Re: Bogus Wild Card DNS
Stacey Marshall writes: The master NS would only need to load the root.zone file, Other name servers within the private network would load the hint file. That was it! The bogus DNS now does it's special resolution like it should. Many thanks. Martin McCormick ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bogus Wild Card DNS
On 11 April 2011 14:04, Martin McCormick mar...@x.it.okstate.edu wrote: Stacey Marshall writes: I'm not certain as to what it is your trying to do exactly, but the hint zone should provide addresses of root servers. One of which will be contacted to download the list of root nameservers. This is a special-purpose DNS used for network registration in which unauthenticated clients can only get either a registration server or a few lookups to places like Apple and Microsoft to download patches before we let them on the production network. It is not meant to be the least bit normal as far as the usual application of DNS goes. the hint zone basically serves itself as root. Fair enough, the root server listed in the fake list would also need to load the zone, for example: zone . in { type hint; file root.hint; }; zone . in { type master; file root.zone; } The hint file has a format that simply lists the Address and PTR records, as observed from a simple dig | grep -v '^;', for example: . 518400 IN NS our.fake.root. our.fake.root. 360 IN A 192.168.0.1 The actual master zone must have the SOA, NS records, glue and the wildcard. Hope that helps. Stace ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bogus Wild Card DNS
http://netreg.sourceforge.net/ The howto on that page has detailed setup for faked root. Schilling On Fri, Apr 8, 2011 at 10:58 AM, Martin McCormick mar...@dc.cis.okstate.edu wrote: I am trying to set up bind9.7.2P3 in a special manner such as is used in network registration setups in which named always returns the address of a registration server except for a few other domains that supply updates and antivirus scans, etc. In this case, I have microsoft.com as the one allowed domain and everything else should return the wild card A record. What is happening right now is that the one special allowed domain works fine and all else returned a SERVFAIL rather than resolving to what will eventually be the registration server. The microsoft allowed zone is defined in named.conf with forwarders My understanding is that the only real zone one needs is the hint zone or . and here is mine: @ IN NS netreg.it.okstate.edu. microsoft.com. IN NS netreg.it.okstate.edu. * IN A 139.78.6.193 Why am I not getting resolution to 139.78.6.193 for any other query? The log isn't complaining about much of anything but any query that is not microsoft returns that SERVFAIL message. I must remind anybody experimenting with something like this to be sure to put a bogus DNS clause in your functional production DNS's so that anything that might somehow leak out of this experiment is treated as junk and ignored. Many thanks. Martin McCormick WB5AGZ Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bogus Wild Card DNS
On 11 April 2011 17:56, Stacey Marshall stacey.marsh...@gmail.com wrote: On 11 April 2011 14:04, Martin McCormick mar...@x.it.okstate.edu wrote: Stacey Marshall writes: I'm not certain as to what it is your trying to do exactly, but the hint zone should provide addresses of root servers. One of which will be contacted to download the list of root nameservers. This is a special-purpose DNS used for network registration in which unauthenticated clients can only get either a registration server or a few lookups to places like Apple and Microsoft to download patches before we let them on the production network. It is not meant to be the least bit normal as far as the usual application of DNS goes. the hint zone basically serves itself as root. Fair enough, the root server listed in the fake list would also need to load the zone, for example: zone . in { type hint; file root.hint; }; zone . in { type master; file root.zone; } actually, that's not correct! The master NS would only need to load the root.zone file, Other name servers within the private network would load the hint file. Stace The hint file has a format that simply lists the Address and PTR records, as observed from a simple dig | grep -v '^;', for example: . 518400 IN NS our.fake.root. our.fake.root. 360 IN A 192.168.0.1 The actual master zone must have the SOA, NS records, glue and the wildcard. Hope that helps. Stace ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bogus Wild Card DNS
