RE: SERVFAIL issues

2009-01-20 Thread Frank Bulk - iName.com
My bad.  Let me restate the request -- that all the information available
via XML in the HTML statistics channel is also printed out when issuing
rndc stats.

Frank

-Original Message-
From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.
org] On Behalf Of Barry Margolin
Sent: Monday, January 19, 2009 9:47 PM
To: comp-protocols-dns-b...@moderators.individual.net
Subject: Re: SERVFAIL issues

In article gl3gns$1is...@sf1.isc.org,
 Frank Bulk frnk...@iname.com wrote:

 Sorry for not being more clear.  It's my understanding that rndc stats
 dumps only a subset of what ARM provides.

You still don't make sense.  ARM is documentation, it doesn't provide
any statistics.  ARM = Administrator's Reference Manual for BIND.


 Regards,

 Frank

 -Original Message-
 From: JINMEI Tatuya / 神明達哉 [mailto:jinmei_tat...@isc.org]
 Sent: Monday, January 19, 2009 1:38 PM
 To: Frank Bulk
 Cc: bind-us...@isc.org
 Subject: Re: SERVFAIL issues

 At Sat, 17 Jan 2009 00:37:25 -0600,
 Frank Bulk frnk...@iname.com wrote:

 Thanks for the info -- is there a way that there can be feature parity, at
 least in terms of stats reported, between ARM and rndc stats?

 I don't understand the question...what do you mean by 'feature parity
 between ARM and rndc stats'?

 Anyway, the fact is that the ARM describes both the output of 'rndc
 stats' and the output from a HTML statistics channel (to some
 extent).  In general, what is described in the ARM should be
 consistent with the actual behavior.  Of course, there can always be
 a discrepancy between a manual (ARM) and the software behavior as long
 as it's done by a human.  Please file a bug report if you find one.

 ---
 JINMEI, Tatuya
 Internet Systems Consortium, Inc.

 ___
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users

--
Barry Margolin, bar...@alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***


Disable cache in bind 9.6

2009-01-20 Thread Dmitry Rybin
Hello!

How to disable cache in bind-9.6? ttl=0 - bad idea.


Re: local zone forward

2009-01-20 Thread Chris Buxton
You can't. You can, however, create more specific zones  
(mail.zone.tld.) rather than the overlapping zone (zone.tld.).


Chris Buxton
Professional Services
Men & Mice

On Jan 20, 2009, at 3:41 AM, Mikel Jimenez wrote:


Hello

I have a question related to forwarding.

I have db.myzone.com in my local bind.

I have my mail server in 192.168.1.1 so I define this entry in my  
db.myzone.com file. (mail.zone.com)


I also have my web, and other services, but not in local net, I have  
in external hosting.


How can I say to Bind that, when I ask *.zone.com first look at  
db.zone.com, and if it isn't defined in the file, make recursion to  
internet dns servers.



Sorry for my English, thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82




Re: local zone forward

2009-01-20 Thread Mikel Jimenez

Chris Buxton escribió:
You can't. You can, however, create more specific zones 
(mail.zone.tld.) rather than the overlapping zone (zone.tld.).


Chris Buxton
Professional Services
Men & Mice


Yeah!! thanks!!

One question...
one more specific zone for each A record?



--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82




Re: local zone forward

2009-01-20 Thread Mikel Jimenez

Chris Buxton escribió:

On Jan 20, 2009, at 6:23 AM, Mikel Jimenez wrote:


Yeah!! thanks!!

One question...
one more specific zone for each A record?



Yes, that is correct.

Chris Buxton
Professional Services
Men & Mice



Yeah!! It works perfect!!

Thanks!!

--
Mikel Jimenez Fernandez
Irontec, Internet y Sistemas sobre GNU/LinuX - http://www.irontec.com
+34 94.404.81.82




Re: Disable cache in bind 9.6

2009-01-20 Thread Dmitry Rybin
Matus UHLAR - fantomas wrote:
 On 20.01.09 12:49, Dmitry Rybin wrote:
 How to disable cache in bind-9.6? ttl=0 - bad idea.
 
 if you know that setting TTL to 0 is a bad idea, why do you think that
 disabling a cache in BIND is not a bad idea?
 

Because under high load the cache grows to the maximum system size and stops
responding to queries. This is a known problem.


Re: Disable cache in bind 9.6

2009-01-20 Thread Matus UHLAR - fantomas
  On 20.01.09 12:49, Dmitry Rybin wrote:
  How to disable cache in bind-9.6? ttl=0 - bad idea.

 Matus UHLAR - fantomas wrote:
  if you know that setting TTL to 0 is a bad idea, why do you think that
  disabling a cache in BIND is not a bad idea?

On 20.01.09 18:39, Dmitry Rybin wrote:
 Because under high load the cache grows to the maximum system size and stops
 responding to queries. This is a known problem.

Did you set up maximum cache size to a sane value?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.


in-addr.arpa delegation failure

2009-01-20 Thread Lars Hecking

 I've been beating my head against the wall with this issue, and I'm out
 of ideas: I can't get reverse lookups for a particular, delegated RFC1918
 net to work.

 Setup:
 Internal root dns.domain.com running bind 9.4.2-P2.
 This host is set up as a master for 172.30/16. It delegates 172.30 to a 
 subdomain (A record for ns1.sub.domain.com is present elsewhere).

 db.172.30:
 @ IN SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
   IN NS  ns1.sub.domain.com.

 Working query (status: NOERROR) returns as expected:

$ dig @dns.comain.com 30.172.in-addr.arpa. soa

; <<>> DiG 9.3.4-P1 <<>> @dns.comain.com 30.172.in-addr.arpa. soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41833
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;30.172.in-addr.arpa.           IN      SOA

;; ANSWER SECTION:
30.172.in-addr.arpa.    86400   IN      SOA     dns.comain.com. root. 2009012001 10800 3600 604800 300

;; AUTHORITY SECTION:
30.172.in-addr.arpa.    86400   IN      NS      ns1.sub.domain.com.

;; ADDITIONAL SECTION:
ns1.sub.domain.com.     1818    IN      A       172.30.112.4
...
$

 Now, the setup of ns1.sub.domain.com:
 bind 9.4.2-P2
 This host is set up as a master for 172.30/16 and 172.30.10/24. It delegates
 172.30.10 to itself.

 db.172.30:
 @   IN SOA ns1.sub.domain.com. root. 2009011900 10800 3600 604800 300
 10.30.172.in-addr.arpa. IN NS ns1.sub.domain.com.

 A lookup for 10.30.172.in-addr.arpa. fails everywhere except on
 ns1.sub.domain (status: NXDOMAIN):

$ dig @dns.comain.com. 10.30.172.in-addr.arpa. soa

; <<>> DiG 9.3.4-P1 <<>> @dns.comain.com. 10.30.172.in-addr.arpa. soa
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 54056
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;10.30.172.in-addr.arpa.        IN      SOA

;; AUTHORITY SECTION:
30.172.in-addr.arpa.    0       IN      SOA     dns.domain.com. root. 2009012001 10800 3600 604800 300
...
$

 Why is the delegation chain not working? Is it a conflict for having both
 the top level dns.domain.com. and ns1.sub.domain.com. as master for 172.30?

 Would it be better to use stubs to delegate 172.30 down from the top level?
 I have a feeling they wouldn't solve this particular problem, though.

 Do I need to delegate all 255 /24 subnets explicitly at the top level server?
 That would kind of defeat the purpose of having delegation in the first
 place.

 I think I'm missing something fundamental here ...




Re: in-addr.arpa delegation failure

2009-01-20 Thread Stephane Bortzmeyer
On Tue, Jan 20, 2009 at 04:14:01PM +,
 Lars Hecking lheck...@users.sourceforge.net wrote 
 a message of 87 lines which said:

  This host is set up as a master for 172.30/16. It delegates 172.30
  to a subdomain (A record for ns1.sub.domain.com is present
  elsewhere).

Hold on! There is already a contradiction. It is supposed to be an
authoritative name server (a master is a special case of an
authoritative name server) but it delegates to a different
machine. You cannot have both. Either dns.domain.com is authoritative
for 30.172.in-addr.arpa or it is not.
 
  db.172.30:
  @ IN SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
IN NS  ns1.sub.domain.com.

I do not see a delegation of 10.30.172.in-addr.arpa.
 
  Now, the setup of ns1.sub.domain.com:
  bind 9.4.2-P2
  This host is set up as a master for 172.30/16 

Now, you have *two* masters for 30.172.in-addr.arpa. Again, it is a
contradiction (unless the two masters get their data from an external
source such as a DBMS but it does not appear to be the case here).

  Why is the delegation chain not working? Is it a conflict for having both
  the top level dns.domain.com. and ns1.sub.domain.com. as master for 172.30?

Partly. You can have only one master. But you may have several
authoritative name servers for one zone (actually, this is
recommended).
 
  Would it be better to use stubs to delegate 172.30 down from the
  top level?

No.

  Do I need to delegate all 255 /24 subnets explicitly at the top
  level server?

All those you use, yes.

  I think I'm missing something fundamental here ...

IMHO, you need to go back to the drawing board and, before writing
named.conf and zone files, decide on a general architecture.

Who will be the master for 30.172.in-addr.arpa?
Who will be authoritative for 30.172.in-addr.arpa?
Who will be the master for 10.30.172.in-addr.arpa?
Who will be authoritative for 10.30.172.in-addr.arpa?

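Stephane's point can be checked mechanically: the parent zone has to carry NS records at the child's own name, otherwise the parent's authoritative data swallows the query and answers NXDOMAIN itself, which is exactly what the second dig in Lars's message shows. The script below is an added example, not code from the thread or from BIND. It parses the one-record-per-line zone text quoted above and reports what, if anything, a parent zone delegates a given name to. The "with cut" version of the parent zone is constructed for the example, and it assumes the glue A record for ns1.sub.domain.com lives in domain.com, as Lars says it does.

```python
"""Find the zone cut a parent zone publishes for a child name.

Added example, not code from the thread or from BIND.  The parser handles
the one-record-per-line master-file subset used in the thread: optional
owner (a leading blank means "same owner as the previous record"), optional
TTL and class, record type, rdata.  $ORIGIN is honoured; other $ directives
are skipped.
"""
from typing import List, Optional, Set, Tuple

Record = Tuple[str, str, List[str]]  # (owner, rtype, rdata tokens)


def _fqdn(name: str, origin: str) -> str:
    """Qualify a master-file name relative to the current origin."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text: str, origin: str) -> List[Record]:
    """Parse zone text into (owner, type, rdata) triples with absolute names."""
    origin = origin.lower().rstrip(".") + "."
    records: List[Record] = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower().rstrip(".") + "."
            continue
        if line.startswith("$"):                  # $TTL, $INCLUDE, ...: not needed here
            continue
        tokens = line.split()
        if line[0] in " \t":                      # blank owner: reuse the previous one
            owner = last_owner
        else:
            owner = _fqdn(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():        # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        # Only NS/CNAME rdata are domain names we need to compare later.
        rdata = [_fqdn(t, origin) for t in tokens] if rtype in ("NS", "CNAME") else tokens
        records.append((owner, rtype, rdata))
    return records


def delegation_for(records: List[Record], zone_origin: str, qname: str) -> Optional[Set[str]]:
    """Return the NS set the zone delegates `qname` to, or None if there is no cut.

    Walks from qname up towards the apex and stops at the first owner that
    carries NS records.  NS records at the apex itself are the zone's own
    servers, not a delegation, so they never count.
    """
    apex = zone_origin.lower().rstrip(".") + "."
    name = qname.lower().rstrip(".") + "."
    while name != apex and name.endswith("." + apex):
        ns = {rd[0] for owner, rtype, rd in records if owner == name and rtype == "NS"}
        if ns:
            return ns
        name = name.split(".", 1)[1]              # strip the leftmost label
    return None


# The parent zone exactly as posted for dns.domain.com: apex records only.
PARENT_AS_POSTED = """\
@ IN SOA dns.domain.com. root. 2009012001 10800 3600 604800 300
  IN NS  ns1.sub.domain.com.
"""

# Constructed for this example: the same zone with a real cut for 172.30.10/24.
# (The glue A record for ns1.sub.domain.com is assumed to live in domain.com.)
PARENT_WITH_CUT = PARENT_AS_POSTED + "10.30.172.in-addr.arpa. IN NS ns1.sub.domain.com.\n"

ZONE = "30.172.in-addr.arpa"
CHILD = "10.30.172.in-addr.arpa"


def report(zone_text: str) -> str:
    """Human-readable verdict for one version of the parent zone."""
    cut = delegation_for(parse_zone(zone_text, ZONE), ZONE, CHILD)
    if cut is None:
        return f"{CHILD}: no NS records below the apex, parent answers NXDOMAIN itself"
    return f"{CHILD}: delegated to {', '.join(sorted(cut))}"


if __name__ == "__main__":
    print("as posted :", report(PARENT_AS_POSTED))
    print("with cut  :", report(PARENT_WITH_CUT))
```

Adding the cut only fixes the delegation; Stephane's other objection still stands: if both dns.domain.com and ns1.sub.domain.com load their own master copy of 30.172.in-addr.arpa, resolvers will get whichever copy they happen to hit, so one of the two has to become a slave (or drop the zone) regardless of what this check reports.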


forwarding but no recursion?

2009-01-20 Thread etirado.ext

Hello,

Is it possible to disable recursion for all incoming queries except
for those listed in a zone statement with a forwarder?

I know that no forwarding is allowed if we disable recursion.

Something like this ( but this doesn't work I know ):

I can't match people so I can't create a view.

options {
    allow-query { any; };
    allow-query-cache { none; };
    allow-recursion { none; };
};

zone "example.fr" {
    type forward;
    forwarders { x.x.x.x; };
    forward only;
};

Thank you for your advice.

Emmanuel


*
This message and any attachments (the message) are confidential and intended 
solely for the addressees. 
Any unauthorised use or dissemination is prohibited.
Messages are susceptible to alteration. 
France Telecom Group shall not be liable for the message if altered, changed or 
falsified.
If you are not the intended addressee of this message, please cancel it 
immediately and inform the sender.



compiling BIND on AIX

2009-01-20 Thread Jerry Kemp
I have compiled BIND many times on Solaris/OpenSolaris and several 
different *BSD's, and this has always been a pretty simple procedure.


I currently need to compile (a current) BIND on AIX 5.2 and it appears 
to me that there is a little more work involved to get a successful 
compile on this platform vs. others that I have worked with.


Can anyone who is currently compiling/running BIND on AIX share any 
getting started pointers ( i.e. BIND only compiles with gcc, etc)??


A search of the archives indicates that there are people on the list 
running BIND on AIX, but I was unable to uncover any specific tips, 
hints, etc. as to getting a good compile.


TIA,

Jerry K.


Re: Disable cache in bind 9.6

2009-01-20 Thread John Wobus

Disabling the cache makes sense if the purpose of your
nameserver is to provide your authoritative zone data and you
have a different nameserver to handle your site's general
DNS queries.

TTL settings are part of authoritative zone data, which is
completely independent of whether you disable caching in the
nameserver.

On Jan 20, 2009, at 4:49 AM, Dmitry Rybin wrote:


Hello!

How to disable cache in bind-9.6? ttl=0 - bad idea.


Re: forwarding but no recursion?

2009-01-20 Thread Josh Kuo
I believe the behavior of the following configuration is to send back
the IP address of the forwarders to the clients, and rely on clients
to do the recursive query against the forwarders.


On Tue, Jan 20, 2009 at 9:25 AM,  etirado@orange-ftgroup.com wrote:

 Hello,

 Is it possible to disable recursion for all incoming queries except
 for those listed in a zone statement with a forwarder?

 I know that no forwarding is allowed if we disable recursion.

 Something like this ( but this doesn't work I know ):

 I can't match people so I can't create a view.

 options {
     allow-query { any; };
     allow-query-cache { none; };
     allow-recursion { none; };
 };

 zone "example.fr" {
     type forward;
     forwarders { x.x.x.x; };
     forward only;
 };

 Thank you for your advice.

 Emmanuel




Re: forwarding but no recursion?

2009-01-20 Thread Chris Buxton
On Jan 20, 2009, at 9:25 AM, etirado@orange-ftgroup.com wrote:

Hello,

Is it possible to disable recursion for all incoming queries except
for those listed in a zone statement with a forwarder?

I know that no forwarding is allowed if we disable recursion.

Something like this ( but this doesn't work I know ):

I can't match people so I can't create a view.


According to the ARM for BIND 9.4, forward zones support only a few  
substatements. The same is true of hint zones (for the root hints  
list). Therefore, I see only one ungainly way to achieve this,  
creating a slave of the root zone and restricting access to it.

__

options {
    directory "/some/path";
    allow-query { any; };
    allow-recursion { any; }; // no need for allow-query-cache
};

zone "." {
    type slave;
    masters { 192.5.5.241; 192.228.79.201; 192.33.4.12; };
    file "root.zone";
    allow-query { none; };
    allow-transfer { none; };
};

zone "example.fr" {
    type forward;
    forwarders { ... };
    forward only;
};
__

Chris Buxton
Professional Services
Men & Mice



denied NS/IN

2009-01-20 Thread Scott Haneda

Hello, looking at my logs today, I am getting hammered with these:
20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied


Repeated over and over, how do I tell what they are, and if they are  
bad, what is the best way to block them?

--
Scott



RE: denied NS/IN

2009-01-20 Thread Frank Bulk
That's being discussed on NANOG, here's one thread:
http://markmail.org/message/ydiqnztzmz5qmusf

See here for more details on blocking them:
http://www.cymru.com/Documents/secure-bind-template.html
specifically:

blackhole {
// Deny anything from the bogon networks as
// detailed in the bogon ACL.
bogon;
};

Note that isprime is suggesting an ACL on your firewall or router.

Frank



Re: denied NS/IN

2009-01-20 Thread Scott Haneda


Thank you, curious, why does it say block all but 53, isn't that  
exactly what we want to block?

--
Scott



RE: denied NS/IN

2009-01-20 Thread Frank Bulk
According to ISPrime, 66.230.128.15 and 66.230.160.1 are authoritative DNS
servers, but do not make outbound requests.  As such, they only *receive*
queries from remote DNS servers (or clients).  So all UDP or TCP-based DNS
requests to those two DNS servers are made *to* port 53.  And those two DNS
servers respond to those requests on port 53.  The spoofers are sourcing
their queries from non-port 53 ports, so it's easy to tell what is spoofed
and what's not.

Frank

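Scott's log lines and Frank's observation about source ports together give enough to classify this traffic automatically rather than by eyeballing the log. The script below is an added example, not code from the thread, from ISC or from any of the posters. It parses BIND "query (cache) ... denied" lines in the format quoted above, aggregates them per claimed source address, and flags the reflection signature: the same root NS query (a packet any sender can build without knowing anything about your zones) repeated at a sustained rate from one or two addresses across a spread of source ports, while an ordinary misconfigured stub resolver asks for real names at a low rate. The sample log is constructed inside the script (two sources mimicking the two ISPrime addresses from the thread plus one refused stub resolver) so it runs offline; the thresholds are assumptions to be tuned against your own query rate. The `blackhole` clause it renders is the one Frank's cymru link describes; per Frank, the listed addresses never send queries, so dropping them costs nothing and stops your server reflecting REFUSED replies at the victim.

```python
"""Pick out a DNS reflection pattern from BIND 'query ... denied' log lines.

Added example; not code from the thread or from ISC.  Sample input is
constructed below so the script runs offline.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Matches the security-category line quoted in the thread, e.g.
# 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"security: info: client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query \(cache\) '(?P<qname>[^/']*)/(?P<qtype>[^/']+)/(?P<qclass>[^']+)' denied$"
)


def parse_denied(lines: Iterable[str]) -> Iterable[dict]:
    """Yield one dict per matching line; lines in any other format are ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
        rec["port"] = int(rec["port"])
        yield rec


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per claimed source address: count, distinct source ports, time span, root-NS count."""
    stats: Dict[str, dict] = {}
    for rec in parse_denied(lines):
        s = stats.setdefault(rec["ip"], {"count": 0, "ports": set(), "root_ns": 0,
                                          "first": rec["ts"], "last": rec["ts"]})
        s["count"] += 1
        s["ports"].add(rec["port"])
        s["first"] = min(s["first"], rec["ts"])
        s["last"] = max(s["last"], rec["ts"])
        if rec["qname"] == "." and rec["qtype"] == "NS":
            s["root_ns"] += 1
    return stats


def reflection_suspects(stats: Dict[str, dict], min_count: int = 20, min_rate: float = 2.0) -> List[dict]:
    """Sources whose denied traffic looks like spoofed reflection rather than a broken client.

    Signature: every query is './NS/IN', the rate is sustained, and the source
    port varies per packet.  A misconfigured stub resolver asks for real names
    and a single host rarely reaches the rate.  Thresholds are assumptions.
    """
    out = []
    for ip, s in stats.items():
        span = max((s["last"] - s["first"]).total_seconds(), 1.0)
        rate = s["count"] / span
        if s["root_ns"] == s["count"] and s["count"] >= min_count and rate >= min_rate:
            out.append({"ip": ip, "count": s["count"], "rate": round(rate, 1),
                        "distinct_ports": len(s["ports"])})
    return sorted(out, key=lambda d: -d["count"])


def render_blackhole(suspects: List[dict]) -> str:
    """named.conf 'blackhole' clause: named stops answering these addresses, and so
    stops reflecting its REFUSED replies at them.  Per the thread the addresses are
    the victim's authoritative servers, which never send queries of their own."""
    return "blackhole { " + "".join(f"{s['ip']}; " for s in suspects) + "};"


def constructed_log(per_source: int = 60) -> List[str]:
    """Constructed sample: two spoofed sources hammering './NS/IN' for ~9 seconds,
    plus one ordinary client that was merely refused recursion."""
    base = datetime(2009, 1, 20, 15, 39, 6)
    lines = []
    for i in range(per_source):
        for j, ip in enumerate(("66.230.160.1", "66.230.128.15")):
            ts = base + timedelta(milliseconds=150 * i + 40 * j)
            port = 1024 + (i * 7919 + j * 31) % 60000      # a different port every packet
            stamp = ts.strftime("%d-%b-%Y %H:%M:%S.%f")[:-3]
            lines.append(f"{stamp} security: info: client {ip}#{port}: "
                         "query (cache) './NS/IN' denied")
    lines.append("20-Jan-2009 15:39:07.001 security: info: client 192.0.2.10#53012: "
                 "query (cache) 'www.example.com/A/IN' denied")
    return lines


if __name__ == "__main__":
    suspects = reflection_suspects(summarize(constructed_log()))
    for s in suspects:
        print(f"{s['ip']:16} {s['count']:5d} queries  {s['rate']:5.1f}/s  {s['distinct_ports']} ports")
    print(render_blackhole(suspects))
```

On a live server, feed it the security channel log instead of `constructed_log()` and treat the output as a candidate list: a blackhole entry silences the reflection from your side, but as Mark's reply below points out, the traffic itself only stops when whoever is emitting the spoofed packets gets filtered at their edge.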


Re: denied NS/IN

2009-01-20 Thread Mark Andrews

In message 232b45f8-acd3-427a-95e9-bc3ca5fc9...@newgeo.com, Scott Haneda writes:
 Hello, looking at my logs today, I am getting hammered with these:
 20-Jan-2009 15:39:06.284 security: info: client 66.230.160.1#48517: query (cache) './NS/IN' denied
 20-Jan-2009 15:39:06.790 security: info: client 66.230.128.15#31593: query (cache) './NS/IN' denied
 
 Repeated over and over, how do I tell what they are, and if they are  
 bad, what is the best way to block them?
 --
 Scott

You should talk to your ISP to chase the traffic back to
its source and get BCP 38 implemented there.  BCP 38 is ~10
years old now.  There is no excuse for not filtering spoofed
traffic.

If the source doesn't want to implement BCP 38 then de-peering
the source should be considered.

Mark
 
http://www.ietf.org/rfc/rfc2267.txt January 1998
http://www.ietf.org/rfc/rfc2827.txt May 2000  (BCP 38)
http://www.ietf.org/rfc/rfc3704.txt March 2004 (BCP 84)

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org


Re: denied NS/IN

2009-01-20 Thread Scott Haneda



Is BCP 38 really as solid and plug and play as it sounds?  In a  
shared, or colo'd environment, can that ISP really deploy something  
like this, without it causing trouble for those that assume unfettered  
inbound and outbound traffic to their servers?

--
Scott



What to do about openDNS

2009-01-20 Thread Scott Haneda
I brought this up a few months back.  For me, it is getting worse, and  
I am not able to come up with a solution.


I have many clients who reg domains.  They all point to my NS.   
Sometimes, the client lapses hosting with me, and I delete the zones.   
They usually leave the domain reg'd and my NS's listed.


I also have other clients who register thousands of domains, some get  
used, some do not.  In the end, I am listed as an NS.  Going back to  
clients and asking them to delete the NS from their registrar; it just  
is not going to happen. I do not always know, so to add a zone, can  
not happen, and even then, I have to add a wildcard for them all to  
resolve them.


I have heard varying levels of disapproval for wildcards to solve this  
as well.


The problem is with openDNS, which grows every day.  If one uses them  
as a rr, when someone requests a domain that is not setup, openDNS  
will make around 50 requests for that domain.  Then the browser will  
inject www. to the domain, and it asks for another 50.  Add in spam  
for MX's and any number of other requests, and I have on average, 40  
queries per second.


When it gets really bad, is a heavily used domain that the client lets  
go, where there are img src links in a forum, which can get popular on  
occasion.


I have tested this with my own NS, as the rr, and it makes 2 or 3  
queries, sees there is no zone, and goes away.  OpenDNS *never* caches  
the result, and happily goes about this all day long.


My first question is, I assume they are ignoring some TTL, and in  
doing so, are they in violation of any standard in this regard?


Second would be, is this exploitable as I think it is?  In that, one  
could enter any NS they want into their registrar, and create a  
situation in which openDNS is used as a way to attack that NS.


Is there any way for me to locally block this act?  I do not think  
there is, aside from blocking openDNS, which would have negative  
repercussions since they are used by so many people.  Looking for  
automated blocking, not to sit on my logs all day long.


For what it is worth, I did email them, first email was ignored,  
second email was not understood and they told me they did not support  
grep, which I was simply using to extract the number of lines in my  
log to show them the issue.  My reply to that, was ignored as well.


To be honest, if I wanted to make named behave this way, I would not  
even know how to do so, I would certainly have to take effort to try.


This represent the last 4 hours of my query log, for one domain that  
is not even the best example.  I have my logs set to 10M, and this  
case already caused a roll of the logs in only 4 hours:

grep -i 'juliansummerhill.com' query.log | wc -l
1289

Thanks for any pointers and education on this issue.
--
Scott



unwanted delegations was: What to do about openDNS

2009-01-20 Thread Danny Thomas

Scott Haneda wrote:
I brought this up a few months back.  For me, it is getting worse, and 
I am not able to come up with a solution.


I have many clients who reg domains.  They all point to my NS.  
Sometimes, the client lapses hosting with me, and I delete the zones.  
They usually leave the domain reg'd and my NS's listed.

The system should recognise the rights of nameserver operators.
There should be some process by which unwanted delegations can be removed.
Obviously doing this on the basis of an email is not a good idea, but perhaps
the nameserver operator can publish their desire in a credible fashion:

dig @ns1.uq.edu.au 71.155.in-addr.arpa any

; <<>> DiG 9.4.2-P2 <<>> @ns1.uq.edu.au 71.155.in-addr.arpa any
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 436
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;71.155.in-addr.arpa.           IN      ANY

;; ANSWER SECTION:
71.155.in-addr.arpa.    3600    IN      SOA     noddns.cc.uq.edu.au. hostmaster.uq.edu.au. 2008121901 10800 1800 360 3600
71.155.in-addr.arpa.    259200  IN      NS      ns1.uq.edu.au.
71.155.in-addr.arpa.    259200  IN      NS      ns2.uq.edu.au.
71.155.in-addr.arpa.    259200  IN      NS      ns3.uq.edu.au.
71.155.in-addr.arpa.    3600    IN      TXT     "zone transfers are allowed to show the zone is useless"
71.155.in-addr.arpa.    3600    IN      TXT     "please remove delegations to the name-servers listed in this zones NS records"


Danny




Re: denied NS/IN

2009-01-20 Thread Mark Andrews

In message fb979b33-df83-4460-a3e4-040cd165e...@newgeo.com, Scott Haneda writes:
 Is BCP 38 really as solid and plug and play as it sounds?  In a  
 shared, or colo'd environment, can that ISP really deploy something  
 like this, without it causing trouble for those that assume unfettered  
 inbound and outbound traffic to their servers?

Yes it is.  Everyone in a colo should be able to tell you which
source address (prefixes) they should be emitting.  You filter
everything else.

The closer to the edge that you do this the easier it is to do.

Mark

 --
 Scott
 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: mark_andr...@isc.org
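Mark's answer describes a concrete rule: every colo port has a known set of source prefixes, and anything arriving on that port with another source is dropped. The following is an added example, not code from the thread, from ISC or from any router vendor: a small Python model of that BCP 38 ingress filter built on the standard `ipaddress` module, with a constructed port-to-prefix table and constructed packets (the victim address from Scott's log appears as a spoofed source). It also runs the same check one hop upstream, where only the union of the downstream prefixes is known, which is Mark's point about the filter being easier and tighter the closer to the edge it sits: the upstream box still catches an address from outside the site, but can no longer tell one customer spoofing its neighbour's prefix from the neighbour.

```python
"""Model of BCP 38 (RFC 2827) ingress source-address filtering at a colo edge.

Added example, not code from the thread.  The port-to-prefix table and the
packets are constructed; the spoofed victim address comes from the thread's log.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Tuple

Packet = Tuple[str, str, str]   # (ingress port, source address, destination address)

# Constructed: which source prefixes each customer-facing port is allowed to emit.
# In practice this comes from the same records that assign addresses to customers.
CUSTOMER_PREFIXES: Dict[str, Sequence[str]] = {
    "ge-0/0/1": ("198.51.100.0/24", "2001:db8:100::/48"),
    "ge-0/0/2": ("203.0.113.128/25",),
}


def build_filter(table: Dict[str, Sequence[str]]) -> Dict[str, list]:
    """Compile the prefix strings once; lookups then happen against network objects."""
    return {port: [ip_network(p) for p in prefixes] for port, prefixes in table.items()}


def permitted(filters: Dict[str, list], port: str, src: str) -> bool:
    """True only if `src` falls inside a prefix assigned to `port`.

    A port with no assignment has no prefixes and therefore may emit nothing;
    mixed address families never match, so a v4 source can't hide behind a v6 prefix.
    """
    addr = ip_address(src)
    return any(addr in net for net in filters.get(port, ()))


def apply_ingress(filters: Dict[str, list], packets: Sequence[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split packets into (accepted, dropped) according to the per-port filter."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        port, src, _dst = pkt
        (accepted if permitted(filters, port, src) else dropped).append(pkt)
    return accepted, dropped


def upstream_filter(filters: Dict[str, list]) -> Dict[str, list]:
    """The same filter one hop up: the aggregation router only knows the union of
    everything below it, so it can no longer tell the customers apart."""
    return {"uplink": [net for nets in filters.values() for net in nets]}


def seen_at_uplink(packets: Sequence[Packet]) -> List[Packet]:
    """What the upstream router sees: every packet arrives on its single downlink."""
    return [("uplink", src, dst) for _port, src, dst in packets]


# Constructed traffic.  192.0.2.53 stands in for a reflector such as Scott's nameserver.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "198.51.100.7", "192.0.2.53"),       # genuine customer traffic
    ("ge-0/0/2", "203.0.113.200", "192.0.2.53"),      # genuine
    ("ge-0/0/1", "2001:db8:100::1", "2001:db8::53"),  # genuine, IPv6
    ("ge-0/0/2", "66.230.160.1", "192.0.2.53"),       # spoofed: the thread's victim address
    ("ge-0/0/1", "203.0.113.130", "192.0.2.53"),      # spoofed: the neighbouring customer's prefix
]


def demo() -> Dict[str, int]:
    """Drop counts at the edge and one hop upstream for SAMPLE_PACKETS."""
    edge = build_filter(CUSTOMER_PREFIXES)
    _, dropped_edge = apply_ingress(edge, SAMPLE_PACKETS)
    _, dropped_up = apply_ingress(upstream_filter(edge), seen_at_uplink(SAMPLE_PACKETS))
    return {"edge": len(dropped_edge), "upstream": len(dropped_up)}


if __name__ == "__main__":
    edge = build_filter(CUSTOMER_PREFIXES)
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt[0]:9} {pkt[1]:18} {'pass' if permitted(edge, *pkt[:2]) else 'DROP'}")
    print(demo())
```

The model is deliberately static; on real gear the same effect comes from per-interface source ACLs or unicast RPF, and the table has to be updated when a customer's prefixes change, which is the operational cost the ISP in Scott's question would be weighing.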