This is a question about the operating system, not BIND. There are a number of ways. You can enable rollbacks in RPM, you can keep snapshots... you're not going to run into incompatible upgrades in BIND during a simple patching.

--
*Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
Ryan Novosielski - Senior Technologist
novos...@rutgers.edu - 973/972.0922 (2x0922)
OIRT/High Perf Res Comp - MSB C630, Newark

From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] On Behalf Of Sundram Bharti [sundram.bha...@ericsson.com]
Sent: Monday, February 16, 2015 10:16 AM
To: bind-users@lists.isc.org
Subject: Request to provide procedure for bind upgrade

> Hi Team,
>
> My DNS current version is BIND 9.8.4-P1 and OS is Fedora Core release 6 (Zod). So could you let me know: does yum update named work for upgrading to the current version? If yes, then what will be the fallback procedure if the upgrade fails?
>
> --
> BR// Sundram Bharti
> +919717977886

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Digging to the final IP
--
*Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
Ryan Novosielski - Senior Technologist
novos...@rutgers.edu - 973/972.0922 (2x0922)
OIRT/High Perf Res Comp - MSB C630, Newark

On Oct 21, 2014, at 16:00, Evan Hunt e...@isc.org wrote:

> On Tue, Oct 21, 2014 at 12:07:15PM -0700, Warren Kumari wrote:
>
>>> dig A $name | awk '$0 ~ /status/ && $0 !~ /status: NOERROR,/ { sub(",", "", $6); print $6; x=1 } $4 == "A" { print $5; x=1 } END { if (!x) print "TIMEOUT" }'
>>
>> Because, not everyone is as stunningly brilliant as you? To a non-zero population of this list the above looks like line-noise...
>
> Could be worse, could be perl.
>
> In any case, filtering the existing output does seem better than adding every imaginable formatting option to dig. ... I *could* maybe see adding a formatting option to produce an easier-to-parse output header, though, such as:
>
> ; OPCODE=QUERY
> ; RCODE=NOERROR
> ; QRFLAG=1
> ; AAFLAG=0
> ; TCFLAG=0
> ; RDFLAG=1
> ; RAFLAG=1
> ; ADFLAG=0
> ; CDFLAG=0
> [... etc ...]

While on some level, I'm with you, IP only doesn't seem like a corner case.
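An added example, not from the thread: a Python parser that does what the awk one-liner above does on captured dig output (rcode if not NOERROR, otherwise the A records, TIMEOUT if no header ever arrived) and additionally follows a CNAME chain in the answer section to the final addresses. The dig output strings and the function name dig_to_final_ips are constructed for this example.

```python
import re

# Constructed sample of `dig A www.example.test` output (not a real capture).
SAMPLE_NOERROR = """\
; <<>> DiG 9.8.4-P1 <<>> A www.example.test
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.test.\t\tIN\tA

;; ANSWER SECTION:
www.example.test.\t300\tIN\tCNAME\tweb.example.test.
web.example.test.\t300\tIN\tA\t192.0.2.10
web.example.test.\t300\tIN\tA\t192.0.2.11
"""

# Constructed NXDOMAIN header and a dig timeout message.
SAMPLE_NXDOMAIN = ";; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17\n"
SAMPLE_TIMEOUT = ";; connection timed out; no servers could be reached\n"

STATUS_RE = re.compile(r"^;; ->>HEADER<<- .*\bstatus: ([A-Z]+),")


def dig_to_final_ips(output, qname):
    """Reduce dig output to the list the awk one-liner prints:
    the rcode if it is not NOERROR, else the A records reached from
    qname by following CNAMEs in the answer section, else TIMEOUT when
    no header was seen at all. NOERROR with no usable A yields NODATA
    (the awk version would misreport that case as TIMEOUT)."""
    status = None
    records = []  # (owner, rrtype, rdata) from the answer section
    for line in output.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status = m.group(1)
            continue
        if not line or line.startswith(";"):
            continue  # comments, section headers, question line
        fields = line.split()
        if len(fields) >= 5 and fields[2] == "IN":
            records.append((fields[0].lower(), fields[3], fields[4]))
    if status is None:
        return ["TIMEOUT"]
    if status != "NOERROR":
        return [status]
    name = qname.lower().rstrip(".") + "."
    seen = set()
    while name not in seen:  # guard against a CNAME loop
        seen.add(name)
        ips = [rdata for owner, rrtype, rdata in records
               if owner == name and rrtype == "A"]
        if ips:
            return ips
        targets = [rdata.lower() for owner, rrtype, rdata in records
                   if owner == name and rrtype == "CNAME"]
        if not targets:
            break
        name = targets[0]
    return ["NODATA"]
```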
Re: Two domains reporting errors
OS X/iOS autocorrect doesn't work well for technology conversations, period. It's always changing words and acronyms to other things more interesting. I swear it waits till the moment you hit send.

--
Ryan Novosielski - Senior Technologist
novos...@rutgers.edu - 973/972.0922 (2x0922)

On Sep 28, 2014, at 10:39, LuKreme krem...@kreme.com wrote:

> On 28 Sep 2014, at 08:37, LuKreme krem...@kreme.com wrote:
>
>> This is all very interesting. To be honest, I first figured out how to generate named.con and the domain failed
>
> Sigh. named.conf and the domain files. I swear, my typos and OS X autocorrect do *not* get along.
>
> --
> K is for KATE who was struck by an axe
> L is for Leo who swallowed some tacks
Re: Can someone please translate entries from query.log file?
Looks like finding who is authoritative for foothillfiretraining.org and then doing a reverse lookup on an address.

From: Samad Agha [mailto:samad.agha2...@gmail.com]
Sent: Tuesday, July 15, 2014 04:33 PM
To: DNS BIND bind-us...@isc.org; bind-users@lists.isc.org
Subject: Can someone please translate entries from query.log file?

> Hi All,
>
> Can someone please tell me exactly what the two entries below from query.log file mean?
>
> 15-Jul-2014 16:24:27.042 queries: XX /206.117.120.2/foothillfiretraining.org/SOA/IN
> 15-Jul-2014 16:24:34.100 queries: XX /206.117.120.84/129.118.117.206.in-addr.arpa/PTR/IN
>
> I'm running BIND 8.2.4 on Solaris 8
>
> root@bmw:/export/home/dns # in.named -v
> in.named BIND 8.2.4 Tue Jul 13 06:04:59 PDT 2004 Generic Patch-5.8-July 2004
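An added example, not from the thread: a small Python parser for the BIND 8 query.log line format shown in the question, which splits each entry into timestamp, client, name, type and class and turns an in-addr.arpa PTR name back into the address being looked up. The sample log reuses the two entries from the question plus a constructed third line; the function names are this example's own.

```python
import re

# Constructed sample in the BIND 8 query.log format from the question above
# (the first two lines are the entries asked about, the rest are made up).
SAMPLE_LOG = """\
15-Jul-2014 16:24:27.042 queries: XX /206.117.120.2/foothillfiretraining.org/SOA/IN
15-Jul-2014 16:24:34.100 queries: XX /206.117.120.84/129.118.117.206.in-addr.arpa/PTR/IN
15-Jul-2014 16:25:01.500 queries: XX /192.0.2.7/www.foothillfiretraining.org/A/IN
this line is not a query log entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: "
    r"(?P<marker>XX\+?) /(?P<client>[^/\s]+)/(?P<qname>[^/\s]+)/"
    r"(?P<qtype>[^/\s]+)/(?P<qclass>[^/\s]+)$"
)


def ptr_name_to_ipv4(qname):
    """Turn 129.118.117.206.in-addr.arpa back into 206.117.118.129.
    Returns None for anything that is not a complete IPv4 reverse name."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    octets = labels[:4][::-1]
    if not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(octets)


def parse_query_log(text):
    """Parse query.log lines into dicts; lines in another format are skipped
    rather than guessed at. The 'XX' marker is captured, not interpreted."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["reverse_of"] = ptr_name_to_ipv4(e["qname"]) if e["qtype"] == "PTR" else None
        entries.append(e)
    return entries


def describe(e):
    """One-line human reading of an entry, which is what the question asks for."""
    who = f"{e['ts']}: client {e['client']}"
    if e["qtype"] == "PTR" and e["reverse_of"]:
        return f"{who} asked which hostname belongs to {e['reverse_of']} (PTR)"
    if e["qtype"] == "SOA":
        return f"{who} asked for the SOA of {e['qname']} (who is authoritative, zone serial)"
    return f"{who} asked for {e['qtype']} records of {e['qname']}"


def sample_entries():
    return parse_query_log(SAMPLE_LOG)
```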
Re: Update from 9.2.1 to 9.8.2 rc1
On 09/03/2013 10:18 AM, Mark Andrews wrote:

> In message blu172-w413284a8b9811729dbc1d6d3...@phx.gbl, Fábio Gomes writes:
>
>> Hi,
>>
>> We are in a process to upgrade a really old server running an old Linux distro with Bind 9.2.1. The new server will be a Red Hat EL 6.4 which comes with Bind 9.8.2.
>
> BIND 9.8.2 is also well out of date.

That may be, but RHEL frequently ships with old versions that are patched for security.

--
Ryan Novosielski - Sr. Systems Programmer
Re: Reverse Records on a leash?
No -- and it's not BIND, it's the DNS spec. Reverse entries are in the .in-addr.arpa domain, not your domain name.

- Original Message -
From: Eduardo Bonsi [mailto:beart...@pacbell.net]
Sent: Saturday, August 10, 2013 01:26 PM
To: bind-users@lists.isc.org
Subject: Re: Reverse Records on a leash?

> On 8/10/13 3:37 AM, Matus UHLAR - fantomas wrote:
>
>> On 09.08.13 17:44, Eduardo Bonsi wrote:
>>
>>> I would like to know why we are treated like a dog on a leash when the question is to reverse our DNS IP address to a FQDN of our choice, since our account is already assigned to us by our ISP?
>>
>> i don't understand your question.
>
> Sorry Matus, I thought it was clear!
>
>>> 000.000.000.000.in-addr.arpa. 7200 IN PTR yourdomain.com.
>>> yourdomain.com. IN A 000.000.000.000
>>
>> however, reverse DNS records must not be zero-filled (those won't be taken into account)
>
> I put zeros just as an example. It can be 111.111.111.111 where 1 = (any ipv4 number) or 000.000.000.000. where 0 is (any ipv4 number).
>
>>> Is there a way to get around that without having to ask our ISP to reverse it? Can we use CNAMES for that?
>>
>> I'm afraid but it's your ISP who must set up reverse records or delegate them to you. Unless you have IP range allocated from regional internet registry.
>
> Yes, I know that and this is my problem! Why should we be subjected to the ISP for reverse when we already have a static IP and are paying for the internet account, that by the way is not cheap or catered to small business?
>
> Can we just CNAME whatever reverse they have there, like:
>
> 000.000.000.000.someISP.net. IN CNAME mydomain.com.
>
> Does that cause a technical issue according to BIND? I thought I read somewhere you cannot CNAME under certain rules. Is this one of them?
>
> One of the major problems here is that ISPs are not happy to make all that money on their subscribers, they also want to exploit that part and charge you for it. ... and please, do not tell me that is to keep the spammers out because that so far has not proven to be true.
>
> The bad guys have an unlimited number of domains to do their dirty work every day.
>
> --
> Eduardo Bonsi
> System - Network Admin
> beart...@pacbell.net
Re: Reverse address entries
On 07/12/2013 11:23 AM, Sam Wilson wrote:

> In article mailman.736.1372773195.20661.bind-us...@lists.isc.org, Steven Carr sjc...@gmail.com wrote:
>
>> On 2 July 2013 14:42, Sam Wilson sam.wil...@ed.ac.uk wrote:
>>
>>> Can anyone here give examples of the types of various software that will not operate without a PTR record?
>>
>> There have already been numerous listings of software that require reverse lookups. SMTP being the main one. Other services like IRC and some databases (Oracle/MySQL) can also be configured to require properly working reverse lookups.
>
> "... can also be configured ..." - see below.
>
>>> I agree that if PTR records exist then they should match an A record. My experience (and IIRC correctly the word of several RFCs) is that PTRs are not required for most things to work.
>>
>> RFC1912 [http://tools.ietf.org/html/rfc1912] section 2.1...
>>
>>     Every Internet-reachable host should have a name... Make sure your PTR and A records match. For every IP address, there should be a matching PTR record in the in-addr.arpa domain. If a host is multi-homed, (more than one IP address) make sure that all IP addresses have a corresponding PTR record (not just the first one). Failure to have matching PTR and A records can cause loss of Internet services similar to not being registered in the DNS at all. Also, PTR records must point back to a valid A record, not a alias defined by a CNAME.
>
> Sorry for the delay in returning to this. RFC 1912 says:
>
>     Status of this Memo
>
>     This memo provides information for the Internet community. This memo does not specify an Internet standard of any kind.
>
> ... To make myself clear, I'm a big fan of correct PTR records and we try to make sure that our reverse DNS is fully populated. I do not regard lack of a valid PTR record to be a reason to refuse connection except, perhaps, in very particular circumstances, for instance where it might be part of a trust stance. That would be by agreement between consenting adults, not the law of Internetland in general.

Came across another instance where it may matter: TCP Wrappers. Although the case there was a bit more peculiar -- rr.net does not appear to have FORWARD DNS for at least some of its dynamic address space. So you can get a PTR, and then address validation fails on the forward address. I guess perhaps if you had no PTR it would never go that far.

--
Ryan Novosielski - Sr. Systems Programmer
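An added example, not from the thread: the forward-confirmed reverse DNS check that TCP Wrappers and mail servers perform, written in Python against constructed records so it runs offline. It distinguishes the cases discussed above: PTR and A agree, no PTR at all, a PTR whose name has no forward record (the rr.net case), a PTR that points at a CNAME (which RFC 1912 forbids), and a forward record that names a different address; comparisons are case-insensitive, as DNS names are. The record tables, 192.0.2.0/24 addresses and function names are this example's own.

```python
import ipaddress

# Constructed records standing in for live DNS (no network is used). The names
# and 192.0.2.0/24 addresses are documentation values, not real hosts.
PTR_RECORDS = {
    "10.2.0.192.in-addr.arpa.": ["Mail.Example.Test."],        # forward matches
    "20.2.0.192.in-addr.arpa.": ["dyn-20.isp.example.test."],  # PTR, no forward (the rr.net case)
    "30.2.0.192.in-addr.arpa.": ["alias.example.test."],       # PTR points at a CNAME
    "40.2.0.192.in-addr.arpa.": ["web.example.test."],         # forward names another address
}
A_RECORDS = {
    "mail.example.test.": ["192.0.2.10"],
    "web.example.test.": ["192.0.2.30"],
}
CNAME_RECORDS = {
    "alias.example.test.": "web.example.test.",
}


def reverse_name(ip):
    """in-addr.arpa (or ip6.arpa) owner name for an address, lower-case, absolute."""
    return ipaddress.ip_address(ip).reverse_pointer.lower() + "."


def fcrdns_check(ip, ptr=PTR_RECORDS, a=A_RECORDS, cname=CNAME_RECORDS):
    """Forward-confirmed reverse DNS: look up the PTR, then check that the
    named host has an A record containing the original address.
    Returns (status, hostname) with status one of:
      ok, no-ptr, no-forward, mismatch, ptr-to-cname."""
    hosts = ptr.get(reverse_name(ip), [])
    if not hosts:
        return "no-ptr", None
    worst = None
    for host in hosts:
        h = host.lower()  # DNS names compare case-insensitively
        if h in cname:
            # RFC 1912 section 2.1: a PTR must point at an A record, not a CNAME.
            return "ptr-to-cname", host
        addrs = a.get(h, [])
        if not addrs:
            worst = worst or ("no-forward", host)
            continue
        if ip in addrs:
            return "ok", host
        worst = worst or ("mismatch", host)
    return worst


def classify_for_log(ip):
    """Label for a connection log line. A missing or unconfirmed PTR is
    recorded but is not by itself treated as a reason to refuse, which is
    the stance taken in the thread above."""
    status, host = fcrdns_check(ip)
    if status == "ok":
        return f"{ip} -> {host}"
    return f"{ip} -> unverified ({status}{': ' + host if host else ''})"
```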
Re: Reverse address entries
On 07/03/2013 04:39 AM, Matus UHLAR - fantomas wrote:

> On 02.07.13 08:53, Daniel McDonald wrote:
>
>> I've had trouble with OSI-Soft PI historian without reverse entries. If there is no reverse, then the PI software would spend about 30 seconds looking in vain for a DNS answer before sending a SYN-ACK packet.
>
> If there is no reverse, the software should get NXDOMAIN answer. in such case there's nothing to wait for any longer. Are you sure that was not a case of unreachable servers?

Something I just stumbled over today (funny that it was during this topic) is that there is a Cisco ASA issue that makes reverse queries against anything but in-addr.arpa fail with a timeout. Unfortunately, some things check IN-ADDR.ARPA (why on earth?) and the lack of that entry is apparently causing mail delivery problems.

--
Ryan Novosielski - Sr. Systems Programmer
Re: Reverse address entries
On 07/03/2013 11:33 PM, Doug Barton wrote:

> On 07/03/2013 07:52 PM, Novosielski, Ryan wrote:
>
>> On 07/03/2013 04:39 AM, Matus UHLAR - fantomas wrote:
>>
>>> On 02.07.13 08:53, Daniel McDonald wrote:
>>>
>>>> I've had trouble with OSI-Soft PI historian without reverse entries. If there is no reverse, then the PI software would spend about 30 seconds looking in vain for a DNS answer before sending a SYN-ACK packet.
>>>
>>> If there is no reverse, the software should get NXDOMAIN answer. in such case there's nothing to wait for any longer. Are you sure that was not a case of unreachable servers?
>>
>> Something I just stumbled over today (funny that it was during this topic) is that there is a Cisco ASA issue that makes reverse queries against anything but in-addr.arpa fail with a timeout. Unfortunately, some things check IN-ADDR.ARPA (why on earth?) and the lack of that entry is apparently causing mail delivery problems.
>
> It's not clear what distinction you're making. DNS should not be case sensitive, or is that what you're saying the problem is?

Sorry I wasn't that clear -- the issue that we're having is that the reverse DNS is not available. The reason happens to be case sensitivity and a problem with the Cisco firewall we're using -- not a choice not to include those entries -- but in any case, it is an example of what can happen when your reverse entries are not properly configured.

--
Ryan Novosielski - Sr. Systems Programmer
Re: Reverse address entries
On 07/02/2013 12:36 PM, John Horne wrote:

> On Tue, 2013-07-02 at 14:42 +0100, Sam Wilson wrote:
>
>> Can anyone here give examples of the types of various software that will not operate without a PTR record?
>
> Nope, and our entire reverse zone was externally inaccessible for many months! (See previous posts on the bind9-users list from me about the problem.) As far as we could tell no services blocked us because of a failed reverse lookup. In fact it was one of the reasons we didn't immediately spot the problem. We were alerted to the problem because we got long delays (around 20 seconds) when accessing a site doing a reverse lookup. That service then, no doubt the same as with SMTP, then proceeded but without the reverse lookup answer.

In general, I wouldn't consider a 20 second delay an acceptable compromise though.

--
Ryan Novosielski - Sr. Systems Programmer
Re: Reverse address entries
The short answer is some software once cared. Does it still now, I'm not sure. But we do it.

On 06/28/2013 01:56 PM, Ward, Mike S wrote:

> Hello all, is there any reason to set up reverse address entries for a zone? I have asked some of the admins here and the consensus from them is that only A records are necessary. Is this true?

--
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: This list's prefix
On 06/05/2013 03:47 PM, Elmar K. Bins wrote:

> war...@kumari.net (Warren Kumari) wrote:
>
>>> And the 100-dollar-question is: How do you remove them on outgoing mails? ;-)
>>
>> You don't -- that's part of the church's evangelism / outreach effort. ;) (Less flip answer: sorry, don't know if you can...)
>
> Just wondering, because your responses arrive without them.

My guess is that the personal e-mail directed at you in a reply-all situation will not have them and the e-mail sent via the list (if the list has them turned on) will whether you like it or not.

--
Ryan Novosielski - Sr. Systems Programmer
Re: any requests
Quite correct (sorry for the top post). I'm surprised, but glad to have learned something. The only difference in the cases I do is that they're MS DNS and the zones I normally use that trick for are forwarded.

- Original Message -
From: Barry Margolin [mailto:bar...@alum.mit.edu]
Sent: Tuesday, June 04, 2013 01:37 AM
To: comp-protocols-dns-b...@isc.org
Subject: Re: any requests

> In article mailman.424.1370323734.20661.bind-us...@lists.isc.org, Novosielski, Ryan novos...@umdnj.edu wrote:
>
>> If it were not already in the cache, I would not need to refresh the cache. Are you absolutely certain? If so, it is possible that this is a difference between BIND and AD DNS (I'm generally trying to refresh AD DNS caches), but I'm nearly certain I've used this to update a cached entry on a BIND-hosted domain.
>
> Try the following test: Pick a name that has both A and MX records, but isn't currently in cache.
>
> dig name a @server
> dig name any @server
>
> I have no idea what MS DNS does, but I'm pretty certain that if you direct this to the BIND server the second query will only return the A record, not the MX record.
>
> --
> Barry Margolin
> Arlington, MA
Re: any requests
Not in my experience -- in fact, I often do an ANY query to refresh the cache.

From: Chris Buxton [mailto:cli...@buxtonfamily.us]
Sent: Monday, June 03, 2013 08:47 PM
To: Leonard Mills l...@yahoo.com
Cc: bind-users@lists.isc.org
Subject: Re: any requests

> If you have mail relays acting this way, you'd better give them a dedicated DNS server to use for recursive lookups, because otherwise that's going to periodically fail. If a host has both an MX record and an A record, and if the A record is in cache, the ANY lookup will just get the A record, not the MX record. And that represents a failure of the SMTP protocol implementation.
>
> Chris Buxton
>
> On Jun 3, 2013, at 3:42 PM, Leonard Mills l...@yahoo.com wrote:
>
>> If some of your clients are SMTP relays, then ANY is the default lookup for an MX and is perfectly normal. Much better from the point of view of the mail servers to do one lookup instead of several.
>>
>> Len
>>
>> From: hugo hugoo hugo...@hotmail.com
>> To: Vernon Schryver v...@rhyolite.com; bind-users@lists.isc.org
>> Sent: Monday, June 3, 2013 12:26 PM
>> Subject: RE: any requests
>>
>>> Hello,
>>>
>>> Thanks for your answer. I see ANY queries from my clients (we do not use open resolvers). I do not see why these kind of queries are present. Moreover, the cache servers only answer with its cache content. Is this normal or must the cache query the authoritative server to fetch all the records?
>>>
>>> Hugo,
>>>
>>> Date: Sun, 2 Jun 2013 22:13:33 +
>>> From: v...@rhyolite.com
>>> To: bind-users@lists.isc.org
>>> Subject: Re: any requests
>>>
>>>> From: Matus UHLAR - fantomas uh...@fantomas.sk
>>>>
>>>>> On 02.06.13 20:28, hugo hugoo wrote:
>>>>>
>>>>>> I plan to block these kind of requests on the dns cache servers in order to avoid any amplification attack.
>>>>>
>>>>> hard to say, but as I stated before: don't do that. Instead, use RRL to mitigate many kinds of amplification attacks instead of only those using ANY. See http://www.redbarn.org/dns/ratelimits
>>>>
>>>> Blocking DNS ANY requests is to DNS amplification DoS mitigation as blocking SMTP envelope Mail_From values of <> is to spam filtering. In early spam days, people who either knew far less than they pretended or had special agendas prescribed blocking the <> sender as almost the FUSSP, and never mind RFCs that require accepting mail from <>, the value of mail from <>, and the vast floods of spam that don't and never did involve the <> sender.
>>>>
>>>> Blocking DNS ANY or SMTP <> fit the old saying by H. L. Mencken: For every complex problem there is an answer that is clear, simple, and wrong.
>>>>
>>>> Vernon Schryver v...@rhyolite.com
Re: any requests
If it were not already in the cache, I would not need to refresh the cache. Are you absolutely certain? If so, it is possible that this is a difference between BIND and AD DNS (I'm generally trying to refresh AD DNS caches), but I'm nearly certain I've used this to update a cached entry on a BIND-hosted domain.

- Original Message -
From: Barry Margolin [mailto:bar...@alum.mit.edu]
Sent: Tuesday, June 04, 2013 01:01 AM
To: comp-protocols-dns-b...@isc.org
Subject: Re: any requests

> In article mailman.422.1370315514.20661.bind-us...@lists.isc.org, Novosielski, Ryan novos...@umdnj.edu wrote:
>
>> Not in my experience -- in fact, I often do an ANY query to refresh the cache.
>
> That will work if the name is not currently in the cache -- the caching server will query the auth server, and get everything from there. But if it already has the name in cache, the ANY query will just return it, not force a recursion.
>
> --
> Barry Margolin
> Arlington, MA
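An added model, not BIND's code and not from the thread, of the cache behaviour Barry describes in the "any requests" exchange above: once an A lookup has populated the cache, an ANY query for the same name is answered from the cached RRsets alone and does not go back to the authoritative server, so it returns only the A record (not the MX) and cannot be used to refresh a partially cached name. The authoritative data, the CachingResolver class and barry_test are constructed for this example; real resolvers differ in details.

```python
# Constructed authoritative data for one name (documentation values, not real).
AUTH = {
    ("mail.example.test.", "A"):  (300, ["192.0.2.10"]),
    ("mail.example.test.", "MX"): (300, ["10 mail.example.test."]),
}


class CachingResolver:
    """Minimal model of a recursive cache: one RRset per (name, type), each
    with its own expiry. Written to reproduce the behaviour described in the
    thread; it is not BIND's implementation."""

    def __init__(self, auth, clock):
        self.auth = auth
        self.clock = clock            # callable returning "now" in seconds
        self.cache = {}               # (name, type) -> (expires_at, rdata)
        self.upstream_queries = 0     # how often we went to the auth server

    def _cached(self, name, rrtype):
        hit = self.cache.get((name, rrtype))
        if hit and hit[0] > self.clock():
            return hit[1]
        return None

    def _fetch(self, name, qtype):
        """Ask the authoritative server; cache every RRset it hands back."""
        self.upstream_queries += 1
        now = self.clock()
        answer = {}
        for (n, t), (ttl, rdata) in self.auth.items():
            if n == name and (qtype == "ANY" or t == qtype):
                self.cache[(n, t)] = (now + ttl, rdata)
                answer[t] = rdata
        return answer

    def query(self, name, qtype):
        if qtype != "ANY":
            hit = self._cached(name, qtype)
            return {qtype: hit} if hit is not None else self._fetch(name, qtype)
        # ANY: answer from whatever RRsets are already cached for the name and
        # only go upstream when nothing at all is cached. This is why ANY does
        # not "refresh" a name that is partially cached.
        cached = {t: self._cached(n, t) for (n, t) in list(self.cache) if n == name}
        cached = {t: r for t, r in cached.items() if r is not None}
        return cached if cached else self._fetch(name, "ANY")


def barry_test(name="mail.example.test."):
    """Run the two-dig test from the thread against the model and report the
    RR types each query returned plus the upstream query count."""
    now = [1000.0]
    r = CachingResolver(AUTH, lambda: now[0])
    first = sorted(r.query(name, "A"))         # dig name a @server
    second = sorted(r.query(name, "ANY"))      # dig name any @server: A only
    after_two = r.upstream_queries             # still 1: ANY never went upstream
    now[0] += 301                              # let the cached A record expire
    expired = sorted(r.query(name, "ANY"))     # nothing cached now: full fetch
    return first, second, after_two, expired, r.upstream_queries
```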
Re: architecture question
I personally use localdomain. I'm not sure how safe it is, but I use it at home so it probably doesn't matter.

On 05/08/2013 01:47 PM, Steven Carr wrote:

> You could ask your institution for a subdomain to be reserved from their domain?
>
> .lan isn't AFAIK reserved for anything or in the process of being considered by ICANN. .test is reserved and will never be advertised on the internet (as are .example, .invalid and .localhost)
>
> On 8 May 2013 18:33, Jeremy P jpcra...@gmail.com wrote:
>
>> I understand letter of the law, spirit of the law and playing it safe to avoid headaches. However, there are times where registering a real domain just isn't practical. For example, I'm not going to ask all of the students in my courses to go out and register a .com for the semester. It would be a waste of money as their systems never leave the local network, except through a NAT connection. So in those types of instances, I'm assuming .lan or .test are safest?
>>
>> On Wed, May 8, 2013 at 11:20 AM, Steven Carr sjc...@gmail.com wrote:
>>
>>> On 8 May 2013 18:09, wbr...@e1b.org wrote:
>>>
>>>> This just came up with a site I support. Thanks to this list and the DNS-OARC list, I know better. Hopefully, I can redirect them to use something below their real domain for Active Directory such as ad.example.org.
>>>
>>> FWIW: MS now advises not to use .local for internal AD anymore. They suggest you use your owned/registered namespace to prevent domain collisions.
>>>
>>> http://support.microsoft.com/kb/909264
>>>
>>> "Generally, we recommend that you register DNS names for internal and external namespaces with an Internet registrar... Registering your DNS name with an Internet registrar may help prevent a name collision."

--
Ryan Novosielski - Sr. Systems Programmer
Re: Mailing list reply-to setting
On 05/08/2013 01:28 PM, wbr...@e1b.org wrote:

>> From: Steven Carr sjc...@gmail.com
>>
>> Any chance someone can correct the settings on this mailing list to reply to the list by default instead of the user posting the message?
>
> Why, Are the settings wrong?
>
> I have used and later run lists for years, and supported Listserv(tm) servers for others for most of those years. There is no right or wrong for the reply settings. It's really a personal preference of the list owner as to how replies should be handled. If the message should go back to the list, use reply all. That's supported by all the major mail clients.
>
> Subject tagging is another preference item - no right or wrong. I have my mail client filter on the sender moving list traffic into the appropriate folder. Works just as well as filtering on the tag.

My personal preference is to have subject tagging, and I know of no other list where it's not on.

Reply-To: my understanding is that the way this list is set up is the correct way to have the list set up. There are reply-to-list options in most decent mail clients that can handle this.

--
Ryan Novosielski - Sr. Systems Programmer
Re: Simple question about zone and CNAME
On 04/08/2013 09:47 AM, Sam Wilson wrote:
> In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
> > Sam Wilson sam.wil...@ed.ac.uk wrote:
> > > [adding an A record for ed.ac.uk.]
> >
> > If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
>
> Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)

Someone can correct me if I'm wrong, but I think they'd be right if and only if the webserver they're adding the A record for happens to also be the AD server.
Re: Simple question about zone and CNAME
On 04/08/2013 10:16 AM, Phil Mayers wrote:
> On 08/04/13 14:46, Sam Wilson wrote:
> > In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil Mayers p.may...@imperial.ac.uk wrote:
> > > Sam Wilson sam.wil...@ed.ac.uk wrote:
> > > > [adding an A record for ed.ac.uk.]
> > >
> > > If your AD realm is also called ed.ac.uk then adding an A record will definitely affect things.
> >
> > Which is exactly the opposite of what our AD guys said, but not with such great conviction. :-)
>
> Off the top of my head, the two most recent issues we've had:
>
> 1. If you don't have a domain controller A record at your AD realm name, you'll experience sporadic timeouts and slowness if you ever want to roll out DFS, particularly if your domain members include non-Microsoft clients such as Macs.
>
> 2. If you put something else at that place, you'll see SMB connection attempts and, if they fail but port 80 is open, you'll see Windows trying to do WebDAV requests (!) to it.
>
> Both these and other issues make me wish we'd chosen a sub-domain for our AD realm when we migrated from NT4. But we had no way of knowing at the time :o(

It would seem to me there is some other way around this, either by redirecting traffic to the AD servers or some careful combination of local host names or something else. In our case, the domain itself has barely any activity (and no client activity) and we can just lie to the AD servers and use them as the bare domain name.
Re: Simple question about zone and CNAME
On 04/05/2013 04:12 PM, Dave Warren wrote:
> On 2013-04-05 12:18, Sam Wilson wrote:
> > We're currently prevaricating over putting in an A record for ed.ac.uk. Whilst my colleagues who manage active directory assure me that having an A record there - pointing at the content-managed web server that has difficulty handling arbitrary URLs - won't break anything, I'm not going to try it except under very controlled conditions and after I've spoken to a lot of other people who do it already.
>
> Is ed.ac.uk your Active Directory root as well? If so, my experience is that pointing it at anything but domain controllers will eventually lead you to issues. It's not to say that this is totally forbidden, but there is (was?) a Microsoft best practices document suggesting avoiding this configuration entirely when possible, although there were ways to mitigate most of the negative side effects.
>
> Obviously if you can run a split DNS environment this is less of a factor.

It is funny you should mention that... my questions about using views to create a situation where one single record is different happen to be exactly for this reason. The Active Directory administrators were saying that not having umdnj.edu point to an Active Directory server was bothering the AD servers in some fashion. The solution we're going to test is telling the AD servers that umdnj.edu are them, but telling everyone else on the planet that it's www. We think this will do it, but haven't tested yet.
Re: Simple question about zone and CNAME
On 04/06/2013 03:11 AM, Doug Barton wrote:
> On 04/05/2013 11:53 PM, Novosielski, Ryan wrote:
> > It is funny you should mention that... my questions about using views to create a situation where one single record is different happen to be exactly for this reason. The Active Directory administrators were saying that not having umdnj.edu point to an Active Directory server was bothering the AD servers in some fashion. The solution we're going to test is telling the AD servers that umdnj.edu are them, but telling everyone else on the planet that it's www. We think this will do it, but haven't tested yet.
>
> Much better to put the AD stuff in its own subdomain, like ad.umdnj.edu. AD DNS is only really happy when it runs the whole show for its home domain. It's possible to do otherwise, but really painful and fragile.

Yeah, it pretty much is in our case. There's just a small amount of stuff in the root domain for whatever reason and the A record thing is causing some minor issues that they'd prefer would not occur. I don't really know the specifics -- something with group policies.
Re: Can two views be layered?
On 03/15/2013 07:11 PM, Joseph S D Yao wrote:
> On Fri, Mar 15, 2013 at 06:56:57PM -0400, Novosielski, Ryan wrote:
> > Hi all. Running BIND 9.6 I believe it is. Not important what version, as if there is a version that can do this and I'm not running it, I can go there.
> >
> > Is it possible to have a view that is in essence a list of exceptions to the main zone? e.g. the example.com domain exists, so does www.example.com, but for a small subset of machines I need it to resolve to a different address -- every other address should come from the main zone.
>
> It is not possible to have views layered as you describe. However, try this:
>
> file zonename.shared with all shared records.
>
> file zone.zonename.for-the-many with the records for the many.
> $INCLUDE zonename.shared
>
> file zone.zonename.for-the-few with the records for the few.
> $INCLUDE zonename.shared
>
> ... SNIP ...

One followup question to this: are there any limits to how the SOA section is handled in this case? Can the SOA record be in the $INCLUDE'd file, or does it have to be in the defined zone files (which then would mean maintaining, I guess, two serial numbers)? I was originally thinking that in that case, whenever changes are made to the zonename.shared file, all that really needed to be updated was the for-the-many zone, but I believe then the for-the-few machines would begin to see an increasingly out of date version of the shared file.
Re: Can two views be layered?
On 04/06/2013 01:05 AM, Joseph S D Yao wrote:
> On Fri, Apr 05, 2013 at 04:24:24PM -0400, Novosielski, Ryan wrote:
> > ...
> > One followup question to this: are there any limits to how the SOA section is handled in this case? Can the SOA record be in the $INCLUDE'd file, or does it have to be in the defined zone files (which then would mean maintaining, I guess, two serial numbers)? I was originally thinking that in that case, whenever changes are made to the zonename.shared file, all that really needed to be updated was the for-the-many zone, but I believe then the for-the-few machines would begin to see an increasingly out of date version of the shared file.
>
> The bit stream that the computer sees is just what you would see if you removed the $INCLUDE line and stuck all the bytes from the $INCLUDE'd file there instead. You can't tell what was $INCLUDE'd and what was not. Every other line might have been $INCLUDE'd from a different file, if you wanted to be a bit crazy, and the computer would never care.

So I messed around with this a little before your reply and realized that almost immediately. So I did things a little differently...

> BUT you may ONLY have one SOA record per zone. That's not a per-file thing, that's a per-zone thing. Use RCS archiving and $Version:$ strings in comments [or TXT records] if you want to keep track of file version numbers. Or something more recent, if you want.

Yeah, that I know... but where to place them to me seems less written in stone...

> Just as a logistical thing, the SOA record should be in the zone file that $INCLUDEs the rest of the information, and no SOA record in the latter.

Is there any reason that that necessarily should be so?

What I did was create two views of the zone, let's call them few and many like you did. Those views both contain example.com, with zone files db.example.com-few and db.example.com-many. Instead of what you suggested, I flipped the order in the contents of the two files (honestly, I'm not even certain that was necessary). So for example, db.example.com-many:

$INCLUDE db.example.com
@ IN A 192.168.50.50

...where db.example.com is basically the same zone file I've used for example.com all along, just with the A record for the domain removed.

> Which means, I should have added, that any time you update the $INCLUDEd file, you must update the serial numbers in the zone files doing the $INCLUDEs. That's a small disadvantage of this method - but one which good discipline should overcome.

Yeah, this is what caused me to ask the question and, frankly, sounded annoying, mainly because I was now maintaining three files to edit just one DNS record, and the other two files contain a record that will probably not change once in the next 5 years.

So is there anything wrong with doing it the way I've tried? It appears to work just fine.
Re: Suspecious DNS traffic
Niall already answered you the other day (brackets mine):

> The reply to such a query [from your server] originates from port 53 on the remote server, and is destined for the port on your server which was used as the source of the query[, which will be a randomly chosen port above 1024 if you are doing things the way they are usually done].

On 03/26/2013 02:44 PM, babu dheen wrote:
> Dear Brown,
>
> I am using a stateful firewall from a leading vendor company. So let me know why my server still initiates connections to the remote DNS server on a non-standard destination port?
>
> Regards
> Babu
>
> *From:* wbr...@e1b.org wbr...@e1b.org
> *To:* babu dheen babudh...@yahoo.co.in
> *Cc:* bind-users@lists.isc.org bind-users@lists.isc.org
> *Sent:* Monday, 25 March 2013 7:48 PM
> *Subject:* Re: Suspecious DNS traffic
>
> babu dheen wrote on 03/25/2013 12:21:30 PM:
> > Still not convinced because if i need to allow 1024 port from our DNS server to external world (internet).. where is the security?
>
> Total security requires total isolation. It is a matter of accepting some risks to perform the needed task.
>
> > I believe we just need to allow TCP and UDP 53 from our DNS server to internet (any) which is already done. Not sure why we have to open non standard port from our DNS server to internet? Kindly provide some details.
>
> You send request via UDP from random high port to an authoritative server. Answer is too large to fit in UDP packet, so it responds via TCP to the source port of the request (random high port from above). If you block that TCP connection, you cannot receive answer to your query.
>
> Another reason for TCP replies is DNS Response Rate Limiting (RRL).
>
> Some modern stateful firewalls understand DNS and if there is a UDP packet sent to port 53, it will accept TCP connections back from the destination address on port 53 to the source address/port.
Re: Suspecious DNS traffic
It sounds like exactly the reverse of what Niall described in his other e-mail (brackets mine):

> The reply to such a query originates from port 53 on the remote server [in this case, your server], and is destined for the port on your server [in this case, the remote server] which was used as the source of the query [which will, again, almost certainly be a random port above 1024, but the same port the request just came in from to your port 53].

Why your firewall is confused about this is anyone's guess. I'd check with them.

On 03/26/2013 02:50 PM, babu dheen wrote:
> Dear Vernon,
>
> Thanks for your wonderful and detailed reply. I read the update given by you as below.
>
> > Many stateful firewalls can also record the source and destination IP addresses and port numbers of outgoing UDP packets and allow subsequent incoming UDP packets with source and destination reversed. This has nothing to do with TCP.
>
> I am using a stateful firewall and still why my BIND DNS server connection initiated using source port 53 to remote DNS server on non standard destination port is getting blocked? Not sure why my DNS server is initiating the connection to remote DNS server on non standard destination port?
>
> Regards
> Babu
>
> *From:* Vernon Schryver v...@rhyolite.com
> *To:* bind-users@lists.isc.org
> *Sent:* Monday, 25 March 2013 8:40 PM
> *Subject:* Re: Suspecious DNS traffic
>
> > Still not convinced because if i need to allow 1024 port from our DNS server to external world (internet).. where is the security?
>
> Every UDP and TCP packet has two port numbers, the source port and the destination port. When a resolver sends a request to a distant DNS authority, it sends to destination port 53 with a random local source port number. When the distant resolver responds, it will send a UDP packet with source port 53 and with destination port equal to the source port number in the request. If you block all packets from port 53 to local ports other than 53, then you will block all responses to your resolver's requests.
>
> Some DNS resolver software in ancient days sent requests to distant authorities with source port 53, so that both the source and destination port numbers in DNS/UDP packets were 53. There are many reasons why that was a bad idea. For one modern reason, see https://www.google.com/search?q=cache+poisoning+attack and https://www.google.com/search?q=dns+source+port+randomization
>
> Contrary to claims in this thread, that source port need not be greater than 1024 except on some operating systems. The notion of privileged ports smaller than 1024 is an ancient BSDism that many consider a mistake. However, the source ports in DNS/UDP requests (as well as DNS/TCP) are likely to be restricted to parts of the complete [1,65535] range of port numbers, but those partial ranges depend on the operating system, operating system configuration, DNS resolver software, and the resolver's configuration. For TCP and stub DNS resolvers, see https://www.google.com/search?q=ephemeral+port For DNS/UDP and BIND as a resolver, see the BIND Administrators Reference Manual (ARM) including the query-source, use-v4-udp-ports, use-v6-udp-ports, avoid-v4-udp-ports, and avoid-v6-udp-ports options.
>
> > You send request via UDP from random high port to an authoritative server. Answer is too large to fit in UDP packet, so it responds via TCP to the source port of the request (random high port from above). If you block that TCP connection, you cannot receive answer to your query.
>
> No, a distant DNS authority certainly does not respond via TCP after a UDP response fails to fit in a DNS/UDP packet. Instead, the distant authority responds with a DNS/UDP packet with the TC or truncated error bit. A resolver will react to TC bits or truncation errors by making the same request with TCP unless it has already received the required data from some other DNS authority. This can happen after the local resolver has tired of waiting for an answer from one authority and sent the request to some other authority.
>
> Making a request via TCP consists of sending a TCP segment (or packet) with SYN bit set to port 53 at the distant authority and with yet another random source port number. The distant authority will respond with a TCP segment with both the SYN and ACK bits set. The local resolver will respond with another TCP segment with both the SYN and ACK bits set. This is the famous 3-way handshake that establishes a TCP connection. Only after the TCP connection is established does the local resolver send the DNS request through the TCP connection.
>
> > Another reason for TCP replies is DNS Response Rate Limiting (RRL).
>
> Not exactly.
>
> > Some modern stateful firewalls understand DNS and if there is a UDP packet sent to port 53, it will accept TCP connections back from the destination address on port 53 to the source address/port.
>
> That is
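The port behaviour argued over in this thread, as an added example that is not part of anyone's post: a minimal model of a stateful firewall's connection table plus the DNS header's TC bit, walking through a lookup whose UDP answer comes back truncated and is retried over TCP. The addresses, ports and packets are constructed for illustration; the point is that the reply must be admitted to the resolver's ephemeral port, that the resolver (not the authority) opens the TCP connection, and that no special treatment of port 53 is needed for this to work.

```python
"""Added example (not from the bind-users thread): why a stateful firewall
must admit DNS replies to the resolver's ephemeral port, and how a
truncated (TC=1) UDP answer leads to a fresh TCP connection to port 53.

All addresses, ports and packets below are constructed for illustration.
"""
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000  # 1 = this message is a response
TC = 0x0200  # 1 = message was truncated; the resolver should retry over TCP
RD = 0x0100  # recursion desired


def build_header(msg_id, flags, qdcount=1, ancount=0):
    """Pack a 12-byte DNS header (ID, flags, QD/AN/NS/AR counts)."""
    return struct.pack("!HHHHHH", msg_id, flags, qdcount, ancount, 0, 0)


def parse_flags(header):
    """Return the header fields a resolver looks at when deciding what to do next."""
    msg_id, flags = struct.unpack("!HH", header[:4])
    return {
        "id": msg_id,
        "response": bool(flags & QR),
        "truncated": bool(flags & TC),
        "rcode": flags & 0x000F,
    }


class StatefulFirewall:
    """Minimal model of the state table a stateful firewall keeps.

    Every outbound packet records its 5-tuple; an inbound packet is accepted
    only if it matches a recorded tuple with source and destination swapped.
    Nothing here cares whether a port number is 53 or above 1024.
    """

    def __init__(self):
        self.table = set()

    def outbound(self, proto, src, sport, dst, dport):
        self.table.add((proto, src, sport, dst, dport))
        return True

    def inbound(self, proto, src, sport, dst, dport):
        return (proto, dst, dport, src, sport) in self.table


def resolver_flow(fw, resolver_ip="192.0.2.10", auth_ip="198.51.100.53",
                  udp_sport=41523, tcp_sport=41524):
    """Walk a lookup that gets a truncated UDP reply and falls back to TCP.

    Returns a list of (step, allowed) pairs describing each packet's fate.
    """
    log = []
    # 1. UDP query: random ephemeral source port -> authority's port 53.
    log.append(("udp query", fw.outbound("udp", resolver_ip, udp_sport, auth_ip, 53)))
    # 2. UDP reply: from port 53 back to the *ephemeral* port. A rule that
    #    blocks "port 53 -> anything other than 53" would drop every answer.
    reply = build_header(0x1234, QR | RD | TC)  # constructed truncated answer
    log.append(("udp reply", fw.inbound("udp", auth_ip, 53, resolver_ip, udp_sport)))
    # 3. TC=1, so the resolver repeats the query over TCP from *another*
    #    ephemeral port. The authority never opens a connection towards us;
    #    its SYN-ACK is admitted because it reverses our SYN's tuple.
    if parse_flags(reply)["truncated"]:
        log.append(("tcp syn", fw.outbound("tcp", resolver_ip, tcp_sport, auth_ip, 53)))
        log.append(("tcp syn-ack", fw.inbound("tcp", auth_ip, 53, resolver_ip, tcp_sport)))
    # 4. An unsolicited inbound packet has no matching entry and is dropped.
    log.append(("unsolicited", fw.inbound("udp", auth_ip, 53, resolver_ip, 40000)))
    return log


if __name__ == "__main__":
    for step, ok in resolver_flow(StatefulFirewall()):
        print(f"{step:12s} {'allowed' if ok else 'dropped'}")
```

Run as a script it prints one line per packet; the only dropped packet is the unsolicited one, which is what a correctly configured stateful firewall should do without any DNS-specific rules.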
Re: Having trouble setting up BIND 9.9.2-P2 on Win XP PRO SP3, won't start
I have no idea how things work on Windows, but I doubt directory is optional.

- Original Message -
From: Joanne Homier [mailto:joanne.hom...@gmail.com]
Sent: Tuesday, March 26, 2013 11:30 PM
To: bind-users@lists.isc.org
Subject: Having trouble setting up BIND 9.9.2-P2 on Win XP PRO SP3, won't start

I installed bind using the default settings in the installer. I successfully generated a rndc.key file. I needed to populate the etc folder, so I downloaded the Ubuntu version of bind and extracted the contents of /etc and put them in the Windows version of etc. I went through the files one by one and replaced Linux paths with Windows paths. So bind starts then immediately quits. The error report is below. I have included my config files.

I am using bind only as a recursive resolver as my ISP DNS servers are super slow and they do DNS hijacking. I don't want to use any other DNS server other than the one running on my machine. I want to run my own DNS server for fun. So what could be wrong, what did I miss?

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7022
Date: 3/26/2013
Time: 5:30:16 PM
User: N/A
Computer: MOM
Description: The ISC BIND service hung on starting.

named.conf:

include "C:\WINDOWS\system32\dns\etc\named.conf.options";
include "C:\WINDOWS\system32\dns\etc\named.conf.local";
include "C:\WINDOWS\system32\dns\etc\named.conf.default-zones";

named.conf.options: Note that I commented out the /var/cache because I thought we don't need that on Windows, or am I wrong?

//
options {
        //directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

named.conf.default-zones:

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "C:\WINDOWS\system32\dns\etc\db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "C:\WINDOWS\system32\dns\etc\db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "C:\WINDOWS\system32\dns\etc\db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "C:\WINDOWS\system32\dns\etc\db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "C:\WINDOWS\system32\dns\etc\db.255";
};

--
http://namiwalks.nami.org/joannehomier
Can two views be layered?
Hi all. Running BIND 9.6 I believe it is. Not important what version, as if there is a version that can do this and I'm not running it, I can go there.

Is it possible to have a view that is in essence a list of exceptions to the main zone? e.g. the example.com domain exists, so does www.example.com, but for a small subset of machines I need it to resolve to a different address -- every other address should come from the main zone.

I can think of a few ways this could have been implemented (allowing one to overlay a zone, having a duplicate zone with only that address that can then do some kind of include of the main zone, etc.) but I can't find the right search terms to figure out whether this is possible as is. My suspicion is not possible, but if you could point me in the right direction, I'd appreciate it.
Re: Can two views be layered?
Thanks! Wonderful -- asked and answered.

- Original Message -
From: Joseph S D Yao [mailto:j...@tux.org]
Sent: Friday, March 15, 2013 07:11 PM
To: Novosielski, Ryan
Cc: 'bind-users@lists.isc.org' bind-users@lists.isc.org
Subject: Re: Can two views be layered?

On Fri, Mar 15, 2013 at 06:56:57PM -0400, Novosielski, Ryan wrote:
> Hi all. Running BIND 9.6 I believe it is. Not important what version, as if there is a version that can do this and I'm not running it, I can go there.
>
> Is it possible to have a view that is in essence a list of exceptions to the main zone? e.g. the example.com domain exists, so does www.example.com, but for a small subset of machines I need it to resolve to a different address -- every other address should come from the main zone.

It is not possible to have views layered as you describe. However, try this:

file zonename.shared with all shared records.

file zone.zonename.for-the-many with the records for the many.
$INCLUDE zonename.shared

file zone.zonename.for-the-few with the records for the few.
$INCLUDE zonename.shared

view "for_the_few" {
        ...
        zone "zonename" {
                ...
                file "data/zone.zonename.for-the-few";
                ...
        };
};

view "for_the_many" {
        ...
        zone "zonename" {
                ...
                file "data/zone.zonename.for-the-many";
                ...
        };
};
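The per-view $INCLUDE layout Joe describes here, and the SOA placement Ryan asks about in the follow-up thread above (and plans to use for the umdnj.edu apex record in the Active Directory thread), as an added example that is neither Joe's nor Ryan's code: a small checker that expands $INCLUDE directives the way named effectively does and then verifies the one rule the thread turns on, exactly one SOA per zone after expansion, reporting each view's serial. The zone files are constructed in-memory strings with made-up names and addresses; it handles only the one-argument form of $INCLUDE and the common SOA layouts, not the full master-file grammar.

```python
"""Added example, not Joe Yao's or Ryan's code: expand BIND $INCLUDE
directives (the included bytes simply take the directive's place) and
check the expanded zone for exactly one SOA, reporting its serial.
Zone files below are constructed in-memory strings with made-up names.
"""
import re

# Owner (possibly blank), optional TTL, optional class, then SOA.
SOA_RE = re.compile(r"^\S*\s+(?:\d+\s+)?(?:IN\s+)?SOA\b", re.IGNORECASE)
INCLUDE_RE = re.compile(r"^\$INCLUDE\s+(\S+)")  # origin argument not handled


def expand_includes(name, files, _seen=frozenset()):
    """Return the zone text with every $INCLUDE replaced by the (recursively
    expanded) contents of the named file, which is what named parses."""
    if name in _seen:
        raise ValueError(f"$INCLUDE loop via {name}")
    out = []
    for line in files[name].splitlines():
        m = INCLUDE_RE.match(line)
        out.append(expand_includes(m.group(1), files, _seen | {name}) if m else line)
    return "\n".join(out)


def soa_serials(zone_text):
    """Serial of every SOA record in an expanded zone (exactly one is right)."""
    # Drop ';' comments, then fold '( ... )' multi-line RDATA onto one line.
    text = "\n".join(ln.split(";", 1)[0] for ln in zone_text.splitlines())
    text = re.sub(r"\(([^)]*)\)", lambda m: " " + " ".join(m.group(1).split()) + " ", text)
    serials = []
    for line in text.splitlines():
        if SOA_RE.match(line):
            fields = line.split()
            i = [f.upper() for f in fields].index("SOA")
            serials.append(int(fields[i + 3]))  # SOA MNAME RNAME SERIAL ...
    return serials


def check_views(files, views):
    """views maps a view name to the zone file its zone statement points at.
    Returns {view: {"soa_count": n, "serial": s-or-None, "ok": bool}}."""
    report = {}
    for view, top in views.items():
        serials = soa_serials(expand_includes(top, files))
        report[view] = {"soa_count": len(serials),
                        "serial": serials[0] if len(serials) == 1 else None,
                        "ok": len(serials) == 1}
    return report


# Constructed files. Layout 1 (Ryan's): the shared file carries the SOA and
# everything except the apex A record; each view file $INCLUDEs it and adds
# its own apex A. A serial bump in the shared file is seen by every view.
FILES = {
    "db.example.com": """\
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2013040501  ; serial
        3600 900 604800 86400 )
    IN NS  ns1.example.com.
ns1 IN A   192.0.2.53
www IN A   192.0.2.80
""",
    "db.example.com-many": "$INCLUDE db.example.com\n@ IN A 192.0.2.80\n",
    "db.example.com-few":  "$INCLUDE db.example.com\n@ IN A 192.168.50.50\n",
    # Layout 2 (Joe's): SOA in the including file, none in the shared file,
    # so each view keeps its own serial and must bump it separately.
    "db.shared-nosoa": "    IN NS  ns1.example.com.\nns1 IN A 192.0.2.53\nwww IN A 192.0.2.80\n",
    "db.example.com-joe": ("$TTL 3600\n@ IN SOA ns1.example.com. hostmaster.example.com. "
                           "2013040502 3600 900 604800 86400\n$INCLUDE db.shared-nosoa\n"
                           "@ IN A 192.0.2.80\n"),
    # The mistake the thread warns about: an SOA in both files.
    "db.example.com-broken": ("@ IN SOA ns1.example.com. hostmaster.example.com. 1 1 1 1 1\n"
                              "$INCLUDE db.example.com\n"),
}
VIEWS = {"many": "db.example.com-many", "few": "db.example.com-few",
         "joe": "db.example.com-joe", "broken": "db.example.com-broken"}

if __name__ == "__main__":
    for view, result in check_views(FILES, VIEWS).items():
        print(f"{view:8s} {result}")
```

Both layouts pass the one-SOA-per-zone check because the rule is about the expanded zone, not about which file the record lives in; the "broken" view fails with two SOAs, which is what named-checkzone would also reject. For real files, read them from disk into the `files` dict and run the check before reloading.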
Re: Registrar that supports self-run domains and provides DNSSEC support
Could we knock off the politics please? I view the recent few posts as ignorant nonsense (complete with poor spelling AND Ayn Rand -- a twofer!), but I'm not inclined to take us further off topic by responding to it.

From: Shawn Bakhtiar [mailto:shashan...@hotmail.com]
Sent: Friday, February 22, 2013 01:25 PM
To: bind-users@lists.isc.org
Subject: RE: Registrar that supports self-run domains and provides DNSSEC support

Well said. Government is a bloated waste of money; however, look at what happened when Ma'bell was broken up. Unix became proprietary and languished while DOS dominated the world. Look at what happened when we deregulated energy in California 2 decades ago: prices shot up, and price gouging nearly sent the economy into a spiral.

You have to either follow Ayn Rand, in a true free economy, by letting anyone function as a registrar, or centralize it to a system that treats the registrant equally.

I personally use netsol; they do charge more, but I find them to have an excellent service model. But why are we limited to .com .edu .gov et al? Why not have the root servers as a government function, give people the ability to request and publish any TLD? I want to be .sha. I want to run .sha with little to no QA. I want anyone and everyone without fee to be able to register domains under it. Why not? There is no technical reason stopping this from happening, is there? The REAL problem is you already have government control; here is an ICANN thought on all this (ICANN governs, it is government, though not in the traditional sense): http://archive.icann.org/en/tlds/new-stld-rfp/new-stld-rfp-24jun03.htm

Don't want to fill the list with political brain farting, but I passionately feel that this is a fundamental violation of netizens' rights that we have to pay to get domain names, and that we are limited to the TLDs that we can register with, with a HUGE financial/systemic barrier to entry as a TLD. There is a very big part of the world population that can not afford the $10 a year even, and thus it is simply not equitable. There are countries, regions, that can not participate.

If all that does not make sense, let's put it this way: Wikipedia serves 1000x more data (I know not in number of hits, but in data bits) than I bet the roots do. Yet they are free, and live off of donations. How hard can this be?

If governments are bloatware, corporations are vaporware :)

From: micho...@cisco.com
To: bind-users@lists.isc.org
Subject: Re: Registrar that supports self-run domains and provides DNSSEC support
Date: Fri, 22 Feb 2013 15:51:49

-Original Message-
From: Shawn Bakhtiar shashan...@hotmail.com
Date: Friday, February 22, 2013 12:06 AM
To: bind-users@lists.isc.org
Subject: RE: Registrar that supports self-run domains and provides DNSSEC support

> 2) We don't buy or maintain street addresses from a for profit company, why should domain name be any different? Domain name registration should be a free government/ma'bell function.

Being an outsider with no beef or raves for GD (just realized that sounds like something else), I feel this isn't necessarily true. Government functions rarely get run well, at least here in the US. They're slow, bloated, and tend to spend lots of tax dollars (not really free) producing things hackers easily circumvent the day after release. Also, in ma'bell (er um netsol?) fashion, lack of competition stifles innovation. Of course all the registrars don't do what any one of us likes, but at least there is choice. Lack of competition also tends to drive price up vs down.

However, I'm not sure making choices based on cheaper and then complaining about quality makes sense. I'd like to think such gems could exist, but it's certainly not illogical to expect problems from free services with less money to devote to improving their infrastructure or conducting R&D to adopt new technologies. I know this last bit from experience, having worked at CLECs back in the day and running an ISP that was severely underfunded because the Internet was new and couldn't be trusted like a telephone. Lots of committed people working long hours for very little, but there's only so much you can do with blood, sweat and tears.
Re: Registrar that supports self-run domains and provides DNSSEC support
I personally like NameCheap. Cheap, and good documentation (that you can use even if you go with someone else).

- Original Message -
From: Robert Moskowitz [mailto:r...@htt-consult.com]
Sent: Monday, February 18, 2013 03:32 PM
To: bind-users@lists.isc.org
Subject: Registrar that supports self-run domains and provides DNSSEC support

Delving further into my challenges.

Right now I use Network Solutions as my registrar. Just never changed, as they were the only show in town back then. But they don't seem to support DNSSEC protected domains, and even IPv6 glue records are special requests, it seems.

My registration is up for renewal; it expires 4/6/13 so this is a good time to move. But of course my domain is locked and I can't see on the NS account page how to change that.

I was pointed to dyn.com, but they are not clear about how to apply for them just being a registrar and how to contact them for help. Either you are asking for their managed DNS service or go to their free community forum(s).

I suppose nothing worth doing is easy to do.
Find all authoritative domains for a nameserver?
Hi all,

I don't know if there's an easy, or even moderately easy way to do this, but can one somehow figure out/get a list of all domains for which the nameserver is set to a given IP/server name?

For reasons I won't get into, the people who register the domains are not the same as the people who run the DNS servers (me) and occasionally the domains I have zones defined for in my nameservers do not match the WHOIS records. Normally, that problem becomes pretty obvious because nothing works right, but it does generate a lot of logging for failed queries to the nameservers. I guess that would be one way to tell when someone has made us authoritative for a domain but not had us create a zone file, but is there a way to get a list somehow?

Thanks.

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Find all authoritative domains for a nameserver?
On 12/03/2012 06:45 PM, Chuck Swiger wrote:
> Registrars are expected to have both a billing/admin contact and a technical contact; make sure that people who expect you to make their domains work put you as the tech contact, and you will at least get notified when they register new top-level domains.

Yeah, and at least that is now the case; that just doesn't help with the misdeeds of the past.

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: Find all authoritative domains for a nameserver?
On 12/03/2012 06:52 PM, Dan Mahoney wrote:
>> Hi all,
>>
>> I don't know if there's an easy, or even moderately easy way to do this, but can one somehow figure out/get a list of all domains for which the nameserver is set to a given IP/server name?
>>
>> For reasons I won't get into, the people who register the domains are not the same as the people who run the DNS servers (me) and occasionally the domains I have zones defined for in my nameservers do not match the WHOIS records. Normally, that problem becomes pretty obvious because nothing works right, but it does generate a lot of logging for failed queries to the nameservers. I guess that would be one way to tell when someone has made us authoritative for a domain but not had us create a zone file, but is there a way to get a list somehow?
>
> Back in the old netsol days, a name server admin could get a list of domains for which it was responsible by request.
>
> There's also a feature in very very old versions of bind called Inverse DNS, implemented against an optional part of one of the DNS specs, that comes close to this.
>
> Nowadays, verisign and a few others WILL let you download the COM zone via FTP once a day, with special signed agreements (mainly for research purposes, not to solve your problem).
>
> Your best answer comes in either your logs (with some simple grep and perl to do the dig +trace, could make a nice useful report), or some other tool like TCPDUMP, or in a passive DNS provider, but the reality is, all these methods require someone to be querying it. Thankfully, spambots seem to do this quite a lot, and manage to find new domains at an alarming pace.

Thanks, that's about what I'd expected to hear. Luckily what you've said is true (I get hundreds of queries for umdnj.org for example) and the problem isn't actually a serious one unless someone expects the site to be working (in which case, I'd hear about it anyway).

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: User wanting to use a .local domain to host DNS
On 11/15/2012 09:40 AM, Carsten Strotmann wrote:
> .local is the 4th most queried domain name (after localhost, com and net), but it should not exist at all in the Internet (or queries should not reach the root server system). You see corp, intern and intra as well in the top 20 list. Failing to operate a private TLD correctly is causing internal data leaking to the Internet, which could be a security risk but in all cases is a burden on the root server system.

Not that I think that I'm doing this (and as I'd said, the only place I use this is at home on a NAT'd network where there is no public DNS at all), but what are some common ways to let this happen if you happen to know?

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: User wanting to use a .local domain to host DNS
On 11/15/2012 11:36 AM, btb wrote:
> On 2012.11.15 10.14, Novosielski, Ryan wrote:
>>> Failing to operate a private TLD correctly is causing internal data leaking to the Internet, which could be a security risk but in all cases is a burden on the root server system.
>>
>> Not that I think that I'm doing this (and as I'd said, the only place I use this is at home on a NAT'd network where there is no public DNS at all), but what are some common ways to let this happen if you happen to know?
>
> a nat'd network is a prime example of exactly the sort of place this kind of thing happens. what it usually boils down to is non public namespace being used [be it invented tlds or rfc1918/5735/etc address space] with no nameserver on the local network with those zones configured as authoritative.

Great, thanks, sounds like I'm covered then (I have BIND running authoritative for my zone on the firewall/NAT machine, only accepting queries from my local 1918 addresses, and DHCP providing its address as the nameserver).

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
Re: User wanting to use a .local domain to host DNS
On 11/14/2012 10:09 AM, Tony Finch wrote:
> King, Harold Clyde (Hal) h...@utk.edu wrote:
>> I'm a bit confused by a user request. I think he is trying to keep some hosts on the private side of DNS, but he wants to use a DNS name like host.sub.local. I do not know of the use of the .local TLD except in Bonjour. Can anyone shed some light on the use of the .local TLD?
>
> Microsoft have recommended its use for sites that don't have a properly registered domain name.
> http://support.microsoft.com/kb/296250
>
> Tony.

I do this at home with bind on Linux, except I use .localdomain instead of .local. It doesn't seem to treat it any differently than anything else, and since this is just one DNS server servicing a NAT'd network, nothing strange really CAN happen.

-- 
Ryan Novosielski - Sr. Systems Programmer
novos...@umdnj.edu - 973/972.0922 (2-0922)
Univ. of Med. and Dent. | IST/EI-Academic Svcs. - ADMC 450, Newark
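Two problems in the threads above come down to the same log check: a server receiving queries for domains it holds no zone for (Dan Mahoney's "grep and perl over your logs" suggestion), and private-TLD names such as .local being queried where nothing local is authoritative, so they leak toward the root. The script below is an added example, not code from any message in this thread; the zone list, the query-log lines and the private-TLD set are constructed samples, and the log format assumed is the BIND 9 "query:" line.

```python
"""Check BIND query-log lines against the zones a server actually serves.
Added example, not from the thread: it flags names queried here that no
configured zone covers, and the subset under private-use TLDs like .local
that would leak to the root servers if nothing local answered them."""
import re
from collections import Counter

# Private-use TLDs the thread names among the most-queried non-existent ones.
PRIVATE_TLDS = {"local", "localdomain", "corp", "intern", "intra"}
# Matches "query: <name> IN <type>" in a BIND 9 query-log line such as
# "client 192.0.2.7#4523: query: www.example.org IN A + (192.0.2.53)".
QUERY_RE = re.compile(r"query: (?P<name>\S+) IN (?P<type>\S+)")

def normalize(name):
    """Lower-case and drop the trailing dot: 'Example.ORG.' -> 'example.org'."""
    return name.lower().rstrip(".")

def covering_zone(name, zones):
    """Most specific configured zone containing name, or None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None

def classify(log_lines, zones):
    """Return (unknown, leaks): Counters of query names no configured zone
    covers, and of the subset of those whose TLD is private-use."""
    zones = {normalize(z) for z in zones}
    unknown, leaks = Counter(), Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (startup, zone load, etc.)
        name = normalize(m.group("name"))
        if covering_zone(name, zones) is None:
            unknown[name] += 1
            if name.rsplit(".", 1)[-1] in PRIVATE_TLDS:
                leaks[name] += 1
    return unknown, leaks

# Constructed samples: zones this server serves, and BIND 9 query-log lines.
SAMPLE_ZONES = ["example.org", "home.localdomain"]
SAMPLE_LOG = [
    "client 192.168.1.10#53211: query: www.example.org IN A + (192.168.1.1)",
    "client 192.168.1.11#40112: query: printer.home.localdomain IN A + (192.168.1.1)",
    "client 192.168.1.12#51777: query: nas.local IN A + (192.168.1.1)",
    "client 192.168.1.12#51778: query: nas.local IN AAAA + (192.168.1.1)",
    "client 203.0.113.5#33004: query: www.other.example IN A - (192.0.2.53)",
    "zone example.org/IN: loaded serial 2012120301",
]
```

Running classify(SAMPLE_LOG, SAMPLE_ZONES) on the samples reports nas.local (twice, flagged as a private-TLD leak) and www.other.example (once) as names with no covering zone; on a real server, feed it the query log with querylog enabled and the zone names from named.conf.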
Re: Disable log message
I think many of us were just curious why someone would even think to disable it. Would be great if you could indulge (maybe something we've not thought of).

----- Original Message -----
From: Jack Tavares [mailto:j.tava...@f5.com]
Sent: Sunday, October 21, 2012 06:03 PM
To: c...@cam.ac.uk; bind-users@lists.isc.org
Subject: RE: Disable log message

I wasn't suggesting that it be removed. I was asking if it was possible to disable it if desired. The answer is obviously no. Thank you all for your time.

-- 
Jack Tavares
How many more can we sell with this button?

From: bind-users-bounces+j.tavares=f5@lists.isc.org [bind-users-bounces+j.tavares=f5@lists.isc.org] on behalf of Chris Thompson [c...@cam.ac.uk]
Sent: Sunday, October 21, 2012 14:58
To: bind-users@lists.isc.org
Subject: Re: Disable log message

On Oct 20 2012, David Miller wrote:
[...]
> Does this log message provide any information that the -V option doesn't provide?

Given the number of times that problems brought up on this list turn out to be due to people not actually running the named binary they thought they were running, the more that the actually executing named says about itself, the better.

-- 
Chris Thompson
Email: c...@cam.ac.uk
Re: Disable log message
While I can see maybe not being interested, caring enough to suppress it has me curious.

----- Original Message -----
From: Alan Clegg [mailto:a...@clegg.com]
Sent: Friday, October 19, 2012 06:13 PM
To: bind-us...@isc.org
Subject: Re: Disable log message

On Oct 18, 2012, at 1:13 PM, Chris Thompson c...@cam.ac.uk wrote:

> On Oct 18 2012, Jeremy C. Reed wrote:
>> On Thu, 18 Oct 2012, Jack Tavares wrote:
>>> I am running bind9.8.x built from source and I see this message in the logs
>>>
>>> built with '--prefix=/blah' '--sbindir=/blah' '--sysconfdir=/blah' '--localstatedir=/var' '--exec-prefix=/usr' '--libdir=/usr/lib' '--mandir=/usr/share/man' '--with-openssl=/blah' '--enable-fixed-rrset' '--enable-shared' '--enable-threads' '--enable-ipv6' '--with-libtool' etc etc etc
>>>
>>> I would prefer to not have that show up in the log. Short of modifying the source, is there an easy way to disable that?
>>
>> No way to disable just it. It is in the general catch-all category. Also, it is output before the configuration logging directives have been processed, so it comes out with the internal defaults for category and priority (daemon.notice). Any suppression would need to be done at the syslog level.
>
> But I have some difficulty understanding why anyone would want it suppressed. It's true that BIND is a bit noisier than it used to be at this stage, but can this really be a problem? Do you let the black hats see your system logs?

This message was added by general recognition that being able to rebuild a drop-in binary for BIND when you didn't have access to the build directory (where the config.log contains the information) was a good thing.

I, for one, see no reason to suppress this message (but I do have blind spots at times).

AlanC
-- 
Alan Clegg | +1-919-355-8851 | a...@clegg.com