Re: Forward zone not working

2016-05-20 Thread John Wobus
th a CIDR block)? For individual devices that are offering to accept connections, dynamic DNS could be useful: if someone connects to you and is willing to receive connections, an individual PTR record would let you find out their name first. These comments don’t apply to PTR records for individual

Re: Bind response to query's very small edns udp payload size

2016-04-15 Thread John Wobus
ction. The actual issue I was investigating is indeed unrelated. I was merely eliminating possibilities. John Wobus Cornell IT ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users maili

Bind response to query's very small edns udp payload size

2016-04-12 Thread John Wobus
configuration. FYI: $ ./named -v BIND 9.9.8-P4 (Extended Support Version) John Wobus Cornell University IT

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-25 Thread John Wobus
re continuity. Or other variants. Such a feature might address Ron’s concern. (I believe I recall discussions on this or another list, perhaps even a feature in the wings.) In any case, I cringe at the thought of overriding TTLs. They’re there for a reason. In some instances, overriding could “help

Re: Configuring different TTLs in multiple RRs for the same domain name, TYPE, and CLASS

2016-03-25 Thread John Wobus
n between how much memory DNS operators provide and client demands to support this otherwise-wonderful app. John Wobus Cornell IT

Re: hhs.gov resolvers broken, or BIND misconfigured?

2016-03-04 Thread John Wobus
tive the nameservers don’t happen to be in synch. John Wobus Cornell University IT

Re: DNS Server goofiness

2016-02-05 Thread John Wobus
, it's more of a challenge to focus such a packet capture. If the server also has a FW configuration including NAT, that could be doing it as well. John Wobus Cornell University IT

Re: Extracting stats from BIND XML stats file : issues

2016-01-15 Thread John Wobus
that a bind rrl configuration could affect this, but a little thought told me that was unlikely to be the issue. John Wobus Cornell IT

Re: Bind9 on VMWare

2016-01-15 Thread John Wobus
for a lot of low-level services. Overall architectures can take this into account. John Wobus Cornell University IT

Re: rndc flushname not working

2015-04-10 Thread John Wobus
. If that nameserver isn't in the domain to which flushtree was directed, another flush aimed at that nameserver's name would be needed. I recall the fun of hunting down some of those. CNAMEs can also create fun. John Wobus Cornell University IT

Re: Too many connections on the same IP

2015-03-06 Thread John Wobus
that. Such a problem could just kill communications but it could also cause symptoms that only show under load. Another thought is a firewall in front of your server. And speaking of firewalls, some have a feature to govern the level of load they allow into of a part. John Wobus Cornell University

Bind's handling of lame nameservers

2014-12-16 Thread John Wobus
-dl.elavon.net was listed among the authoritative NS records but answered an MX query as described. I tested both with and without requesting recursion. In fact, every name and record type I asked it got a response of NOERROR, no answer section, and no aa flag. John Wobus Cornell

Re: Bind's handling of lame nameservers

2014-12-16 Thread John Wobus
On Dec 16, 2014, at 4:26 PM, Mark Andrews wrote: We tried to check aa for just this reason but there are too many broken authoritative servers which just don't set aa=1 on all the servers for the zone that we had to back the code change out. I would just use a server clause to mark nameserver as

Re: Digging to the final IP

2014-10-24 Thread John Wobus
On Oct 21, 2014, at 4:00 PM, Evan Hunt wrote: On Tue, Oct 21, 2014 at 12:07:15PM -0700, Warren Kumari wrote: dig A $name | awk '$0 ~ /status/ && $0 !~ /status: NOERROR,/ { sub(",", "", $6); print $6; x=1 } $4 == "A" { print $5; x=1 }

Re: slave zone files unreadable

2014-07-11 Thread John Wobus
In cases analogous to this, software often saves both text and binary, and when initializing, uses mtime to decide whether it can safely use the binary. Some resources are spent storing the extra file and admins have yet another way to screw things up, but the strategy does have benefits. John

Re: Multi-master (HA)

2014-05-09 Thread John Wobus
interesting. If the main point is to eliminate single points of failure, a three masters with quorum system might serve the purpose. I like the idea of configuring zone information in a zone, and think it would be fun to be on the team brainstorming how to guard against sneaky config attacks. John

