HA: RE: BIND 9 windows XP builds
Hello all. Regarding the "critical mass": I'm the one who downloads BIND from XP box and I do it just to set it up on internal Linux machine. The reason to use XP as PC OS is company's policy and lack of money after all. :) P. S.: I can not imagine any user of BIND to even try to run it from Windows machine but I think if it is possible to provide Windows XP builds and there are still plenty of BIND users running Windows XP (Even if it is botnets. Bontnet is just a piece of software like Windows XP or BIND. Why do you want to drop botnet support?) there is a reason to build binaries for Windows XP. Still it is all about money. Not everyone are able to pay Microsoft for the new OS. And there might be legacy software too. Why do users have to update and break everything if it works for them? So, my final answer is: "Don't drop the Windows XP binaries if it's technically possible to build them." -- With best regards, Igor Chudov. Tel.: +7 937 266-51-34 От: "Darcy Kevin (FCA)"Кому: "bind-users@lists.isc.org" , Дата: 19.04.2017 02:59 Тема: RE: BIND 9 windows XP builds Отправитель: "bind-users" I guess I'm not so worried about a non-Internet-connected Windows XP box forwarding to an Internet-connected box that's running a modern (preferably non-Windows) OS. Assuming that the BIND versions are patched up to date, of course. To be sure, all things must come to end, and XP support for BIND is no exception. But, the risk calculation runs something like: is there still enough critical mass of BIND-on-XP out there that there is a *bigger* risk incurred by no longer incorporating new security updates, or, has the population dwindled to the point where *only* the withdrawal of support will get the remainder to upgrade/replace/refresh their XP boxes? - Kevin -Original Message- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Paul Kosinski Sent: Tuesday, April 18, 2017 5:09 PM To: bind-users@lists.isc.org Subject: Re: BIND 9 windows XP builds Yes, I suppose not every machine running BIND is connected to the Internet. But how many are network inaccessible to every machine that *is* connected to the Internet and might be compromised? We run a local BIND for our LAN to avoid HOSTS files, but that same machine is connected to the Internet -- and runs a different instance of BIND to be authoritative for our domain. (No, not a separate machine, it's a very small installation.) So, how many BINDs are completely isolated from the Internet, even under transitive closure of the internal network? It's surely a proper subset of all instances of BIND, but I doubt if it's other than a quite small subset. On Tue, 18 Apr 2017 17:22:24 + "Darcy Kevin (FCA)" wrote: > Unspoken and false assumption: that every machine running BIND is > connected to the Internet. > > I'm no fan of old, broken Microsoft OSes (or even the newer ones, for > that matter), but let's be clear here: BIND is for anyone who doesn't > want to maintain a "hosts" file. "Connected to the Internet" is a much > smaller subset of *that* set. > >- Kevin > > -Original Message- > From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf > Of Paul Kosinski Sent: Monday, April 17, 2017 9:08 PM > To: bind-users@lists.isc.org > Subject: Re: BIND 9 windows XP builds > > I can see somebody running XP for some "legacy" software that doesn't > run nicely on newer versions of Windows, but I would think it > extremely risky to have such a machine connected to the Internet. > > Maybe whoever runs BIND on XP should consider converting that machine > to Linux, and running BIND on Linux? > > > On Mon, 17 Apr 2017 20:30:43 + > Evan Hunt wrote: > > > Greetings, > > > > For some time ISC has been providing three Windows builds for each > > release of BIND 9: x64, win32, and windows XP. > > > > Windows XP is well past its end of life and is no longer receiving > > security updates. I'd like to stop supporting it after the upcoming > > maintenance release, but it's been pointed out to me that a > > significant number of people -- many thousands -- are downloading > > the XP version every time we put out a new release. > > > > This information surprised me. If you're one of those people, would > > you mind responding, either on or off the list, to discuss it? Why > > are you using XP to run a name server? Is it possible you're still > > using the XP build out of inertia, but your OS would work equally > > well with the win32 build? If you're really still running XP, do > > you have a plan for transitioning to something newer? > > > > We want to support the needs of our users, but to do that we have to > > understand those needs, so please let us know what yours are. > > Thanks, > > > > -- > >
