Re: Which timeouts are used by BIND when resolving recursive queries?

2018-10-05 Thread Alberto Colosi
The RFCs say it all; read the RFCs. BIND is a DNS system, not an alien, so it follows the RFCs. Go and read the RFCs. From: bind-users on behalf of ip admin via bind-users Sent: Friday, October 5, 2018 4:13 PM To: bind-users@lists.isc.org Subject: Which timeouts are used by BIND when

Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi
ON THE INTERNET IT IS LIKELY TO BE LINKED TO RANDOM SEED GENERATION. Check:
# ls -l /dev/random /dev/urandom
crw-r--r-- 1 root system 39, 0 Jan 22 10:48 /dev/random
crw-r--r-- 1 root system 39, 1 Jan 22 10:48 /dev/urandom
From: bind-users on behalf of Howard,

Re: PRNG not seeded, service won't start

2018-09-18 Thread Alberto Colosi
Are your compiler and libs updated? From: bind-users on behalf of Howard, Christopher Sent: Tuesday, September 18, 2018 1:11 AM To: bind-users@lists.isc.org Subject: PRNG not seeded, service won't start I'm attempting to upgrade from bind 9.10.4-P8 to

Re: Need to move an NS server out of service

2018-08-06 Thread Alberto Colosi
Sorry for the missing letters, but my keyboard is broken, so to say. Usually a DNS admin lowers the TTL on the NS and/or A records that will have a change; look at the BIND docs to apply it. Without a record-specific TTL, the SOA TTL is used. From: bind-users on behalf of King, Harold

Re: Need to move an NS server out of service

2018-08-06 Thread Alberto Colosi
and stop the engine. https://en.wikipedia.org/wiki/SOA_record Alberto Colosi From: bind-users on behalf of King, Harold Clyde (Hal) Sent: Monday, August 6, 2018 7:37 PM To: Bind Users Subject: Need to move an NS server out of service I have ns2.example.com one

Re: problems changing NS records

2018-04-26 Thread Alberto Colosi
Have you changed the zone registration? There is a DNS FQDN reference: if you change the DNS FQDN, you have to update the zone at your NIC (e.g. NIC.it) or wherever you registered the domain. From: bind-users on behalf of Lucio Crusca

Re: Somehow my DNS is not starting up

2018-04-18 Thread Alberto Colosi
Hi, it is a common problem! When you start it as a user or as root, the service takes the shell's permissions, not the service's permissions. Check if the group and user named exist, if the directory and file access mask is right and if the owner is right. As a last step, check the BIND log, not systemd, for any error. Now I don't remember, but it should
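The checks the two replies above point at (the device-node listing in the "PRNG not seeded" thread, and the user, group, ownership and access-mask checks in "Somehow my DNS is not starting up"), written out as an added POSIX shell example that is not from the original posts. The account named, its group and the paths in the usage line are hypothetical defaults; the mode-bit logic follows the kernel's first-matching-class rule and deliberately ignores POSIX ACLs and SELinux labels, which need getfacl and ls -Z respectively.

```shell
#!/bin/sh
# Added example, not from the original posts. Pre-start checks for named:
# the service account exists, the config and zone paths are readable to it,
# and the random devices deliver bytes. Account "named", group "named" and
# the paths used in the usage line are hypothetical; pass your own.

# user_and_group_exist USER GROUP -> 0 if both are defined on this box.
user_and_group_exist() {
    id -u "$1" >/dev/null 2>&1 && grep -q "^$2:" /etc/group
}

# path_owned_by PATH USER GROUP -> 0 if owner and group match exactly.
path_owned_by() {
    [ "$(ls -ld "$1" 2>/dev/null | awk '{ print $3 ":" $4 }')" = "$2:$3" ]
}

# readable_by PATH USER GROUP -> 0 if the classic mode bits let USER read
# PATH (and search it, if it is a directory). Like the kernel, it uses the
# first matching class only: owner bits if USER owns the path, else group
# bits if GROUP matches, else the "other" bits. Textual check, so the result
# is the same whoever runs it; POSIX ACLs and SELinux labels are not seen.
readable_by() {
    line=$(ls -ld "$1" 2>/dev/null) || return 1
    mode=$(printf '%s\n' "$line" | cut -c1-10)
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    group=$(printf '%s\n' "$line" | awk '{ print $4 }')
    if [ "$owner" = "$2" ]; then
        triple=$(printf '%s\n' "$mode" | cut -c2-4)
    elif [ "$group" = "$3" ]; then
        triple=$(printf '%s\n' "$mode" | cut -c5-7)
    else
        triple=$(printf '%s\n' "$mode" | cut -c8-10)
    fi
    case $triple in r??) : ;; *) return 1 ;; esac
    # A directory must also be searchable; s/t stand for x plus setgid/sticky.
    case $mode in
        d*) case $triple in ??[xst]) : ;; *) return 1 ;; esac ;;
    esac
    return 0
}

# random_dev_ok DEV -> 0 if DEV is a readable character device that actually
# returns 16 bytes. A short read means the node exists but delivers nothing.
random_dev_ok() {
    [ -c "$1" ] && [ -r "$1" ] &&
        [ "$(dd if="$1" bs=16 count=1 2>/dev/null | wc -c | tr -d ' ')" -eq 16 ]
}

# named_prereqs USER GROUP PATH... : run all checks, one line per finding,
# return 1 if anything named needs is missing. Ownership is only reported:
# a root-owned, group-readable named.conf is a normal layout.
named_prereqs() {
    u=$1; g=$2; shift 2; rc=0
    user_and_group_exist "$u" "$g" || { echo "missing user or group $u:$g"; rc=1; }
    for p in "$@"; do
        readable_by "$p" "$u" "$g" || { echo "$u cannot read $p"; rc=1; }
        path_owned_by "$p" "$u" "$g" || echo "note: $p is not owned by $u:$g"
    done
    for dev in /dev/random /dev/urandom; do
        random_dev_ok "$dev" || { echo "$dev is missing or unreadable"; rc=1; }
    done
    return $rc
}

# Usage (hypothetical paths):
#   named_prereqs named named /etc/named.conf /var/named /var/named/example.com.zone
```

A path that named-checkconf reads fine from your root shell but that readable_by rejects for the service account is exactly the "works when started by hand, fails as a service" situation the reply describes; fix the group or mode rather than starting named as root.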

Re: clean up an ddns zone

2018-03-23 Thread Alberto Colosi
RADIUS is only an AAA and transmits Auth OK/KO to the VPN terminator and IP allow/deny rules to the VPN terminator (IP filtering like iptables). So RADIUS only authenticates the termination of the VPN tunnel and transmits the per-user linked policy deny and allow rules (like iptables, as said). I think the VPN terminator can be

Re: baby steps...

2018-03-23 Thread Alberto Colosi
Over the years I had bad issues with ISC BIND on a Fedora box. Possibly it was my box, but after moving to the NIC IP all was fine. Yes, inside resolv.conf, the NIC IP instead of localhost, e.g. 127.0.0.1. In any case the IP socket has to open on layer 3 and shouldn't go on layer 2, as the socket knows that IP as REACHED. It

Re: "rule based" A records

2018-01-14 Thread Alberto Colosi
Go and read about ISC BIND views. --- Alberto Colosi ITC NetWork & Security From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Lucio Crusca <lu...@sulweb.org> Sent: Sunday, January 14, 2018 12:27 PM To: bind-users@lists

Re: bind-pkcs11-9.9.4-51.el7.x86_64 using bind-dyndb-ldap in CentOS it triggering an assertion failure

2017-10-13 Thread Alberto Colosi
SELinux in passive? You can put SETEnforce OFF in the conf. From: bind-users on behalf of Radu Pantiru Sent: Friday, October 13, 2017 10:49 AM To:

Re: Forcing external domains TTL value

2017-10-07 Thread Alberto Colosi
The TTL, if not record-specific, on other DNS is defined inside the SOA; usually it should be 24H on the Internet, and if an admin like me puts it low, it is for a specific purpose such as a server change. It is strange you have so many low TTLs. I think you can only work on the cache TTL on your DNS; if there are other ways to

Re: SOA serial increment when we update SOA RR

2017-10-04 Thread Alberto Colosi
SOA is a special record. As already said, to read you update the SOA (should be only for the email address if not an intranet-ONLY NS). In any case, if you make n updates, it means n updates are needed. So the question is: why not reflect on the slave NS, if any, increasing the SN,
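The rule the reply above states (each update to the zone needs its own SOA serial increment, otherwise the slave NS has nothing to notice), as an added POSIX shell example that is not from the original post. It computes the next serial in the common YYYYMMDDnn convention and rewrites it in a zone file; it assumes the serial is the first field of a line ending in a "; serial" comment, and the sample zone it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the common layout where
# the SOA serial is the first field of a line ending in "; serial".

# next_serial CURRENT YYYYMMDD
# Smallest value that is both > CURRENT and >= YYYYMMDD00, so n edits on one
# day give n distinct, increasing serials and a new day resets the counter.
# Serials are 32-bit (RFC 1982); YYYYMMDDnn fits until the year 4294.
next_serial() {
    new=$(($1 + 1))
    floor="${2}00"
    if [ "$floor" -gt "$new" ]; then
        new=$floor
    fi
    printf '%s\n' "$new"
}

# zone_serial ZONEFILE: print the current serial, nothing if not found.
zone_serial() {
    awk '/;[ \t]*[Ss]erial/ { print $1; exit }' "$1"
}

# bump_zone_serial ZONEFILE YYYYMMDD: rewrite the serial in place, print it.
# The file is overwritten through cat rather than mv so its owner and mode
# (which named depends on) stay as they were.
bump_zone_serial() {
    cur=$(zone_serial "$1")
    if [ -z "$cur" ]; then
        echo "bump_zone_serial: no '; serial' line in $1" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$2")
    tmp=$(mktemp) || return 1
    awk -v old="$cur" -v new="$new" '
        !done && /;[ \t]*[Ss]erial/ && $1 == old { sub(old, new); done = 1 }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp" || return 1
    printf '%s\n' "$new"
}

# write_sample_zone ZONEFILE: constructed zone for trying the helpers.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3600
example.com.    IN SOA ns1.example.com. hostmaster.example.com. (
                    2017100401 ; serial
                    3600       ; refresh
                    900        ; retry
                    604800     ; expire
                    300 )      ; minimum
                IN NS  ns1.example.com.
ns1             IN A   192.0.2.53
EOF
}

# Usage: write_sample_zone /tmp/example.com.zone
#        bump_zone_serial /tmp/example.com.zone "$(date +%Y%m%d)"
```

After the bump, rndc reload (or named-checkzone first) and watch the slave's log for the "transfer of ... Transfer completed" line; if the serial did not move, the slave will keep answering from its old copy until expire.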

Re: Logging resolved IP

2017-09-19 Thread Alberto Colosi
Strange as a need, but see the channels inside the logging engine; it is the user query log. Create a log channel for the queries done; it does not change whether done from a client or another DNS. Really, it is a huge-volume log (depending on the number of queries). From: bind-users

Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Alberto Colosi
arder for cerain response ip (result ip) On 16.09.2017 at 13:30, Alberto Colosi wrote: > I read your answer well, and it wasn't an answer to you > > > In any case, who said I can't use port 53 if blocked? > There are many ways without a VPN that usuall

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
Port 53 is only open directed to the forwarders, as I read. You think of using different forwarders, so port 53 should be open to all IPs, right? I think you should read how DNS works, TLDs and so on. Simply drop the forwarders; only use the TLD. From:

Re: Different forwarder for cerain response ip (result ip )

2017-09-16 Thread Alberto Colosi
oun...@lists.isc.org> on behalf of Reindl Harald <h.rei...@thelounge.net> Sent: Saturday, September 16, 2017 12:59 PM To: bind-users@lists.isc.org Subject: Re: Different forwarder for certain response ip (result ip ) On 16.09.2017 at 12:50, Alberto Colosi wrote: > even in a hotel.

Re: Different forwarder for certain response ip (result ip )

2017-09-16 Thread Alberto Colosi
Really better... and don't use Google DNS (1) Google knows what you do, 2) they are really slow, 3) I have never seen any difference like protection or other). Alberto Colosi ITC NetWork & Security Architect & Administrator &

Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-09 Thread Alberto Colosi
I haven't seen it, as for a while I have had no servers to admin. As I always say to those I teach... the right source for the right content. NIST is OK, but... better InterNIC, as it maintains the DNS: https://www.internic.net/domain/named.root As is obvious, here is

Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-09 Thread Alberto Colosi
Why write here on the list? Simply, it is a problem from your script (file overwrite) or the NIST file could be dirty. I hate automatic updates, especially each day, especially for the roots inside DNS (they change once every twenty years... if there is a change). I don't know the NIST file; I have always used InterNIC

Re: How to pause master zone updates to slave for couple of minutes

2017-09-04 Thread Alberto Colosi
Simply firewall port TCP and UDP 53 if behind a firewall, or use an ACL, or change the NS records if not propagated in a public domain. If you want to test from clients, see that the RFC sap is around 5 minutes if I am not wrong, and use the PC firewall, or simply firewall it, or shut down the master engine, and so on

Re: How do I reset a DNSSEC zone ?

2017-08-20 Thread Alberto Colosi
It looks like the file referenced in the log is missing. SHA-1 RSA signing is obsolete and banned by NIST and ENISA; it is a CVE or should be, if I remember well. All CAs only use SHA-2, no more version 1, as said before. SHA-2 and 2048 or greater. Your problem looks like file permissions or the file is missing

Re: Systemd bind9.service file?

2017-07-22 Thread Alberto Colosi
As just said in the previous mail, whenever you edit something, you should understand it. From: bind-users on behalf of Tom Browder Sent: Friday, July 21, 2017 10:48 PM To: bind-users@lists.isc.org Subject: Re:

Re: Systemd bind9.service file?

2017-07-22 Thread Alberto Colosi
The main needs are start, stop and the pid file location. After you change a file in systemd you need to reload the config with a systemd statement. Read some tutorials like https://wiki.archlinux.org/index.php/systemd. It is obvious the files need to go where the scripts are and be linked inside the "different run levels"

Re: How to generate authoritative DNS64 reverse zone

2017-05-19 Thread Alberto Colosi
Hi, it is hard for an ISP to give you a reverse lookup zone. First of all, you need to "own" the whole zone (IPv4, a whole C class), for example. As a second thing, it is really hard to move definitions at the TLD like RIPE, ARIN, APNIC or others; it is more likely the ISP gives it to you (if the first line is true)

Re: DNS forwarding

2017-05-17 Thread Alberto Colosi
If you have as forwarder the DNS master for such zones (meaning that DNS knows how to resolve):
> check the ACL inside the conf
> check the authoritative (master DNS) logs and, if not implemented, put some log channels inside the conf to check

Re: Query on the Overload control mechanism for DNS Server

2017-04-30 Thread Alberto Colosi
ISC BIND RRL: https://kb.isc.org/article/AA-00994/0/Using-the-Response-Rate-Limiting-Feature-in-BIND-9.10.html I use it on my auth DNS box. Alberto Colosi Network & Security Admin & Architect Engineer From: bind-users <bind-users-boun...@li
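The two named.conf pieces the replies above discuss, written out as an added example that is not from the original posts: a dedicated channel for the queries category (as suggested in "Logging resolved IP" and "DNS forwarding") and Response Rate Limiting on an authoritative server (the RRL reply), plus a validation step. The ACL, the 5 responses per second, window, slip and log paths are hypothetical starting values; log-only yes is set so a first deployment only records what RRL would have dropped.

```shell
#!/bin/sh
# Added example, not from the original posts. Writes a minimal named.conf with a
# query-log channel and Response Rate Limiting, then validates it. The ACL,
# thresholds and paths are hypothetical starting values; tune to your traffic.

# write_named_conf FILE RPS QUERYLOG: render the configuration to FILE.
write_named_conf() {
    cat > "$1" <<EOF
acl trusted { 192.0.2.0/24; 2001:db8::/32; };   // hypothetical management nets

options {
    recursion no;                  // authoritative-only server, where RRL belongs
    allow-query { any; };
    allow-transfer { trusted; };

    // Response Rate Limiting. Start with log-only yes, watch the rate-limit
    // category for a while, then remove log-only once the thresholds fit.
    rate-limit {
        responses-per-second $2;
        window 5;
        slip 2;                    // every 2nd limited answer is sent truncated
        log-only yes;
        exempt-clients { trusted; };
    };
};

logging {
    channel querylog {
        file "$3" versions 3 size 20m;   // rotate: this log grows fast
        severity info;
        print-time yes;
        print-category yes;
    };
    channel rrl {
        file "/var/log/named/rrl.log" versions 3 size 20m;
        severity info;
        print-time yes;
    };
    category queries    { querylog; };
    category rate-limit { rrl; };
};
EOF
}

# check_named_conf FILE -> 0 if named-checkconf accepts it; where the tool is
# not installed, fall back to a brace-balance check so a truncated paste is
# still caught.
check_named_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        o=$(tr -cd '{' < "$1" | wc -c | tr -d ' ')
        c=$(tr -cd '}' < "$1" | wc -c | tr -d ' ')
        [ "$o" -eq "$c" ]
    fi
}

# has_rrl FILE -> 0 if a rate-limit block sets responses-per-second.
has_rrl() {
    awk '
        /rate-limit[ \t]*[{]/                        { inblk = 1 }
        inblk && /responses-per-second[ \t]+[0-9]+;/ { found = 1 }
        inblk && /[}]/                               { inblk = 0 }
        END { exit !found }
    ' "$1"
}

# Usage:
#   write_named_conf /tmp/named.conf 5 /var/log/named/query.log
#   check_named_conf /tmp/named.conf && has_rrl /tmp/named.conf
```

Keep the query log on a separate channel with versions/size set: with category queries going to the default channel it lands in syslog and, at the volumes the "Logging resolved IP" reply warns about, drowns everything else. RRL is for authoritative servers only; on a recursive resolver it would rate-limit your own clients.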

Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
Sorry, let me only add a comment to the previous mail: if whoever makes the query uses a DNS forwarding system (like using the ISP DNS as forwarders or direct resolver), you'll only have the ISP DNS on the last forward action. From: bind-users on

Re: Recognizing remote IP in shared connections

2017-02-28 Thread Alberto Colosi
large log file (as with network accounting, it can't be live for "too much"). Alberto Colosi IT NetWork & Security Architect Engineer From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Job <j...@colliniconsulting.it> Sent: Tuesday
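The per-client view of a BIND query log that the "Logging resolved IP" reply describes (a dedicated channel for category queries, very high volume) and the point made in the two "Recognizing remote IP" posts (behind a forwarder you only ever see the forwarder's address), as an added POSIX shell example that is not from the original posts. The sample lines are constructed in the BIND 9.11+ querylog layout with documentation-prefix addresses; the client field is whatever source address reached this server, so an ISP resolver in front of the real clients shows up here as one very busy client.

```shell
#!/bin/sh
# Added example, not from the original posts. Summarises a BIND query log by
# client address. The sample lines are constructed in the 9.11+ querylog
# layout ("client @0x.. ADDR#PORT (QNAME): query: ... (SERVER)"); addresses
# are documentation prefixes, not real clients. The last line is a refusal
# ("query (cache) ... denied") and is deliberately not counted.
SAMPLE_QUERYLOG="14-Jan-2018 12:27:01.001 queries: info: client @0x7f2a3c0 192.0.2.10#53422 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.1)
14-Jan-2018 12:27:01.250 queries: info: client @0x7f2a3c0 192.0.2.10#53423 (mail.example.com): query: mail.example.com IN MX -E(0) (198.51.100.1)
14-Jan-2018 12:27:02.004 queries: info: client @0x7f2a4d0 2001:db8::25#49152 (example.com): query: example.com IN SOA - (2001:db8:1::53)
14-Jan-2018 12:27:02.310 queries: info: client @0x7f2a3c0 192.0.2.10#53424 (www.example.com): query: www.example.com IN AAAA +E(0)K (198.51.100.1)
14-Jan-2018 12:27:03.117 queries: info: client @0x7f2a5e0 203.0.113.7#40000 (ns1.example.com): query: ns1.example.com IN A + (198.51.100.1)
14-Jan-2018 12:27:03.900 security: info: client @0x7f2a5e0 203.0.113.9#40001 (example.org): query (cache) 'example.org/A/IN' denied"

# queries_per_client: read querylog lines on stdin, print "COUNT ADDR" per
# client, busiest first (ties broken by address so output is stable). The
# "@0x..." client-handle token is optional (9.10 lines lack it) and the
# "#PORT" suffix is stripped; IPv6 literals contain no "#", so one rule
# serves both families.
queries_per_client() {
    awk '
        /: query: / {
            for (i = 1; i < NF; i++) {
                if ($i == "client") {
                    addr = $(i + 1)
                    if (addr ~ /^@0x/) addr = $(i + 2)
                    sub(/#[0-9]+$/, "", addr)
                    count[addr]++
                    break
                }
            }
        }
        END { for (a in count) printf "%d %s\n", count[a], a }
    ' | sort -k1,1nr -k2
}

# busiest_client: print only the address with the most queries.
busiest_client() {
    queries_per_client | head -n 1 | cut -d" " -f2
}

# count_for ADDR: print how many queries came from one address (0 if none).
count_for() {
    n=$(queries_per_client | awk -v a="$1" '$2 == a { print $1; exit }')
    printf '%s\n' "${n:-0}"
}

# Usage on the constructed sample (or: queries_per_client < /var/log/named/query.log):
#   printf '%s\n' "$SAMPLE_QUERYLOG" | queries_per_client
```

If one address dominates the list by an order of magnitude and it belongs to an ISP or corporate resolver, that is the forwarder effect the posts describe: the real clients sit behind it and this log cannot tell them apart; only the forwarder's own query log can.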

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
et> To: "bind-users@lists.isc.org" <bind-users@lists.isc.org> Subject: bind 9 goes rogue and revert zone information Date: Tue, Feb 7, 2017 23:38 On 07.02.2017 at 23:31, Alberto Colosi wrote: > lucky, you say > > zombie hosts and hijacked resources, poisoned DNS are not an

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
revert zone information On 2/7/17 8:42 AM, Alberto Colosi wrote: > IP ports not being open does not mean it is not hacked. > > A vulnerability can be used to make a change or gain access. Occam's razor... if you were a hacker and broke into someone's DNS server, would the thing that you focus on be resett

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
or disable it. From: Raul Dias <r...@dias.com.br> Sent: Tuesday, February 7, 2017 3:34 PM To: Alberto Colosi; bind-users@lists.isc.org Subject: Re: bind 9 goes rogue and revert zone information Sorry, static files. It is the master server. No dynamic updates

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Alberto Colosi
Hi, the named structure is unclear: is it a slave or a master, are dynamic updates enabled, and has the Unix box been hacked? As last, are the zones static files on the fs? From: bind-users on behalf of Raul Dias Sent:

Re: rDNS

2017-01-20 Thread Alberto Colosi
own a full C subnet or the ISP doesn't want to delegate (if your DNS server will be unreachable it could harm something on the ISP), you can only try to ask the ISP to map the names on their DNS, the ISP DNS, and even this not all ISPs do, or it is done with the default IN-ADDR.ARPA naming. Alberto Colosi ITC, NetWork

RE: How to modify A records on the slave when master is down?

2008-12-03 Thread Alberto Colosi/SI/RM/GSI/it
, you could have a command line session too if used with SSH instead. The main difference is a bit more security ;) --- Alberto Colosi IBM Global Business Services Sistemi Informativi S.P.A. IT NetWork Security Department *-* *-* *-* SECURITY IS EVERYONE'S BUSINESS