I'm not certain as to what it is your trying to do exactly, but the hint zone should provide addresses of root servers. One of which will be contacted to download the list of root nameservers. Wildcard address are really not very nice as they make resolver searches ineffective when unexpected addresses are returned. Regards, Stace On 8 April 2011 15:58, Martin McCormick mar...@dc.cis.okstate.edu wrote: I am trying to set up bind9.7.2P3 in a special manner such as is used in network registration setups in which named always returns the address of a registration server except for a few other domains that supply updates and antivirus scans, etc. In this case, I have microsoft.com as the one allowed domain and everything else should return the wild card A record. What is happening right now is that the one special allowed domain works fine and all else returned a SERVFAIL rather than resolving to what will eventually be the registration server. The microsoft allowed zone is defined in named.conf with forwarders My understanding is that the only real zone one needs is the hint zone or . and here is mine: @ IN NS netreg.it.okstate.edu. microsoft.com. IN NS netreg.it.okstate.edu. * IN A 139.78.6.193 Why am I not getting resolution to 139.78.6.193 for any other query? The log isn't complaining about much of anything but any query that is not microsoft returns that SERVFAIL message. I must remind anybody experimenting with something like this to be sure to put a bogus DNS clause in your functional production DNS's so that anything that might somehow leak out of this experiment is treated as junk and ignored. Many thanks. Martin McCormick WB5AGZ Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Bogus Wild Card DNS
I am trying to set up bind9.7.2P3 in a special manner such as is used in network registration setups in which named always returns the address of a registration server except for a few other domains that supply updates and antivirus scans, etc. In this case, I have microsoft.com as the one allowed domain and everything else should return the wild card A record. What is happening right now is that the one special allowed domain works fine and all else returned a SERVFAIL rather than resolving to what will eventually be the registration server. The microsoft allowed zone is defined in named.conf with forwarders My understanding is that the only real zone one needs is the hint zone or . and here is mine: @ IN NS netreg.it.okstate.edu. microsoft.com. IN NS netreg.it.okstate.edu. * IN A 139.78.6.193 Why am I not getting resolution to 139.78.6.193 for any other query? The log isn't complaining about much of anything but any query that is not microsoft returns that SERVFAIL message. I must remind anybody experimenting with something like this to be sure to put a bogus DNS clause in your functional production DNS's so that anything that might somehow leak out of this experiment is treated as junk and ignored. Many thanks. Martin McCormick WB5AGZ Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bogus Wild Card DNS
On Apr 8, 2011, at 10:58 AM, Martin McCormick wrote: I am trying to set up bind9.7.2P3 in a special manner such as is used in network registration setups in which named always returns the address of a registration server except for a few other domains that supply updates and antivirus scans, etc. In this case, I have microsoft.com as the one allowed domain and everything else should return the wild card A record. What is happening right now is that the one special allowed domain works fine and all else returned a SERVFAIL rather than resolving to what will eventually be the registration server. The microsoft allowed zone is defined in named.conf with forwarders My understanding is that the only real zone one needs is the hint zone or . and here is mine: @ IN NS netreg.it.okstate.edu. microsoft.com. IN NS netreg.it.okstate.edu. * IN A 139.78.6.193 Why am I not getting resolution to 139.78.6.193 for any other query? The log isn't complaining about much of anything but any query that is not microsoft returns that SERVFAIL message. I must remind anybody experimenting with something like this to be sure to put a bogus DNS clause in your functional production DNS's so that anything that might somehow leak out of this experiment is treated as junk and ignored. Many thanks. Martin McCormick WB5AGZ Stillwater, OK Systems Engineer OSU Information Technology Department Telecommunications Services Group ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users I think you want a *.com entry as well as the * entry. The existence of the 'microsoft.com.' record, believe it or not, affects whether names of the form whatever.com match the * A record. DNS's rules for wildcarding have been known to trip up a lot of people, so look for a full explanation. John ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: Bogus Wild Card DNS
John Wobus writes: I think you want a *.com entry as well as the * entry. I have now put in an entry like: *.com. IN A 139.78.6.193 I still have the same behavior as before. The allowed domain succeeds and all others get a SERVFAIL where they should resolve to 139.78.2.193 which is the registration server. Right now, there is named.conf which has the allowed domain clause listing the forwarders. The only other file in the configuration is db.wildcard which is the root zone. That takes care of the allowed domains and is where the wild card records live. Are there are any other zones that should be there? ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users