Troubleshooting BIND stops responding
Greetings to everyone! I'm an engineer at local ISP and we have to provide 2 DNS servers running BIND for our clients. We have logs full of various BIND errors but are unable to gain full understanding of the problem. The main problem is that the BIND at 213.80.236.18 sometimes stops responding after working fine for about a week. Then BIND just doesn't return any responses and we have to restart it. There is a suspicion of a weak (because other services are running normally) DoS attack but I don't know the right way to determine if it is so or not. I would be glad if anyone be so kind to help us to solve this issue. The machines have the IPv4 addresses: 217.23.80.4 (BIND version 9.9.4) and 213.80.236.18 (BIND version 9.9.5-r3) and have to resolve hostnames only for ISP customers (and refuse to resolve for others) BUT we want to be able to resolve our specific zones like vtt.net for anybody trying in case of authoritative nameserver failures. I can post the configuration files like citation/attachment if it's appropriate. And here is log samples from 213.80.236.18: dns_more.log (configured as "channel enhlog/severity info;"): 30-Mar-2017 08:19:31.001 rate-limit: stop limiting NXDOMAIN responses to 213.80.210.0/24 for . () 30-Mar-2017 08:19:38.822 resolver: DNS format error from 173.245.59.100#53 resolving 82.51.18.104.in-addr.arpa/PTR for client 188.168.243.125#15693: Name 104.in-addr.arpa (SOA) not subdomain of zone 18.104.in-addr.arpa -- invalid response 30-Mar-2017 08:19:38.840 resolver: DNS format error from 173.245.58.100#53 resolving 82.51.18.104.in-addr.arpa/PTR for client 188.168.243.125#15693: Name 104.in-addr.arpa (SOA) not subdomain of zone 18.104.in-addr.arpa -- invalid response 30-Mar-2017 08:19:51.428 resolver: clients-per-query decreased to 19 30-Mar-2017 08:19:54.725 resolver: DNS format error from 205.251.192.232#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response 30-Mar-2017 08:19:54.786 resolver: DNS format error from 205.251.195.198#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response 30-Mar-2017 08:19:54.848 resolver: DNS format error from 2600:9000:5307:5600::1#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response 30-Mar-2017 08:19:54.925 resolver: DNS format error from 2600:9000:5304:6600::1#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response 30-Mar-2017 08:19:54.998 resolver: DNS format error from 2600:9000:5300:e800::1#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response 30-Mar-2017 08:19:55.060 resolver: DNS format error from 2600:9000:5303:c600::1#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response process.log (configured as "channel process/severity notice;"): 29-Nov-2016 07:09:28.266 xfer-in: transfer of 'rpz/IN/global' from 217.23.80.2#53: failed while receiving responses: connection reset 15-Dec-2016 09:56:41.637 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 10:23:37.125 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 10:53:32.581 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 11:20:08.997 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 11:49:11.461 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 12:20:39.845 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 12:48:14.245 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 13:21:37.708 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 15-Dec-2016 13:55:00.133 xfer-in: transfer of './IN/root' from 2001:500:2f::f#53: failed to connect: timed out 12-Mar-2017 09:25:09.993 xfer-in: transfer of './IN/root' from 2620:0:2830:202::132#53: failed while receiving responses: end of file security.log (configured as "channel security/severity info;"): 30-Mar-2017 08:21:57.558 lame-servers: error (unexpected RCODE REFUSED) resolving 'echo-nl03.calyptra-soft.net/A/IN': 62.212.78.199#53 30-Mar-2017 08:21:57.630 lame-servers: error (unexpected RCODE REFUSED) resolving 'echo-nl03.calyptra-soft.net/A/IN': 83.149.64.123#53 30-Mar-2017 08:21:57.696 lame-servers: error (unexpected RCODE REFUSED) resolving '22.178.87.223.in-addr.arpa/PTR/IN':