Re: Can't modify an existing SPF record

2022-07-11 Thread Roberto Carna
Ok, now I understand. Thanks a lot to you!

On Fri, 8 Jul 2022 at 19:58, Greg Choules
() wrote:
>
> The SPF record type was deprecated in 2014 and the SPF definition string 
> *must* now be contained as data in a TXT record.
> BIND will still load a zone containing SPF records, but it will check whether 
> a TXT record also exists that contains the same string and will generate a 
> log message telling you if it doesn't find one.
>
> From a quick glance at the webmin manual it *should* allow you to put 
> anything you like in a TXT record.
> @Roberto Carna  your SPF record currently looks like this:
>
> company.com. 971 IN TXT "v=spf1 mx ip4:[corpIP] include:mktomail.com ~all"
>
>
> The ip4:[corpIP] will not work. [] are not valid characters in the SPF 
> specification and in any case ip4: must be followed by a literal dotted 
> decimal IPv4 address.
>
> On Fri, 8 Jul 2022 at 17:34, Benny Pedersen  wrote:
>>
>> On 2022-07-08 18:14, Crist Clark wrote:
>> > As far as BIND is concerned, this is arbitrary text in a TXT record.
>> > It doesn’t know or care about SPF syntax within it.
>>
>> TXT records are mostly used, and SPF records are supported in bind
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
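
An added example, not part of the thread: a small SPF lint in Python that checks the points Greg raises (ip4: must carry a literal address or CIDR block, a:/include: must name a real host, the record lives in a TXT string) plus the checks a practitioner would add from RFC 7208: the 10-DNS-lookup limit, the deprecated ptr mechanism, a missing terminal all, and the "+all" mistake that authorizes every sender on the internet. The first sample record is the one quoted above, with the placeholder [corpIP] exactly as posted; macro-expanded domain-specs (%{...}) are passed through unchecked.

```python
import ipaddress
import re

# Terms from RFC 7208. "ptr" is listed only so it can be flagged: RFC 7208 says not to publish it.
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# RFC 7208 section 4.6.4: evaluating more than 10 of these terms is a permanent error.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Plain hostname labels (underscore allowed for names like _spf.example.com).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)*"
    r"[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.?$", re.I)
MODIFIER_RE = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)


def _valid_host(spec):
    host = spec.split("/")[0]            # a:host/24 and mx:host/24 carry a CIDR suffix
    return "%" in host or bool(HOSTNAME_RE.match(host))   # macros are not validated here


def check_spf(record):
    """Return the list of problems in one SPF TXT string; an empty list means it lints clean."""
    problems = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with 'v=spf1'"]
    lookups = 0
    terminated = False
    for raw in terms[1:]:
        mod = MODIFIER_RE.match(raw)
        if mod:                           # name=value modifiers: redirect=, exp=
            name, value = mod.group(1).lower(), mod.group(2)
            if name not in MODIFIERS:
                problems.append(f"unknown modifier '{raw}'")
            elif not _valid_host(value):
                problems.append(f"'{raw}' needs a domain name")
            if name == "redirect":
                lookups += 1
                terminated = True
            continue
        qualifier = raw[0] if raw[0] in "+-~?" else "+"   # default qualifier is "+" (pass)
        term = raw[1:] if raw[0] in "+-~?" else raw
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()                 # bare "a/24" or "mx/24"
        if name not in MECHANISMS:
            problems.append(f"unknown mechanism '{raw}'")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("'ptr' is deprecated by RFC 7208; do not publish it")
        elif name in ("ip4", "ip6"):
            try:                          # "[corpIP]" or a hostname fails here, as Greg says
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                problems.append(f"'{raw}' must carry a literal IP address or CIDR block")
            else:
                if net.version != (4 if name == "ip4" else 6):
                    problems.append(f"'{raw}' address family does not match the mechanism")
        elif name in ("include", "exists") and not _valid_host(arg):
            problems.append(f"'{raw}' requires a domain name")
        elif name in ("a", "mx") and arg and not _valid_host(arg):
            problems.append(f"'{raw}' does not name a valid host")
        elif name == "all":
            terminated = True
            if qualifier == "+":
                problems.append("'+all' authorizes every sender on the internet; use -all or ~all")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of {MAX_LOOKUPS}")
    if not terminated:
        problems.append("no terminal 'all' mechanism or redirect= modifier (default result is neutral)")
    return problems


if __name__ == "__main__":
    for rec in ("v=spf1 mx ip4:[corpIP] include:mktomail.com ~all",   # from the thread
                "v=spf1 mx a:relay.company.com -all"):                 # the intended fix
        print(rec, "->", check_spf(rec) or "OK")
```

Run it against the string inside your TXT record before loading the zone; named itself does not parse SPF syntax, so nothing on the server side will catch a bad term.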


Re: Can't modify an existing SPF record

2022-07-08 Thread Roberto Carna
Thanks a lot, it's a webmin interface error because it doesn't accept
characters in the allowed host sender option.

Sorry for my interruption.

Greetings !!!

On Fri, 8 Jul 2022 at 13:14, Crist Clark
() wrote:
>
> As far as BIND is concerned, this is arbitrary text in a TXT record. It 
> doesn’t know or care about SPF syntax within it.
>
> It sounds like you’re having webmin problems, not BIND.
>
> On Fri, Jul 8, 2022 at 9:08 AM Ondřej Surý  wrote:
>>
>>
>> > On 8. 7. 2022, at 18:05, Roberto Carna  wrote:
>> >
>> > using the CLI in the BIND master
>>
>> What does this mean and how exactly are you changing the zone? List all the 
>> steps that you are doing when changing the zone contents.
>>
>> Ondrej
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>> My working hours and your working hours may be different. Please do not feel 
>> obligated to reply outside your normal working hours.
>>


Re: Can't modify an existing SPF record

2022-07-08 Thread Roberto Carna
Dear all, I add "a:relay.company.com" using the CLI in the BIND master:

company.com. 3600 IN TXT "v=spf1 mx a:relay.company.com -all"

But after restart, this change never goes to the slaves.

If I add "ip:x.x.x.x" for example, this change goes ok to the slaves.

And from webmin interface, if I add the "a:relay.company.com" I get this error:

Failed to save record : 'relay.company.com' is not a valid host to
allow sending from

I suspect the problem is with additional hostnames... I don't know.

Thanks again!

On Fri, 8 Jul 2022 at 12:55, Richard T.A. Neal
() wrote:
>
> Hi Roberto,
>
>
>
> You need to prefix it with “a:” to indicate that this is an A-record, i.e.:
>
>
>
> a:relay.company.com
>
>
>
> Best,
>
>
>
> Richard.
>
>
>
> From: bind-users  On Behalf Of Greg Choules 
> via bind-users
> Sent: 08 July 2022 4:45 pm
> To: Roberto Carna 
> Cc: ML BIND Users 
> Subject: Re: Can't modify an existing SPF record
>
>
>
> Hi Roberto. What domain is this SPF for and exactly how are you trying to add 
> the extra term?
>
> Cheers, Greg
>
>
>
> On Fri, 8 Jul 2022 at 16:38, Roberto Carna  wrote:
>
> Dear, from my webmin interface for BIND9, I try to add an additional
> allowed sender host to our SPF record, but I get the following error:
>
> Failed to save record : 'relay.company.com' is not a valid host to
> allow sending from
>
> What does this mean? Do I have to consider some important thing I'm 
> forgetting ?
>
> relay.company.com is already defined in our public DNS, and it has a
> reverse record too.
>
> if I add this record by hand, it's not replicated to the DNS slaves.
>
> Thanks in advance!!!


Can't modify an existing SPF record

2022-07-08 Thread Roberto Carna
Dear, from my webmin interface for BIND9, I try to add an additional
allowed sender host to our SPF record, but I get the following error:

Failed to save record : 'relay.company.com' is not a valid host to
allow sending from

What does this mean? Do I have to consider some important thing I'm forgetting ?

relay.company.com is already defined in our public DNS, and it has a
reverse record too.

if I add this record by hand, it's not replicated to the DNS slaves.

Thanks in advance!!!


Re: Change records in DNS slave if master is offline

2021-12-17 Thread Roberto Carna
Warren, thanks a lot, with the masterfile-format clause it works OK.

Greetings!!!

On Thu, 16 Dec 2021 at 15:43, Warren Kumari () wrote:
>
>
>
> On Thu, Dec 16, 2021 at 10:37 AM Roberto Carna  
> wrote:
>>
>> Dear all, I have one BIND9 server as master and 3 as slaves.
>>
>> The master and one slave are in a given site #1, and the other two
>> slaves are in a geographical different site #2.
>>
>> In case site #1 goes offline, I need to edit records in both slaves
>> from site #2, in order to point some services to other public IP's for
>> contingency.
>>
>> My question is:
>>
>> What is the recommended way to edit the records from a BIND9 slave?
>> Because the zone files are binary files
>
>
> Yup, if you are running (IIRC) > v9.9.x, the default is binary files.
> You can convert these back to text with:
> named-compilezone -f raw -F text -o example.com.text example.com example.com.binary
>
> You can also change the default in named.conf:
> options {
> // many many options
> masterfile-format text;
> //
> // many other options
> //
> }
>
> The raw (binary) zone files are good for large zones, but for small zones, 
> where speed isn't super important, text format works just fine...
> W
>
>
>>
>> and using the Webmin interface
>> is blocked.
>>
>> The only manner is changing the configuration from slave to master?
>>
>> Thanks in advance, greetings!!!
>
>
>
> --
> The computing scientist’s main challenge is not to get confused by the
> complexities of his own making.
>   -- E. W. Dijkstra


Change records in DNS slave if master is offline

2021-12-16 Thread Roberto Carna
Dear all, I have one BIND9 server as master and 3 as slaves.

The master and one slave are in a given site #1, and the other two
slaves are in a geographical different site #2.

In case site #1 goes offline, I need to edit records in both slaves
from site #2, in order to point some services to other public IP's for
contingency.

My question is:

What is the recommended way to edit the records from a BIND9 slave?
Because the zone files are binary files and using the Webmin interface
is blocked.

The only manner is changing the configuration from slave to master?

Thanks in advance, greetings!!!


BIND9: one zone is not up to date

2021-12-13 Thread Roberto Carna
Dear all, I have BIND 9 and Webmin. One master and one slave using zone
transfer with TSIG.

Everything was Ok till today.

When I add or modify a record for zone1.com in the master, the record
in the slave is up to date.

But when I add or modify a record for zone2.com in the master, the
record is not updated in the slave; however, the log in
/var/log/bind/bind.log tells me the update operation was OK:

13-Dec-2021 14:46:24.558 notify: info: client @0x7fe8ec5532f0 172.17.1.2#56011/key xxx: received notify for zone 'zone2.com': TSIG 'xxx'
13-Dec-2021 14:46:24.558 general: info: zone zone2.com/IN: notify from 172.17.1.2#56011: zone is up to date

What can be the problem? I see everything well defined.

Special thanks !
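
An added example, not part of the thread: the two log lines above are written by the secondary, and "zone is up to date" is what BIND logs when the SOA serial carried in the NOTIFY is not newer (in RFC 1982 serial arithmetic) than the serial the secondary already holds. The usual cause is a record edited on the primary without bumping the zone serial, or a secondary whose serial has run ahead of the primary's. The Python below parses those lines (rejoined onto one line each, as a constructed sample), implements the RFC 1982 comparison the secondary applies, and turns the two serials you get from "dig +short SOA zone2.com" against each server into a diagnosis. The serial values in the usage lines are assumed, not from the post.

```python
import re

# Log line shape from the post: "<date> <time> <category>: <severity>: <message>".
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<category>[\w-]+): (?P<level>\w+): (?P<msg>.*)$")
NOTIFY_RE = re.compile(r"^zone (?P<zone>\S+)/IN: notify from (?P<src>\S+): (?P<outcome>.*)$")

# Constructed sample: the two lines from the post, one per list entry.
SAMPLE_LOG = [
    "13-Dec-2021 14:46:24.558 notify: info: client @0x7fe8ec5532f0 172.17.1.2#56011/key xxx: "
    "received notify for zone 'zone2.com': TSIG 'xxx'",
    "13-Dec-2021 14:46:24.558 general: info: zone zone2.com/IN: notify from 172.17.1.2#56011: "
    "zone is up to date",
]


def parse_notify_outcomes(lines):
    """Return (zone, source, outcome) for every 'notify from' line in BIND's general category."""
    found = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("category") != "general":
            continue
        n = NOTIFY_RE.match(m.group("msg"))
        if n:
            found.append((n.group("zone"), n.group("src"), n.group("outcome")))
    return found


HALF = 1 << 31   # half the 32-bit serial space


def serial_gt(a, b):
    """RFC 1982 comparison modulo 2**32: is serial a 'newer than' serial b?
    Equal serials are never newer, and the space wraps, so 5 is newer than 0xFFFFFFF0."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def diagnose(primary_serial, secondary_serial):
    """Explain the secondary's behaviour from the SOA serials of both servers."""
    if serial_gt(primary_serial, secondary_serial):
        return "secondary is behind; a NOTIFY or refresh should trigger a transfer"
    if primary_serial == secondary_serial:
        return "primary serial was not incremented; the secondary will never transfer"
    return "secondary serial is ahead; raise the primary serial above it to resync"


if __name__ == "__main__":
    for zone, src, outcome in parse_notify_outcomes(SAMPLE_LOG):
        print(f"{zone}: NOTIFY from {src}: {outcome}")
    # Serials below are assumed values standing in for the output of
    #   dig +short SOA zone2.com @primary   and   dig +short SOA zone2.com @secondary
    print(diagnose(2021121301, 2021121301))
```

If the primary's serial is the one that is wrong (for example after an edit through a tool that never touched the SOA), bump it on the primary and "rndc reload zone2.com"; the secondary will then see a newer serial and transfer.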


Re: Add DNS records automatically for static IP's

2021-08-11 Thread Roberto Carna
Thank you so much !

On Mon, 9 Aug 2021 at 13:40, tale () wrote:
>
> On Mon, Aug 9, 2021 at 8:46 AM Roberto Carna  wrote:
> > Thanks to all of you, is it possible to use nslookup in order to
> > update DNS records from Linux hosts to a Windows DNS server (not BIND)
>
> Not nslookup, but nsupdate as Brian Cuttler said.  nslookup is purely
> a query tool;
> nsupdate implements the DNS Update protocol, which is one of the mechanisms
> that Windows DNS server supports.
>
> So, yes, you can go Linux -> Windows using nsupdate.
>
> > On Thu, 5 Aug 2021 at 14:14, Cuttler, Brian R (HEALTH)
> > () wrote:
> > > I've been using nsupdate for that.
>
> --
> tale
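
An added example, not part of the thread: a Python helper that builds the nsupdate batch for registering a static host (forward A/AAAA record and, optionally, the PTR) and feeds it to nsupdate. Deleting the RRset before adding it makes the batch safe to run repeatedly and removes the stale address when a host is renumbered, which is the "keep it updated" part of the question. The server, zone and host names are assumptions for illustration; nsupdate's -k (TSIG key file, for BIND) and -g (GSS-TSIG with the current Kerberos ticket, which is what Windows DNS secure dynamic updates expect) are real nsupdate options.

```python
import ipaddress
import subprocess


def reverse_name(ip):
    """PTR owner name for an address: 192.0.2.10 -> 10.2.0.192.in-addr.arpa. (IPv6 -> ip6.arpa.)"""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_update(server, zone, host, ip, ttl=300, reverse_zone=None):
    """Build an nsupdate batch that makes host's address record equal to ip.

    Each zone is its own transaction ("send"), so the forward and reverse updates
    can go to different zones and fail independently."""
    zone = zone.rstrip(".")
    fqdn = host if host.endswith(".") else f"{host}.{zone}."
    addr = ipaddress.ip_address(ip)
    rrtype = "A" if addr.version == 4 else "AAAA"
    lines = [
        f"server {server}",
        f"zone {zone}",
        f"update delete {fqdn} {rrtype}",             # drop any previous address first
        f"update add {fqdn} {ttl} {rrtype} {addr}",
        "send",
    ]
    if reverse_zone:
        ptr = reverse_name(str(addr))
        lines += [
            f"zone {reverse_zone.rstrip('.')}",
            f"update delete {ptr} PTR",
            f"update add {ptr} {ttl} PTR {fqdn}",
            "send",
        ]
    return "\n".join(lines) + "\n"


def apply_update(batch, keyfile=None, gss=False):
    """Send the batch through nsupdate: -k <file> signs with a TSIG key (BIND),
    -g uses GSS-TSIG with the caller's Kerberos ticket (Windows DNS secure updates).
    Never send unsigned updates; an allow-update on an address alone is spoofable."""
    cmd = ["nsupdate"]
    if gss:
        cmd.append("-g")
    elif keyfile:
        cmd += ["-k", keyfile]
    return subprocess.run(cmd, input=batch, text=True, check=True, capture_output=True)


if __name__ == "__main__":
    # Hypothetical server, zone and host; these names are not from the thread.
    batch = build_update("ns1.company.com", "company.com", "relay", "192.0.2.10",
                         reverse_zone="2.0.192.in-addr.arpa")
    print(batch, end="")
    # apply_update(batch, keyfile="/etc/bind/keys/relay.key")   # BIND primary, TSIG
    # apply_update(batch, gss=True)                             # Windows DNS after kinit
```

On the BIND side, restrict the key with update-policy (for example grant the host's key only its own name) rather than a blanket allow-update, so a compromised host cannot rewrite other names in the zone.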


Re: Add DNS records automatically for static IP's

2021-08-09 Thread Roberto Carna
Thanks to all of you, is it possible to use nslookup in order to
update DNS records from Linux hosts to a Windows DNS server (not BIND)?

Thanks a lot again!

On Thu, 5 Aug 2021 at 14:14, Cuttler, Brian R (HEALTH)
() wrote:
>
> Roberto,
>
> I've been using nsupdate for that.
>
> I restricted my dynamic address pool, at the bottom end for infrastructure 
> and at the top end for static IP's and then I use nsupdate to add the entries.
> There are other methods, which I learned mostly from this list and can attach 
> a copy of my site wiki article if you'd like to see it.
>
> Brian
>
>
> -Original Message-
> From: bind-users  On Behalf Of Roberto Carna
> Sent: Thursday, August 5, 2021 12:19 PM
> To: ML BIND Users 
> Subject: Add DNS records automatically for static IP's
>
> Dear all, I know DDNS works with a DHCP server and dynamic IP's. When
> IP changes, the hostname in DNS is updated.
>
> But I have this scenario:
>
> I have several hosts with static IP's / hostnames and I want to
> register them to our private BIND DNS, and they should be updated if
> the IP or hostname changes.
>
> Is there any way to do what I need ? Any Linux/Windows client to
> install in the servers in order to register IP and hostname to our
> private BIND ???
>
> Special thanks!


Add DNS records automatically for static IP's

2021-08-05 Thread Roberto Carna
Dear all, I know DDNS works with a DHCP server and dynamic IP's. When
IP changes, the hostname in DNS is updated.

But I have this scenario:

I have several hosts with static IP's / hostnames and I want to
register them to our private BIND DNS, and they should be updated if
the IP or hostname changes.

Is there any way to do what I need ? Any Linux/Windows client to
install in the servers in order to register IP and hostname to our
private BIND ???

Special thanks!


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Roberto Carna
But if I want to resolve:

foo.google.com

that doesn't exist in my google.com private zone, I don't obtain any result.

I need to tell my private BIND to forward to 8.8.8.8 all the received
*.google.com queries, except www.google.com that is the one locally
resolved.

Thanks again !!!

On Wed, 31 Mar 2021 at 13:48, Matus UHLAR - fantomas
() wrote:
>
> On 31.03.21 13:07, Roberto Carna wrote:
> >Dear Matus, maybe I have not understood very well...
> >
> >I can setup a master zone as you said:
> >
> >zone "www.google.com" {
> >type master;
> >file "...";
> >};
> >
> >But what are the needed clauses from Bind's named.conf.options file in
> >order to tell "if foo.google.com is not present in the google.com
> >private zone, you have to forward the query to another server (public
> >forwarder) in order to be publicly resolved" ???
>
> that above will cover www.google.com and *.www.google.com
>
> >On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
> >() wrote:
> >>
> >> On 31.03.21 12:49, Roberto Carna wrote:
> >> >Dear, I have a BIND private DNS server which has two forwarders for
> >> >public resolution.
> >> >
> >> >I need to create a private zone "google.com" with just one A record as 
> >> >follow:
> >> >
> >> >www.google.com IN A 192.168.0.100
> >> >
> >> >All the local clients will resolve www.google.com to a private address
> >> >from our company.
> >> >
> >> >And for the other google.com records that this private BIND receives
> >> >and they are not defined in the local private zone, they have to be
> >> >forwarded to the public forwarders in order to be resolved as normal.
> >> >
> >> >Is it possible to have this scenario ???
> >>
> >> yes, simply define zone
> >>
> >> zone "www.google.com" {
> >> type master;
> >> file "...";
> >> };
> >>
> >> note that for this kind of setup, using dnsmasq with two forwarders and
> >> www.google.com overridden through /etc/hosts would be an easier solution.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (in Slovak): I do not wish to receive any advertising mail at this address.
> "One World. One Web. One Program." - Microsoft promotional advertisement
> "Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Roberto Carna
Dear Matus, maybe I have not understood very well...

I can setup a master zone as you said:

zone "www.google.com" {
type master;
file "...";
};

But what are the needed clauses from Bind's named.conf.options file in
order to tell "if foo.google.com is not present in the google.com
private zone, you have to forward the query to another server (public
forwarder) in order to be publicly resolved" ???

Thanks a lot again.



On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
() wrote:
>
> On 31.03.21 12:49, Roberto Carna wrote:
> >Dear, I have a BIND private DNS server which has two forwarders for
> >public resolution.
> >
> >I need to create a private zone "google.com" with just one A record as 
> >follow:
> >
> >www.google.com IN A 192.168.0.100
> >
> >All the local clients will resolve www.google.com to a private address
> >from our company.
> >
> >And for the other google.com records that this private BIND receives
> >and they are not defined in the local private zone, they have to be
> >forwarded to the public forwarders in order to be resolved as normal.
> >
> >Is it possible to have this scenario ???
>
> yes, simply define zone
>
> zone "www.google.com" {
> type master;
> file "...";
> };
>
> note that for this kind of setup, using dnsmasq with two forwarders and
> www.google.com overridden through /etc/hosts would be an easier solution.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (in Slovak): I do not wish to receive any advertising mail at this address.
> 10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Roberto Carna
Dear, I have a BIND private DNS server which has two forwarders for
public resolution.

I need to create a private zone "google.com" with just one A record as follow:

www.google.com IN A 192.168.0.100

All the local clients will resolve www.google.com to a private address
from our company.

And for the other google.com records that this private BIND receives
and they are not defined in the local private zone, they have to be
forwarded to the public forwarders in order to be resolved as normal.

Is it possible to have this scenario ???

Thanks a lot!!!

Robert


Re: DNS queries go to primary and secondary DNS servers at the same time

2019-12-18 Thread Roberto Carna
OK, thanks a lot for your comments.

I'll investigate this topic.

Greetings !!!

On Tue, 17 Dec 2019 at 14:42, Chuck Aurora () wrote:

> On 2019-12-16 13:13, Roberto Carna wrote:
> > I have a primary and a secondary BIND9 DNS servers, working as master
> > / slave with zone transfers between them.
>
> Primary/master and secondary/slave are concepts which apply only to
> authoritative servers, and in this case you are talking about these
> servers acting as resolvers, not authoritative.
>
> > I have several Linux machines (desktops and servers) with Debian and
> > Mint.
> >
> > I've realized, using TCPDUMP at DNS1 and DNS2, that all DNS queries
> > from Linux machines go to both DNS1 and DNS2 BIND servers at the same
> > time.
> >
> > In all Linux machines we have setup the DNS resolution using
> > /etc/resolv.conf:
>
> And resolv.conf is not an ISC BIND thing.  In GNU/Linux it's usually
> GNU glibc which uses that file.
>
> > nameserver IP_dns1
> > nameserver IP_dns2
> >
> > But when from the Linux clients I execute:
> >
> > $ host 
> >
> > I can see UDP traffic arriving to DNS1 and DNS2 at the same time.
> >
> > What can be the problem ?
>
> I'm not sure I would see that as a problem, although you might want to
> simplify and use only a single resolver IP address.  If your site is
> big enough to need two or more resolvers, use an anycast address.  For
> example, Google's 8.8.8.8 is a large farm of nameservers distributed
> throughout the world.
>
> > Because I expect only DNS traffic going to
> > DNS1 because it is before DNS2 in /etc/resolv.conf.
>
> GNU glibc does have documentation, starting with the resolv.conf(5)
> manual.  I'm not sure if there is a specific mailing list or forum to
> discuss it, however.


Re: DNS queries go to primary and secondary DNS servers at the same time

2019-12-16 Thread Roberto Carna
I add something interesting:

If I execute the same query with dig:

$ dig 

The query traffic goes only to DNS1 and not to DNS2.

Maybe a host command problem ???

Thanks again !!!

On Mon, 16 Dec 2019 at 16:13, Roberto Carna ()
wrote:

> Hi people,
>
> I have a primary and a secondary BIND9 DNS servers, working as master /
> slave with zone transfers between them.
>
> I have several Linux machines (desktops and servers) with Debian and Mint.
>
> I've realized, using TCPDUMP at DNS1 and DNS2, that all DNS queries from
> Linux machines go to both DNS1 and DNS2 BIND servers at the same time.
>
> In all Linux machines we have setup the DNS resolution using
> /etc/resolv.conf:
>
> nameserver IP_dns1
> nameserver IP_dns2
>
> But when from the Linux clients I execute:
>
> $ host 
>
> I can see UDP traffic arriving to DNS1 and DNS2 at the same time.
>
> What can be the problem ? Because I expect only DNS traffic going to DNS1
> because it is before DNS2 in /etc/resolv.conf.
>
> Thanks a lot !!!
>


DNS queries go to primary and secondary DNS servers at the same time

2019-12-16 Thread Roberto Carna
Hi people,

I have a primary and a secondary BIND9 DNS servers, working as master /
slave with zone transfers between them.

I have several Linux machines (desktops and servers) with Debian and Mint.

I've realized, using TCPDUMP at DNS1 and DNS2, that all DNS queries from
Linux machines go to both DNS1 and DNS2 BIND servers at the same time.

In all Linux machines we have setup the DNS resolution using
/etc/resolv.conf:

nameserver IP_dns1
nameserver IP_dns2

But when from the Linux clients I execute:

$ host 

I can see UDP traffic arriving to DNS1 and DNS2 at the same time.

What can be the problem ? Because I expect only DNS traffic going to DNS1
because it is before DNS2 in /etc/resolv.conf.

Thanks a lot !!!


Re: BIND setup for GSLB (Global Service Load Balancing)

2019-09-13 Thread Roberto Carna
Thanks to all, you have helped me a lot.

Now it's time to think about a suitable solution for us.

Regards !!!

On Fri, 13 Sep 2019 at 8:40, LeBlanc, Daniel James (<
daniel.lebl...@bellaliant.ca>) wrote:

> Hi Roberto.
>
>
>
> I am not aware of any inherent capability within ISC BIND to accomplish
> this.  However, the following ideas come to mind (and each has a custom
> element to it):
>
>
>
> -  Is it possible to create a DNS record (NAPTR?) for which a
> dynamic response is provided that accomplishes this objective?
>
> -  The nsupdate command line tool could be used to dynamically
> add/remove DNS records as required, but an external script/daemon would
> need to be created to drive the changes.
>
>
>
> Thanks.
>
>
>
> *Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell
> Canada*
>
>
>
>
>
> *From:* bind-users [mailto:bind-users-boun...@lists.isc.org] *On Behalf
> Of *Blason R
> *Sent:* September-12-19 10:22 PM
> *To:* Roberto Carna
> *Cc:* bind-users
> *Subject:* [EXT]Re: BIND setup for GSLB (Global Service Load Balancing)
>
>
>
> Well, there are other cheaper solutions available, like from Array
> network or peplink; they can offer DNS sub-domain delegation of GSLB.
>
>
>
> But I really doubt if any such OSS can do a similar job.
>
>
>
> On Thu, 12 Sep 2019, 21:10 Roberto Carna, 
> wrote:
>
> Hi people, is it possible to setup BIND in order to implement GSLB (Global
> Service Load Balancing) between two sites ?
>
>
>
> I need a near Active-Active scenario between two datacenters in
> different locations, and I want to do this with an open source solution.
>
>
>
> Thanks a lot !
>
>
>
> Roberto
>


BIND setup for GSLB (Global Service Load Balancing)

2019-09-12 Thread Roberto Carna
Hi people, is it possible to setup BIND in order to implement GSLB (Global
Service Load Balancing) between two sites ?

I need a near Active-Active scenario between two datacenters in
different locations, and I want to do this with an open source solution.

Thanks a lot !

Roberto


Re: Bind with views: forward any public domain in one view

2019-08-15 Thread Roberto Carna
Thanks a lot !!!

On Thu, 15 Aug 2019 at 13:09, Matus UHLAR - fantomas (<
uh...@fantomas.sk>) wrote:

> On 15.08.19 12:18, Roberto Carna wrote:
> >Dear, I have a BIND 9 working with two views.
> >
> >One view forwards two public domains to our resolver.
> >
> >And I want the second view to forward any public domain to our resolver in
> >order to let users browse without restrictions.
>
> what restrictions and where are they applied?
>
> >I need something like this:
> >
> >zone "ANY" {
> >type forward;
> >forward only;
> >forwarders {
> >8.8.8.8;
> >};
> >};
> >
> >How can I implement this second option ???  Can I replace ANY for the
> >correct wildcard ???
>
> "." should be enough, but note that BIND can do the same as the Google
> servers (8.8.8.8) can do, and you'll avoid one hop.
>
> simply don't forward but let BIND resolve.
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (in Slovak): I do not wish to receive any advertising mail at this address.
> The early bird may get the worm, but the second mouse gets the cheese.
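
An added example, not part of either thread, covering both the google.com question earlier on this page and the "forward any domain" question above. Both answers rest on the same rule: named answers a query from the closest enclosing zone configured in the view, matched label by label. A master zone named "www.google.com" therefore captures www.google.com and names under it, while foo.google.com falls through to the global forwarders (or to a "." forward zone, which is the catch-all Matus suggests for the view). The Python below carries the named.conf and zone-file fragments as text (server names and file paths are placeholders, not from the threads) and implements that matching rule so you can see which names the override captures before you deploy it.

```python
# named.conf fragment for the override; paths and server names are placeholders.
NAMED_CONF = """
options {
    forwarders { 8.8.8.8; 8.8.4.4; };   // everything not served locally goes upstream
};

// Authoritative for www.google.com only: that name and anything beneath it.
zone "www.google.com" {
    type master;
    file "/etc/bind/db.www.google.com";
};

// Inside a view that must send *all* other names upstream, the catch-all is ".":
// zone "." { type forward; forward only; forwarders { 8.8.8.8; }; };
"""

# Minimal zone file for the override: a master zone must have an SOA and an NS at its apex.
ZONE_FILE = """
$TTL 300
@   IN SOA ns1.company.com. hostmaster.company.com. ( 2021033101 3600 900 604800 300 )
    IN NS  ns1.company.com.
    IN A   192.168.0.100
"""

# Configured zone names -> how named answers for them (the view's zone table).
ZONES = {"www.google.com": "master", ".": "forward"}


def enclosing_zone(qname, zones):
    """Closest enclosing configured zone for qname: the longest suffix of qname, compared
    whole label by whole label, that is a key of zones. None if nothing covers the name."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) + 1):          # try the full name, then each shorter suffix
        candidate = ".".join(labels[i:]) or "."
        if candidate in zones:
            return candidate
    return None


def how_resolved(qname, zones=ZONES):
    """Answer source for qname: the zone type that covers it, or plain recursion
    (which also honours options { forwarders }) when no configured zone does."""
    zone = enclosing_zone(qname, zones)
    return "recursion/global forwarders" if zone is None else zones[zone]


if __name__ == "__main__":
    for name in ("www.google.com", "mail.www.google.com", "foo.google.com", "google.com"):
        print(f"{name:24s} -> {enclosing_zone(name, ZONES)!r:20s} {how_resolved(name)}")
```

Note that "wwwx.google.com" is not caught by the override: matching is by whole labels, not string prefixes. Keep in mind that a local override only affects clients that use this resolver, and that anyone who can edit that small zone controls where your users' www.google.com traffic goes.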


Bind with views: forward any public domain in one view

2019-08-15 Thread Roberto Carna
Dear, I have a BIND 9 working with two views.

One view forwards two public domains to our resolver.

And I want the second view to forward any public domain to our resolver in
order to let users browse without restrictions.

I need something like this:

zone "ANY" {
type forward;
forward only;
forwarders {
8.8.8.8;
};
};

How can I implement this second option ???  Can I replace ANY for the
correct wildcard ???

Thanks a lot !!!


Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-04 Thread Roberto Carna
Dear people, finally I could put my zone transfers to work.

I have reviewed my config one more time and I am using one TSIG key for each
view.

Thanks a lot, regards!!!

On Thu, 4 Jul 2019 at 9:38, Tony Finch () wrote:

> Roberto Carna  wrote:
> >
> > As I have shown above, I use two views with a TSIG key for each view, but
> > the zone transfer doesn't work.
>
> The redacted config you posted did not consistently use key one in view
> one and key two in view two. I don't know if your real config has the same
> mistake or not.
>
> You might find your logs help you to debug the problem, though recent
> versions of BIND are better at logging details of TSIG keys.
>
> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Trafalgar: Cyclonic 4 or 5, occasionally 6 in north. Moderate or rough.
> Thundery showers. Good, occasionally poor.
>


Re: Bind 9 with Views: zone transfer refused from master to slave

2019-07-04 Thread Roberto Carna
Dear, thanks for your help.

As I have shown above, I use two views with a TSIG key for each view, but
the zone transfer doesn't work.

Please can you send me your Bind views configuration if you can, on master
and slave sides?

Thanks a lot again.

Regards!!!

On Wed, 3 Jul 2019 at 17:27, Sten Carlsen () wrote:

>
>
> On 03/07/2019 22.14, Grant Taylor via bind-users wrote:
>
> On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
>
> You have to use separate IPs for the separate views on the master and the
> slave.
>
>
> I thought you could use different TSIG keys to identify different zones
> with a single IP at each end.
>
> Is that not the case?
>
> As far as I am aware the two views must use different keys, with the same
> IP the key (or the view's ACL) is the only thing to distinguish between the
> views.
>
> You can use the same IP for both views at least on the master, I have that
> setup and have for a very long time seen it running without any problem. I
> do not use keys but let view ACL do the work.
>


Bind 9 with Views: zone transfer refused from master to slave

2019-07-03 Thread Roberto Carna
Hi people, I have master/slave Bind 9.10.3 servers configured with views
and TSIG keys on a Debian 9 host. But the transfer from master to slave is
refused on the slave side; there is no descriptive error.

In both Views I have delegated the same two zones: black.com and white.com,
with different records according to the view.

Please, if I send my configuration, can you help me to detect the failure in
the zone transfer from master to slave??? Thanks a lot in advance.

MASTER

named.conf:

key "rndc-key" {
algorithm hmac-md5;
secret "+PGWO1r5rrT8hcA47Anu0w==";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
directory "/var/cache/bind";
also-notify { 10.0.0.2; };
dnssec-validation no;
dnssec-enable yes;
auth-nxdomain no;
allow-query { any; };
notify explicit;
recursion no;
version "none";
};


named.conf.local:

key one {
 algorithm HMAC-MD5;
 secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
 algorithm HMAC-MD5;
 secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
 algorithm HMAC-MD5;
 secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.2 { keys one; };
   recursion yes;
   allow-transfer { key one; };

zone "black.com." {
type master;
file "/etc/bind/zones/black.com.one.db";
also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
type master;
file "/etc/bind/zones/white.com.one.db";
also-notify { 10.0.0.2 key one; };
};
};

view "two" {
match-clients { two; };
server 10.0.0.2 { keys two; };
recursion yes;
allow-transfer { key two; };

zone "black.com." {
type master;
file "/etc/bind/zones/black.com.two.db";
also-notify { 10.0.0.2 key one; };
};

zone "white.com" {
type master;
file "/etc/bind/zones/white.com.two.db";
also-notify { 10.0.0.2 key one; };
};
};


SLAVE

named.conf:

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

named.conf.options:

options {
directory "/var/cache/bind";
allow-transfer {"none";};
dnssec-validation no;
dnssec-enable yes;
auth-nxdomain no;
allow-query { any; };
notify explicit;
recursion no;
version "none";
};


named.conf.local:

key one {
 algorithm HMAC-MD5;
 secret "uohej/pa1oLBK4Cfhi3zAA==";
};

key two {
 algorithm HMAC-MD5;
 secret "HcKSpnKhqg/+KFvOg2uTag==";
};

key three {
 algorithm HMAC-MD5;
 secret "1JikGx1kdjq/cTCsi36/JQ==";
};

acl one { !key two; !key three; key one; 10.10.0.0/24; };
acl two { !key one; !key three; key two; 10.10.1.0/24; };
acl three { !key one; !key two; key three; 10.10.2.0/24; };

view "one" {
   match-clients { one; };
   server 10.0.0.1 { keys one; };
   recursion yes;

zone "black.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/black.com.one.db";
};

zone "white.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/white.com.one.db";
};

};

view "two" {
match-clients { two; };
server 10.0.0.1 { keys two; };
recursion yes;

zone "black.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/black.com.two.db";
};

zone "white.com" {
type slave;
masters { 10.0.0.1 key one; };
file "/etc/bind/zones/white.com.two.db";
};

};
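The slip Tony Finch points at in his reply (key one used inside view two) can be caught mechanically. The checker below is an added example, not ISC code: it parses a small subset of named.conf syntax (statements, nested blocks, quoted strings, // and # comments; no include) and reports every view that references more than one TSIG key. The sample config is a trimmed copy of the secondary's named.conf.local from this post, with placeholder secrets and hmac-sha256 in place of hmac-md5.

```python
"""Report BIND views that mix TSIG keys (e.g. 'server { keys two; }' next to
'masters { ... key one; }'). Added example, not ISC code."""
import re
from collections import defaultdict

# One token per quoted string, brace, semicolon or bare word.
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def tokenize(text):
    tokens = []
    for line in text.splitlines():
        line = re.split(r"//|#", line, maxsplit=1)[0]   # drop // and # comments
        tokens.extend(TOKEN_RE.findall(line))
    return tokens


def parse_block(tokens, pos=0):
    """Parse statements up to the closing brace.
    Returns ([(words, children_or_None), ...], pos_of_closing_brace)."""
    stmts = []
    while pos < len(tokens) and tokens[pos] != "}":
        words = []
        while tokens[pos] not in ("{", ";"):
            words.append(tokens[pos].strip('"'))
            pos += 1
        children = None
        if tokens[pos] == "{":
            children, pos = parse_block(tokens, pos + 1)
            pos += 1                                  # consume "}"
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1                              # optional ";" after "}"
        else:
            pos += 1                                  # consume ";"
        stmts.append((words, children))
    return stmts, pos


def key_refs(stmts, path=()):
    """Yield (location, keyname) for each 'key NAME' / 'keys NAME' reference."""
    for words, children in stmts:
        if not words:
            continue
        here = path + (" ".join(words[:2]),)
        if children is None:
            # leaf such as ['10.0.0.1', 'key', 'one'] or ['keys', 'two'];
            # an ACL negation '!key' is a different token and is not counted
            for i, w in enumerate(words[:-1]):
                if w in ("key", "keys"):
                    yield " > ".join(here), words[i + 1]
        elif words[0] != "key":                       # don't descend into key definitions
            yield from key_refs(children, here)


def view_key_usage(config_text):
    """Map each view to {keyname: [locations where it is referenced]}."""
    stmts, _ = parse_block(tokenize(config_text))
    usage = {}
    for words, children in stmts:
        if len(words) >= 2 and words[0] == "view" and children is not None:
            per_key = defaultdict(list)
            for where, key in key_refs(children):
                per_key[key].append(where)
            usage[words[1]] = dict(per_key)
    return usage


def inconsistent_views(config_text):
    """{view: sorted key names} for every view that references more than one key."""
    return {v: sorted(keys) for v, keys in view_key_usage(config_text).items() if len(keys) > 1}


# Trimmed copy of the secondary's named.conf.local from the post; secrets are placeholders.
SLAVE_CONF = """
key one { algorithm hmac-sha256; secret "PLACEHOLDER-KEY-ONE=="; };
key two { algorithm hmac-sha256; secret "PLACEHOLDER-KEY-TWO=="; };
acl one { !key two; key one; 10.10.0.0/24; };
acl two { !key one; key two; 10.10.1.0/24; };

view "one" {
    match-clients { one; };
    server 10.0.0.1 { keys one; };
    zone "black.com" { type slave; masters { 10.0.0.1 key one; }; file "black.com.one.db"; };
};

view "two" {
    match-clients { two; };
    server 10.0.0.1 { keys two; };
    // the slip from the thread: view two asks the primary with view one's key
    zone "black.com" { type slave; masters { 10.0.0.1 key one; }; file "black.com.two.db"; };
};
"""

if __name__ == "__main__":
    usage = view_key_usage(SLAVE_CONF)
    for view, keys in inconsistent_views(SLAVE_CONF).items():
        print(f'view "{view}" mixes TSIG keys {keys}:')
        for key in keys:
            for where in usage[view][key]:
                print(f"  key {key:<4} at {where}")
```

Run the same check against the primary's config and it flags view "two" there as well, where also-notify still names key one.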


Change DNS records automatically when a link is DOWN

2019-06-05 Thread Roberto Carna
Dear people, I have two sites:

- Main site with an Internet link and two BIND services (DNS1 and DNS2) and a
/28 block, and web and mail services supported
- Backup site with a second Internet link and a BIND service (DNS3) and
another /28 block

When the Internet link from the main site is DOWN, the web and mail traffic
comes through the backup site to the main site crossing a L2L. So I need to
change the IPs of the FQDN hosts I have supported in DNS3 in order to
continue offering services (web and mail). How can I do this automatically?
Is there any way that "something" monitors the main Internet link and, in
case it is DOWN, automatically orders the modification of the FQDN records in DNS3 ???

Thanks a lot and regards!!!


Re:

2019-02-21 Thread Roberto Carna
Thanks a lot.

Greetings !!!

On Wed, 20 Feb 2019 at 16:55, Matus UHLAR - fantomas (<uh...@fantomas.sk>) wrote:

> On 20.02.19 10:48, Roberto Carna wrote:
> >You tell me to do this:
> >
> >zone "." {
> >type master;
> >file "empty.db";
> >};
> >
> >The root zone Is "type master"  or "type hint" ???
> >
> >The empty.db is really an empty file with no data at all ???
>
> debian ships db.empty which contains everything an empty zone file needs.
>
> >And where do I have to put my current file:
>
> >recursion yes;
>
> useless as it's the default
>
> >zone "teamviewer.com" {
> >type forward;
> >forwarders { 8.8.8.8; };
> >};
>
> anywhere, but your files looks like debian installation, it should go to
> db.local.
>
> I think you can specify empty forwarders list and BIND should do the
> resolution itself.
>
> >> On Tue, Feb 19, 2019 at 10:29 AM Roberto Carna <
> robertocarn...@gmail.com>
> >> wrote:
> >> >
> >> > Dear Matus and Kevin, please tell me if it's OK if I do this:
> >> >
> >> > named.conf:
> >> > include "/etc/bind/named.conf.default-zones";
> >> >
> >> > named.conf.default-zones:
> >> > recursion yes;
> >> > zone "teamviewer.com" {
> >> > type forward;
> >> > forwarders { 8.8.8.8; };
> >> > };
> >> >
> >> > named.conf.local:
> >> > 
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...


Re:

2019-02-20 Thread Roberto Carna
Dear Crist, sorry but I can't understand at all what you say. Please, I need
to ask you again:

You tell me to do this:

zone "." {
type master;
file "empty.db";
};

Is the root zone "type master" or "type hint" ???

The empty.db is really an empty file with no data at all ???

And where do I have to put my current file:

recursion yes;
zone "teamviewer.com" {
type forward;
forwarders { 8.8.8.8; };
};

Thanks in advance, I'll be waiting for your response please.

Greetings!!!

On Wed, 20 Feb 2019 at 0:57, Crist Clark () wrote:

> You need to explicitly define the root zone. Last I knew, BIND still
> gets the root zone hardcoded into the executable and will try to Do
> the Right Thing and find the root on its own even if the administrator
> does not define one or provide hints.
>
> You need something like,
>
> zone "." {
> type master;
> file "empty.db";
> };
>
>
> On Tue, Feb 19, 2019 at 10:29 AM Roberto Carna 
> wrote:
> >
> > Dear Matus and Kevin, please tell me if it's OK if I do this:
> >
> > named.conf:
> > include "/etc/bind/named.conf.default-zones";
> >
> > named.conf.default-zones:
> > recursion yes;
> > zone "teamviewer.com" {
> > type forward;
> > forwarders { 8.8.8.8; };
> > };
> >
> > named.conf.local:
> > 
> >
> > I define "recursion yes" in named.conf.default-zones.
> >
> > Thanks again, regards !!!
> >
> > On Tue, 19 Feb 2019 at 15:13, Matus UHLAR - fantomas via bind-users
> () wrote:
> >>
> >> On 19.02.19 09:45, Roberto Carna wrote:
> >> >Dear Kevin, I am sorry but I didn't see your past response.
> >> >
> >> >Please can you show me with an example what you say: "Define root zone.
> >> >Delegate teamviewer.com from root. Define teamviewer.com as 'type
> forward'".
> >> >
> >> >An also what is the benefit in defining a root zone with the
> teamviewer.com
> >> >delegated into it??? Because I put to work this zone just as a forward
> >> >zone, without a root zone definition.
> >>
> >> the benefit is it does exactly what you want.
> >> the "teamviewer.com" zone of type forward causes DNS resolution of
> teamviewer.com
> >> domain.
> >> the root zone effectively disables everything else (because bind thinks
> >> nothing else exists).
> >>
> >> >On Mon, 18 Feb 2019 at 17:00, Kevin Darcy (<kevin.da...@fcagroup.com>)
> >> >wrote:
> >> >
> >> >> I've already posted a solution for this. Basically, "Define root
> zone.
> >> >> Delegate teamviewer.com from root zone. Define teamviewer.com as
> 'type
> >> >> forward'".
> >> >>
> >> >> "Recursion yes" is implied. No views necessary. It doesn't make any
> sense
> >> >> anyway, to have the same match-clients list for all of one's views,
> since
> >> >> the first one matched is the one that's used.
> >> >>
> >> >> Did you not see my response, or did you perhaps dislike the approach
> I
> >> >> suggested?
> >> >>
> >> >> There was some subsequent discussion about not relying on DNS
> resolution
> >> >> as one's *only* control over what sites one's clients can or cannot
> access.
> >> >> While I agree with that, my position is that there's nothing wrong
> with
> >> >> controlling DNS resolution, in addition to other controls.
> >>
> >> --
> >> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> >> Warning: I wish NOT to receive e-mail advertising to this address.
> >> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> >> M$ Win's are shit, do not use it !


Re: DNS load balancing: UDP or TCP ?

2019-02-20 Thread Roberto Carna
Dear Tony, thanks for your response.

I've read something I don't know if it's true or not:

DNS clients send a UDP query to a DNS server; if no response is received
within some seconds, then they try with UDP.

You tell me this is not true, clients just try with UDP if the response is
truncated.

Can you confirm this is true in 100% of clients???

Thanks again, regards !!

On Tue, 19 Feb 2019 at 13:24, Tony Finch () wrote:

> Roberto Carna  wrote:
>
> > Dear, I have to balance two DNS servers for a special reason.
>
> https://www.powerdns.com/dnsdist.html
>
> > The DNS clients are a mix of Windows, Cisco and Linux machines, so I
> > think they ask for a FQDN using UDP and after that -if there is no
> > response-, they ask the same FQDN using TCP, and so the load balancing
> > will be successful.
>
> No, fallback to TCP relies on receiving a truncated UDP response. You
> never want a DNS client to be waiting around for a response that will
> not arrive.
>
> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Rockall, Malin: Southeast veering southwest 6 to gale 8, occasionally 5
> later.
> Rough or very rough. Rain. Moderate or poor.
>
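Tony's point, as an added example that is not part of this thread: a stub client goes to TCP only when a UDP reply it can match (QR set, same ID) carries the TC bit; a server that never answers produces a timeout, so a TCP-only balancer in front of it is never reached. The sample replies are constructed byte strings, not captured traffic; the query() function does real network I/O and is not exercised by the samples.

```python
import socket
import struct

QTYPE_A = 1
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def build_query(qname, qtype=QTYPE_A, qid=0x1234):
    """Build a minimal DNS query: RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    qn = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qn + struct.pack("!HH", qtype, 1)   # class IN


def parse_header(msg):
    """Decode the 12-byte DNS header into the fields a client acts on."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than a header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "ancount": an}


def should_retry_over_tcp(udp_reply, qid):
    """True only for a reply that is ours (QR set, matching ID) and truncated (TC set).
    Anything else is either a usable answer or not our reply; neither triggers TCP."""
    h = parse_header(udp_reply)
    return h["qr"] and h["id"] == qid and h["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TCP reply cut short")
        buf += chunk
    return buf


def query(server, qname, timeout=2.0, qid=0x1234):
    """UDP first, TCP only after a truncated reply. If the server is silent,
    recvfrom() raises socket.timeout and no TCP attempt is made."""
    q = build_query(qname, qid=qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(q, (server, 53))
        reply, _ = udp.recvfrom(4096)
    if not should_retry_over_tcp(reply, qid):
        return reply, "udp"
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(q))
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length), "tcp"


# Constructed sample replies (not captured traffic): same question section, different flags.
_QUESTION = build_query("www.example.com", qid=0x1234)[12:]
REPLY_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION   # QR RD RA
REPLY_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION  # QR TC RD RA
REPLY_WRONG_ID = struct.pack("!HHHHHH", 0x4321, 0x8380, 1, 0, 0, 0) + _QUESTION   # not ours

if __name__ == "__main__":
    for name, reply in [("complete", REPLY_COMPLETE), ("truncated", REPLY_TRUNCATED),
                        ("wrong id", REPLY_WRONG_ID)]:
        print(f"{name:>9}: retry over TCP = {should_retry_over_tcp(reply, 0x1234)}")
```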


Re:

2019-02-19 Thread Roberto Carna
Dear Matus and Kevin, please tell me if it's OK if I do this:

*named.conf:*
include "/etc/bind/named.conf.default-zones";

*named.conf.default-zones:*
recursion yes;
zone "teamviewer.com" {
type forward;
forwarders { 8.8.8.8; };
};

*named.conf.local:*


I define "recursion yes" in named.conf.default-zones.

Thanks again, regards !!!

On Tue, 19 Feb 2019 at 15:13, Matus UHLAR - fantomas via bind-users (<bind-users@lists.isc.org>) wrote:

> On 19.02.19 09:45, Roberto Carna wrote:
> >Dear Kevin, I am sorry but I didn't see your past response.
> >
> >Please can you show me with an example what you say: "Define root zone.
> >Delegate teamviewer.com from root. Define teamviewer.com as 'type
> forward'".
> >
> >An also what is the benefit in defining a root zone with the
> teamviewer.com
> >delegated into it??? Because I put to work this zone just as a forward
> >zone, without a root zone definition.
>
> the benefit is it does exactly what you want.
> the "teamviewer.com" zone of type forward causes DNS resolution of
> teamviewer.com
> domain.
> the root zone effectively disables everything else (because bind thinks
> nothing else exists).
>
> >On Mon, 18 Feb 2019 at 17:00, Kevin Darcy ( >)
> >wrote:
> >
> >> I've already posted a solution for this. Basically, "Define root zone.
> >> Delegate teamviewer.com from root zone. Define teamviewer.com as 'type
> >> forward'".
> >>
> >> "Recursion yes" is implied. No views necessary. It doesn't make any
> sense
> >> anyway, to have the same match-clients list for all of one's views,
> since
> >> the first one matched is the one that's used.
> >>
> >> Did you not see my response, or did you perhaps dislike the approach I
> >> suggested?
> >>
> >> There was some subsequent discussion about not relying on DNS resolution
> >> as one's *only* control over what sites one's clients can or cannot
> access.
> >> While I agree with that, my position is that there's nothing wrong with
> >> controlling DNS resolution, in addition to other controls.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> M$ Win's are shit, do not use it !


DNS load balancing: UDP or TCP ?

2019-02-19 Thread Roberto Carna
Dear, I have to balance two DNS servers for a special reason.

I need your comments please:

1) If I use HAProxy for DNS load balancing, this software only works with
TCP protocol (not UDP). The DNS clients are a mix of Windows, Cisco and
Linux machines, so I think they ask for a FQDN using UDP and after that -if
there is no response-, they ask the same FQDN using TCP, and so the load
balancing will be successful.

2) Or do you recommend the use of a UDP load balancing method, maybe for
faster responses??? In this case what UDP load balancer can I try ???

Thanking in advance.

Robert


Re:

2019-02-19 Thread Roberto Carna
Dear Kevin, I am sorry but I didn't see your past response.

Please can you show me with an example what you say: "Define root zone.
Delegate teamviewer.com from root. Define teamviewer.com as 'type forward'".

And also what is the benefit in defining a root zone with the teamviewer.com
delegated into it??? Because I put to work this zone just as a forward
zone, without a root zone definition.

Special thanks again!!!

On Mon, 18 Feb 2019 at 17:00, Kevin Darcy () wrote:

> I've already posted a solution for this. Basically, "Define root zone.
> Delegate teamviewer.com from root zone. Define teamviewer.com as 'type
> forward'".
>
> "Recursion yes" is implied. No views necessary. It doesn't make any sense
> anyway, to have the same match-clients list for all of one's views, since
> the first one matched is the one that's used.
>
> Did you not see my response, or did you perhaps dislike the approach I
> suggested?
>
> There was some subsequent discussion about not relying on DNS resolution
> as one's *only* control over what sites one's clients can or cannot access.
> While I agree with that, my position is that there's nothing wrong with
> controlling DNS resolution, in addition to other controls.
>
>           - Kevin
>
> On Mon, Feb 18, 2019 at 10:44 AM Roberto Carna 
> wrote:
>
>> Dear I've implemented two views, one for local resolution and the other
>> for forward a public zone to our resolver.
>>
>> But now I have a problem:
>>
>> If I define the same clients for the local zone view and forward view,
>> depending on the order of the views the client can resolve or not the
>> query. In this case client 10.12.1.1 will match view INT and not view
>> EXT:
>>
>> acl internal { 10.12.1.1; };
>> acl external { 10.12.1.1; };
>>
>> view "INT" {
>> match-clients { internal; };
>> recursion no;
>> zone "company.com" {
>> type master;
>> file "/etc/bind/zones/company.com.db";
>> };
>>
>> view "EXT" {
>> match-clients { external; };
>> recursion yes;
>> zone "teamviewer.com" {
>> type forward;
>> forward only;
>> forwarders {
>> 172.18.1.1;
>> };
>> };
>>
>> If I define just one view with local and forward zones, I have to define
>> "recursion yes" because the forward zone need this option, but in this case
>> a query for a local zone is trying to be resolved against ROOT Servers and
>> finally against master zone but it takes some seconds:
>>
>> acl unique { 10.12.1.1; };
>>
>> view "INT-EXT" {
>> match-clients { unique; };
>> recursion yes;
>> zone "company.com" {
>> type master;
>> file "/etc/bind/zones/company.com.db";
>> };
>> zone "teamviewer.com" {
>> type forward;
>> forward only;
>> forwarders {
>> 172.18.1.1;
>> };
>> };
>>
>> How can I define same clients to try resolving first view and -if there
>> is no response- they try with second view ???
>>
>> Or is there any other way to do what I want?
>>
>> Regards
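Kevin's point that "the first one matched is the one that's used", and the negated-key ACLs from the July 2019 zone-transfer config earlier on this page (acl one { !key two; !key three; key one; 10.10.0.0/24; }), can both be checked with the small simulator below. It is an added example, not BIND code: it applies simplified address-list rules (the first matching element decides, a "!" element denies, named acls are followed) to the two layouts taken from those posts.

```python
"""Simulate how named picks a view: match-clients lists are tried in order and
the first list that matches wins, so a client that is in two lists never reaches
the second view. Added example; simplified from BIND's ACL rules, not ISC code."""
import ipaddress


def _element_matches(elem, client, key, acls):
    """Positive match test for one address-list element."""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem.startswith("key "):                      # TSIG key name
        return key is not None and key == elem.split(None, 1)[1].strip('"')
    if elem in acls:                                 # reference to a named acl
        return acl_matches(acls[elem], client, key, acls) is True
    return client in ipaddress.ip_network(elem, strict=False)


def acl_matches(elements, client, key, acls):
    """Evaluate an address list: the first element that matches decides.
    A plain element gives True, a negated ('!') element gives False; None if
    nothing matched."""
    for elem in elements:
        negated = elem.startswith("!")
        if _element_matches(elem.lstrip("!").strip(), client, key, acls):
            return not negated
    return None


def select_view(views, client_ip, key=None, acls=None):
    """views: [(name, match_clients_list), ...] in named.conf order.
    Returns the first view whose match-clients list matches, else None."""
    client = ipaddress.ip_address(client_ip)
    for name, match_clients in views:
        if acl_matches(match_clients, client, key, acls or {}):
            return name
    return None


# Layout from the 2019-02-18 post: the same client appears in both acls.
ACLS_SAME_CLIENT = {"internal": ["10.12.1.1"], "external": ["10.12.1.1"]}
VIEWS_SAME_CLIENT = [("INT", ["internal"]), ("EXT", ["external"])]

# Layout from the July 2019 zone-transfer thread: keys tell the views apart.
ACLS_KEYED = {
    "one": ["!key two", "!key three", "key one", "10.10.0.0/24"],
    "two": ["!key one", "!key three", "key two", "10.10.1.0/24"],
}
VIEWS_KEYED = [("one", ["one"]), ("two", ["two"])]

if __name__ == "__main__":
    # INT every time; EXT is unreachable for this client
    print(select_view(VIEWS_SAME_CLIENT, "10.12.1.1", acls=ACLS_SAME_CLIENT))
    # one, matched by address
    print(select_view(VIEWS_KEYED, "10.10.0.5", acls=ACLS_KEYED))
    # two: '!key two' in acl one rejects the signed request before the address is tried
    print(select_view(VIEWS_KEYED, "10.10.0.5", key="two", acls=ACLS_KEYED))
    # None: an unsigned request from the secondary's address matches no view
    print(select_view(VIEWS_KEYED, "10.0.0.2", acls=ACLS_KEYED))
```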


[no subject]

2019-02-18 Thread Roberto Carna
Dear I've implemented two views, one for local resolution and the other for
forward a public zone to our resolver.

But now I have a problem:

If I define the same clients for the local zone view and forward view,
depending on the order of the views the client can resolve or not the
query. In this case client 10.12.1.1 will match view INT and not view EXT:

acl internal { 10.12.1.1; };
acl external { 10.12.1.1; };

view "INT" {
match-clients { internal; };
recursion no;
zone "company.com" {
type master;
file "/etc/bind/zones/company.com.db";
};

view "EXT" {
match-clients { external; };
recursion yes;
zone "teamviewer.com" {
type forward;
forward only;
forwarders {
172.18.1.1;
};
};

If I define just one view with local and forward zones, I have to define
"recursion yes" because the forward zone need this option, but in this case
a query for a local zone is trying to be resolved against ROOT Servers and
finally against master zone but it takes some seconds:

acl unique { 10.12.1.1; };

view "INT-EXT" {
match-clients { unique; };
recursion yes;
zone "company.com" {
type master;
file "/etc/bind/zones/company.com.db";
};
zone "teamviewer.com" {
type forward;
forward only;
forwarders {
172.18.1.1;
};
};

How can I define same clients to try resolving first view and -if there is
no response- they try with second view ???

Or is there any other way to do what I want?

Regards


Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Matus, I've followed what you say:

view "internet" {
   match-clients { internet_clients; key "pnet"; };

recursion yes;

zone "teamviewer.com" {
type forward;
forward only;
forwarders {
8.8.8.8;
};
};

};

but clients can resolve ANY public Internet domain, in addition to
teamviewer.com. I think "recursion yes" applies to every public domain and
not just to "teamviewer.com", but I don't know why.

Please can you give me more details, using forward or not, how can I let some
clients resolve just teamviewer.com ??? I confirm that my BIND is an
authoritative name server for internal domains.

Thanks a lot again.

On Mon, 11 Feb 2019 at 10:49, Matus UHLAR - fantomas (<uh...@fantomas.sk>) wrote:

> On 11.02.19 10:38, Roberto Carna wrote:
> >Dear Matus, thanks a lot for your help.
> >
> >>> what is the point of running DNS server with only two hostnames allowed
> >>> to resolve?
> >
> >The point is I have several desktops that must have access only to
> internal
> >domains. The unique exception is they have access to teamviewer.com  in
> >order to download the Teamviewer client and a pair of operations in this
> >public domain.
>
> if you disable recursion, any client using that server will only have
> access
> to the domains that are configured on that server internally.
>
> That also means they won't be allowed to contact any internal domains,
> unless you configure those internal domains on that server.
> Also no windows updates, nothing.
>
> >I think if I have setup "recursion = no", if I define a forward zone with
> >"type forward" and the corresponding forwarder, this option enable the
> >recursion just for this defined zone.
>
> No. Forward zone means recursion. "recursion no" is designed for
> authoritative servers, not servers like there.
>
> >In general, my question is how to forward a public domain to a DNS
> resolver
> >like 8.8.8.8 ???
>
> configure it as "type forward" and forwarders to 8.8.8.8. However, BIND can
> do resolution well without forwarding. Also, this seems to be just the
> opposite of what you describe above.
>
> >On Sat, 9 Feb 2019 at 12:28, Matus UHLAR - fantomas (<uh...@fantomas.sk>)
> >wrote:
> >
> >> On 07.02.19 16:30, Roberto Carna wrote:
> >> >Desktops I mentioned can only access to web apps from internal domains,
> >> but
> >> >in some web apps there are links to download Teamviewer client software
> >> >from Internet. I can create a private zone "teamviewer.com" with all
> the
> >> >hostnames and IP's we will use, but if they change I will be in
> trouble.
> >> >
> >> >So we need to forward the query to our resolvers in order to get a
> valid
> >> >response.
> >> >
> >> >So I think we can use the forward option from BIND, but it doesn't
> work at
> >> >all as I described:
> >> >
> >> >1. "recursion no" can only be set at the top (view) level, not
> overridden
> >> >   at the zone level.
> >> >
> >> >2. If I set "recursion no" at the view level, then a "type forward"
> >> >   zone has no effect:
> >> >
> >> >  view "foo" {
> >> >recursion no;
> >> >...
> >> >zone "teamviewer.com" {
> >> >  type forward;
> >> >  forward only;
> >> >  forwarders {172.18.1.1; 172.18.1.2;};
> >> >};
> >> >
> >> >-- query for foo.teamviewer.com fails and tell it's not a recursive
> query
> >>
> >> the whole point of "recursion no" is not to answer recursive queries,
> >> so there should be no wonder it works that way.
> >>
> >>
> >> >3. If I define "recursion yes" at view level:
> >> >
> >> >  view "foo" {
> >> >recursion yes;
> >> >...
> >> >zone "teamviewer.com" {
> >> >  type forward;
> >> >  forward only;
> >> >  forwarders {172.18.1.1; 172.18.1.2;};
> >> >};
> >> >
> >> >-- query for foo.teamviewer.com is OK, but also I get response OK from
> >> >foo.ibm.com, foo.google.com, and any other public domain from Internet
> >> >(and this is not what I want, it's what I'm trying to prevent))
> >> >
> >> >So can y

Re: Forward zone inside a view

2019-02-11 Thread Roberto Carna
Dear Matus, thanks a lot for your help.

>> what is the point of running DNS server with only two hostnames allowed
>> to resolve?

The point is I have several desktops that must have access only to internal
domains. The unique exception is they have access to teamviewer.com  in
order to download the Teamviewer client and a pair of operations in this
public domain.

I think if I have set up "recursion = no", if I define a forward zone with
"type forward" and the corresponding forwarder, this option enables the
recursion just for this defined zone.

In general, my question is how to forward a public domain to a DNS resolver
like 8.8.8.8 ???

Thanks again.

On Sat, 9 Feb 2019 at 12:28, Matus UHLAR - fantomas () wrote:

> On 07.02.19 16:30, Roberto Carna wrote:
> >Desktops I mentioned can only access to web apps from internal domains,
> but
> >in some web apps there are links to download Teamviewer client software
> >from Internet. I can create a private zone "teamviewer.com" with all the
> >hostnames and IP's we will use, but if they change I will be in trouble.
> >
> >So we need to forward the query to our resolvers in order to get a valid
> >response.
> >
> >So I think we can use the forward option from BIND, but it doesn't work at
> >all as I described:
> >
> >1. "recursion no" can only be set at the top (view) level, not overridden
> >   at the zone level.
> >
> >2. If I set "recursion no" at the view level, then a "type forward"
> >   zone has no effect:
> >
> >  view "foo" {
> >recursion no;
> >...
> >zone "teamviewer.com" {
> >  type forward;
> >  forward only;
> >  forwarders {172.18.1.1; 172.18.1.2;};
> >};
> >
> >-- query for foo.teamviewer.com fails and tell it's not a recursive query
>
> the whole point of "recursion no" is not to answer recursive queries,
> so there should be no wonder it works that way.
>
>
> >3. If I define "recursion yes" at view level:
> >
> >  view "foo" {
> >recursion yes;
> >...
> >zone "teamviewer.com" {
> >  type forward;
> >  forward only;
> >  forwarders {172.18.1.1; 172.18.1.2;};
> >};
> >
> >-- query for foo.teamviewer.com is OK, but also I get response OK from
> >foo.ibm.com, foo.google.com, and any other public domain from Internet
> >(and this is not what I want, it's what I'm trying to prevent))
> >
> >So can you help me please???
>
> you still have not answered my question:
>
> >> what is the point of running DNS server with only two hostnames allowed
> to
> >> resolve?
>
> However, you can define empty type master "." zone, and bind will return
> NXDOMAIN for anything other.
>
>
> >On Thu, 7 Feb 2019 at 15:40, Matus UHLAR - fantomas (<uh...@fantomas.sk>)
> >wrote:
> >
> >> On 07.02.19 14:58, Roberto Carna wrote:
> >> >In our company we have several desktops from two different cities
> >> accessing
> >> >only to internal domains distributed in two views in a private BIND
> with
> >> >authoritative zones, where I've defined "recursion no;".
> >> >
> >> >But now we have to let them access to *.teamviewer.com hostnames, just
> >> this
> >> >public domain and not other.
> >>
> >> btw, when did linux.org change to teamviewer.com?
> >>
> >> >So I've implemented the forwarding of "teamviewer.com" zone to our
> BIND
> >> >resolvers servers (they forward DNS queries to 8.8.8.8). So I've
> created a
> >> >third view with this information in named.conf.local:
> >> >
> >> >acl internet { 10.0.0.0/24 };
> >> >
> >> >view "internet" {
> >> >
> >> >   match-clients { internet; key "custom"; };
> >> >
> >> > recursion yes;
> >> >
> >> > zone "teamviewer.com" {
> >> >
> >> >type forward;
> >> >
> >> >forward only;
> >> >
> >> >forwarders {
> >> >
> >> >172.18.1.1;
> >> >
> >> >172.18.1.2;
> >> >
> >> >};
> >> >
> >> >};
> >>
> >>
> >> >I defined "recursion yes" but the BIND servers forwards all the public

Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear, thanks for your contact. I've used teamviewer.com just for tests.

The desktops I mentioned can only access web apps from internal domains, but
in some web apps there are links to download the Teamviewer client software
from the Internet. I can create a private zone "teamviewer.com" with all the
hostnames and IPs we will use, but if they change I will be in trouble.

So we need to forward the query to our resolvers in order to get a valid
response.

So I think we can use the forward option from BIND, but it doesn't work at
all as I described:

1. "recursion no" can only be set at the top (view) level, not overridden
   at the zone level.

2. If I set "recursion no" at the view level, then a "type forward"
   zone has no effect:

  view "foo" {
recursion no;
...
zone "teamviewer.com" {
  type forward;
  forward only;
  forwarders {172.18.1.1; 172.18.1.2;};
};

-- query for foo.teamviewer.com fails and tells me it's not a recursive query

3. If I define "recursion yes" at view level:

  view "foo" {
recursion yes;
...
zone "teamviewer.com" {
  type forward;
  forward only;
  forwarders {172.18.1.1; 172.18.1.2;};
};

-- query for foo.teamviewer.com is OK, but I also get an OK response from
foo.ibm.com, foo.google.com, and any other public domain on the Internet
(and this is not what I want, it's what I'm trying to prevent)

So can you help me please???

Regards.


On Thu, 7 Feb 2019 at 15:40, Matus UHLAR - fantomas () wrote:

> On 07.02.19 14:58, Roberto Carna wrote:
> >In our company we have several desktops from two different cities
> accessing
> >only to internal domains distributed in two views in a private BIND with
> >authoritative zones, where I've defined "recursion no;".
> >
> >But now we have to let them access to *.teamviewer.com hostnames, just
> this
> >public domain and not other.
>
> btw, when did linux.org change to teamviewer.com?
>
> >So I've implemented the forwarding of "teamviewer.com" zone to our BIND
> >resolvers servers (they forward DNS queries to 8.8.8.8). So I've created a
> >third view with this information in named.conf.local:
> >
> >acl internet { 10.0.0.0/24 };
> >
> >view "internet" {
> >
> >   match-clients { internet; key "custom"; };
> >
> > recursion yes;
> >
> > zone "teamviewer.com" {
> >
> >type forward;
> >
> >forward only;
> >
> >forwarders {
> >
> >172.18.1.1;
> >
> >172.18.1.2;
> >
> >};
> >
> >};
>
>
> >I defined "recursion yes" but the BIND servers forwards all the public
> >domains queries to our resolvers and not just for "teamviewer.com", so it
> >doesn't work. And if I change for "recursion no", the query
> >www.teamviewer.com is refused and at the client side appears an error
> >telling that recursion is necessary.
>
> of course, BIND will resolve other domains (recurse) only when you allow it
> to recurse.
>
> >So I let desktops resolve all the Internet domains or neither, and this is
> >not what I want because I just want to let them resolve just
> teamviewer.com.
> >
> >How can I do to forward only teamviewer.com zone queries to my
> resolvers???
>
> what is the point of running DNS server with only two hostnames allowed to
> resolve?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> Despite the cost of living, have you noticed how popular it remains?
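
The configuration Matus suggests above (a view that recurses, a single forward zone, and an empty root zone so that everything else gets NXDOMAIN), written out for Roberto's case 3 as an added example; it is not from the thread. The ACL, view name, key name and forwarder addresses are Roberto's; the zone file path assumes Debian's bind9 package, which installs an empty zone (an SOA plus an NS pointing at localhost.) as /etc/bind/db.empty.

```conf
// Added example, not from the thread: Matus's suggestion applied to Roberto's
// "internet" view. ACL, key and forwarder addresses come from the thread; the
// zone file path assumes Debian's bind9 package, which installs an empty
// zone (SOA + NS pointing at localhost.) as /etc/bind/db.empty.

acl internet { 10.0.0.0/24; };

view "internet" {
    match-clients { internet; key "custom"; };

    // Forwarding is a recursive operation, so the view must recurse;
    // limit who may use that recursion to the same clients.
    recursion yes;
    allow-recursion { internet; };

    // Roberto's global options have dnssec-validation auto. With a locally
    // served "." the validator would look up the root DNSKEY in the empty
    // zone, find nothing and SERVFAIL, so validation is left to the
    // resolvers at 172.18.1.1/.2 instead of this view.
    dnssec-validation no;

    // The only name space that leaves this view, via the internal resolvers.
    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders { 172.18.1.1; 172.18.1.2; };
    };

    // Empty root zone: this view is authoritative for "." and answers
    // NXDOMAIN for any name not covered by a more specific zone above,
    // so foo.ibm.com or foo.google.com never reach the Internet.
    // Any internal zones these clients still need go in this view too.
    zone "." {
        type master;
        file "/etc/bind/db.empty";
    };
};
```

Check it from a 10.0.0.0/24 client: `dig @<server> foo.teamviewer.com` returns whatever the internal resolvers return, while `dig @<server> foo.ibm.com` comes back NXDOMAIN with the aa flag set, because the answer came from the local root zone and the query never left the server. Tony's static-stub suggestion does not apply here, since 172.18.1.1 and 172.18.1.2 are recursive resolvers, not authoritative servers.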


Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Ok Tony, please let me explain to you.

In our company we have several desktops from two different cities accessing
only internal domains distributed in two views in a private BIND with
authoritative zones, where I've defined "recursion no;".

But now we have to let them access *.teamviewer.com hostnames, just this
public domain and no other.

So I've implemented forwarding of the "teamviewer.com" zone to our BIND
resolver servers (they forward DNS queries to 8.8.8.8). So I've created a
third view with this information in named.conf.local:

acl internet { 10.0.0.0/24; };

view "internet" {
    match-clients { internet; key "custom"; };
    recursion yes;

    zone "teamviewer.com" {
        type forward;
        forward only;
        forwarders {
            172.18.1.1;
            172.18.1.2;
        };
    };
};

I defined "recursion yes" but the BIND server forwards all public domain
queries to our resolvers and not just those for "teamviewer.com", so it
doesn't work. And if I change it to "recursion no", the query for
www.teamviewer.com is refused and on the client side an error appears
saying that recursion is necessary.

So either I let desktops resolve all Internet domains or none, and this is
not what I want because I just want to let them resolve teamviewer.com.

How can I forward only teamviewer.com zone queries to my resolvers???

Sorry for my new message, special thanks Tony !!!

On Thu, 7 Feb 2019 at 13:41, Tony Finch () wrote:

> Roberto Carna  wrote:
> >
> > So how can I define "recursion yes" just for the zone "linux.org" ???
>
> You can turn recursion on and off for the entire server, or per view, but
> not per zone.
>
> It isn't clear to me what you want this server to do. If it is providing
> DNS service to end-user devices (if it is configured in /etc/resolv.conf
> or advertised by DHCP) then it needs to provide recursive service. If not,
> then I am even more confused about what you are trying to do!
>
> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> St Davids Head to Great Orme Head, including St Georges Channel: Southwest
> 5
> or 6, increasing 7 to severe gale 9. Moderate or rough becoming very rough.
> Rain and drizzle, squally showers later. Moderate or good, occasionally
> poor.
>


Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
When I query www.teamviewer from a desktop, it fails and I get this error in
dig:

 WARNING: recursion requested but not available

In BIND I have in named.conf.local:

zone "linux.org" {
    type forward;
    forwarders {
        172.18.1.1;
        172.18.1.2;
    };
};

and "recursion no;" is defined in named.conf.options.

How can I enable recursion for linux.org queries in order to forward them
to my resolvers???

Thanks a lot

On Thu, 7 Feb 2019 at 11:40, Roberto Carna () wrote:

> Tony, as you said forwarding requires recursion but when I define:
>
> zone "linux.org" {
>     recursion yes;
>     type forward;
>     forward only;
>     forwarders {
>         172.18.1.1;
>         172.18.1.2;
>     };
> };
>
> and after that I restart bind9 service, it fails:
>
> unknown option 'recursion'
>
> So how can I define "recursion yes" just for the zone "linux.org" ???
>
> Sorry for my new question, I'd appreciate your help.
>
> Regards!!!
>
>
> On Thu, 7 Feb 2019 at 11:26, Tony Finch () wrote:
>
>> Roberto Carna  wrote:
>>
>> > Dear Tony, I forward the "linux.org" queries from our private Bind to
>> our
>> > Bind resolvers (they have authoritative public zones and also they are
>> > resolvers that forward the queries to 8.8.8.8).
>> >
>> > So why you say they are authoritative only servers?
>>
>> Oh, I misread your explanation, I thought the "recursion no" in your
>> configuration was on the target server. But it is on the server with the
>> "type forward" zone, and since forwarding requires recursion, it will not
>> work.
>>
>> Tony.
>> --
>> f.anthony.n.finchhttp://dotat.at/
>> Shannon: Southwest 7 to severe gale 9, veering west gale 8 to storm 10
>> later.
>> Very rough, becoming high or very high. Rain or squally showers. Poor.
>>
>


Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Tony, as you said forwarding requires recursion but when I define:

zone "linux.org" {
    recursion yes;
    type forward;
    forward only;
    forwarders {
        172.18.1.1;
        172.18.1.2;
    };
};

and after that I restart bind9 service, it fails:

unknown option 'recursion'

So how can I define "recursion yes" just for the zone "linux.org" ???

Sorry for my new question, I'd appreciate your help.

Regards!!!


On Thu, 7 Feb 2019 at 11:26, Tony Finch () wrote:

> Roberto Carna  wrote:
>
> > Dear Tony, I forward the "linux.org" queries from our private Bind to
> our
> > Bind resolvers (they have authoritative public zones and also they are
> > resolvers that forward the queries to 8.8.8.8).
> >
> > So why you say they are authoritative only servers?
>
> Oh, I misread your explanation, I thought the "recursion no" in your
> configuration was on the target server. But it is on the server with the
> "type forward" zone, and since forwarding requires recursion, it will not
> work.
>
> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Shannon: Southwest 7 to severe gale 9, veering west gale 8 to storm 10
> later.
> Very rough, becoming high or very high. Rain or squally showers. Poor.
>


Re: Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear Tony, I forward the "linux.org" queries from our private Bind to our
Bind resolvers (they have authoritative public zones and also they are
resolvers that forward the queries to 8.8.8.8).

So why do you say they are authoritative-only servers?

As I said, can I still use the forward option for "linux.org" ???

Thanks a lot again!!!

On Thu, 7 Feb 2019 at 11:05, Tony Finch () wrote:

> Roberto Carna  wrote:
>
> > Dear, I have Bind 9.10.3 as our private DNS service with two views, one
> of
> > them let some clients to query linux.org domain from Internet forwarding
> > the query to our Bind resolvers, but the query is refused by our private
> > Bind.
>
> You can't forward to an authoritative-only server. Use a static-stub zone
> configuration instead.
>
> Tony.
> --
> f.anthony.n.finchhttp://dotat.at/
> Tyne: West, backing south, 5 to 7. Slight or moderate, occasionally rough
> later. Showers. Good occasionally moderate.
>


Forward zone inside a view

2019-02-07 Thread Roberto Carna
Dear, I have Bind 9.10.3 as our private DNS service with two views, one of
which lets some clients query the linux.org domain on the Internet by
forwarding the query to our Bind resolvers, but the query is refused by our
private Bind.

The private Bind has these main parameters in named.conf.options:

options {
    directory "/var/cache/bind";
    allow-transfer { "none"; };

    dnssec-validation auto;
    dnssec-enable yes;
    auth-nxdomain no;
    allow-query { any; };
    recursion no;
    version "none";
};

And this is the relevant part of named.conf.local:

acl internet { 10.0.0.0/24; };

view "INTERNET" {
    match-clients { internet; key "custom"; };

    zone "linux.org" {
        type forward;
        forward only;
        forwarders {
            172.18.1.1;
            172.18.1.2;
        };
    };
};

Please can you help me forward the queries for linux.org hostnames from
the private BIND with the views to our resolvers?

Thanks a lot!!!


Re: DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Roberto Carna
Thanks Ben for your response, can you tell me the types of TCP traffic I
have to expect in BIND, excepting Zone Transfer?

Thanks a lot again!!!

On Mon, 4 Feb 2019 at 10:50, Ben Croswell () wrote:

> BIND has always required UDP and TCP 53 for proper functionality. It is
> sometimes mistakenly believed that TCP is only for zone transfers, but that
> is not the case.
>
> On Mon, Feb 4, 2019, 8:46 AM Roberto Carna  wrote:
>
>> Dear, I have a BIND 9.10 public server and I have delegated some public
>> domains.
>>
>> When I test these domains with the EDNS tool offered on the DNS Flag Day
>> webpage, the test was wrong with just the UDP/53 port opened to the Internet.
>>
>> After that, when I also opened the TCP/53 port, the test was successful.
>>
>> Please can you explain to me the reason I have to open the TCP/53 port to
>> the Internet from February 1st onwards???
>>
>> Really thanks, regards.
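
Ben's point, as an added example that is not from the thread or from ISC: a minimal Python DNS client that does what every resolver does, before and after Flag Day. It asks over UDP with an EDNS(0) buffer size and, when the answer comes back with the TC (truncated) bit set, repeats the same question over TCP with the two-byte length framing. That retry is the TCP traffic an authoritative server sees apart from zone transfers: answers that do not fit the UDP size the client advertised (DNSSEC-signed zones, large TXT or MX sets) come back truncated and are fetched again over TCP. The query name and the sample truncated response are constructed here; only `resolve()` touches the network.

```python
"""Added example, not code from the thread or from BIND: UDP first, TCP on
truncation. The sample response below is constructed, not captured."""

import socket
import struct

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "TXT": 16, "AAAA": 28, "DNSKEY": 48}

FLAG_QR = 0x8000  # message is a response
FLAG_TC = 0x0200  # response was truncated: retry over TCP
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels ending in 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int, edns_udp_size: int = 4096) -> bytes:
    """Query with RD set plus an EDNS(0) OPT record advertising the UDP payload
    size we can receive. OPT: NAME ".", TYPE 41, CLASS = UDP size, TTL 0, RDLEN 0."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar, "rcode": flags & 0x000F,
            "response": bool(flags & FLAG_QR), "truncated": bool(flags & FLAG_TC)}


def needs_tcp_retry(msg: bytes, txid: int) -> bool:
    """True when the UDP reply matches our ID but was truncated: the server
    could not fit the answer into the UDP size we advertised."""
    h = parse_header(msg)
    return h["response"] and h["id"] == txid and h["truncated"]


def tcp_frame(msg: bytes) -> bytes:
    """DNS over TCP (RFC 1035 4.2.2): two-byte big-endian length, then the message."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(data: bytes) -> bytes:
    """Strip the TCP length prefix, checking the whole message arrived."""
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("short TCP DNS message")
    return body


def resolve(name: str, qtype: str, server: str, timeout: float = 3.0) -> tuple:
    """Ask over UDP, fall back to TCP on truncation. Returns (transport, reply).
    Needs network access, so it is not part of the offline checks."""
    txid = 0x1234
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(65535)
    if not needs_tcp_retry(reply, txid):
        return ("udp", reply)
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(tcp_frame(query))
        data = b""
        while len(data) < 2 or len(data) < 2 + struct.unpack("!H", data[:2])[0]:
            chunk = tcp.recv(65535)
            if not chunk:
                break
            data += chunk
    return ("tcp", tcp_unframe(data))


# Constructed sample: a response header with QR, TC, RD and RA set and no records,
# i.e. what a server sends when the answer does not fit the advertised UDP size.
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)

if __name__ == "__main__":
    print("retry over TCP:", needs_tcp_retry(SAMPLE_TRUNCATED, 0x1234))
```

A firewall that passes UDP/53 only turns every truncated answer into a timeout on the client side, which is exactly what the Flag Day test reports; `dig +tcp` against the server from outside is the quick way to confirm the port is open.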


DNS Flag Day: I had to open the TCP/53 port

2019-02-04 Thread Roberto Carna
Dear, I have a BIND 9.10 public server and I have delegated some public
domains.

When I test these domains with the EDNS tool offered on the DNS Flag Day
webpage, the test was wrong with just the UDP/53 port opened to the Internet.

After that, when I also opened the TCP/53 port, the test was successful.

Please can you explain to me the reason I have to open the TCP/53 port to the
Internet from February 1st onwards???

Really thanks, regards.


Re: DNS Flag Day may cause any problem in private DNS servers ?

2019-01-25 Thread Roberto Carna
Thanks a lot!

On Thu, 24 Jan 2019 at 16:24, Evan Hunt () wrote:

> On Thu, Jan 24, 2019 at 10:53:49AM -0300, Roberto Carna wrote:
> > Dear, I've just worked around on my public BIND DNS's in order to solve
> the
> > problem of DNS Flag Day.
> >
> > But I have a pair of private DNS (BIND and Windows) that respond to
> > internal queries and also forward non authoritative queries to my public
> > DNS's... may my private DNS's become unstable after DNS Flag Day if I
> > don't do any workaround on them ?
>
> DNS flag day is when vendors of recursive name servers will stop releasing
> new software that coddles ancient or broken authoritative servers and
> firewalls. Instead of trying over and over in different ways to coax some
> broken remote system to send back an answer, new resolver software will
> just declare the remote server to be broken, and give up.
>
> Nothing will stop working suddenly on February 1. However, the next time
> you upgrade your recursive name server to the latest version, you *might*
> have problems then.  My guess is that you won't, but I can't guarantee it.
>
> If you do have some legacy server running internally that can't be fixed to
> support EDNS properly, you can still configure your resolvers not to use
> EDNS when talking to that specific server. That option will still be
> available after flag day.
>
> An easy way to check would be to install the latest BIND development
> release (version 9.13.5) and see if it works. It already has all the flag
> day changes in it.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.
>


DNS Flag Day may cause any problem in private DNS servers ?

2019-01-24 Thread Roberto Carna
Dear, I've just worked around on my public BIND DNS's in order to solve the
problem of DNS Flag Day.

But I have a pair of private DNS (BIND and Windows) that respond to
internal queries and also forward non authoritative queries to my public
DNS's... may my private DNS's become unstable after DNS Flag Day if I
don't do any workaround on them ?

Thanks a lot,

Robert


TSIG error with BIND9 Views

2018-11-12 Thread Roberto Carna
Hi people, I've implemented a BIND9 service with two views, and only one key
for TSIG.

The primary and secondary server start OK, but the transfer doesn't work
because in the bind.log from secondary server I can see "TSIG error".

Do I have to use one Key for the first view and a different Key for the
second view for TSIG transfer ? Or can I use just one Key ?

Thanks a lot !!!
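
The question above has no reply in the thread. As an added example, not from the thread or from ISC, this is the two-key layout the BIND ARM's split-DNS chapter uses for transfers between a primary and a secondary that both carry two views: each view has its own key and refuses the other view's key, so the primary can tell which view a transfer request belongs to. With a single key every signed request from the secondary looks the same and lands in whichever view matches first. Key names, secrets, zone names, file paths and the addresses 10.0.0.1 (primary) and 10.0.0.2 (secondary) are all placeholders.

```conf
// Added example, not from the thread or from ISC: TSIG transfers between a
// primary and a secondary that both run two views. One key per view, and
// each view rejects the other view's key, so a request signed with
// external-key can never land in the internal view (and vice versa).
// Key names, secrets (placeholder bytes; generate real ones with
// tsig-keygen), zone names, file paths and the addresses 10.0.0.1 (primary)
// and 10.0.0.2 (secondary) are all placeholders.

key "internal-key" { algorithm hmac-sha256; secret "AAAAAAAAAAAAAAAAAAAAAA=="; };
key "external-key" { algorithm hmac-sha256; secret "AQEBAQEBAQEBAQEBAQEBAQ=="; };

// ---- named.conf on the primary, 10.0.0.1 ----
view "internal" {
    match-clients { !key external-key; key internal-key; 10.0.0.0/8; };
    allow-transfer { key internal-key; };
    // Sign NOTIFY messages so they reach the matching view on the secondary.
    server 10.0.0.2 { keys { internal-key; }; };
    zone "company.com" {
        type master;
        file "/etc/bind/internal/db.company.com";
    };
};

view "external" {
    match-clients { !key internal-key; key external-key; any; };
    allow-transfer { key external-key; };
    server 10.0.0.2 { keys { external-key; }; };
    zone "company.com" {
        type master;
        file "/etc/bind/external/db.company.com";
    };
};

// ---- named.conf on the secondary, 10.0.0.2 ----
// The server statement signs everything this view sends to the primary
// (SOA refresh queries and AXFR/IXFR), which is what routes the transfer
// into the right view on the primary.
view "internal" {
    match-clients { !key external-key; key internal-key; 10.0.0.0/8; };
    server 10.0.0.1 { keys { internal-key; }; };
    zone "company.com" {
        type slave;
        masters { 10.0.0.1; };
        file "/var/cache/bind/internal/db.company.com";
    };
};

view "external" {
    match-clients { !key internal-key; key external-key; any; };
    server 10.0.0.1 { keys { external-key; }; };
    zone "company.com" {
        type slave;
        masters { 10.0.0.1; };
        file "/var/cache/bind/external/db.company.com";
    };
};
```

Both sides must carry the same key name and secret, and TSIG verifies the signature time with a 300-second fudge, so a "TSIG error" with a single key is also what clock drift between primary and secondary looks like. On the secondary, `rndc retransfer company.com IN internal` forces the transfer for one view, and the log names the view in the zone (company.com/IN/internal), which makes it easy to see which view a failing transfer went to.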


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-05 Thread Roberto Carna
Thanks a lot to all of you... Now I understand.

But when I check for DNSSEC support with:

dig com.uk +dnssec +multi

I can see there is no support at all... so using DNSSEC for xxx.com.uk makes no
sense at all... does it?

; <<>> DiG 9.10.3-P4-Debian <<>> com.uk +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.uk.IN A

;; AUTHORITY SECTION:
uk. 1548 IN SOA dns1.nic.uk. hostmaster.nic.uk. (
1403852443 ; serial
7200   ; refresh (2 hours)
900; retry (15 minutes)
2419200; expire (4 weeks)
10800  ; minimum (3 hours)
)
uk. 1548 IN RRSIG SOA 8 1 172800 (
20181019160738 20181005150738 43056 uk.
obD8WjHpNUB/GeEdlp2SaJBsp9D0N03cLTCpEn+0UpQF
V75NiX509EzgTeT9Eh0du0kIptjMZKyDON/5ZN7p21BI
E3srTdrMVTNyNqAEa1SZWlTBWcs4FNzFoVkJVfJXwHpF
IDF2ZLlNxjlP9xgWr+YKcEtqUTYF4lfscx5tOF8= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018194223 20181004184445 43056 uk.
RH6cfZjzah93ucxwynKropExMhvWznqV4ySiWAsWLw3T
3IaCQoF/rS5Np/PwcuIzZ5ZLR0dJ/56prKWSKA6l5LBz
4dQWvlceb8oY3o1WvBXn/+UjptIMP87LPtNLxU/JsrGJ
YpO6qsBZXTerhmEAAZi+9tLBCo5dW5CO8n5PlP0= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN NSEC3 1 1 0 - (
M4FDARQNDI0P0UGAD29OKGNPRJKAE5SP
NS DS RRSIG )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181019000937 20181004233936 43056 uk.
ca9n8B+3hjnDKh8KHsM5gDGYq9bJ4Rjh/EQ7fVSO4FK4
VDDFtzhDvQySLfudSq3P0pGdqye/BLjTgC6p4pNUeFhL
SPjJsjcA5SvSha7ZNGgAjjdC4t7Sg0yyGnLxfx129lX2
AbhbpJUjCQ5eX6U56t2IH5/8Dg8uAPOFUF6Ogmk= )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN NSEC3 1 1 0 - (
U1LG7J6JO1NFSU55LON2UMGEUJO912TU
NS SOA RRSIG DNSKEY NSEC3PARAM
TYPE65534 )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018165433 20181004163523 43056 uk.
Tt5nrfM6nuJOgMPjULGi2WIN5RB3EZmv+nqODimBe5x8
9axQltyX7OR8iHNR6DzQl33aABgfvC/htUpKmtvOlQ6P
6V+2f/1I021Qcnuo7thu3V3a+ad1XFfHp6IqpEHi0Qxz
H4OsgvzFoycF+v0xpSr4ZSeuElJ0whKBlGWKAuM= )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN NSEC3 1 1 0 - (
UJSIFQNCG7CTSHF49P4L7HNBMPOSGRMB
NS DS RRSIG )

;; Query time: 0 msec
;; SERVER: 172.17.10.25#53(172.17.10.25)
;; WHEN: Fri Oct 05 13:12:28 -03 2018
;; MSG SIZE  rcvd: 1011


Regards!!!


On Fri, 5 Oct 2018 at 12:58, Chris Thompson () wrote:

> On Oct 4 2018, Mark Elkins wrote:
>
> >On 10/04/2018 05:03 PM, Roberto Carna wrote:
> [...]
> >> I have two DNS servers running BIND 9.10, they have delegated my own
> >> domain, let's say "robert.com.uk <http://robert.com.uk>" and some
> >> other domains from our clients, let's say:
> >>
> >> client1.com.uk <http://client1.com.uk>
> >> client2.edu.uk <http://client2.edu.uk>
> >> client3.info.uk <http://client3.info.uk>
> >>
> >> Can I sign theses client zones with my ZSK, or do I have to have a
> >> different key for each domain?
> >
> >I believe common practise is to create separate KSK and ZSK keys for
> >each domain - so each domain will have their own DS records in the
> >parent. This way, if one of the clients moves their domain to a new DNS
> >provider - there is no security conflict in the move from shared keys.
>
> Even if you make the (RDATA of) the KSKs identical for the different zones
> the DS records you will need to insert into the parent zones will be
> different, because the hashing algorithm includes the KSK owner name
> (i.e. the zone name) in its input. See RFC 4034 section 5.1.4.
>
> Similarly using ZSKs with identical RDATA in the different zones will
> not make any o
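
Chris Thompson's point above, as an added example that is not from the thread: the DS digest is computed over the owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), while the key tag (RFC 4034 Appendix B) covers only the RDATA. The Python below, not code from BIND, runs both computations on one constructed KSK placed under three of Roberto's zone names and shows the same key tag with three different digests. The key bytes are filler, not a real RSA key; the zone names are the ones from the thread.

```python
"""Added example, not from the thread or from BIND: DNSKEY key tag and DS
digest for one KSK published under different zone names. The KSK below is
constructed filler, not a real key."""

import hashlib
import struct

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK/SEP, 256 = ZSK), protocol (always 3),
    algorithm number, then the public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in.
    The owner name is not part of it, so the tag is the same in every zone."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS RDATA fields for a DNSKEY published at `owner`:
    digest = H(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    h = DIGEST_TYPES[digest_type]()
    h.update(owner_name_wire(owner))
    h.update(rdata)
    return {"owner": owner.rstrip(".").lower() + ".",
            "key_tag": key_tag(rdata),
            "algorithm": rdata[3],
            "digest_type": digest_type,
            "digest": h.hexdigest().upper()}


def ds_presentation(ds: dict) -> str:
    """The zone-file line a registrar's DS form asks for."""
    return (f'{ds["owner"]} IN DS {ds["key_tag"]} {ds["algorithm"]} '
            f'{ds["digest_type"]} {ds["digest"]}')


# Constructed KSK: flags 257 (SEP), algorithm 8 (RSASHA256), 64 filler key bytes.
SAMPLE_KSK = dnskey_rdata(257, 8, bytes(range(1, 65)))

if __name__ == "__main__":
    # Same RDATA under three owner names: one key tag, three digests.
    for zone in ("robert.com.uk", "client1.com.uk", "client2.edu.uk"):
        print(ds_presentation(ds_record(zone, SAMPLE_KSK)))
```

With real keys the equivalent line comes from `dnssec-dsfromkey -2 Kclient1.com.uk.+008+NNNNN.key` (NNNNN standing for the key's tag, a placeholder here), which is what goes into the registrar's DS form; the output differs per zone even when the key file's public part is identical.
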

Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Roberto Carna
Thanks a lot Mark, regards !!!

On Thu, 4 Oct 2018 at 16:18, Mark Elkins () wrote:

>
>
> On 10/04/2018 05:03 PM, Roberto Carna wrote:
>
> Hello, thanks to both of you for your help. Now I understand I have to
> contact my registrar in order to give it the DS of the KSK.
>
> Please I have a last question:
>
> I have two DNS servers running BIND 9.10, they have delegated my own
> domain, let's say "robert.com.uk" and some other domains from our
> clients, let's say:
>
> client1.com.uk
> client2.edu.uk
> client3.info.uk
>
> Can I sign these client zones with my ZSK, or do I have to have a
> different key for each domain?
>
>
> I believe common practise is to create separate KSK and ZSK keys for each
> domain - so each domain will have their own DS records in the parent. This
> way, if one of the clients moves their domain to a new DNS provider - there
> is no security conflict in the move from shared keys.
>
> (Use a different Key)
>
> And do I have to tell my clients I will sign their zones or it is
> transparent for them?
>
>
> DNSSEC is a good thing - but I'd suggest telling the clients that this is
> happening. DNSSEC usually introduces the need to have extra DNS actions
> happen - even on an otherwise static Zone. Thus - there is more that might
> possibly break. On the other hand, it makes resolving items in that zone far
> more secure and allows for newer possibilities such as TLSA records for Web
> and Mail services. I believe the customer should be made aware of all these
> pros and cons.
>
> (Yes)
>
> Thanks a lot again, regards !!!
>
>
>
> On Wed, 3 Oct 2018 at 16:36, Mark Andrews () wrote:
>
>> You give the matching DS record via your registrar much the same way as
>> you do the NS RRset or glue address records.  If your registrar doesn’t
>> support DNSSEC you will need to change registrars.
>>
>> If your parent zone uses CDS or CDNSKEY then publish those records at the
>> zone apex.
>>
>> If your parent zone is not signed then start complaining.
>>
>> --
>> Mark Andrews
>>
>> On 4 Oct 2018, at 05:24, Roberto Carna  wrote:
>>
>> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
>> 9.10. I've created the KSK and ZSK too.
>>
>> Let's say my domain is "robert.com.uk".
>>
>> How do I have to give the KSK (key signing key) to my parent zones, let's
>> say COM and UK ???
>>
>> And what if COM or UK don't use DNSSEC at all ???
>>
>> Thanking in advance,
>>
>> Robert
>>
>
>
> --
> Mark James ELKINS  -  Posix Systems - (South) africa...@posix.co.za   
> Tel: +27.128070590  Cell: +27.826010496
> For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
>


Re: DNSSEC: give KSK from my domain to parent zones

2018-10-04 Thread Roberto Carna
Hello, thanks to both of you for your help. Now I understand I have to
contact my registrar in order to give it the DS of the KSK.

Please I have a last question:

I have two DNS servers running BIND 9.10, they have delegated my own
domain, let's say "robert.com.uk" and some other domains from our clients,
let's say:

client1.com.uk
client2.edu.uk
client3.info.uk

Can I sign these client zones with my ZSK, or do I have to have a
different key for each domain?

And do I have to tell my clients I will sign their zones, or is it
transparent for them?

Thanks a lot again, regards !!!



On Wed, 3 Oct 2018 at 16:36, Mark Andrews () wrote:

> You give the matching DS record via your registrar much the same way as
> you do the NS RRset or glue address records.  If your registrar doesn’t
> support DNSSEC you will need to change registrars.
>
> If your parent zone uses CDS or CDNSKEY then publish those records at the
> zone apex.
>
> If your parent zone is not signed then start complaining.
>
> --
> Mark Andrews
>
> On 4 Oct 2018, at 05:24, Roberto Carna  wrote:
>
> Dear people, I have DNSSEC implemented in my authoritative domain in BIND
> 9.10. I've created the KSK and ZSK too.
>
> Let's say my domain is "robert.com.uk".
>
> How do I have to give the KSK (key signing key) to my parent zones, let's
> say COM and UK ???
>
> And what if COM or UK don't use DNSSEC at all ???
>
> Thanking in advance,
>
> Robert
>


DNSSEC: give KSK from my domain to parent zones

2018-10-03 Thread Roberto Carna
Dear people, I have DNSSEC implemented in my authoritative domain in BIND
9.10. I've created the KSK and ZSK too.

Let's say my domain is "robert.com.uk".

How do I have to give the KSK (key signing key) to my parent zones, let's
say COM and UK ???

And what if COM or UK don't use DNSSEC at all ???

Thanking in advance,

Robert


BIND for complementary records for the same authoritative domain

2018-06-15 Thread Roberto Carna
Dear, our company has an internal Windows DNS with the "company.com"
authoritative domain. Suppose within it we have the following records:

a.company.com
b.company.com
c.company.com

Now we need to have several records maintained exclusively by another IT
area, in the same authoritative domain "company.com", so let's
say:

x.company.com
y.company.com
z.company.com

Is it possible to build a BIND DNS server for these last records, and
tell Windows DNS server something like this:

"Search the record x.company.com within company.com, if it is not
there search this record in the BIND server".

Windows DNS server is setup in the clients computers, and it can
contact BIND server for records it doesn't contain for the same
authoritative domain.

Thanks a lot!!!


Re: DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Roberto Carna
OK, now I understand... thank you very much !!!

Regards.

2018-05-17 11:25 GMT-03:00 Roberto Carna <robertocarn...@gmail.com>:
> Dear Tony, so you say that what I want is impossible...
>
> In this scenario where my two DNS servers respond to queries at the same
> time, suppose the primary server goes down... how do clients know that
> they have to query the secondary DNS server at this moment?
>
> Thanks again.
>
> 2018-05-17 11:19 GMT-03:00 Tony Finch <d...@dotat.at>:
>> Roberto Carna <robertocarn...@gmail.com> wrote:
>>>
>>> I always believed that all the client queries coming from Internet go
>>> to the DNS primary server, and if it is down, just in this case go to
>>> the DNS secondary server.
>>
>> It can't happen that way because there's no way for a resolver to tell
>> which is which.
>>
>> Tony.
>> --
>> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
>> Hebrides: Southeast 4, veering south 5 or 6, then veering west later. 
>> Moderate
>> or rough. Rain later. Good, occasionally moderate.


Re: DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Roberto Carna
Dear Tony, so you say that what I want is impossible...

In this scenario where my two DNS servers respond to queries at the same
time, suppose the primary server goes down... how do clients know that
they have to query the secondary DNS server at this moment?

Thanks again.

2018-05-17 11:19 GMT-03:00 Tony Finch <d...@dotat.at>:
> Roberto Carna <robertocarn...@gmail.com> wrote:
>>
>> I always believed that all the client queries coming from Internet go
>> to the DNS primary server, and if it is down, just in this case go to
>> the DNS secondary server.
>
> It can't happen that way because there's no way for a resolver to tell
> which is which.
>
> Tony.
> --
> f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
> Hebrides: Southeast 4, veering south 5 or 6, then veering west later. Moderate
> or rough. Rain later. Good, occasionally moderate.


Re: DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Roberto Carna
Dear Nico, my BIND servers are authoritative... they have delegated
several zones.

2018-05-17 11:12 GMT-03:00 Nico CARTRON <nico...@ncartron.org>:
> Hi Roberto,
>
> On 17 May 2018, at 16:06, Roberto Carna <robertocarn...@gmail.com> wrote:
>
> Hi people, I've implemented two BIND9 servers for my company, one as
> primary public DNS server and the other as secondary public DNS
> server.
>
> I always believed that all the client queries coming from Internet go
> to the DNS primary server, and if it is down, just in this case go to
> the DNS secondary server.
>
> But it seems it is different than I believed... when I see the query
> log file in the primary and secondary DNS servers, I can see queries
> coming from the Internet in both servers... in other words, the two DNS
> servers are being contacted all the time.
>
> Is there any way to make DNS clients from Internet always contact my
> primary DNS server and just if it is down the clients must contact the
> secondary DNS server ???
>
>
> are those servers Authoritative, or Recursive?
> It’s not quite clear in your above explanation.
>
> Cheers,
>
> --
> Nico
>


DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Roberto Carna
Hi people, I've implemented two BIND9 servers for my company, one as
primary public DNS server and the other as secondary public DNS
server.

I always believed that all the client queries coming from Internet go
to the DNS primary server, and if it is down, just in this case go to
the DNS secondary server.

But it seems it is different than I believed... when I see the query
log file in primary and secondary DNS servers, I can see queries
coming from Internet in both servers... in other words, the two DNS
servers are being contacted all the time.

Is there any way to make DNS clients from Internet always contact my
primary DNS server and just if it is down the clients must contact the
secondary DNS server ???

Special thanks !!!

Robert


Re: Queries to DNS Blackholes don't respond

2018-04-19 Thread Roberto Carna
Dear Darcy, now I understand what you mean.

Thanks for your great explanation of the possible causes why the
blackhole servers don't respond to me.

Thanks a lot !!!

2018-04-18 17:35 GMT-03:00 Darcy Kevin (FCA) <kevin.da...@fcagroup.com>:
> Sorry, but the "that's what they're there for" argument is often misapplied 
> to justify reckless, irresponsible or just plain unauthorized use of 
> resources, and I think this is an example of that.
>
> The AS112 project (https://www.as112.net/), who collectively run those 
> "blackhole" servers, set them up to answer queries that leak out 
> *unintentionally*. RFC 6303, among other documents, makes it quite clear that 
> DNS operators SHOULD define the RFC 1918 zones, and zones associated with 
> reverse-IPv6 and other "special" address ranges, locally, either explicitly 
> or by using the built-in mechanisms of the DNS software, in order to 
> *prevent* those queries leaking out and having to be answered by the AS112 
> servers. Your attitude of "I'll just use the AS112 servers because that's 
> what they're there for" amounts to *abusing* resources -- that in most cases 
> are provided by volunteers -- that was set up to help protect the Internet 
> DNS infrastructure from misconfiguration and/or deliberate assault. Please do 
> the right and responsible thing. Don't be part of the problem.
>
> Having said that, if, out of idle curiosity, you want to know why you're not 
> getting answers from your closest AS112 Anycast node, I'd start by looking at 
> the problem from the routing perspective. Anycast routing can be tricky 
> sometimes (in my case, a traceroute shows a path going directly from our 
> border router through some ALTER.NET hops, but your mileage may vary). Or 
> maybe the operator of that node is having a problem with their nameserver. 
> Another possibility is that an intermediate IPS (Intrusion Prevention System 
> or Service), or firewall, is configured to drop your query packets or the 
> responses (RFC 6305 focuses on that particular scenario, although its main 
> recommendation for mitigation is to not send the queries to the AS112 servers 
> in the first place).
>
>         - Kevin
>
>
>
> -Original Message-
> From: bind-users <bind-users-boun...@lists.isc.org> On Behalf Of Roberto Carna
> Sent: Wednesday, April 18, 2018 11:31 AM
> To: bind-users@lists.isc.org
> Subject: Re: Queries to DNS Blackholes don't respond
>
> Dear people, I know the best way is to make in-addr.arpa local zones in my 
> BIND.
>
> But also I think the BLACKHOLE SERVERS can be used, because they were created 
> for this reason: to respond to RFC 1918 network queries.
>
> So why don't the BLACKHOLE servers respond anymore? Just one time I could 
> get a response from them.
>
> Regards!!!
>
> 2018-04-18 11:53 GMT-03:00 /dev/rob0 <r...@gmx.co.uk>:
>> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>>> Dear, I have implemented a BIND9 server. It works OK, but some days
>>> ago an application failed because it needed to resolve the reverse of
>>> some IP addresses from range 10.x.x.x, and they waited for a long
>>> time and failed, because they need a NXDOMAIN fast response.
>>>
>>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>>
>> You don't need to.  See the "built-in empty zones" section of the BIND
>> 9 ARM, chapter 6.
>>
>>> because I want to
>>> use the two public nameservers from Internet:
>>>
>>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>>
>> What??  Why?  Those are not supposed to be used.  BIND now includes
>> empty zones for all RFC 1918 and other reserved netblocks which
>> shouldn't ever appear on the open Internet.
>>
>> If you use some of these networks inside your organization, you can
>> have authoritative zones for the corresponding in-addr.arpa zones.
>>
>> [snip]
>>> Is it OK that I do? Are blackholes servers useful for this purpose ?
>>
>> Not at all.  That's why we have the automatic empty zones.  Sadly,
>> many distributors are not aware of the feature, so they distribute
>> named.conf with kludges.
>> --
>>   http://rob0.nodns4.us/
>>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
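The advice in this thread (RFC 6303 and BIND's built-in empty zones: answer reverse lookups for RFC 1918 and other reserved ranges locally, never send them to the AS112 servers) is easy to check against a resolver's own query log. The following is an added example, not part of the thread and not a BIND feature: it parses lines in the shape of BIND's query log, maps in-addr.arpa and ip6.arpa names back to the prefix they denote, and flags any query that falls inside a range RFC 6303 says should be served locally. The log lines, client addresses and the resolver address 192.0.2.53 are constructed, and the range list covers only the common cases.

```python
"""Flag reverse-lookup queries for private/reserved ranges in a BIND query log.

Added example, not from the thread or from BIND. If the built-in empty zones
are active, these names never reach the wire; seeing them in a log of queries
sent upstream (or in the AS112 operators' logs) points at a resolver whose
empty zones were disabled or overridden by a local kludge."""
import ipaddress
import re

# Ranges RFC 6303 expects a resolver to serve locally (common subset).
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",         # this-net, loopback, link-local
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",  # documentation prefixes
    "::1/128", "fd00::/8", "fe80::/10",                   # IPv6 loopback, ULA, link-local
)]

# Accepts both the newer "client @0x... ADDR#PORT (name): query: ..." layout
# and the older "client ADDR#PORT: query: ..." layout.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-fA-F.:]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
HEX = "0123456789abcdef"


def reverse_name_to_network(qname):
    """Map a name under in-addr.arpa / ip6.arpa to the prefix it denotes.

    Partial names are prefixes ("10.in-addr.arpa" -> 10.0.0.0/8). Names that
    are not reverse-mapping names, or are malformed, give None."""
    labels = qname.rstrip(".").lower().split(".")
    try:
        if labels[-2:] == ["in-addr", "arpa"]:
            octets = labels[:-2][::-1]          # most significant octet first
            if not 0 < len(octets) <= 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
                return None
            addr = ".".join(octets + ["0"] * (4 - len(octets)))
            return ipaddress.ip_network(f"{addr}/{8 * len(octets)}")
        if labels[-2:] == ["ip6", "arpa"]:
            nibbles = labels[:-2][::-1]
            if not 0 < len(nibbles) <= 32 or not all(len(n) == 1 and n in HEX for n in nibbles):
                return None
            hexstr = "".join(nibbles).ljust(32, "0")
            addr = ":".join(hexstr[i:i + 4] for i in range(0, 32, 4))
            return ipaddress.ip_network(f"{addr}/{4 * len(nibbles)}")
    except ValueError:      # e.g. an octet with leading zeros
        return None
    return None


def is_local_only(qname):
    """True if the whole prefix named by qname lies inside a locally-served range."""
    net = reverse_name_to_network(qname)
    if net is None:
        return False
    return any(net.version == r.version and net.subnet_of(r) for r in LOCAL_ONLY)


def find_leaks(log_lines):
    """Return (client, qname, qtype) for each query that should have stayed local."""
    leaks = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and is_local_only(m["qname"]):
            leaks.append((m["src"], m["qname"], m["qtype"]))
    return leaks


# Constructed log lines in the shape BIND writes with query logging enabled.
SAMPLE_LOG = [
    "client @0x7f3c2c0a1b20 192.0.2.10#53412 (1.12.10.10.in-addr.arpa): query: 1.12.10.10.in-addr.arpa IN PTR + (192.0.2.53)",
    "client @0x7f3c2c0a1b20 192.0.2.11#40001 (www.example.com): query: www.example.com IN A +E(0) (192.0.2.53)",
    "client 192.0.2.12#33333: query: 10.in-addr.arpa IN NS - (192.0.2.53)",
    "client 192.0.2.13#44444: query: 4.4.8.8.in-addr.arpa IN PTR + (192.0.2.53)",
    "client 192.0.2.14#55555: query: " + "1." + "0." * 29 + "d.f.ip6.arpa IN PTR + (192.0.2.53)",
    "client 192.0.2.15#55556: query: 172.in-addr.arpa IN NS - (192.0.2.53)",
]

if __name__ == "__main__":
    for src, qname, qtype in find_leaks(SAMPLE_LOG):
        print(f"leaked: {src} asked {qtype} {qname}")
```

Two edge cases are worth noting: a partial name such as 10.in-addr.arpa (the NS query Roberto sent) is treated as the whole 10.0.0.0/8 prefix and flagged, while 172.in-addr.arpa is not flagged, because only 172.16.0.0/12 is private and a query for the /8 is a legitimate delegation lookup.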

Re: Queries to DNS Blackholes don't respond

2018-04-18 Thread Roberto Carna
Dear people, I know the best way is to make in-addr.arpa local zones in my BIND.

But also I think the BLACKHOLE SERVERS can be used, because they were
created for this reason: to respond to RFC 1918 network queries.

So why don't the BLACKHOLE servers respond anymore? Just one time I
could get a response from them.

Regards!!!

2018-04-18 11:53 GMT-03:00 /dev/rob0 <r...@gmx.co.uk>:
> On Wed, Apr 18, 2018 at 11:44:27AM -0300, Roberto Carna wrote:
>> Dear, I have implemented a BIND9 server. It works OK, but some days
>> ago an application failed because it needed to resolve the reverse of
>> some IP addresses from range 10.x.x.x, and they waited for a long time
>> and failed, because they need a NXDOMAIN fast response.
>>
>> I don't want to make a local zone 10.IN-ADDR.ARPA,
>
> You don't need to.  See the "built-in empty zones" section of the
> BIND 9 ARM, chapter 6.
>
>> because I want to
>> use the two public nameservers from Internet:
>>
>> BLACKHOLE-1.IANA.ORG (192.175.48.6)
>> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>
> What??  Why?  Those are not supposed to be used.  BIND now includes
> empty zones for all RFC 1918 and other reserved netblocks which
> shouldn't ever appear on the open Internet.
>
> If you use some of these networks inside your organization, you can
> have authoritative zones for the corresponding in-addr.arpa zones.
>
> [snip]
>> Is it OK that I do? Are blackholes servers useful for this purpose ?
>
> Not at all.  That's why we have the automatic empty zones.  Sadly,
> many distributors are not aware of the feature, so they distribute
> named.conf with kludges.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:


Re: Queries to DNS Blackholes don't respond

2018-04-18 Thread Roberto Carna
Sorry, after successfully querying the DNS Blackholes, I repeated the
command and the same servers couldn't be reached anymore:

DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
;; connection timed out; no servers could be reached

DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.42
;; connection timed out; no servers could be reached

I don't know why the DNS Blackholes don't always respond... I
continue querying the DNS Blackholes and they can't be reached
anymore... why?

Thanks a lot again.

2018-04-18 11:44 GMT-03:00 Roberto Carna <robertocarn...@gmail.com>:
> Dear, I have implemented a BIND9 server. It works OK, but some days
> ago an application failed because it needed to resolve the reverse of
> some IP addresses from range 10.x.x.x, and they waited for a long time
> and failed, because they need a NXDOMAIN fast response.
>
> I don't want to make a local zone 10.IN-ADDR.ARPA, because I want to
> use the two public nameservers from Internet:
>
> BLACKHOLE-1.IANA.ORG (192.175.48.6)
> BLACKHOLE-2.IANA.ORG (192.175.48.42)
>
> When I query these DNS's from my console from the BIND server, and
> from any host I have available here, the result is this:
>
> root@DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
> Using domain server:
> Name: 192.175.48.6
> Address: 192.175.48.6#53
> Aliases:
>
> 10.in-addr.arpa name server blackhole-2.iana.org.
> 10.in-addr.arpa name server blackhole-1.iana.org.
>
> and finally I get the NXDOMAIN I need:
>
> DNS:~# host -t NS 10.10.12.1 192.175.48.6
> Using domain server:
> Name: 192.175.48.6
> Address: 192.175.48.6#53
> Aliases:
>
> Host 1.12.10.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> Is it OK that I do? Are blackholes servers useful for this purpose ?
>
> Thanks a lot !!!


Queries to DNS Blackholes don't respond

2018-04-18 Thread Roberto Carna
Dear, I have implemented a BIND9 server. It works OK, but some days
ago an application failed because it needed to resolve the reverse of
some IP addresses from range 10.x.x.x, and they waited for a long time
and failed, because they need a NXDOMAIN fast response.

I don't want to make a local zone 10.IN-ADDR.ARPA, because I want to
use the two public nameservers from Internet:

BLACKHOLE-1.IANA.ORG (192.175.48.6)
BLACKHOLE-2.IANA.ORG (192.175.48.42)

When I query these DNS's from my console from the BIND server, and
from any host I have available here, the result is this:

root@DNS:~# host -t NS 10.IN-ADDR.ARPA 192.175.48.6
Using domain server:
Name: 192.175.48.6
Address: 192.175.48.6#53
Aliases:

10.in-addr.arpa name server blackhole-2.iana.org.
10.in-addr.arpa name server blackhole-1.iana.org.

and finally I get the NXDOMAIN I need:

DNS:~# host -t NS 10.10.12.1 192.175.48.6
Using domain server:
Name: 192.175.48.6
Address: 192.175.48.6#53
Aliases:

Host 1.12.10.10.in-addr.arpa. not found: 3(NXDOMAIN)

Is it OK that I do? Are blackholes servers useful for this purpose ?

Thanks a lot !!!


BIND transfers records to Windows DNS server

2014-04-29 Thread Roberto Carna
Dear, I have this scenario:

1) Windows DNS with dynamic update zone (Windows clients)

2) BIND with manually update zone (Linux and Cisco clients)

Is there any way to transfer all BIND zone records to the Windows DNS
in order to have just one and complete zone in the Windows DNS server
???

Thanks a lot,

Roberto


Dig for a reverse zone transfer

2014-04-22 Thread Roberto Carna
Dear, what is the dig syntax to get a reverse zone
transfer from a DNS server ???

Is this correct:

dig @name of DNS 1.168.192.in-addr.arpa axfr

Thanks a lot !!!

JeLo


Can Master replicate zone options in Slave's named.conf.local file ???

2014-04-16 Thread Roberto Carna
People, I have a Master / Slave BIND9 system.

When I add a new zone to the Master and set it up in named.conf.local
file as follow:

zone "company.com" {
    type master;
    file "/etc/bind/zones/company.com.db";
    allow-transfer { key company; };
};

Can Master write these options to Slave's named.conf.local file and
order to reload its config ???

Or do I always have to write by hand these options in Slave's
named.conf.local and after that restart the bind9 daemon ???

Thanks a lot.

Roberto


Re: Can Master replicate zone options in Slave's named.conf.local file ???

2014-04-16 Thread Roberto Carna
OK Jeff, thanks... so the only way to write these lines below in the
Slave is by hand (except if I use scp or something similar)???

zone "company.com" {
    type slave;
    file "/etc/bind/zones/company.com.db";
    // placeholder address: a slave zone must name its master(s)
    masters { 192.0.2.1 key company; };
    allow-transfer { key company; };
};

Bind per se can't do it ???


Thanks again.

2014-04-16 14:37 GMT-03:00 Lightner, Jeff jlight...@dsservices.com:
 The slave should have different info such as the type being slave rather 
 than master
  e.g.

 zone "company.com" {
     type slave;
     file "/etc/bind/zones/company.com.db";
     // placeholder address: a slave zone must name its master(s)
     masters { 192.0.2.1 key company; };
     allow-transfer { key company; };
 };

 Also if you were allowing by IP rather than acl you might need to change the 
 transfer options.   Others might apply as well.

 I always do it by hand but it would probably be easy enough to script using 
 an sftp and sed on UNIX/Linux.

 -Original Message-
 From: bind-users-bounces+jlightner=water@lists.isc.org 
 [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
 Roberto Carna
 Sent: Wednesday, April 16, 2014 1:24 PM
 To: bind-users@lists.isc.org
 Subject: Can Master replicate zone options in Slave's named.conf.local file 
 ???

 People, I have a Master / Slave BIND9 system.

 When I add a new zone to the Master and set it up in named.conf.local file as 
 follow:

 zone "company.com" {
     type master;
     file "/etc/bind/zones/company.com.db";
     allow-transfer { key company; };
 };

 Can Master write these options to Slave's named.conf.local file and order to 
 reload its config ???

 Or do I always have to write by hand these options in Slave's 
 named.conf.local and after that restart the bind9 daemon ???

 Thanks a lot.

 Roberto
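Jeff's answer above is that BIND won't write the secondary's named.conf.local for you: zone data travels by AXFR/IXFR, zone configuration does not, so the secondary's stanzas have to be produced by some out-of-band step (by hand, or with a script). The following is an added example of such a script, not a BIND feature and not code from the thread: it reads the primary's zone statements, keeps only the `type master` ones, and emits the matching `type slave` statements with `masters` pointing at the primary. The master address 192.0.2.1, the key name `company`, the zone directory `/var/cache/bind` and the sample configuration text are all constructed.

```python
"""Derive secondary (slave) zone statements from a primary's named.conf.local.

Added example, not a BIND feature and not code from the thread. Zone
statements are cut out by counting braces rather than with a single regex, so
nested blocks such as `allow-transfer { key company; };` do not end a
statement early. Comments containing braces are not handled."""
import re

# Start of a zone statement up to and including its opening brace.
ZONE_START = re.compile(r'\bzone\s+"?([^"\s{]+)"?[^{]*\{')


def iter_zone_blocks(conf_text):
    """Yield (zone_name, body_text) for every zone statement in conf_text."""
    pos = 0
    while True:
        m = ZONE_START.search(conf_text, pos)
        if m is None:
            return
        depth, i = 1, m.end()
        while i < len(conf_text) and depth > 0:
            depth += {"{": 1, "}": -1}.get(conf_text[i], 0)
            i += 1
        yield m.group(1), conf_text[m.end():i - 1]
        pos = i


def parse_master_zones(conf_text):
    """Return [{"name", "file"}] for the zones the primary serves as master."""
    zones = []
    for name, body in iter_zone_blocks(conf_text):
        if not re.search(r"\btype\s+(master|primary)\s*;", body):
            continue    # hint, slave and forward zones are not ours to replicate
        f = re.search(r'\bfile\s+"?([^";\s]+)"?\s*;', body)
        zones.append({"name": name, "file": f.group(1) if f else None})
    return zones


def slave_stanza(zone, master_ip, key_name, zone_dir):
    """Render one secondary stanza.

    The secondary refuses outbound transfers and accepts NOTIFY only from
    the master; relax either to match local policy. The file lives in a
    directory named must be able to write to, not under /etc."""
    base = (zone["file"] or zone["name"] + ".db").rsplit("/", 1)[-1]
    return (
        f'zone "{zone["name"]}" {{\n'
        f"    type slave;\n"
        f'    file "{zone_dir}/{base}";\n'
        f"    masters {{ {master_ip} key {key_name}; }};\n"
        f"    allow-notify {{ {master_ip}; }};\n"
        f"    allow-transfer {{ none; }};\n"
        f"}};\n"
    )


def generate_slave_conf(conf_text, master_ip, key_name, zone_dir="/var/cache/bind"):
    """Complete named.conf.local fragment for the secondary."""
    return "".join(
        slave_stanza(z, master_ip, key_name, zone_dir) for z in parse_master_zones(conf_text)
    )


# Constructed primary configuration, modelled on the stanza from the thread.
MASTER_CONF = '''
key "company" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64"; };
zone "company.com" {
    type master;
    file "/etc/bind/zones/company.com.db";
    allow-transfer { key company; };
};
zone "." { type hint; file "/usr/share/dns/root.hints"; };
'''

if __name__ == "__main__":
    # 192.0.2.1 is a documentation address standing in for the real master.
    print(generate_slave_conf(MASTER_CONF, master_ip="192.0.2.1", key_name="company"))
```

The output can be copied to the secondary with scp or similar and followed by `rndc reconfig`; the script only produces the text, it does not push it. Because the master's stanza only allows transfers signed with `key company`, the generated `masters` entry names that key so the secondary signs its AXFR/IXFR requests with it.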