RE: about DNS RRL
>> You're thinking that the rate limit is intended to protect YOUR server. It's actually to prevent your server from being used as a reflector to attack some OTHER server. The spoofed addresses all point to that server.
>
> Sorry, I just can't understand why my server is being used to attack others' servers?

People (bad people) spoof a query source (the victim's address) and fire a query at your server. If your server allows queries from the Internet (etc), then it will reply to the victim.

Generally speaking, the query is smaller than the reply, so the attacker uses your server to amplify the attack, which is why this is a DNS amplification attack. If you do this at 50qps from 10,000 botnet servers, you can generate a lot of traffic very easily, for a very small investment.

This attack relies on open resolvers on the internet, so if you don't need your DNS server to be queried by the entire internet, throw an ACL in front of it/on it and limit who can talk to you.

Because I like pictures, here's a simple one to show what I'm getting at: http://infosecurity.jp/wp-content/uploads/2011/02/113.jpg

Hope that helps.

t.
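To make the point of the reply concrete, here is an added example (not code from the thread and not BIND's RRL implementation): a simplified Python model of Response Rate Limiting that budgets responses per (client netblock, qname, qtype), so a burst of identical queries spoofed from the victim's netblock is throttled while an unrelated client is unaffected. The class and function names, the 203.0.113.0/24 and 198.51.100.7 addresses and the 5/15/2 parameters are all constructed for the illustration.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example for this thread; it is not BIND's RRL code.  It keeps only the
core idea: responses are budgeted per (client netblock, qname, qtype) tuple,
so a burst of identical queries whose source is spoofed into the victim's
netblock is throttled, while an unrelated client keeps getting full answers
and the budget refills over time.  BIND's real implementation differs in
detail (hashing, per-window accounting, separate error/referral budgets).
"""
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, Tuple

Key = Tuple[str, str, str]


@dataclass
class Bucket:
    tokens: float          # responses still allowed from the current budget
    last_ts: int           # time of the last refill, in whole seconds
    over_limit: int = 0    # consecutive over-limit responses, drives "slip"


@dataclass
class RateLimiter:
    responses_per_second: int = 5
    window: int = 15       # seconds of unused credit a bucket may bank
    slip: int = 2          # every Nth over-limit response is sent truncated (TC=1)
    ipv4_prefix: int = 24  # group clients by netblock, like BIND's ipv4-prefix-length
    buckets: Dict[Key, Bucket] = field(default_factory=dict)

    def _key(self, client: str, qname: str, qtype: str) -> Key:
        net = ip_network(f"{client}/{self.ipv4_prefix}", strict=False)
        return (str(net), qname.lower().rstrip("."), qtype.upper())

    def decide(self, ts: int, client: str, qname: str, qtype: str) -> str:
        """Return 'respond' (full answer), 'slip' (truncated answer, so a real
        client retries over TCP) or 'drop' (nothing is reflected to the victim)."""
        key = self._key(client, qname, qtype)
        b = self.buckets.get(key)
        if b is None:
            b = Bucket(tokens=float(self.responses_per_second), last_ts=ts)
            self.buckets[key] = b
        # refill one second's credit per elapsed second, capped at window * rps
        cap = self.responses_per_second * self.window
        b.tokens = min(cap, b.tokens + self.responses_per_second * (ts - b.last_ts))
        b.last_ts = ts
        if b.tokens >= 1:
            b.tokens -= 1
            b.over_limit = 0
            return "respond"
        b.over_limit += 1
        if self.slip and b.over_limit % self.slip == 0:
            return "slip"
        return "drop"


def run_scenario() -> Dict[str, object]:
    """Constructed traffic: a reflection burst, one legitimate client, and the next second."""
    rrl = RateLimiter(responses_per_second=5, window=15, slip=2)
    burst = {"respond": 0, "slip": 0, "drop": 0}
    # 20 identical ANY queries within one second; sources spoofed across
    # 203.0.113.0/24, the netblock the attacker wants the server to reflect onto
    for i in range(20):
        burst[rrl.decide(100, f"203.0.113.{i + 1}", "example.com.", "ANY")] += 1
    # an unrelated client in another netblock asks for something else in the same second
    legit = rrl.decide(100, "198.51.100.7", "www.example.com.", "A")
    # one second later the victim netblock's bucket has earned another 5 responses
    next_second = sum(
        rrl.decide(101, f"203.0.113.{i + 1}", "example.com.", "ANY") == "respond"
        for i in range(20)
    )
    return {"burst": burst, "legit": legit, "next_second": next_second}


if __name__ == "__main__":
    print(run_scenario())
```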
RE: records via GENERATE
If I remember correctly, $GENERATE is a zone file syntax only. When you start up BIND, it parses those out and loads the generated records as if you'd written them out manually. $GENERATE just helps condense the zone file, but has no impact on overall operation.

I'm sure someone from ISC could provide a much more technically in-depth answer, but hopefully my memory serves correctly.

t.

From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of hugo hugoo
Sent: Monday, May 14, 2012 12:14 PM
To: bind-users@lists.isc.org
Subject: records via GENERATE

Dear all,

Is there a difference between the configuration of a set of A records using:

1) the GENERATE command, like:

    $GENERATE 0-255 $-1.2.3 A 3.2.1.$

2) defining all the records one by one?

- difference in the amount of memory used?
- difference in the speed to retrieve the answer? If the GENERATE command is used, is the answer calculated when the query comes in, or are all the records already present in memory?

Thanks in advance for your feedback,
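To show what named actually materializes when it loads a zone containing $GENERATE, here is an added example (not from the thread and not BIND's own parser): a Python expander for the directive that implements the iterator substitution, the `${offset,width,base}` modifier, the `$$` escape and a range step, and applies it to the directive quoted in the question. Function names and the example origins are constructed; BIND also accepts nibble formats, `@` and trailing comments, which are left out here.

```python
"""Expand BIND $GENERATE directives into the records named loads at zone-load time.

Added example for this thread; it is not BIND's parser.  Supported:
  $GENERATE start-stop[/step] lhs [ttl] [class] type rhs
  $                    -> iterator value
  ${offset,width,base} -> iterator + offset, zero-padded to width, base d/o/x/X
  $$                   -> a literal '$'
"""
import re
from typing import List, Optional

_RANGE = re.compile(r"^(\d+)-(\d+)(?:/(\d+))?$")
_DOLLAR = re.compile(r"\$(\$|\{(-?\d+)(?:,(\d+)(?:,([doxX]))?)?\}|)")
_NAME_RDATA = {"CNAME", "PTR", "NS", "DNAME"}   # rdata is a domain name


def _substitute(template: str, i: int) -> str:
    """Replace $, ${...} and $$ in an lhs/rhs template for iterator value i."""
    def repl(m) -> str:
        if m.group(1) == "$":
            return "$"
        offset = int(m.group(2) or 0)
        width = int(m.group(3) or 0)
        base = m.group(4) or "d"
        spec = f"0{width}{base}" if width else base
        return format(i + offset, spec)
    return _DOLLAR.sub(repl, template)


def _qualify(name: str, origin: str) -> str:
    """Append the origin to a relative name, as the zone parser would."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def expand_generate(line: str, origin: str,
                    default_ttl: Optional[int] = None) -> List[str]:
    """Return the fully written-out records one $GENERATE line stands for."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "$GENERATE":
        raise ValueError(f"not a $GENERATE directive: {line!r}")
    m = _RANGE.match(fields[1])
    if not m:
        raise ValueError(f"bad range {fields[1]!r}")
    start, stop = int(m.group(1)), int(m.group(2))
    step = int(m.group(3) or 1)
    if step < 1 or stop < start:
        raise ValueError(f"bad range {fields[1]!r}")
    lhs, rest = fields[2], fields[3:]
    ttl = default_ttl
    if rest and rest[0].isdigit():                        # optional TTL
        ttl = int(rest.pop(0))
    cls = "IN"
    if rest and rest[0].upper() in ("IN", "CH", "HS"):    # optional class
        cls = rest.pop(0).upper()
    if len(rest) < 2:
        raise ValueError(f"missing type or rdata in {line!r}")
    rtype, rhs = rest[0].upper(), " ".join(rest[1:])
    records = []
    for i in range(start, stop + 1, step):
        owner = _qualify(_substitute(lhs, i), origin)
        rdata = _substitute(rhs, i)
        if rtype in _NAME_RDATA:
            rdata = _qualify(rdata, origin)
        parts = [owner] + ([str(ttl)] if ttl is not None else []) + [cls, rtype, rdata]
        records.append(" ".join(parts))
    return records


if __name__ == "__main__":
    # The directive quoted in the question, as named would hold it in memory
    for rr in expand_generate("$GENERATE 0-255 $-1.2.3 A 3.2.1.$", "example.com.")[:3]:
        print(rr)
    # PTR records with a zero-padded width modifier and a range step (constructed origin)
    for rr in expand_generate("$GENERATE 0-20/10 $ PTR dhcp-${1,3,d}.example.com.",
                              "2.0.192.in-addr.arpa."):
        print(rr)
```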
RE: Hi;
When you do a dig, the TTL is the 2nd column:

    ;; ANSWER SECTION:
    www.google.com.         604800  IN  CNAME  www.l.google.com.
    www.l.google.com.       300     IN  A      74.125.225.20
    www.l.google.com.       300     IN  A      74.125.225.19
    www.l.google.com.       300     IN  A      74.125.225.18
    www.l.google.com.       300     IN  A      74.125.225.16
    www.l.google.com.       300     IN  A      74.125.225.17

Although, it will provide the TTL of the cached record if the record is cached, so it may not be the original TTL. If you want to know the TTL, you can query the authoritative nameservers directly for the record:

    # get their nameservers
    # dig google.com NS
    ;; ANSWER SECTION:
    google.com.             345600  IN  NS     ns4.google.com.
    google.com.             345600  IN  NS     ns1.google.com.
    google.com.             345600  IN  NS     ns3.google.com.
    google.com.             345600  IN  NS     ns2.google.com.

    # pick one, and ask for the record you want
    # dig @ns4.google.com www.google.com A +norec
    ;; ANSWER SECTION:
    www.google.com.         604800  IN  CNAME  www.l.google.com.
    www.l.google.com.       300     IN  A      74.125.225.148
    www.l.google.com.       300     IN  A      74.125.225.147
    www.l.google.com.       300     IN  A      74.125.225.144
    www.l.google.com.       300     IN  A      74.125.225.146
    www.l.google.com.       300     IN  A      74.125.225.145

Cheers

From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of William Thierry SAMEN
Sent: Thursday, May 10, 2012 8:03 AM
To: bind-users@lists.isc.org
Subject: Hi;

Hi, Bind'ers,

I'm trying to get the TTL of a zone just by typing a command, but I can't see which command line I can use to get the answer. Does someone have an idea? Is it possible to find that?

PS: The zone file is not created by me. For example, I did a dig +dnssec www.google.fr and I want to know what the TTL of www.google.com is, not the period of the query.

Thx

--
Cordialement.
Thierry SAMEN.
RE: re-bind named to all interfaces
You can set interface-interval to a low number to make BIND scan for new interfaces frequently:

    interface-interval

    interface-interval minutes;

    interface-interval defines the interval in MINUTES at which BIND scans all interfaces on the server, begins to listen on new interfaces (assuming they are not prevented by a listen-on option) and stops listening on interfaces which no longer exist. The default is 60 (1 hour); if specified as 0, NO interface scan will be performed. The maximum value is 40320 (28 days). This option may only be specified in a 'global' options statement.

    (source: http://www.zytrax.com/books/dns/ch7/periodic.html)

-----Original Message-----
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Mihai Moldovan
Sent: Thursday, April 12, 2012 10:33 AM
To: bind-users@lists.isc.org
Subject: re-bind named to all interfaces

Hello list,

I'm running bind9 on my local router which is connected to the internet via a ppp link over my ADSL modem. This link has a static IP assigned, but is not permanently up. Once a day the connection is dropped for a few seconds and re-established, which leads to the following problem:

- starting bind9 (configured with listen-on { any; };) works fine, it binds to the following interfaces: 127.0.0.1:domain (lo), 192.168.0.1:domain (br0), 85.183.67.131:domain (ppp0)
- once ppp0 goes down, bind9 will drop the binding on 85.183.67.131:domain (ppp0)
- once ppp0 goes up again, bind9 won't detect the new network topology, thus remains bound to lo and br0 only; any nameserver on the internet won't be able to contact my bind9 anymore.

Is there any way to tell bind9 to re-evaluate the network situation and bind to all new interfaces (if allowed, see listen-on)? I have tried firing up rndc reload and rndc reconfig via the pppd if-up/if-down scripts, but neither try was successful.

Seems like the only viable solution for now is to restart bind9 completely over the init script on ifup/ifdown, but this sounds hacky and is disrupting service in a way I don't like.

Does anyone here have a similar setup and solved this (admittedly minor) problem? If not, I'd opt for re-discovering the network topology on reload/reconfig (as a restart is flushing caches, loading all zones and discovering network topology too.)

Best regards,
Mihai
RE: Anycast DNS
The reason I've heard a few times is that users are uncomfortable using only 1 address. In the past I've done 2 or 3 addresses just so that we can give out 3 addresses that all point to the same pool of servers. Silly, I know, but sometimes it's easier to placate than to change someone's (or a group's) understanding of the world/networking/resilience/dns/loadbalancing.

$0.02

t.

From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of ju wusuo
Sent: Tuesday, February 28, 2012 10:56 PM
To: bind-users@lists.isc.org
Subject: Anycast DNS

Have seen some anycast DNS implementations using more than one address, sometimes even on the same subnet. Any considerations or reasons for doing that?
RE: load balance of DNS
>>> do you propose he specify the ratios with BIND?
>>
>> One (icky) solution is to hand out more addresses for one server than the other...
>>
>>     www.example.com IN A 192.168.1.1
>>     www.example.com IN A 192.168.1.2
>>     www.example.com IN A 192.168.1.3
>>     www.example.com IN A 192.168.2.1
>>
>> Bind 192.168.1.[1-3] to server1 and 192.168.2.1 to server2.
>
> Unless things have changed since I last checked this (many years ago), BIND ignores the duplicates.

In this case, there are no dupes - I thought this at first, but noticed it's 1.2 and 2.1 after my dyslexia turned off for a moment.

The idea is novel, if ugly - bind multiple unique addresses and the BIND daemon won't know they're all for the same physical box. It'd work, but ug.

t.
RE: Bind 9.9.0b2 inline signing...
> I have had a tendency to dig axfr from my Windows workstation

+1 to you for using `dig' on Windows; most don't even know it exists and suffer the `nslookup' pain. ;-)

First thing I do on a new windows box is download the BIND package and throw dig on the box ... well, right after I get FF/Chrome.

I don't understand why Windows doesn't include dig by default, even now. Free software hate?

t.
RE: Named.conf logical blocks
There is a perl module out there that may help: http://cpan.uwinnipeg.ca/htdocs/BIND-Config-Parser/BIND/Config/Parser.html

I don't know - I'm not much of a perl monkey (or any kind of one, really), but it may work for what you'd like.

t.

-----Original Message-----
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Stefan Certic
Sent: Tuesday, June 28, 2011 4:55 PM
To: bind-users@lists.isc.org; d...@maplepark.com
Subject: Re: Named.conf logical blocks

I am more looking for a solution to read the data with perl and convert it to some native data structure, like a hash reference or multidimensional array, so I can access and change data in the form of:

    $named_conf_file->{view1}->{zoneblah} = 'somedata'

and then dump it back into the original format.

Regards,

On Tuesday, June 28, 2011 09:46:29 pm David Forrest wrote:
> On 06/28/2011 05:53 PM, Stefan Certic wrote:
>> Hi Guys,
>>
>> Does anyone have a sample grammar for parsing named.conf into a data structure? Perl or PHP are preferred, but anything would be fine just to get a clear picture about grammar and logical blocks.
>
> I send mine through named-checkconf to put it in a consistent state. This helps to reduce the includes and sort out the views and blocks logically. See man named-checkconf.
>
>     /usr/local/sbin/named-checkconf -p > /var/named/named.conf.canonical || \
>         echo -e "\nConversion failed, as will named if attempted" > /var/named/named.conf.canonical

--
Stefan Certic
RoutoMessaging
RE: Slaves and views
>> With a static-stub zone (new in BIND 9.8), your server would not prime its cache with the bad NS rrset from the authoritative server. It would simply start all query resolution for the domain in question (possibly bigger than the zone) at that server, thus bypassing the bad NS rrset.
>
> Then, what is the difference between static-stub and a forwarding zone?

My understanding ... I am sure there are others here who can speak more authoritatively or with more correct terminology, but:

A forwarder simply forwards all queries to the indicated servers, and expects an answer back.

A stub will tell the resolver: for any zones matching this one, use these nameservers. The resolver will use them like normal NS records, not expecting them to give an answer necessarily (they could simply give back a referral).

Basically, it's short-cutting the delegation process, but that's it; the server still has to do all the work.

Cheers,

Todd.
RE: Having trouble with logging syntax
Change:

    file /var/log/query.log version; 3 size 5m;

to:

    file /var/log/query.log versions 3 size 5m;

-----Original Message-----
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Nate Homier
Sent: Thursday, March 03, 2011 3:30 PM
To: bind-users@lists.isc.org
Subject: Having trouble with logging syntax

I got my logging set up but named-checkconf is spitting out an error.

    $ named-checkconf /home/nate/named.conf.local
    /home/nate/named.conf.local:11: missing ';' before '3'
    /home/nate/named.conf.local:11: unknown option '3'

I'm pretty sure we don't put a ; after version. I can't see anything wrong with my config. All my ; look to be in place. I'm using Ubuntu 10.04. This is strictly a resolver server on my personal PC at home.

My logging setup:

    logging {
        channel query.log {
            file /var/log/query.log version; 3 size 5m;
            severity warning;
            print-time yes;
            print-severity yes;
            print-category yes;
        };
        category lame-servers { null; };
        category default { syslog; };
    };
RE: get a domain's dns records
> It seems to do a regular lookup, plus maybe an ANY

But I've also noticed that it seems to find test.domain.com. I often put a 'test.whatever.com. IN A 127.0.0.1' into zones, and in a couple I checked it found them, even though it shouldn't have by normal means.

It also found a 'blog' record I had on one of my domains ... so, it must be looking for some specific records in addition to general lookups.

t.

-----Original Message-----
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of p...@mail.nsbeta.info
Sent: Friday, January 21, 2011 1:20 AM
To: bind-users
Subject: get a domain's dns records

I'm just curious, how does who.is know the dns records in my domain (nsbeta.info)? The page shows some of my RRs exactly: http://who.is/dns/nsbeta.info/

Regards.
RE: DIG Source IP
dig -b {srcip}

-----Original Message-----
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of John Williams
Sent: Thursday, December 09, 2010 9:51 AM
To: bind-users@lists.isc.org
Subject: DIG Source IP

If I have a Linux host with multiple IPs, is there a way to utilize the dig command such that the query appears like it's coming from different IP addresses? So if I have 10 virtual IPs, is there a way to control the source IP of the query? I've referenced the dig man page and it doesn't appear to be possible.

Thanks in advance.
RE: limiting number of recursion/queries per IP address
What version of bind, on what OS?

There may be some things you can do with iptables to limit connections: http://www.debian-administration.org/articles/187

I don't recall seeing anything native to BIND that would allow for limits per src.

t.

-----Original Message-----
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Kebba Foon
Sent: Tuesday, October 26, 2010 2:27 PM
To: bind-users@lists.isc.org
Subject: limiting number of recursion/queries per IP address

Dear List,

Is it possible to limit the number of recursion/queries per IP address? There is some kind of virus that's bombarding my dns servers with a lot of queries. I realize that whenever the total number of recursive clients reaches 1000, dns resolution stops working. I have increased recursive-clients to 1 but still this does not help, and I have also increased the number of max open files on my OS, which at one point was complaining about too many open files. Can someone please direct me to how best to solve this problem? It's some kind of DDoS.

Thanks
Kebba
RE: One host serving both internal and external nameservice, which view should match-clients for the local host?
What I have done is add another IP to boxes with views, one per view (ie: 127.0.1.1/2/3/4). Then put one of those IPs in each view match statement. When you do your dig, you tell it to source from a specific interface (dig -b 127.0.1.1 @localhost record.ext). That will ensure that you can hit the view you want to hit, without any guesswork.

YMMV.

Cheers,

Todd.

-----Original Message-----
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Stewart Dean
Sent: Monday, October 25, 2010 2:54 PM
To: bind-users@lists.isc.org
Subject: Q: One host serving both internal and external nameservice, which view should match-clients for the local host?

I have set up a nameserver as per pg 249 of DNS and BIND, 5th Ed. The host is on two networks, serving the internal 10-based network as nsi at 10.5.0.5 with an internal view and the external network as nsx at 192.246.229.x with an external view. Everything makes sense until I get to the match-clients definition. Using the example on 249, named will serve the internal addresses, and the external view match-clients { any; } will take everything else, including the local host 127.0.0.1. That would seem to me to make it so the local host would be unable to resolve (for itself) internal addresses, forcing it to only be able to resolve external addresses for itself. Is this as it should be? Am I missing something?

--
Stewart Dean, Unix System Admin, Bard College, New York
RE: Recover deleted zone file
If you haven't restarted the server, you could do an rndc dumpdb and grab the zone content, I'd think.

From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Jay Moore
Sent: Tuesday, October 05, 2010 1:13 PM
To: bind-users@lists.isc.org
Subject: Recover deleted zone file

I am running BIND 9.4.3-P1 on slackware 12.2. The server is only for internal use. I have accidentally removed one of my zone files, and I have no backup! Is there a way to restore this zone file from the cache? I looked at rndc and named options, but don't see anything that will help.

--
Jay Moore, CIO
The National Beta Club
RE: I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains
If you are trying to reach RIM.com (makers of BlackBerry), we are at rim.com:

    ;; QUESTION SECTION:
    ;rim.com.                       IN  MX

    ;; ANSWER SECTION:
    rim.com.                600     IN  MX  10 mx05.rim.net.
    rim.com.                600     IN  MX  10 mx03.rim.net.
    rim.com.                600     IN  MX  10 mx04.rim.net.

    ;; AUTHORITY SECTION:
    rim.com.                600     IN  NS  xns01lhr.rim.net.
    rim.com.                600     IN  NS  xns01ykf.rim.net.

    ;; ADDITIONAL SECTION:
    xns01lhr.rim.net.       213     IN  A   193.109.81.21
    xns01ykf.rim.net.       213     IN  A   206.51.26.10

If you are really looking for rimm.com, I don't see MX records for them either:

    dig rimm.com MX

    ; <<>> DiG 9.7.0-P1 <<>> rimm.com MX
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7908
    ;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;rimm.com.                      IN  MX

    ;; AUTHORITY SECTION:
    rimm.com.               3600    IN  SOA ns1.netincomehost.com. admin.netincomehost.com. 2010012200 3600 600 1209600 3600

From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Samad Agha
Sent: Thursday, August 19, 2010 2:18 PM
To: bind-users@lists.isc.org
Subject: I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains

    # nslookup
    > set query=mx
    > rimm.com
    *** No mail exchanger (MX) records available for rimm.com

Obviously Rimm's DNS cannot be down! What gives? Any ideas?
RE: Split view - differing SOA serial number
> You need to specify different file locations for each of the slaved zones (even if the data is the same) in each view.

> Does that apply for master zones which are common (i.e. the same data) to both views as well?

In my experience, you can use a shared file for mastering. We have adopted the convention of zonename-viewname for our views, and use -common for zones shared between views.

t.
RE: named-checkzone
If you wanted to throw CVS into the mix, it would make all this pretty easy. You can have it run scripts on checkin, and you know all the files changed from a cvs diff, so it's easy to run that through named-checkzone. CVS doesn't have to make things much more complicated. You could create a script that, when run (ex: vizone zonename), would check out the zonefiles project and open a vi for the session. Then, when closed, it would check in the zonefile and run the verification script. Heck, you could just alias "vi" to your script if that is all your user does with vi, or if you use a unique account for DNS changes.

t.

From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of P.A
Sent: Thursday, June 24, 2010 4:38 PM
To: 'Taylor, Gord'; bind-us...@isc.org
Subject: named-checkzone

I was thinking more instantaneous without moving things around. I looked at vim vimrc autocmd but I couldn't get named-checkzone to execute, and I would still have to somehow have named-checkzone look at the last zone that was edited. Good suggestion though.

From: Taylor, Gord [mailto:gord.tay...@rbc.com]
Sent: Thursday, June 24, 2010 4:32 PM
To: P.A; bind-us...@isc.org
Subject: RE: named-checkzone

My suggestion is to create a backup copy of the (current) zone files in another directory. Only allow the users to edit those files, then execute a shell script that checks them, and only moves them to the production directory once named-checkzone (and named-checkconf) works correctly. Otherwise, it returns an error. The only thing we don't check is that the SOA serial has been incremented because our DNS file editor does that automatically...

From: bind-users-bounces+gord.taylor=rbc@lists.isc.org [mailto:bind-users-bounces+gord.taylor=rbc@lists.isc.org] On Behalf Of P.A
Sent: 2010, June, 24 3:47 PM
To: bind-us...@isc.org
Subject: named-checkzone

Hi, I'm trying to get some ideas on how I can exec named-checkzone on a zone file that has just been executed. We have some users who edit zone files but forget to run the command when they are done editing the file. Trying to figure out if anyone has a good way of enforcing that the zone gets checked after it's been edited.

Thanks,
Paul.
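One way to script the workflow from this thread (Gord's staging-directory check plus the "vizone zonename" wrapper), as an added example that is not any of the posters' own code: it assumes zone files named after the zone in one directory, and that named-checkzone prints its usual "loaded serial N" line on success.

```python
#!/usr/bin/env python3
"""Gate zone-file edits behind named-checkzone.

Example added for this archive; not the thread authors' script. 'vizone
zonename' opens a staging copy of the zone in the editor, and the edited
file is only copied into the production directory when named-checkzone
loads it cleanly and the SOA serial went up (the check Gord's editor does
for him). Assumptions (not in the thread): zone files are named after the
zone and live in one directory; named-checkzone reports
'zone example.com/IN: loaded serial 2010062401' on success.
"""
import os
import re
import shutil
import subprocess
import sys
import tempfile

SERIAL_RE = re.compile(r"loaded serial (\d+)")


def named_checkzone_serial(zone, path):
    """Run named-checkzone on path; return (serial, output). serial is None
    when the file does not load."""
    proc = subprocess.run(["named-checkzone", zone, path],
                          capture_output=True, text=True)
    match = SERIAL_RE.search(proc.stdout)
    if proc.returncode != 0 or match is None:
        return None, proc.stdout + proc.stderr
    return int(match.group(1)), proc.stdout


def check_and_install(zone, candidate, zonedir, checker=named_checkzone_serial):
    """Validate candidate and copy it over zonedir/zone if it passes.

    checker(zone, path) -> (serial or None, output) lets a test substitute a
    fake for named-checkzone. Returns (status, message); status is
    'installed', 'rejected' (did not load) or 'serial' (serial not bumped).
    """
    new_serial, output = checker(zone, candidate)
    if new_serial is None:
        return "rejected", f"{candidate} failed named-checkzone:\n{output}"
    production = os.path.join(zonedir, zone)
    if os.path.exists(production):
        old_serial, _ = checker(zone, production)
        # Only enforce the bump when the production copy itself loads;
        # a broken production file must not block the fix for it.
        if old_serial is not None and new_serial <= old_serial:
            return "serial", (f"serial {new_serial} is not above the production "
                              f"serial {old_serial}; not installed")
    shutil.copyfile(candidate, production)
    return "installed", f"installed {zone} with serial {new_serial}"


def vizone(zone, zonedir, editor=None, checker=named_checkzone_serial):
    """The 'vizone zonename' wrapper: edit a staging copy, then gate it."""
    editor = editor or os.environ.get("EDITOR", "vi")
    staged = os.path.join(tempfile.mkdtemp(prefix="vizone-"), zone)
    production = os.path.join(zonedir, zone)
    if os.path.exists(production):
        shutil.copyfile(production, staged)
    subprocess.call([editor, staged])
    status, message = check_and_install(zone, staged, zonedir, checker)
    print(message)
    return status


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: vizone zonename [zonedir]")
    zonedir = sys.argv[2] if len(sys.argv) > 2 else "/var/named"
    sys.exit(0 if vizone(sys.argv[1], zonedir) == "installed" else 1)
```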
RE: max-cache-size query
What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading.

Todd.

-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Techi
Sent: Tuesday, June 01, 2010 8:36 AM
To: bind-users@lists.isc.org
Subject: max-cache-size query

Hallo,

Recently, I faced huge problems with my DNS servers (bind crashed with no apparent reason). Some of the symptoms were:

* Huge number of connections on our firewalls (15).
* A lot of errors in syslog about max file descriptors limits reached (currently on the system, the FD limit is 4096, the default of CentOS).

Anyway, after the proposal of a friend of mine, I removed the max-cache-size limit (that was set to 256MB). After a restart of bind, the FW guys reported a huge drop in connections (1)! Additionally, I have had no crashes so far (in contrast with 1-2 per week).

So, why:

a. did bind generate so much traffic?
b. Is it possible to have bind crash because it could not handle the cache clean-up and at the same time serve requests?

Thank you
RE: Bind9 logging options
> The DNS Servers are authoritative. I have more than 100 users for them, and the number of queries performed per minute is very high due to the nature of our organization. Moreover, I do not have a specific time window in which the timeouts occur, so it is impossible to run it 24/7! From your answer I conclude that there is no such option, correct?

Well, it depends on the reason for the timeouts. If the packet is getting lost along the way due to network issues, it would never hit the server, and you wouldn't have any logs of it. You could use filters on tcpdump (tcpdump -tt host x.y.z.a port 53) and set up a script on a remote host to send a stream of queries. You don't necessarily have to capture all traffic to troubleshoot the problem. Make sure your servers are time sync'd properly so you can correlate the logs.

Otherwise, if the issue is happening after the packet reaches the server, then I'd bump up the debug level and turn on a bunch of logging, make sure ntp is working fine, and start watching logs while generating a bunch of traffic from a test box.

Cheers,

Todd.
RE: How to prevent slaves from contacting master for name resolution?
Are all the slaves authoritative for all the zones? If so, unless you're using forwarding, or some really odd delegation, queries shouldn't be going to the master servers.

Todd.

-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Keith Christian
Sent: Monday, May 17, 2010 5:59 PM
To: bind-users@lists.isc.org
Subject: How to prevent slaves from contacting master for name resolution?

Our redundant DNS configuration is one master and three slaves, spread across two colo facilities. master and slave1 are in colo_ALPHA. slave2 and slave3 are in colo_BETA.

During an extended maintenance window, the master DNS was offline. Slave2 was trying to contact the master, and lookups failed. Usually, slave2 resolves without contacting the master, but occasionally it does.

The IP for the master does not appear in slave2's /etc/resolv.conf, and I'm not sure what else to check for on slave machines. Where else would I look? Would any settings in named.conf account for this behavior?

Versions are Linux (CentOS 5) and BIND 9.5.x.

Thanks.

==Keith
RE: Help for a Windows installation
Alessandro,

Generally people won't want to lay out entire configurations for you. Spend a little time with the DNS BIND book, which will be your loving companion as a BIND admin (available on google books for free if your google-fu is good), and come back with direct questions/configuration examples if there is something you can't figure out, and I'm confident people will more readily help out.

Specific things to look for:

- ACLs
  - acl
  - allow-recursion
  - allow-query-cache
  - allow-query
- logging statement
- rndc flush

Cheers,

Todd.

-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Alessandro Magno
Sent: Tuesday, May 18, 2010 9:37 AM
To: bind-users@lists.isc.org
Subject: Re: Help for a Windows installation

Any help for me? :,-(

2010/5/17 Alessandro:

Hi, I'm trying to install the latest version of Bind on a standalone Windows 2003 Server. I would like to set up a caching-only nameserver, but I'm not so expert. I would like to:

- limit who can use this nameserver
- log the failed queries
- delete the cache if necessary

How should I fill in these files?

Thanks!
Alex

named.conf nr. 1

    options {
        directory "C:\WINDOWS\system32\dns\etc";
    };

    key rndc-key {
        algorithm hmac-md5;
        secret ;
    };

    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
    };

named.conf nr. 2

    acl corpnets { 192.168.1.0/24; };

    options {
        // Working directory
        directory "/etc/namedb";
        allow-query { corpnets; };
    };

    // Provide a reverse mapping for the loopback
    // address 127.0.0.1
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "localhost.rev";
        notify no;
    };

    key rndc-key {
        algorithm hmac-md5;
        secret ;
    };

    controls {
        inet 192.168.1.46 port 953 allow { 192.168.1.46; } keys { rndc-key; };
    };

    zone "." IN {
        type hint;
        file "db.root.hint.txt";
    };
Drawing complex deployments
Good day all,

This isn't strictly BIND related, but I think it might have some relevance to the members of this list.

I am working to document/diagram a very complex BIND deployment (multiple views, forwards, delegations, servers and environments) and I'm looking for advice/experience/examples of how to effectively diagram complex deployments. Specifically, how you may have diagrammed views in a visually simple manner.

Examples are welcome, and feel free to reply privately if you don't want to share on the list.

Thanks for your help,

Todd.

Todd Snyder, Systems Specialist
Data Networks Systems Engineering / Global DNS
bb 226.338.2617 dd 519.888.3176
Always On, Always Connected.
RE: Split View DNS
Yes, assuming you want them to both have the same zone data. We use a naming convention so we know when we're sharing a file. Each view gets their zonefiles with -viewname (ie: example.com-internal) appended. Common zones get -common. This keeps us from modifying the wrong file, and lets us remember which ones are shared easily.

Todd.

-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Jason Gates
Sent: Thursday, March 11, 2010 10:06 AM
To: bind-users@lists.isc.org
Subject: Split View DNS

When using split view, can one point to the same file in both views?

example:

    view blah-internal {
        match-clients { internal-users; };
        zone "blah.org" in {
            type slave;
            file "/var/named/slave/blah.org";
            masters { ipaddress; };
        };
        zone "10.10.10.in-addr.arpa" in {
            type slave;
            file "/var/named/slave/10.10.10.reverse";
            masters { ipaddress; };
        };
    };

    view blah-external {
        match-clients { any; };
        zone "blah.org" in {
            type slave;
            file "/var/named/slave/blah.org";
            masters { ipaddress; };
        };
        zone "10.10.10.in-addr.arpa" in {
            type master;
            file "/var/named/view/10.10.10.reverse";
        };
    };
Re: socket.c:4524: unexpected error in BIND 9.4.3 P3
Good day,

We've started seeing this bug on a couple servers, but I see no mention of it being fixed, so I don't know what version I should upgrade to. Nor can I find anything that lays out the impact/risk of this.

Does anyone know the status of this bug?

Thanks!

From: bind-users-boun...@lists.isc.org bind-users-boun...@lists.isc.org
To: bind-users@lists.isc.org
Date: Jul 31 2009 - 7:49pm

I have just reported this bug. Ticket number is [ISC-Bugs #20030].

Regards,
Vu

On Sat, Aug 1, 2009 at 4:06 AM, Paul Elist-bind-us...@dragon.net wrote:
> Le Vu,
>
> lev> BTW, what can I do to help debugging this problem? If it doesn't
> lev> involve with programming I will try.
>
> Submit this to ISC by emailing bind9-b...@isc.org. Thanks!
RE: query (cache) 'xxxxxxxxxxxx/A/IN' denied
Check out allow-query-cache.

-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org [mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Riccardo Castellani
Sent: Tuesday, February 09, 2010 1:06 PM
To: bind-users@lists.isc.org
Subject: query (cache) '/A/IN' denied

I'm using Debian Sarge with Bind 9.5.1 for my DNS server and I'd like to understand why my Fedora Core 3 client (machine A) is not able to resolve domains when it queries this DNS server. I can see this error in named.log on the DNS server:

security: client A.B.C.D# : query (cache) '/A/IN' denied

The allow-query option contains machine A; the allow-recursion option doesn't contain machine A.

I'd like machine A to be able to resolve only domains which the DNS server has in cache! It must not do recursive queries! If the record is in cache, the server gives the answer, otherwise it gives nxdomain!
RE: How reply the same MX RRs list for all kind of MX request
You can create an include file, and put it right under your SOA/NS records. The file should start with blanks... something like:

    @ IN SOA ns.example.com. root. (
            2009112601 ; Serial
            1h         ; Refresh
            20m        ; Retry
            1w         ; Expire
            1h )       ; Minimum
      IN NS ns1.
    $INCLUDE mx-records.include

    ; mx-records.include
      IN MX 10 mx.example.com.

That will end up putting an MX record for each zone in each zone without needing a bunch of different lines or includes.

Hopefully that helps, or is even in the right direction. YMMV.

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Frank Abel Cancio Bello
Sent: Thursday, November 26, 2009 11:20 AM
To: bind-users@lists.isc.org
Subject: How reply the same MX RRs list for all kind of MX request

Hi all,

First of all, I'm a newbie in DNS, so excuse me if I'm posting something stupid here ;)

I want DNS replying the same list of MX RRs for all MX requests. I mean, any client that wants to send an email and queries my DNS for MX RRs must get the same MX RRs, no matter what domain the client is requesting the MX RRs for. Is that possible in any way?

Thanks in advance.

Cheers
Frank Abel
RE: cache dead records
Look at something like an F5 GTM ... it can do health checks on pools and respond with only available/geographically close/etc ips...

http://www.f5.com/products/big-ip/product-modules/global-traffic-manager.html

More than likely far too big for what you're looking for, but service availability checking isn't really what BIND is used for.

If you wanted to do it on the cheap, you could write a script that would check for service on the IP for a domain, and if it doesn't answer, updates the zone to remove/change the record.

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of net...@royal.net
Sent: Thursday, October 22, 2009 11:45 PM
To: bind-users@lists.isc.org
Subject: cache dead records

Hello,

We are using bind9 for DNS Cache. The problem is, sometimes the IP address for a domain is dead, but Bind won't know, and still responds with the dead IP to clients, after which clients fail to access the sites. So is there a way to do a health check for destination IPs before responding with the DNS answers?

Thanks.
RE: DNS Server
There are a few approaches you could take, and it depends on what you are trying to do.

If you are actually trying to block traffic to a specific server/servers, I'd say use a firewall. If you're running on a linux box, it's pretty easy: http://www.cyberciti.biz/faq/howto-null-route-an-attackers-ip/

Failing that, I believe there is a bind directive (blackhole) that might do what you want, but I've never looked into it.

Finally, if you are simply trying to block certain domains, you could load them as master zones on your server and leave them blank.

Cheers,

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Agarwal Vivek-RNGB36
Sent: Wednesday, October 07, 2009 8:46 AM
To: bind-users@lists.isc.org
Subject: DNS Server

Hi All

I'm using BIND 9.3. I have been asked to block the responses from some of the DNS Servers in the internet. Is there any way I can do that?

Regards
Vivek Aggarwal
+973-36583058
RE: A smarter stub resolver??
> If you're on a closed network and not using forwarders, then you'll also need a hints file and associated hints-file definition in named.conf, of course, but even so, we're still not talking about adding a great deal of additional care and feeding...

It's not much, I'll gladly concede, but the simple act of adding a large number of nameservers, even simple caching ones, introduces more complexity, more pieces in the puzzle. They may hum along nicely, until a day when you have DNS problems and negatively cache something important and suddenly you're rushing to flush hundreds/thousands of caches while you're under incident, all so the local system can handle a failed resolver in a better way.

I don't disagree that this isn't a good solution, and I have used it myself many times, but to me, it doesn't scale to a DC/DCs full of servers well.

I'd rather see a more clever resolver that realizes there is a fault and removes that nameserver from its pool for $BACKOFFSECONDS then tries again with an increasing backoff, or background checks while using the other configured nameservers until it's back up. Again, it adds complexity, but it doesn't necessarily add an attack vector, nor a sysadmin task.

I am sure there are drawbacks to the idea, but there are benefits. If only I were a programmer ...

Cheers,

Todd.
RE: A smarter stub resolver??
The problem with this approach is when you are running a couple thousand servers - suddenly, you are running a couple thousand more instances of BIND that need monitoring/patching/care/feeding. A more clever resolver, or a simpler caching setup locally, would be ideal.

Otherwise, you could redo your overall DNS architecture to use something like anycasting so that there are multiple sources (potentially) for each of your nameserver entries, so you're less likely to have one drop. However, this isn't ideal.

A smarter resolver would be fantastic, but with smarts comes complexity, which brings more room for errors and/or vectors for attack.

You'd think this would be a common concern in large server deployments. As soon as you lose one of your resolvers, even if it's painfully obvious that the resolver is down, the resolver will continue to send queries to that host. I guess it's a trade off, but there's really only 2 options ... maybe more are needed.

t.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
Sent: Monday, July 20, 2009 1:30 PM
To: bind-users@lists.isc.org
Subject: Re: A smarter stub resolver??

Rather than applying lipstick to the pig, why not run a local caching-only resolver? Move up and out of the stub-ville slums. A local instance of named doesn't take up that much server resources (disk, memory, CPU), and pays you back by *not*, as a stub resolver does, using network resources, and incurring network latency, for each and every lookup.

- Kevin

Taylor, Gord wrote:
> I should mention that I've looked at options rotate, but the concern is that this will mean retransmits if ANY of the nameservers are down. So, any DNS outage would cause some level of impact to the application. It also makes it harder for applications to determine if slowdowns are due to DNS name resolution issues. Since 1/3 of the queries will be slower, they'll not think to look at DNS as root cause; they'd probably see it as a utilization issue, or something along those lines. While that may mean I don't get paged, it's not great for the business :)
>
> Gord Taylor (CISSP, GCIH, GEEK)
>
> -Original Message-
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Taylor, Gord
> Sent: 2009, July, 15 10:05 AM
> To: bind-users@lists.isc.org
> Subject: A smarter stub resolver??
>
> I've frequently run into a problem that the stub resolver just isn't very dynamic in its selection of name servers - especially when dealing with time-sensitive apps. If the first DNS server in the list is down, the applications may slow down due to the constant retransmits. Given a resolv.conf like the one below, the xNix box will ALWAYS query the first DNS server, even if it's down. So, for every single DNS query (think of how many reverse lookups a mail server, or Kerberos, will do), there's a 2 second delay.
>
> Is there a smarter stub resolver that acts more like a DNS server using Round Trip Time (RTT) to pick the best DNS server from the list? We run well over 500 xNix boxes (and growing), so running DNS on each of these just isn't a viable option to get round the DNS timing issues.
>
> nameserver 10.10.10.1
> nameserver 10.10.10.2
> nameserver 10.10.10.3
> options retry:2
> options retrans:2
>
> Gord Taylor (CISSP, GCIH, GEEK)
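The backoff behaviour Todd describes in these two threads (take a failed nameserver out of the pool for a while, retry it with an increasing backoff, keep using the other configured servers meanwhile), as an added example that is not the posters' code or any libc resolver: it simulates Gord's three-nameserver resolv.conf with an injectable clock and transport, and the 2 s base and 300 s cap are assumed values.

```python
"""Stub-resolver server selection with per-server failure backoff.

Example added for this archive; not the thread authors' code and not part of
any real resolver library. A nameserver that times out is taken out of the
pool for a backoff period that doubles on each consecutive failure while
queries go to the remaining servers in resolv.conf order; it is tried again
once the backoff expires. Backoff constants are assumed values.
"""
import time


class ResolverPool:
    def __init__(self, nameservers, base_backoff=2.0, max_backoff=300.0,
                 clock=time.monotonic):
        self.order = list(nameservers)                  # resolv.conf order
        self.base_backoff = base_backoff
        self.max_backoff = max_backoff
        self.clock = clock
        self.failures = {ns: 0 for ns in self.order}    # consecutive failures
        self.retry_at = {ns: 0.0 for ns in self.order}  # when to try again

    def candidates(self):
        """Servers to try, in order, skipping any still in backoff. If every
        server is backed off, return all of them: trying is better than
        failing the application without sending a single packet."""
        now = self.clock()
        live = [ns for ns in self.order if self.retry_at[ns] <= now]
        return live or list(self.order)

    def pick(self):
        return self.candidates()[0]

    def report_failure(self, ns):
        """Back the server off for base * 2**(failures-1), capped at max."""
        self.failures[ns] += 1
        delay = min(self.base_backoff * 2 ** (self.failures[ns] - 1),
                    self.max_backoff)
        self.retry_at[ns] = self.clock() + delay
        return delay

    def report_success(self, ns):
        self.failures[ns] = 0
        self.retry_at[ns] = 0.0


def resolve(pool, send):
    """Send the query to each live server in turn; send(ns) returns an answer
    or raises TimeoutError. Unlike the classic stub resolver, a server that
    just timed out is not asked again on the very next query."""
    last_error = None
    for ns in pool.candidates():
        try:
            answer = send(ns)
        except TimeoutError as err:
            pool.report_failure(ns)
            last_error = err
            continue
        pool.report_success(ns)
        return answer
    raise last_error or TimeoutError("no nameserver answered")


class FakeClock:
    """Manually advanced clock so the backoff can be shown offline."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    """Gord's resolv.conf with 10.10.10.1 down (constructed scenario).
    Returns [(time, server_that_answered, retry_time_for_10.10.10.1)]."""
    clock = FakeClock()
    pool = ResolverPool(["10.10.10.1", "10.10.10.2", "10.10.10.3"], clock=clock)

    def send(ns):                  # fake transport: .1 never answers
        if ns == "10.10.10.1":
            raise TimeoutError(ns)
        return ns

    trace = []
    for t in (0.0, 1.0, 2.0, 3.0, 6.0):   # seconds on the fake clock
        clock.now = t
        trace.append((t, resolve(pool, send), pool.retry_at["10.10.10.1"]))
    return trace


if __name__ == "__main__":
    for t, ns, retry in demo():
        print(f"t={t:>4}s answered by {ns}; 10.10.10.1 backed off until t={retry}s")
```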
RE: Bind9.5.1 under no Root Name Servers
Martin,

It looks like you were relying on an odd mechanism to determine an outage. What you were seeing is the server filling up all the available recursive slots because they weren't getting answered, backing up the queue. It wasn't necessarily an indication of an outage; it could have meant that you had too many people trying to do lookups at once. However, I suspect that worked well for you, and would generally indicate there was a problem.

I'd suggest instead using stats to look for problems. We've been testing running rndc stats every couple of minutes on a server, then parsing that data both to dump into a DB to graph the results, and to raise alerts. With some pretty simple programming, you can keep a rolling average of errors. Then, if you get a value that's more than X above that average, you could raise an alert, or consider that to be an outage.

What's harder is getting a really good way to detect abnormal numbers of queries, as the average isn't the best way. Weekends are lower, weekdays are higher ... I guess the best way to do it would be to have a daily average (Monday-Sunday) and if the current errors are greater than that day's norm, it's abnormal. But I digress...

In your situation, looking for hard downs on your connectivity, you would see successful queries drop to 0 (or near 0), and your errors ramp up. That wouldn't be a hard one to detect programmatically.

The other nice thing about putting this all into a DB is that you can look back and get historical stats quite easily. Look at tools like rrd/cacti for graphing, and we've been using perl for the monitoring stuff. Not quite as simple as looking for log lines, but all pretty easy overall, and it has some nice bonuses.

Cheers,

Todd.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Martin McCormick
Sent: Friday, July 17, 2009 9:20 AM
To: bind-us...@isc.org
Subject: Bind9.5.1 under no Root Name Servers

What does bind9.5.1 do when there is an Internet issue and we lose all root name servers? The bind9.3.x we had been running always began producing tons of lines saying that there were no more recursive clients. I had written a program that looked for the time stamp when the mess starts and then for the time stamp of the last distress call, and we called that an outage since bind certainly wasn't happy. We had a very brief outage on the day we switched to bind9.5.1 and I saw nothing remarkable in the named.log file during the period where we lost all roots. Either bind9.5.1 doesn't produce this message or the hit just didn't last long enough for all the recursive slots to fill up. We do allow recursion from within our network but disallow it for 3rd parties. Bind is an excellent place to take the pulse of one's whole network since it is so closely tied to everything else. Here is an actual example of the message we look for:

    08-Jul-2009 08:38:20.296 client 139.78.102.224#53631: no more recursive clients: quota reached

Martin McCormick WB5AGZ Stillwater, OK
Systems Engineer
OSU Information Technology Department
Telecommunications Services Group
namespace verification
Good day all,

I am looking at making some sweeping changes to some zone files, cleaning up NS records primarily. As I'm pondering the impact of this, I got to thinking about how to validate every single record in my namespace, and therefore the entirety of my change.

What I'm thinking of is a script that will go through each zone file and do a dig against a server (localhost, or otherwise) for each record, verifying that every record resolves correctly.

Has anyone written such a beast or know of a tool like this? Am I being obtuse in thinking that this would be useful to me to verify my changes?

Cheers,

Todd.
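A script of the kind asked about here, as an added example and not a tool anyone on the list posted: it parses the zone file, asks the server for each owner/type with dig, and reports every record the server did not return. The sample zone and dig output are constructed, the parser assumes one record per line, and the NS records at a zone cut are matched from the referral (authority section) rather than the answer section.

```python
"""
Added example (not a tool from the thread): read the records in a BIND zone
file and check each one against what a server actually answers, reporting
every record the server did not return. The sample zone and dig output are
constructed; verify_zone() shells out to dig and needs a reachable server.
Assumptions: one record per line (no parenthesised continuation), no $GENERATE,
and SOA records are skipped (their serial differs between masters and slaves).
"""
import subprocess
from collections import defaultdict

SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.test.
@        IN SOA ns01 hostmaster 2009060101 3600 900 604800 300
@        IN NS  ns01
         IN NS  ns02
ns01     IN A   192.0.2.1
ns02     IN A   192.0.2.2
www 3600 IN A   192.0.2.10   ; explicit TTL
lab      IN NS  ns01.lab     ; delegation with in-zone glue
ns01.lab IN A   192.0.2.20
"""

# Constructed dig output: the ns02 NS record is missing and www has moved.
SAMPLE_DIG = """\
example.test.           3600  IN  NS  ns01.example.test.
ns01.example.test.      3600  IN  A   192.0.2.1
ns02.example.test.      3600  IN  A   192.0.2.2
www.example.test.       3600  IN  A   192.0.2.11
lab.example.test.       3600  IN  NS  ns01.lab.example.test.
ns01.lab.example.test.  3600  IN  A   192.0.2.20
"""


def qualify(name, origin):
    """Lowercase a name and make it absolute relative to origin."""
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin}"


def norm_rdata(rrtype, rdata, origin):
    """Canonicalise rdata so zone-file and dig spellings compare equal."""
    if rrtype in ("NS", "CNAME", "PTR"):
        return qualify(rdata, origin)
    return rdata


def parse_zone(text, origin):
    """Return {(owner, rrtype): set(rdata)} for the records in a zone file."""
    origin = origin.lower().rstrip(".") + "."
    records = defaultdict(set)
    owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
        if fields[0].startswith("$"):          # $ORIGIN handled, $TTL ignored
            continue
        if not raw[0].isspace():               # leading blank = same owner as before
            owner = origin if fields[0] == "@" else qualify(fields[0], origin)
            fields.pop(0)
        while fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS"):
            fields.pop(0)                      # optional TTL and/or class
        rrtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rrtype != "SOA":
            records[(owner, rrtype)].add(norm_rdata(rrtype, rdata, origin))
    return records


def parse_dig_answers(text):
    """Parse `dig +noall +answer ...` output lines: owner TTL class type rdata."""
    got = defaultdict(set)
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        rrtype = f[3].upper()
        got[(f[0].lower(), rrtype)].add(norm_rdata(rrtype, " ".join(f[4:]), "."))
    return got


def missing_records(expected, answers):
    """(owner, type, rdata) triples in the zone file but absent from the answers."""
    missing = []
    for (owner, rrtype), rdatas in expected.items():
        for rd in rdatas - answers.get((owner, rrtype), set()):
            missing.append((owner, rrtype, rd))
    return sorted(missing)


def verify_zone(text, origin, server="127.0.0.1"):
    """Ask the server for every (owner, type) in the zone and report the gaps.
    Records at a zone cut come back as a referral, so the authority and
    additional sections are collected as well as the answer section."""
    expected = parse_zone(text, origin)
    answers = defaultdict(set)
    for owner, rrtype in expected:
        cmd = ["dig", f"@{server}", "+norecurse", "+noall", "+answer",
               "+authority", "+additional", owner, rrtype]
        out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
        for key, rds in parse_dig_answers(out).items():
            answers[key] |= rds
    return missing_records(expected, answers)
```

Run `missing_records(parse_zone(SAMPLE_ZONE, "example.test"), parse_dig_answers(SAMPLE_DIG))` for an offline check against the constructed output; `verify_zone(open(path).read(), origin, server)` does the same against a live server.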
Changing CHROOT at BIND compile time
Good day,

I am working at building BIND, and I will admit right now that I am not much of a developer. I noticed that when you compile/make/install BIND, it creates /var/named/chroot as the default chroot jail. We don't use that particular standard, and have been simply moving things afterwards. However, I'm wondering if there is a way to define, at compile time, where the chroot will be created, so that we don't have to do the intermediate movement step?

I've been trying to dig through the configure script, and through the Makefile, to find this, but as I said before, I'm not much of a developer, and I'm not really familiar with the processes. I'm guessing that there must be a way to change this, as everything is just makefiles/source at compile time, but I am not sure where to look.

Thanks much,

Todd.
RE: Changing CHROOT at BIND compile time
Please ignore me - I realized too late that someone else was installing BIND as I was compiling, and that created the directory I was seeing. I realize now that BIND wouldn't be creating this ... it was silly of me to assume that.

Cheers,

Todd.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Wednesday, June 10, 2009 11:45 AM
To: bind-users@lists.isc.org
Subject: Changing CHROOT at BIND compile time
Delegation of already loading zones?
Good day,

Looking through the configuration of one of my servers (ns01.local), I have example.com loading, and test.example.com loading. In example.com, someone has delegated test.example.com back to the server:

    test.example.com.    IN NS    ns01.local.

Since I am loading test.example.com specifically, that delegation appears redundant. Are there cases where that delegation is required? Is there a standard that says I should do that for all zones I'm loading that are subzones of another zone I'm loading? Is this just an oddball configuration that should be cleaned up?

Thanks,

Todd.
RE: Transfer delays
Do you have "notify no;" in your config options?

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Michael Di Martino
Sent: Thursday, May 28, 2009 10:17 AM
To: bind-users@lists.isc.org
Subject: Transfer delays

List Members,

This is a new and quite basic install of BIND-9. I am experiencing a 15 min delay from the time a zone file is updated and reloaded w/ rndc and transferred to the slave server. What could cause this delay? I am at a total loss. Please advise.

Michael DiMartino
RE: Delegation not working
+trace forces the server to go to the root. It doesn't necessarily represent the path your query would normally take. If the server you are querying is authoritative for the zone you are querying, it will still trace from the root. This feature is, sadly, not as useful in an internal DNS configuration, where recursion from the root isn't used. That seems to be the situation you're in (not able to reach the root). At least, that is my interpretation of it.

Todd.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mike Bernhardt
Sent: Thursday, May 07, 2009 3:22 PM
To: 'Chris Buxton'
Cc: bind-users@lists.isc.org
Subject: RE: Delegation not working

Reformatting the dig request gives the following:

    dig +trace @athena -x 10.0.2.252

    ; <<>> DiG 9.3.4 <<>> +trace @athena -x 10.0.2.252
    ; (1 server found)
    ;; global options:  printcmd
    .                       163824  IN      NS      K.ROOT-SERVERS.NET.
    .                       163824  IN      NS      L.ROOT-SERVERS.NET.
    .                       163824  IN      NS      M.ROOT-SERVERS.NET.
    .                       163824  IN      NS      A.ROOT-SERVERS.NET.
    .                       163824  IN      NS      B.ROOT-SERVERS.NET.
    .                       163824  IN      NS      C.ROOT-SERVERS.NET.
    .                       163824  IN      NS      D.ROOT-SERVERS.NET.
    .                       163824  IN      NS      E.ROOT-SERVERS.NET.
    .                       163824  IN      NS      F.ROOT-SERVERS.NET.
    .                       163824  IN      NS      G.ROOT-SERVERS.NET.
    .                       163824  IN      NS      H.ROOT-SERVERS.NET.
    .                       163824  IN      NS      I.ROOT-SERVERS.NET.
    .                       163824  IN      NS      J.ROOT-SERVERS.NET.
    ;; Received 500 bytes from 148.165.30.30#53(148.165.30.30) in 0 ms

    ;; connection timed out; no servers could be reached

Since this server can't reach the root servers, this makes sense. But apparently it isn't following delegation.

-----Original Message-----
From: Chris Buxton [mailto:cbux...@menandmice.com]
Sent: Thursday, May 07, 2009 12:19 PM
To: Mike Bernhardt
Cc: bind-users@lists.isc.org
Subject: Re: Delegation not working

On May 7, 2009, at 12:06 PM, Mike Bernhardt wrote:

> dig -x +trace @athena 10.0.2.252
>
> ;; QUESTION SECTION:
> ;+trace.in-addr.arpa.           IN      PTR
>
> ;; QUESTION SECTION:
> ;10.0.2.252.                    IN      A

You've given dig the wrong arguments. You gave it two queries, indicated above, neither of which is what you wanted. Try this:

    dig @athena -x 10.0.2.252

Chris Buxton
Professional Services
Men & Mice
Delegation or PEBKAC problems?
Good day,

(BIND 9.6.0-P1)

Although, to me, delegation seems like a fairly simple configuration, I seem to be having problems. What I am trying to do is very simple - I have a lab, and I want to delegate part of the namespace to someone else in the lab. My configuration looks like this:

    (zone lab.foo.example)
    ; delegation
    group.lab.foo.example.    IN NS    group-ns01.lab.foo.example.
    group.lab.foo.example.    IN NS    group-ns02.lab.foo.example.
    ; glue
    group-ns01                IN A     1.1.1.1
    group-ns02                IN A     1.1.1.2

I load the zone, it loads just fine. I can resolve the 2 ns servers directly, so I know the glue is good. However, when I dig for a record in that zone, I get:

    [10:43:08 r...@ns01.lab.foo.example:~ ()]# dig @ns01.lab.foo.example record.group.foo.example any

    ; <<>> DiG 9.6.0-P1 <<>> +qr @s01.lab.foo.example record.group.foo.example any
    ; (1 server found)
    ;; global options: +cmd
    ;; Sending:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59035
    ;; flags: rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;record.group.foo.example.      IN      ANY

    ;; connection timed out; no servers could be reached

When I dig directly at the delegated nameserver, I can get the record just fine.

When I run tcpdump on the nameserver, I see the requests come in, time out, come in, time out, come in, time out, then the resolver gives up. I don't see packets going out to the other server, nor do I see the server returning anything to the resolver (i.e. authority records).

If I disable recursion on this view, the server, loading the same zone, returns NS records immediately, which tells me that the server is loading the zone properly, and that the data is good.

My understanding of delegation is that the resolver goes out to its configured nameserver. That nameserver returns the NS records for the delegated namespace, then the resolver goes to the delegated server to ask the next question. Am I incorrect in that?

We've been fiddling with this for a bit now, and I can't see what I've done wrong. My best guess right now is that we're hitting some oddness with views/delegation.

Can anyone think of something I've missed? Can anyone clarify my view of delegation?

Thanks,

Todd.
RE: Delegation or PEBKAC problems?
> It works that way, sometimes. If recursion is enabled on your server, it will query the other servers in the NS records on behalf of the resolver and return what it finds. If recursion is off, it will just return the NS records and the resolver is expected to follow them (and some really dumb resolvers might not be able to do that). If your first server can't talk to the other (delegated zone's) NS's (say because of a firewall issue) you can get something that matches what you seem to be getting.

Thanks John.

From the first server, I can talk to the delegated nameserver no problem. We thought it might be firewall/acl related, but digs confirm that they can talk directly without problem. They are, logically speaking, on the same switch, with no firewalls between.

Todd.
RE: Delegation or PEBKAC problems?
With help of a list member, we got this figured out. The problem is that, outside of the config I showed you, I had a forwarder set up:

    zone "foo.example" IN {
        type forward;
        forward only;
        forwarders { x; y; };
    };

My understanding of things was that BIND would answer most specifically. So I thought that because I was authoritative for lab.foo.example, it would only use the foo.example for things that didn't fall under lab.foo.example. That doesn't seem to be the case. BIND was using the forwarding, and not even looking at the authoritative zone.

From my reading of DNS and BIND (pg 244, 4th paragraph), I'm wondering if the book or BIND are mistaken:

> If a resolver requests records that are already in the nameserver's authoritative data or cached data, the nameserver answers that with the information; this part of its operation hasn't changed. However, if the records aren't in its database, the nameserver sends the query to a forwarder ...

(this relates to forward only mode)

For forward first mode, the book states (pg 245, 2nd paragraph):

> A nameserver in forward-only mode is a variation on a nameserver that uses forwarders. It still answers queries from its authoritative data and cached data.

So, in both cases, the server should be answering authoritatively first, then going to the forwarders. Having said that, I reconfigured it to use forward first and I'm getting the behaviour I was looking for - so the server seems to behave as I thought in forward first mode, but not in forward only mode. Has the logic here changed, or am I misinterpreting the book?

Thanks!

Todd.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Tuesday, May 05, 2009 11:59 AM
To: bind-us...@isc.org
Subject: RE: Delegation or PEBKAC problems?

It's been pointed out that I made a mistake cleaning up my example data below .. my dig should read:

    [10:43:08 r...@ns01.lab.foo.example:~ ()]# dig @ns01.lab.foo.example record.group.lab.foo.example any

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Tuesday, May 05, 2009 11:08 AM
To: bind-us...@isc.org
Subject: Delegation or PEBKAC problems?
RE: name server zone list
You say "my DNS servers" - if you own them, why not just look at the named.conf?

    grep zone named.conf

should tell you pretty quickly. If you are using external hosting, you will need to talk to your provider. They should be able to provide you a list.

t.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sandy Mackenzie
Sent: Friday, April 03, 2009 9:15 AM
To: bind-users@lists.isc.org
Subject: name server zone list

Hi,

I want to be able to produce a simple list of the zones on my DNS servers. Is there any way to do this with dig or any other tool? I can currently transfer a single zone with

    dig @nameserver zone axfr

but I want to see all zones hosted on my DNS server.

--
Sandy Mackenzie

The contents of this e-mail message and all attachments are intended for the confidential use of the addressee and where addressed to our client are the subject of solicitor and client privilege. Any retention, review, reproduction, distribution or disclosure other than by the addressee is prohibited. Please notify us immediately if we have transmitted this message to you in error. Thank you.
RE: name server zone list
> BIND already creates an internal view _bind with class CH to contain the zones version.bind, hostname.bind, authors.bind, etc. I was thinking in terms of zones.bind living there as well.
>
> Of course there's the barber-shaving question: should zones.bind contain an entry describing itself?

My view would be that it should list every zone being answered for by the server, so it should include itself. Maybe it could be prefixed/suffixed/named in a pattern so it can be removed easily from a listing, but I know I'd like to be able to see every zone being loaded on my server (including empty zones).

$0.02 CDN

T.
RE: name server zone list
> I agree with Rick Dicaire that this should not be done as a zone at all. Instead, this should be implemented in rndc.

I do agree with the premise that it would be nice to be able to have a list of all zones on the server. I would tend to agree that rndc is the best place for it, except in places where doing the "r" part of rndc isn't possible. If you're in a tightly controlled environment, where rndc isn't used because of security/firewalls, you'd be stuck using another method to get the data, instead of utilizing a data channel that already exists.

Additionally, there may well be times where I'd want to give access to people to see what zones are on the server, without giving them access to the console, or to run rndc. Think of a NOC doing troubleshooting - they may not have access to the box, or be able to use RNDC, but it would be handy if they could look and see what zones are loaded on the server.

Granted, these are edge cases really, but ones where having the data available as a zone would be more useful than through rndc. Any which way, having access to the data would be good.

t.
RE: Stats
I know that people may laugh, but when I need to look at the stats, I pump the data into Excel. A quick script turns that data into csv, pull into Excel, highlight, graph, done!

I've seen people using Cacti for graphing the numbers. RRD would work too, I believe. I expect you could feed the data into Concord (etc) if you wanted to be able to generate alerts.

As for your error, it looks like that client is trying to update the zone with a record that already exists.

Cheers,

Todd.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Friday, March 27, 2009 9:25 AM
To: bind-users@lists.isc.org
Subject: Stats

What do you guys use to turn this:

    --- Statistics Dump --- (1238151600)
    +++ Statistics Dump +++ (1238155200)
    success 3280261
    referral 363
    nxrrset 745513
    nxdomain 392614
    recursion 1173408
    failure 1115632
    --- Statistics Dump --- (1238155200)

into something more meaningful?

Also, what does this mean? I keep getting them in my logs:

    client 68.143.179.98#59977: updating zone 'gardencity.com/IN': update failed: 'RRset exists (value dependent)' prerequisite not satisfied (NXRRSET)

TGIF!

--
Best Regards,
John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016
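The "turn this into csv" step asked about here and the rolling-average alerting from Todd's earlier rndc stats reply (keep a rolling average of errors, alert when a value is more than X above it) as one added example, not code from either poster: the first dump is the one quoted above, the two later dumps are constructed.

```python
"""
Added example (not from either poster): parse legacy BIND "Statistics Dump"
blocks as written by rndc stats, turn the cumulative counters into per-interval
deltas, render them as CSV, and flag an interval whose failure count exceeds
the rolling average of earlier intervals by more than a threshold. The first
dump below is the one quoted in the thread; the two later ones are constructed.
"""
import csv
import io
import re
from statistics import mean

COUNTERS = ("success", "referral", "nxrrset", "nxdomain", "recursion", "failure")

SAMPLE_STATS = """\
--- Statistics Dump --- (1238151600)
+++ Statistics Dump +++ (1238155200)
success 3280261
referral 363
nxrrset 745513
nxdomain 392614
recursion 1173408
failure 1115632
--- Statistics Dump --- (1238155200)
+++ Statistics Dump +++ (1238158800)
success 3290261
referral 370
nxrrset 746013
nxdomain 393114
recursion 1178408
failure 1116632
--- Statistics Dump --- (1238158800)
+++ Statistics Dump +++ (1238162400)
success 3292261
referral 372
nxrrset 746113
nxdomain 393214
recursion 1183408
failure 1166632
--- Statistics Dump --- (1238162400)
"""

HEADER_RE = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
FOOTER_RE = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")


def parse_dumps(text):
    """Return one {"time": epoch, counter: value, ...} dict per complete
    +++ ... --- block. Counters are cumulative since named started."""
    dumps, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER_RE.match(line):
            current = {"time": int(m.group(1))}
        elif m := FOOTER_RE.match(line):
            # a footer without a matching header (the first line above) is ignored
            if current is not None and int(m.group(1)) == current["time"]:
                dumps.append(current)
            current = None
        elif current is not None:
            name, _, value = line.partition(" ")
            if name in COUNTERS and value.isdigit():
                current[name] = int(value)
    return dumps


def deltas(dumps):
    """Turn consecutive cumulative dumps into per-interval increments."""
    rows = []
    for prev, cur in zip(dumps, dumps[1:]):
        row = {"time": cur["time"], "seconds": cur["time"] - prev["time"]}
        for c in COUNTERS:
            row[c] = cur.get(c, 0) - prev.get(c, 0)
        rows.append(row)
    return rows


def to_csv(rows):
    """Render interval rows as CSV text, the step before pulling into Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["time", "seconds", *COUNTERS])
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def failure_alerts(rows, window=6, threshold=1000):
    """Times of intervals whose failure delta is more than `threshold` above
    the rolling average of up to `window` earlier intervals. The first
    interval has no history and therefore never alerts."""
    alerts, history = [], []
    for row in rows:
        if history and row["failure"] - mean(history[-window:]) > threshold:
            alerts.append(row["time"])
        history.append(row["failure"])
    return alerts


if __name__ == "__main__":
    rows = deltas(parse_dumps(SAMPLE_STATS))
    print(to_csv(rows), end="")
    for t in failure_alerts(rows):
        print(f"ALERT: failures spiked in the interval ending at {t}")
```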
RE: Servers loading zones with lower serials
This was a slave server hitting a master. Both were hitting the same master in this case.

Cheers,

Todd.

-----Original Message-----
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Barry Margolin
Sent: Wednesday, March 25, 2009 8:45 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Servers loading zones with lower serials

In article gqaoi6$1j7...@sf1.isc.org, Todd Snyder tsny...@rim.com wrote:

> Good day,
>
> I saw some strange behaviour from BIND and am trying to understand it. In one of the labs, someone mucked up a DNS change and made the serial lower than the previous version. Some of the nameservers complained:
>
>     Mar 23 15:07:24 ns1001 named[5913]: zone 5.1.10.in-addr.arpa/IN: serial number (2008030900) received from master 10.1.1.1#53 < ours (2008062600)
>
> But some others just went ahead and loaded the zone anyways.

Were they masters or slaves? Serial number checking is only done by slaves when checking whether they need to perform a zone transfer from the master.

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
Servers loading zones with lower serials
Good day,

I saw some strange behaviour from BIND and am trying to understand it. In one of the labs, someone mucked up a DNS change and made the serial lower than the previous version. Some of the nameservers complained:

Mar 23 15:07:24 ns1001 named[5913]: zone 5.1.10.in-addr.arpa/IN: serial number (2008030900) received from master 10.1.1.1#53 < ours (2008062600)

But some others just went ahead and loaded the zone anyways. One of the servers that loaded the zone was BIND 9.2.4. One of the ones that rejected it was 9.4.2-P2.

I've done some searching but can't find anything that jumps out at me to explain this behaviour. Am I misunderstanding the serials?

Thanks, Todd.
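The rule a slave applies when it compares the master's serial with its own is RFC 1982 serial number arithmetic, which is exactly what the log line above reports: 2008030900 is "less than" 2008062600 because the two are fewer than 2^31 apart, so the slave keeps its copy. The Python below is an added example, not code from this thread or from BIND. The zone name and master address are the ones in the log line; the two-step rollback at the end is the usual recovery when a serial has been set too low (publish a serial 2^31-1 higher, let every slave transfer it, then publish the intended lower value) and is this example's own addition.

```python
"""RFC 1982 serial number arithmetic as a BIND slave applies it when it
decides whether the master's copy of a zone is newer than its own.
Added example; the constructed values are the ones from the log line."""

SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS        # serials wrap at 2**32
HALF = 1 << (SERIAL_BITS - 1)     # 2**31: the largest step that still counts as forward


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is greater than b in RFC 1982 arithmetic.

    Two serials exactly 2**31 apart are incomparable per the RFC; this
    returns False for them, so a slave would refuse to transfer."""
    a %= MODULUS
    b %= MODULUS
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slave_should_transfer(master_serial: int, ours: int) -> bool:
    """A slave only fetches the zone when the master's serial is newer."""
    return serial_gt(master_serial, ours)


def explain(master_serial: int, ours: int,
            zone: str = "5.1.10.in-addr.arpa/IN", master: str = "10.1.1.1#53") -> str:
    """Reproduce the decision behind the 'serial number ... < ours' log line."""
    if slave_should_transfer(master_serial, ours):
        return f"zone {zone}: transfer from {master}: serial {master_serial} > ours {ours}"
    if master_serial % MODULUS == ours % MODULUS:
        return f"zone {zone}: serial {ours} unchanged, no transfer"
    return (f"zone {zone}: serial number ({master_serial}) received from master "
            f"{master} < ours ({ours})")


def rollback_plan(current: int, target: int) -> list:
    """Serials to publish, in order, to move slaves from `current` to a lower
    `target` without any slave ever seeing a 'lower' serial.

    First hop: current + 2**31 - 1, the largest step that is still 'greater'.
    Second hop: target, which is now 'greater' than the first hop because the
    wrap-around distance exceeds 2**31. Every hop is checked with serial_gt."""
    first = (current + HALF - 1) % MODULUS
    plan = [first, target % MODULUS]
    prev = current
    for serial in plan:
        if not serial_gt(serial, prev):
            raise ValueError(f"hop {prev} -> {serial} is not an increase under RFC 1982")
        prev = serial
    return plan


if __name__ == "__main__":
    print(explain(2008030900, 2008062600))
    print("rollback plan:", rollback_plan(2008062600, 2008030900))
```

Between the two hops of the rollback plan, wait until every slave has actually transferred the intermediate serial; a slave that missed it will reject the final one for the same reason the servers in this thread did.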
RE: number of zones not matching
I had to do this a couple times lately .. this is the simplest way I've found. It's not elegant or nifty, but it works.

on the master:

grep zone named.conf | awk '{print $2}' | sort > master.zones

on the slave:

grep zone named.conf | awk '{print $2}' | sort > slave.zones

get the files on the same system and diff them.

Are they both running the same version of BIND?

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
Sent: Friday, March 20, 2009 3:15 PM
To: bind-users@lists.isc.org
Subject: number of zones not matching

Greetings:

My master name server says it has 102 zones but my slave says it has 98. Without going through each and comparing one with another, is there an easier way to see what's missing on the slave?

Thanks.

-- 
Best Regards,
John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016
RE: number of zones not matching
I know at some point in the recent past, BIND started loading RFC1918 zones, which can increase the zone count, even though they don't show up in named.conf. That caused me 5 minutes of wtf before I remembered. I think it was well after 9.2.2, so I'm guessing you should be safe.

t.

-Original Message-
From: John D. Vo [mailto:j...@eagle.net]
Sent: Friday, March 20, 2009 3:27 PM
To: Todd Snyder
Cc: bind-users@lists.isc.org
Subject: Re: number of zones not matching

Yes, Todd. 9.2.2.

Todd Snyder wrote:

> I had to do this a couple times lately .. this is the simplest way I've found. It's not elegant or nifty, but it works.
>
> on the master:
>
> grep zone named.conf | awk '{print $2}' | sort > master.zones
>
> on the slave:
>
> grep zone named.conf | awk '{print $2}' | sort > slave.zones
>
> get the files on the same system and diff them.
>
> Are they both running the same version of BIND?
>
> -Original Message-
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of John D. Vo
> Sent: Friday, March 20, 2009 3:15 PM
> To: bind-users@lists.isc.org
> Subject: number of zones not matching
>
> Greetings: My master name server says it has 102 zones but my slave says it has 98. Without going through each and comparing one with another, is there an easier way to see what's missing on the slave? Thanks.

-- 
Best Regards,
John D. Vo
Eagle Teleconferencing Services, Inc.
Network-System Administrator
j...@eagle.net
Office: (212) 200-2000 Ext. 105
Cell: (212) 200-3016
RE: number of zones not matching
> BIND does NOT load RFC1918 zones. The Internet-Draft that will allow that has been stalled for over a year now. Once that draft clears the working group the #if 0/#endif around the RFC 1918 zones will be removed.

Perhaps I am confused by terminology. I am referring to this:

Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 0.IN-ADDR.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 127.IN-ADDR.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 254.169.IN-ADDR.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 2.0.192.IN-ADDR.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 255.255.255.255.IN-ADDR.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: D.F.IP6.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 8.E.F.IP6.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: 9.E.F.IP6.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: A.E.F.IP6.ARPA
Mar 20 21:13:34 jump01 named[25739]: automatic empty zone: B.E.F.IP6.ARPA

Those zones add to the count of zones loaded, but will not show up in your named.conf. If people are relying on the number of zones loaded to verify that zones are available on the slaves, they need to take the automatic empty zones into consideration if they are using different versions of BIND.

Sorry if I caused confusion.

Todd.
Dumping running config/named.conf
Good morning,

We utilize a number of include files as part of our named.conf. I am looking to see if there is a clever way to dump the entire named.conf (or, even better, the entire RUNNING named.conf), which includes all the include files.

I say running config, because sometimes you do an rndc reconfig and it rejects some lines, but loads the ones that work. I'd like to be able to dump the running config (like sh run).

Cheers, Todd.
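Two of the questions above, comparing the zone lists of a master and a slave ("number of zones not matching") and dumping a named.conf whose zone statements are spread over include files, come down to the same job: expand the include directives, then pull out the zone names. The Python below is an added example, not code from this list or from ISC. Its named.conf fragments and paths are constructed in memory so that it runs offline; on a real host you would read the files instead. The set of automatic empty zones is the list from the log lines quoted earlier in the thread. A text parser can only show what the files say, not which lines the last rndc reconfig rejected, so this is a "show the configured config", not a "show run".

```python
"""Expand named.conf include directives and compare zone lists.
Added example; the configuration text below is constructed for it."""
import re

# Constructed stand-ins for /etc/named.conf and its include files on a master.
MASTER_FILES = {
    "/etc/named.conf": """
options { directory "/var/named"; };
include "/etc/named.zones.internal";
include "/etc/named.zones.customer";   // customer zones live in their own file
zone "." IN { type hint; file "named.root"; };
""",
    "/etc/named.zones.internal": """
zone "example.net" { type master; file "example.net.db"; };
zone "10.in-addr.arpa" IN { type master; file "10.db"; };
""",
    "/etc/named.zones.customer": """
zone "customer-a.example" { type master; file "a.db"; };
zone "customer-b.example" { type master; file "b.db"; };
""",
}

# ... and on a slave that is missing one customer zone.
SLAVE_FILES = {
    "/etc/named.conf": """
include "/etc/named.zones.slave";
zone "." IN { type hint; file "named.root"; };
""",
    "/etc/named.zones.slave": """
zone "EXAMPLE.NET." { type slave; masters { 192.0.2.1; }; file "example.net.db"; };
zone "10.in-addr.arpa" { type slave; masters { 192.0.2.1; }; file "10.db"; };
zone "customer-a.example" { type slave; masters { 192.0.2.1; }; file "a.db"; };
""",
}

# Zones named creates on its own (the "automatic empty zone" log lines in the
# thread); they count toward the loaded-zone total but appear in no named.conf.
AUTOMATIC_EMPTY_ZONES = {
    "0.in-addr.arpa", "127.in-addr.arpa", "254.169.in-addr.arpa",
    "2.0.192.in-addr.arpa", "255.255.255.255.in-addr.arpa",
    "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
    "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
    "d.f.ip6.arpa", "8.e.f.ip6.arpa", "9.e.f.ip6.arpa", "a.e.f.ip6.arpa", "b.e.f.ip6.arpa",
}

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"\s*;', re.M)
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"', re.M | re.I)


def expand_includes(path, files, stack=()):
    """Text of `path` with every include replaced by the included file's own
    expanded text. `files` maps path -> content (use open() on a real host).
    `stack` is the include chain, so a loop raises instead of recursing forever."""
    if path in stack:
        raise ValueError("include loop: " + " -> ".join(stack + (path,)))
    text = COMMENT_RE.sub("", files[path])
    return INCLUDE_RE.sub(
        lambda m: expand_includes(m.group(1), files, stack + (path,)), text)


def has_include_loop(path, files):
    """True if following the includes from `path` ever comes back to a file."""
    try:
        expand_includes(path, files)
    except ValueError:
        return True
    return False


def normalize(name):
    """Zone names compare case-insensitively, with or without the final dot."""
    name = name.lower().rstrip(".")
    return name or "."


def zone_names(path, files):
    """Set of zone names declared in `path` and everything it includes."""
    return {normalize(m.group(1)) for m in ZONE_RE.finditer(expand_includes(path, files))}


def compare_zone_sets(master_path, master_files, slave_path, slave_files):
    """Which zones each side declares that the other does not."""
    m = zone_names(master_path, master_files)
    s = zone_names(slave_path, slave_files)
    return {"missing_on_slave": sorted(m - s), "extra_on_slave": sorted(s - m)}


def expected_loaded_count(configured, empty_zones_enabled=True):
    """Zones named would report as loaded: the configured ones plus the
    automatic empty ones on versions that create them. (named also skips an
    empty zone when a configured zone covers it; that is simplified here to
    an exact name match.)"""
    if not empty_zones_enabled:
        return len(configured)
    return len(set(configured) | AUTOMATIC_EMPTY_ZONES)


if __name__ == "__main__":
    print(compare_zone_sets("/etc/named.conf", MASTER_FILES, "/etc/named.conf", SLAVE_FILES))
```

Normalising names before the comparison matters in practice: a slave that declares `"EXAMPLE.NET."` and a master that declares `"example.net"` serve the same zone, and a raw `diff` of the grep output would report it as missing on both sides.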
Error: isc_lex_gettoken() failed: I/O error
While running a checkzone, one of my users is getting this error:

dns_master_load: /var/named/var/named:1: isc_lex_gettoken() failed: I/O error
dns_master_load: /var/named/var/named:1: I/O error

Google isn't helping me too much. We're thinking maybe it's terminal related - a user has had success using an xterm, but me and others are using SecureCRT and have problems.

Can anyone say what this error actually means? We're a little stumped at what's going on.

Thanks! Todd.
512 byte limit
Good day,

I am struggling to get my head around the 512 byte limit with regards to DNS queries/responses. I am sure there is much in the RTFM category, and I will continue to RTFM, but I wanted to ask a couple of specific questions.

1) If a reply is over 512 bytes, which can't in theory be done via UDP, should the queried server reply telling my resolver to ask again using TCP? Assuming, as one normally should, that there are firewalls, the queried server can't simply reply TCP, as it would get blocked.

2) Further to above, are responses over 512 bytes permissible using UDP? We are seeing some firewall messages indicating that one of our FW's is getting DNS responses at 600ish bytes:

2009 Jan 21 14:03:02 -- %FWSM: Dropped UDP DNS reply from /53 to yyy/2114; packet length 660 bytes exceeds configured limit of 512 bytes

I was under the (likely mistaken) impression that over 512 wasn't allowed, but there it is ... I could very well be completely messed up regarding the rules, so please forgive my ignorance. If you know my answer is in TFM, please batter me about the head and tell me which FM at least :)

Cheers, Todd.
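Two protocol facts answer the questions in this post. A server whose reply does not fit the client's UDP limit sends what fits with the TC (truncated) bit set, and the resolver retries the same query over TCP; the server never switches transports on its own. And EDNS0 (RFC 6891) lets a client advertise a larger UDP buffer in an OPT pseudo-record appended to the query, so a 660-byte UDP reply is legitimate when the client asked for it, which is why a firewall pinned to the RFC 1035 figure of 512 drops it. The Python below is an added example, not from the thread: it builds a query with and without the OPT record, reads the advertised size back out of the wire format, and shows what a resolver does with a constructed truncated reply and what a fixed-limit firewall does with a constructed 660-byte one. The reply bodies are zero filler, not real resource records.

```python
"""DNS message size handling: the 512-byte UDP default, the TC bit, and the
EDNS0 OPT record. Added example with constructed messages; no network I/O."""
import random
import struct

CLASSIC_UDP_LIMIT = 512           # RFC 1035 ceiling for UDP messages without EDNS0
EDNS_OPT_TYPE = 41                # OPT pseudo-RR type (RFC 6891)
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, udp_payload=None, txid=None):
    """Query for qname/qtype (class IN). With udp_payload set, append an OPT
    record whose CLASS field advertises how large a UDP reply the sender
    accepts; without one a responder must assume 512 bytes."""
    txid = random.randrange(1 << 16) if txid is None else txid
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if udp_payload else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if udp_payload:
        # OPT: NAME=root (0x00), TYPE=41, CLASS=UDP payload size,
        # TTL=extended RCODE/version/flags (all zero here), RDLENGTH=0
        msg += b"\x00" + struct.pack("!HHIH", EDNS_OPT_TYPE, udp_payload, 0, 0)
    return msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name that starts at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n


def advertised_udp_size(msg):
    """UDP payload size carried in the message's OPT record, else 512."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == EDNS_OPT_TYPE:
            return rclass
    return CLASSIC_UDP_LIMIT


def build_reply(query, truncated, size):
    """Constructed reply of exactly `size` bytes: the query's ID and question,
    the TC flag as requested, and zero filler standing in for answer RRs."""
    txid = parse_header(query)["id"]
    flags = FLAG_QR | FLAG_RD | (FLAG_TC if truncated else 0)
    qend = skip_name(query, 12) + 4
    head = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:qend]
    if size < len(head):
        raise ValueError("size smaller than header plus question")
    return head + b"\x00" * (size - len(head))


def resolver_action(query, reply):
    """What a resolver does with a UDP reply: a truncated one is retried over TCP."""
    h = parse_header(reply)
    if h["id"] != parse_header(query)["id"]:
        return "discard: ID mismatch"
    if not h["qr"]:
        return "discard: not a response"
    if h["tc"]:
        return "retry over TCP"
    return "use answer"


def firewall_verdict(reply, inspection_limit=CLASSIC_UDP_LIMIT):
    """A DNS-inspecting firewall with a fixed maximum UDP reply length."""
    if len(reply) > inspection_limit:
        return (f"drop: packet length {len(reply)} bytes exceeds configured "
                f"limit of {inspection_limit} bytes")
    return "pass"


if __name__ == "__main__":
    q = build_query("example.com", udp_payload=4096, txid=0x1234)
    big = build_reply(q, truncated=False, size=660)
    print(advertised_udp_size(q), resolver_action(q, big), firewall_verdict(big))
```

The firewall in the post is dropping the reply rather than the server misbehaving: the client advertised a buffer larger than 512, the server honoured it, and the middlebox enforced the pre-EDNS0 figure. Raising the inspection limit (or passing TCP/53 so the TC fallback actually works) is the fix on the firewall side; the DNS side is already correct.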
RE: Any options in named.conf to force recursion?
If you don't host any zones on the server, then it would always recurse, no? The server will always answer for zones it's authoritative for, as far as my understanding. You might need to explain more about your configuration/desired outcome than you currently have.

Todd.

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of anand.ba...@gmail.com
Sent: Monday, January 12, 2009 5:02 PM
To: comp-protocols-dns-b...@isc.org
Subject: Re: Any options in named.conf to force recursion?

I know that by default recursion is yes (recursion yes; ). I would like to know if it is possible to enforce recursion for all the DNS queries going out of the host on which the named is configured.

Thanks
Anand

On Jan 12, 2:55 pm, anand.ba...@gmail.com wrote:
> Is there an option for use in named.conf to force recursion?
RE: Fresh (non cached) dig
I've been doing some testing lately on query times. What I did was create a new zone and create a * record within it. Then, from a shell, I do:

dig @server $RANDOM.test.testdomain.com

For more randomness, you can combine:

dig @server $RANDOM.$RANDOM.test.testdomain.com

That's how I've worked around the caching issue. I also set the TTL on the * record to be 1 second, to ensure that I don't hit any cache.

Cheers, Todd.

> If you're referring to your local system's cache, you can bypass this by specifying a DNS server for dig to query. use @dns.server.domain or @4.2.2.2 (for example) for this.
>
> If you're referring to the cache on the server you're trying to query, sorry, that's beyond your control, unless you have root on that server.
>
> -wes
>
> On Fri, Jan 2, 2009 at 12:11 PM, Stephen Ward stephen.usenet.w...@wibblywobblyteapot.co.uk wrote:
>
>> For all my attempts to read the manual on DIG I can't find a way to do something really simple.
>>
>> Is there a way to dig a domain name so even if the results are in cache, it will ignore these and re-read them? It's really from a testing perspective I'm looking at this. I can mash the keyboard each time to try and get a better handle on the query time, but there has got to be an easy way to do this?
>>
>> -- . . .

I had a feeling forcing lookups against other servers was all I could do. Problem is, once you've done that it's cached there too. Not a major issue, just wanted to be sure it was not easily doable.

-- . . .
RE: recursion for reverse/in-addr.arpa zones
On our slave, there are no specific declarations for the 10.131.10 zone, or even 10.131, just 10. On the server we're slaving off of, there would probably be more, but I don't know as I'm not in control of that server/servers.

Will reverse lookups by default continue to look for more specific domains, recursing as necessary? If so, how far will it go? I'm slaving an A class, and it went and found a C. If we'd had the B declared, would it have stopped there, or kept going?

This behaviour seems odd to me, and I've not been able to find information about this behaviour in the book(s).

Merci!

Todd.

From: Ben Croswell [mailto:ben.crosw...@gmail.com]
Sent: Thursday, December 11, 2008 5:15 PM
To: Todd Snyder
Cc: bind-us...@isc.org
Subject: Re: recursion for reverse/in-addr.arpa zones

Are there NS records and/or zone forwarding for the 10.131.10.0? If there is, the servers will look to the most specific domain.

-- 
-Ben Croswell

On Thu, Dec 11, 2008 at 4:38 PM, Todd Snyder tsny...@rim.com wrote:

> Good day,
>
> We are working on an odd issue. I can provide more detail as necessary, but don't want to fill this email with snips of useless stuff. All IPs/names provided are made up, as they don't matter in this problem as far as I can tell. This is more a functional question than a specific operating question.
>
> We have 2 servers acting as a slave for the zone 10.in-addr.arpa. The master(s) for this server are 2 Windows AD servers. Our servers (all bind9.4 of some variety) are doing zone transfers fine, and we're getting whatever is in the zone.
>
> We've run in to a couple IPs that when we dig them on these slaves, they are timing out. They are in a specific location, which we have determined are firewalled differently. For example, we are doing a dig for 10.131.10.1 against these 2 different locations. In one location, we get an answer quickly. In the other, it times out. The problem in our case is that in one location, the slave we're querying can't reach anything but the masters.
>
> What we've figured out is that the 10.in-addr.arpa zone doesn't contain EVERY 10. address we thought, but is missing some. In this case, our slaved zone doesn't have 10.131.10.1. But, instead of the slave server (which should be authoritative) returning an "I don't know" error, it appears to be doing a recursive query. Against what, we're not 100% sure of yet. Well, we know which server, because DIG tells us, but we aren't sure why that one. When I look at the 10.in-addr.arpa zone, there are approximately 20 NS records for other AD servers. My speculation is that the slave we're querying is recursively looking to one of the servers returned in the additional section?
>
> This behaviour seems odd to us, and therein lies my question. Does doing a reverse lookup (dig -x) cause the queried server to behave differently than a forward lookup? My slave server is technically authoritative for the 10.in-addr.arpa zone, but it is still recursively going to another server to find an answer. Why? Is this because we have defined the zone as 10.in-addr.arpa instead of creating/slaving more specific zones (ie: 10.131.10.in-addr.arpa)? How can we control this behaviour?
>
> Thank you for any light you can shed on this - we're confident we know what is going on, but we can't figure out why the server behaves differently for reverse zones than it would for forward zones.
>
> Cheers,
>
> Todd.
>
> --
> Todd Snyder
> Data Networks Tools
> bb.226.338.2617
> Always On, Always Connected.
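What this thread describes is a zone cut, and it has nothing to do with reverse versus forward lookups. The 10.in-addr.arpa zone the slaves hold carries NS records that delegate parts of the space (131.10.in-addr.arpa, say) to other servers, so for a name under that cut the slave is not authoritative even though it holds the parent zone. With recursion enabled, named follows the delegation on the client's behalf, which is the "recursive query to some AD server" seen in dig; with recursion disabled it hands back the referral instead; and a server that slaves the child zone itself answers from it directly. The Python below is an added example, not code from the thread or from BIND: a toy authoritative lookup over a constructed zone (names and addresses made up) that shows the answer, NXDOMAIN, NODATA and delegation cases, including a record that sits below a cut and is therefore never served by the parent.

```python
"""Toy authoritative lookup showing zone cuts inside a reverse zone.
Added example; the zone contents are constructed, not from the thread."""

APEX = "10.in-addr.arpa"

# owner name -> {rrtype: [rdata, ...]}; hosts and addresses are made up.
ZONE = {
    "10.in-addr.arpa": {
        "SOA": ["ad1.example.corp. hostmaster.example.corp. 2008062600 3600 900 604800 300"],
        "NS": ["ad1.example.corp.", "ad2.example.corp."],
    },
    "1.1.10.in-addr.arpa": {"PTR": ["gw.example.corp."]},
    # Delegation: everything under 10.131/16 belongs to another server.
    "131.10.in-addr.arpa": {"NS": ["ad-site7.example.corp."]},
    # Data below a cut is occluded: the parent zone never serves it.
    "5.131.10.in-addr.arpa": {"PTR": ["stale.example.corp."]},
}


def reverse_name(ip):
    """10.131.10.1 -> 1.10.131.10.in-addr.arpa (what dig -x asks for)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def is_subdomain(name, apex):
    return name == apex or name.endswith("." + apex)


def enclosing_names(name, apex):
    """Names from `name` up to and including `apex`, closest first."""
    labels = name.split(".")
    depth = len(labels) - len(apex.split("."))
    return [".".join(labels[i:]) for i in range(depth + 1)]


def lookup(qname, qtype, zone=ZONE, apex=APEX, recursion=True):
    """Answer as a server authoritative for `apex` would. 'kind' is one of
    answer, nodata, nxdomain, referral, chase delegation, recurse, refused;
    'aa' says whether the reply is authoritative."""
    qname = qname.lower().rstrip(".")
    if not is_subdomain(qname, apex):
        # Not our zone at all: a recursive server resolves it elsewhere.
        return {"kind": "recurse" if recursion else "refused", "aa": False}
    # Walk from just below the apex toward qname; the first name carrying NS
    # records is a zone cut, and our authority ends there. The apex's own NS
    # set is excluded because it names this zone's servers, not a child's.
    for name in reversed(enclosing_names(qname, apex)[:-1]):
        if "NS" in zone.get(name, {}):
            return {"kind": "chase delegation" if recursion else "referral",
                    "aa": False, "cut": name, "ns": zone[name]["NS"]}
    rrsets = zone.get(qname)
    if rrsets is None:
        return {"kind": "nxdomain", "aa": True}
    if qtype not in rrsets:
        return {"kind": "nodata", "aa": True}
    return {"kind": "answer", "aa": True, "rrset": rrsets[qtype]}


if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.131.10.1", "10.7.7.7"):
        print(ip, lookup(reverse_name(ip), "PTR"))
```

The slave in the firewalled location times out rather than returning a referral because, with recursion on, it tries to contact the delegated server and cannot reach it. Either answer to the "how can we control this" question works: `recursion no` (or an allow-recursion ACL that excludes those clients) makes it return the referral with aa=0, and slaving 10.131.10.in-addr.arpa as well makes it authoritative for the names under the cut.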