Re: Clients Matching Multiple Views

2014-04-11 Thread John Wobus
thing to know. John Wobus Cornell U

NS record TTL versus nameserver's A record TTL

2013-10-08 Thread John Wobus
? -If neither of the above, is there a hidden practice that knowing folk often follow to dodge remote nameserver deficiencies? FYI, I only received the report fourth hand and can't tell you the nameserver software that had this issue. John Wobus Cornell University IT P.S. This made me wonder

Re: Internal view is answering to external ping

2013-08-02 Thread John Wobus
if both give the same unwanted answer, you have evidence it is a server configuration issue. John Wobus Cornell University IT

Re: Bind unable to get MX record from Parent name server

2013-07-05 Thread John Wobus
The other DNS server software is working around or ignoring the issues. Server software varies in how much it ignores or works around bad domain setups. Also, in some situations, configuration problems result in symptoms that come and go. One reason DNS software is picky about correct setups

Re: How to suppress ADDITIONAL SECTION per zone

2013-07-05 Thread John Wobus
Other possibility is to implement packet rate limiting - a patch was discussed here a few days/weeks ago. I endorse this suggestion: we were faced with such attacks and were naturally leery about issues we might run into running a patched bind and the additional tuning it could require. Our

Re: Reverse address entries

2013-07-05 Thread John Wobus
On Jun 28, 2013, at 3:54 PM, Ward, Mike S wrote: I want to thank everyone for their input. It sounds like they do need the reverse address entries in specific circumstances so I’m going to recommend that they add them. Lack of reverse records made a big difference in the distant past. Now,

Re: Help on NXDOMAIN to try next forwarder in the list

2013-05-31 Thread John Wobus
the (hopefully temporary) inconsistency doesn't cause issues. John Wobus Cornell Univ IT

Re: Simple question about zone and CNAME

2013-04-05 Thread John Wobus
DNAME? runs away, giggling… Or SRV records. Surely browsers are adding support in the next day or two? John

Re: spf ent txt records.

2013-03-22 Thread John Wobus
fortunate for the SPF effort that TXT records were available to them without a lot of earlier-established complicated rules of use, so they could use TXT records to jump-start their efforts. John Wobus Cornell U

Re: high volume from outside our networks question

2013-02-01 Thread John Wobus
need to serve identical versions of the zone, then you need to arrange things so the zone is in just one view. The master of a zone with no dynamic updating could reference the same zone file from multiple views but that is about the only case that it would work. John Wobus Cornell

Re: VMware Bind

2012-06-08 Thread John Wobus
Will bind run on VMware? Yes, if the guest operating system supports it. Of more interest to me is: are there limitations? Types of configs or workloads that should not be run under VMware? John P.S. Apps are sometimes distributed bundled with an OS, i.e., forming a package that does run

Re: allow-query for a zone

2012-01-20 Thread John Wobus
to implement policy, e.g. to make it less likely to reach known phishing sites. John Wobus Cornell

Re: New problem with lame-server after Dist-Upgrade

2012-01-06 Thread John Wobus
with your diagnosis. John Wobus Cornell

Re: variable dig results

2012-01-06 Thread John Wobus
could cause such a difference. John Wobus

Re: Cache only and reverse mapping

2011-12-16 Thread John Wobus
to accomplish. John Wobus Cornell U

Re: CNAME only zone?

2011-12-16 Thread John Wobus
-file-equivalent is arbitrary. Makes DNSSEC interesting. It's always helpful to be able to tell your customer yes, we gave you a CNAME, just like you asked for. We do it even if our competitors say no! John Wobus P.S. Hm, I wonder if a TLD will give me a three part CNAME: if they've given me

Re: Cache only and reverse mapping

2011-12-16 Thread John Wobus
advantages you'd get from running separate instances. John Wobus Cornell University

Re: Algorithm 'When to use EDNS0'?

