HA: RE: BIND 9 windows XP builds

2017-04-18 Thread i . chudov
Hello all.

Regarding the "critical mass": I'm the one who downloads BIND from an XP box, 
and I do it just to set it up on an internal Linux machine. The reason to use 
XP as the PC OS is the company's policy and lack of money, after all. :)

P. S.: I cannot imagine any user of BIND even trying to run it from a 
Windows machine, but I think that if it is possible to provide Windows XP 
builds, and there are still plenty of BIND users running Windows XP (even if 
they are botnets; a botnet is just a piece of software like Windows XP or 
BIND, so why do you want to drop botnet support?), then there is a reason to 
build binaries for Windows XP. Still, it is all about money. Not everyone is 
able to pay Microsoft for a new OS. And there might be legacy software too. 
Why do users have to update and break everything if it works for them? So, my 
final answer is: "Don't drop the Windows XP binaries if it's technically 
possible to build them."
--
With best regards, Igor Chudov.
Tel.: +7 937 266-51-34



From:
"Darcy Kevin (FCA)" 
To:
"bind-users@lists.isc.org" , 
Date:
19.04.2017 02:59
Subject:
RE: BIND 9 windows XP builds
Sender:
"bind-users" 



I guess I'm not so worried about a non-Internet-connected Windows XP box 
forwarding to an Internet-connected box that's running a modern 
(preferably non-Windows) OS. Assuming that the BIND versions are patched 
up to date, of course.

To be sure, all things must come to end, and XP support for BIND is no 
exception. But, the risk calculation runs something like: is there still 
enough critical mass of BIND-on-XP out there that there is a *bigger* risk 
incurred by no longer incorporating new security updates, or, has the 
population dwindled to the point where *only* the withdrawal of support 
will get the remainder to upgrade/replace/refresh their XP boxes?

 - Kevin



-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of 
Paul Kosinski
Sent: Tuesday, April 18, 2017 5:09 PM
To: bind-users@lists.isc.org
Subject: Re: BIND 9 windows XP builds

Yes, I suppose not every machine running BIND is connected to the 
Internet. But how many are network inaccessible to every machine that
*is* connected to the Internet and might be compromised?

We run a local BIND for our LAN to avoid HOSTS files, but that same 
machine is connected to the Internet -- and runs a different instance of 
BIND to be authoritative for our domain. (No, not a separate machine, it's 
a very small installation.)

So, how many BINDs are completely isolated from the Internet, even under 
transitive closure of the internal network? It's surely a proper subset of 
all instances of BIND, but I doubt if it's other than a quite small 
subset.


On Tue, 18 Apr 2017 17:22:24 +
"Darcy Kevin (FCA)"  wrote:

> Unspoken and false assumption: that every machine running BIND is 
> connected to the Internet.
> 
> I'm no fan of old, broken Microsoft OSes (or even the newer ones, for 
> that matter), but let's be clear here: BIND is for anyone who doesn't 
> want to maintain a "hosts" file. "Connected to the Internet" is a much 
> smaller subset of *that* set.
> 
>- Kevin
> 
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf 
> Of Paul Kosinski Sent: Monday, April 17, 2017 9:08 PM
> To: bind-users@lists.isc.org
> Subject: Re: BIND 9 windows XP builds
> 
> I can see somebody running XP for some "legacy" software that doesn't 
> run nicely on newer versions of Windows, but I would think it 
> extremely risky to have such a machine connected to the Internet.
> 
> Maybe whoever runs BIND on XP should consider converting that machine 
> to Linux, and running BIND on Linux?
> 
> 
> On Mon, 17 Apr 2017 20:30:43 +
> Evan Hunt  wrote:
> 
> > Greetings,
> > 
> > For some time ISC has been providing three Windows builds for each 
> > release of BIND 9: x64, win32, and windows XP.
> > 
> > Windows XP is well past its end of life and is no longer receiving 
> > security updates.  I'd like to stop supporting it after the upcoming 
> > maintenance release, but it's been pointed out to me that a 
> > significant number of people -- many thousands -- are downloading 
> > the XP version every time we put out a new release.
> > 
> > This information surprised me. If you're one of those people, would 
> > you mind responding, either on or off the list, to discuss it?  Why 
> > are you using XP to run a name server?  Is it possible you're still 
> > using the XP build out of inertia, but your OS would work equally 
> > well with the win32 build?  If you're really still running XP, do 
> > you have a plan for transitioning to something newer?
> > 
> > We want to support the needs of our users, but to do that we have to 
> > understand those needs, so please let us know what yours are.
> > Thanks,
> > 
> > --
> > 

Troubleshooting BIND stops responding

2017-03-29 Thread i . chudov
Greetings to everyone!

I'm an engineer at a local ISP, and we have to provide 2 DNS servers running 
BIND for our clients. We have logs full of various BIND errors but are 
unable to gain a full understanding of the problem. The main problem is that 
the BIND at 213.80.236.18 sometimes stops responding after working fine 
for about a week. Then BIND just doesn't return any responses and we have 
to restart it. There is a suspicion of a weak DoS attack (weak because other 
services are running normally), but I don't know the right way to determine 
whether that is so. I would be glad if anyone would be so kind as to help us 
solve this issue.

The machines have the IPv4 addresses 217.23.80.4 (BIND version 9.9.4) and 
213.80.236.18 (BIND version 9.9.5-r3) and have to resolve hostnames only 
for ISP customers (and refuse to resolve for others), BUT we want to be 
able to resolve our specific zones like vtt.net for anybody trying, in case 
of authoritative nameserver failures.

I can post the configuration files as a citation/attachment if it's 
appropriate.

And here are log samples from 213.80.236.18:
dns_more.log (configured as "channel enhlog/severity info;"):
30-Mar-2017 08:19:31.001 rate-limit: stop limiting NXDOMAIN responses to 
213.80.210.0/24 for .  ()
30-Mar-2017 08:19:38.822 resolver: DNS format error from 173.245.59.100#53 
resolving 82.51.18.104.in-addr.arpa/PTR for client 188.168.243.125#15693: 
Name 104.in-addr.arpa (SOA) not subdomain of zone 18.104.in-addr.arpa -- 
invalid response
30-Mar-2017 08:19:38.840 resolver: DNS format error from 173.245.58.100#53 
resolving 82.51.18.104.in-addr.arpa/PTR for client 188.168.243.125#15693: 
Name 104.in-addr.arpa (SOA) not subdomain of zone 18.104.in-addr.arpa -- 
invalid response
30-Mar-2017 08:19:51.428 resolver: clients-per-query decreased to 19
30-Mar-2017 08:19:54.725 resolver: DNS format error from 
205.251.192.232#53 resolving now.dolphin.com/ for client 
100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone 
now.dolphin.com -- invalid response
30-Mar-2017 08:19:54.786 resolver: DNS format error from 
205.251.195.198#53 resolving now.dolphin.com/ for client 
100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone 
now.dolphin.com -- invalid response
30-Mar-2017 08:19:54.848 resolver: DNS format error from 
2600:9000:5307:5600::1#53 resolving now.dolphin.com/ for client 
100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone 
now.dolphin.com -- invalid response
30-Mar-2017 08:19:54.925 resolver: DNS format error from 
2600:9000:5304:6600::1#53 resolving now.dolphin.com/ for client 
100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone 
now.dolphin.com -- invalid response
30-Mar-2017 08:19:54.998 resolver: DNS format error from 
2600:9000:5300:e800::1#53 resolving now.dolphin.com/ for client 
100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone 
now.dolphin.com -- invalid response
30-Mar-2017 08:19:55.060 resolver: DNS format error from 
2600:9000:5303:c600::1#53 resolving now.dolphin.com/ for client 
100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone 
now.dolphin.com -- invalid response

process.log (configured as "channel process/severity notice;"):
29-Nov-2016 07:09:28.266 xfer-in: transfer of 'rpz/IN/global' from 
217.23.80.2#53: failed while receiving responses: connection reset
15-Dec-2016 09:56:41.637 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 10:23:37.125 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 10:53:32.581 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 11:20:08.997 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 11:49:11.461 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 12:20:39.845 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 12:48:14.245 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 13:21:37.708 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
15-Dec-2016 13:55:00.133 xfer-in: transfer of './IN/root' from 
2001:500:2f::f#53: failed to connect: timed out
12-Mar-2017 09:25:09.993 xfer-in: transfer of './IN/root' from 
2620:0:2830:202::132#53: failed while receiving responses: end of file

security.log (configured as "channel security/severity info;"):
30-Mar-2017 08:21:57.558 lame-servers: error (unexpected RCODE REFUSED) 
resolving 'echo-nl03.calyptra-soft.net/A/IN': 62.212.78.199#53
30-Mar-2017 08:21:57.630 lame-servers: error (unexpected RCODE REFUSED) 
resolving 'echo-nl03.calyptra-soft.net/A/IN': 83.149.64.123#53
30-Mar-2017 08:21:57.696 lame-servers: error (unexpected RCODE REFUSED) 
resolving '22.178.87.223.in-addr.arpa/PTR/IN':
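As an added example (not part of the thread, and not ISC's code), here is a small Python script that reads BIND channel log lines like the ones above and counts the signals that matter for a "resolver stops answering" complaint: which client prefix triggered response-rate-limiting, how far named tuned clients-per-query down, and which clients and upstream servers were involved in the "DNS format error" chases. The sample lines are copied from the excerpt above and re-joined onto single lines; the regexes assume BIND 9.9's default print-time/print-category channel layout.

```python
import re
from collections import Counter

# Constructed sample: lines from the post's log excerpt, one entry per line.
SAMPLE_LOG = """\
30-Mar-2017 08:19:31.001 rate-limit: stop limiting NXDOMAIN responses to 213.80.210.0/24 for .  ()
30-Mar-2017 08:19:38.822 resolver: DNS format error from 173.245.59.100#53 resolving 82.51.18.104.in-addr.arpa/PTR for client 188.168.243.125#15693: Name 104.in-addr.arpa (SOA) not subdomain of zone 18.104.in-addr.arpa -- invalid response
30-Mar-2017 08:19:51.428 resolver: clients-per-query decreased to 19
30-Mar-2017 08:19:54.725 resolver: DNS format error from 205.251.192.232#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response
30-Mar-2017 08:19:54.848 resolver: DNS format error from 2600:9000:5307:5600::1#53 resolving now.dolphin.com/ for client 100.64.36.162#32772: Name dolphin.com (SOA) not subdomain of zone now.dolphin.com -- invalid response
30-Mar-2017 08:21:57.558 lame-servers: error (unexpected RCODE REFUSED) resolving 'echo-nl03.calyptra-soft.net/A/IN': 62.212.78.199#53
"""

LINE_RE = re.compile(r"^(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) ([\w-]+): (.*)$")
FMT_ERR_RE = re.compile(r"DNS format error from (\S+)#\d+ resolving (\S+) for client (\S+)#\d+")
RRL_RE = re.compile(r"(limit|stop limiting) (\S+) responses to (\S+)")  # 'limit ...' opens an RRL episode
CPQ_RE = re.compile(r"clients-per-query (?:increased|decreased) to (\d+)")

def summarize(log_text):
    """Count, per category, the signals that matter when a resolver stops answering."""
    s = {"categories": Counter(), "format_errors_by_client": Counter(),
         "format_errors_by_upstream": Counter(), "rrl_events": [], "clients_per_query": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m: continue               # wrapped continuation or foreign line: skip
        _ts, category, msg = m.groups()
        s["categories"][category] += 1
        fe = FMT_ERR_RE.match(msg)
        if fe:                           # an authority answered with a bogus SOA: record who asked and who answered
            upstream, _qname, client = fe.groups()
            s["format_errors_by_client"][client] += 1
            s["format_errors_by_upstream"][upstream] += 1
        rrl = RRL_RE.match(msg)
        if rrl:                          # response-rate-limiting engaged for a client prefix
            s["rrl_events"].append(rrl.groups())
        cpq = CPQ_RE.match(msg)
        if cpq:                          # named shrinking clients-per-query: many clients queued on the same lookups
            s["clients_per_query"].append(int(cpq.group(1)))
    return s

def assess(s):
    """Translate the counts into the checks an operator would make next."""
    notes = []
    for action, rcode, prefix in s["rrl_events"]:
        notes.append(f"RRL '{action}' {rcode} responses to {prefix}: review the query mix from that block")
    if s["clients_per_query"]:
        notes.append(f"clients-per-query fell to {min(s['clients_per_query'])}: recursive queue is congested")
    for client, n in s["format_errors_by_client"].most_common(1):
        notes.append(f"{client} drove {n} lookups that ended in malformed upstream answers")
    return notes
```

Run it against the full dns_more.log rather than the excerpt: a prefix that keeps appearing in rrl_events, or a clients-per-query value that only ever decreases, is what separates a query flood from ordinary upstream breakage.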