2011-12-02 Thread John Wobus
independent of your client's dns-related behavior and configuration. It's the one widely-distributed tool with that property. Such a tool is invaluable when trying to determine or confirm specific server behavior. John Wobus Cornell U

Re: split horizon and zone transfers to secondary DNS servers

2011-12-02 Thread John Wobus
also gets an IP of its own. With the latter solution, depending on the situation, you might figure out some short cuts. But TSIG looks awfully attractive in comparison. The book DNS BIND Cookbook addresses the issue. John Wobus Cornell U

Re: bind-9.8.1: INSIST(! dns_rdataset_isassociated(sigrdataset)) failed

2011-11-17 Thread John Wobus
I assume ISC does not deliberately insert aborts triggerable by bad data in DNS queries and answers. Much more likely, they do it when something happens that is supposed to be logically impossible whatever the incoming data, and implies continuing to run is potentially insecure and/or will just

Re: Port number in A record in zone file

2011-11-17 Thread John Wobus
On Nov 17, 2011, at 8:51 AM, Rick Dicaire wrote: On Thu, Nov 17, 2011 at 8:46 AM, Aleksander Kurczyk aleksanderkurc...@o2.pl wrote: Hello, Yesterday I asked here how can I run multiple named processes on different ports in one OS. Now I have some troubles with that. How can I specify the

Re: NXDOMAIN redirection in BIND 9.9

2011-09-30 Thread John Wobus
. . . both Evan's blog post http://www.isc.org/community/blog/201109/isc-bind-990a1-feature-preview and the announcement of next week's webinar include NXDOMAIN redirection as the first new feature. I'm really surprised by that - is this something that BIND users were clamoring for? Yes.

Re: DNS-cache with custom gTLDs

2011-09-23 Thread John Wobus
2011/9/23 Kevin Darcyk...@chrysler.com: You're almost certainly getting the NXDOMAIN because you're spoofing the root servers, and your fake root servers don't have the same knowledge as the real ones, so they'll return NXDOMAIN for some queries (whereas dig +trace does not, because it

Re: BIND 9.7 Serial Number Decrease Problem

2011-06-17 Thread John Wobus
Barry Finkel wrote: I ran a test this morning on one of the Solaris 10 slave servers. A query to the server showed serial numbers: _tcp 1238 _udp842 Both of these match the zone on the MS Windows DNS Server. I checked the zone files on the slave server: _tcp 1239

Re: bind 9 performance

2011-06-17 Thread John Wobus
filter retrieves its data via dns records, that could push up your query rate and cache size. John Wobus On Jun 15, 2011, at 5:52 PM, Mark K. Pettit wrote: One of the things that got us is we didn't know BIND 8 automatically created delegation records in a zone at the zone cut

DNSSEC versus multiple views

2011-05-31 Thread John Wobus
cases? John Wobus Cornell University ___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Re: how to check if a slave zone is expired

2011-05-06 Thread John Wobus
happening long before the expiration, and if the zone is pretty static (e.g. a single www.example.com address), you don't have to jump very fast to address things if the expire interval is weeks. If folks are depending upon records that are dynamic, you want to respond pretty quickly. John Wobus

Re: AW: ipv6 PTR in zone file

2011-04-15 Thread John Wobus
pint use Net::IP pint $foo = new Net::IP '2001:db8::42' 3 pint $foo->reverse_ip() 2.4.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. pint Or you could just dash off the simple perl expression to do the job: my $ptr = do { my($head,$tail) = map { join '', map

Re: Bogus Wild Card DNS

2011-04-08 Thread John Wobus
On Apr 8, 2011, at 10:58 AM, Martin McCormick wrote: I am trying to set up bind9.7.2P3 in a special manner such as is used in network registration setups in which named always returns the address of a registration server except for a few other domains that supply updates and antivirus scans,

Re: priority with A record?

2011-04-08 Thread John Wobus
All the previously-mentioned issues apply, but (obviously) round robin could be made to offer a select server twice as often by giving that server an additional address and A record. Something similar for nameservers could be devised. I had a vague recollection that one could simply duplicate

Re: dns RR method is not equal balanced?

2011-03-31 Thread John Wobus
On Mar 29, 2011, at 10:49 AM, Tony Finch wrote: Kay ch...@daumcorp.com wrote: some domain has 12 IPs but traffic of the server is not equal. The traffic of 11 IPs is same and just 1 IP is higher than others. If you use round-robin DNS you are relying on the clients not to muck around with

Re: ip6.arpa help

2011-03-18 Thread John Wobus
On Mar 18, 2011, at 5:07 AM, mattias.o.anders...@gavle.se wrote: Hi, I work for a small ISP in Sweden and we recently started to provide IPv6 for customers. I have a problem though with the reverse DNS lookups for IPv6. I don’t have a good way of doing this, maybe someone can help. When

Re: dots in hostnames problem

2011-03-11 Thread John Wobus
On Wed, Mar 9, 2011 at 1:01 PM, John Wobus jw...@cornell.edu wrote: On Mar 9, 2011, at 1:09 PM, Matt Rae wrote: Hi, I'm working on setting up a slave dns server. Dots have historically been used in the hostnames here. The dots cause the resulting zone file from a zone transfer to have $ORIGIN

Re: dots in hostnames problem

2011-03-09 Thread John Wobus
On Mar 9, 2011, at 1:09 PM, Matt Rae wrote: Hi, I'm working on setting up a slave dns server. Dots have historically been used in the hostnames here. The dots cause the resulting zone file from a zone transfer to have $ORIGIN automatically set assuming the dots are indicating a subdomain.

Re: Help with unresolvable domain (subdomain, actually)

2011-03-04 Thread John Wobus
Then the load balancer should return default records or 0.0.0.0/:: to indicate the name is good but doesn't currently have an address. I like that solution, actually. Even if the client doesn't recognize it as a special address, hopefully if it tries to connect to it, the packet won't make it

Slaves and views

2011-03-04 Thread John Wobus
much. John Wobus Cornell

Re: How to allow set Host file dns query priorities in BIND

2011-02-25 Thread John Wobus
On Feb 23, 2011, at 12:19 PM, Kevin Darcy wrote: Unless one intimately knows the failure behavior of *every*single*app*and*subsystem* in one's environment (which in a large/complex environment is a constantly moving target, since new apps and subsystems are being implemented all the time),

Re: what's a valid domain name?

2011-02-04 Thread John Wobus
To add to the story, I added a rule to our DNS administration system that we'll only allow hostnames that include at least one alphabetic. John On Feb 4, 2011, at 11:26 AM, John Wobus wrote: So 10.14.22.11 is a legal hostname, right? We had a recent experience where our DNS administration

Re: what's a valid domain name?

2011-02-04 Thread John Wobus
to www.example.com just fine. John Wobus Cornell On Jan 30, 2011, at 7:30 AM, p...@mail.nsbeta.info wrote: From RFC 1123 One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support

Re: why queries rejected?

2011-01-21 Thread John Wobus
It might not be your bug. It might be other sites. As was said, bind can log info that would help explain it. Or if the number is rising continuously, you can capture a bunch of dns queries with tcpdump or a similar program and look over a sample of the rejected queries. On Jan 18, 2011, at

Re: clarification

2010-10-22 Thread John Wobus
instead, or it simply leaves out that record. RFCs merely say 65535 is the maximum allowed. Specifying what to do when reading a zone file that exceeds this maximum is one of an infinite number of possible input errors that RFCs have nothing specific about. John Wobus

Re: no more recursive clients: quota reached

2010-03-26 Thread John Wobus
. John Wobus Cornell IT

Re: Blacklisting private address range

2010-02-26 Thread John Wobus
On Feb 26, 2010, at 9:54 AM, Diosney Sarmiento Herrera wrote: Hi! Sorry for the delay. It was very useful for me. Thanks! In our nameserver we do not apply the bogon filter to the bogus addresses because it will change with time and we do not know how to update them automatically. My question

Re: Having multiple name servers - is it really necessary

2010-02-05 Thread John Wobus
own database: just load the data on all the authoritative nameservers instead of one. But it's either more difficult or impossible if you provide dynamic DNS. (2) Run scripts periodically to check SOA serial numbers and report if they are sitting longer than they should out of synch. John

Re: Migrating DNS servers, need advice on hardware

2009-09-25 Thread John Wobus
How can I observe the query count? Is there a command or table or something or is it just how many hits the system gets on port 53 identified from some form of logging software? BIND logs hit statistics periodically to syslog, and you can use rndc stats to append statistics immediately to a

Re: no more recursive clients: quota reached

2009-08-28 Thread John Wobus
On Aug 28, 2009, at 8:59 AM, Dave Sparro wrote: On Thu, Aug 27, 2009 at 12:17 PM, Niall O'Reillyniall.orei...@ucd.ie wrote: Lisa Casey wrote: Aug 26 12:48:56 netlink named[295]: client 207.191.185.6#60614: no more recursive clients: quota reached Any ideas on how I should go about

Re: can bind filter the result

2009-04-24 Thread John Wobus
On Apr 20, 2009, at 2:55 AM, Ken Lai wrote: let's take an example. my DNS server called SrvA, the outer DNS server called SrvB. normally, the client sent the query to SrvA, and SrvA forwards it to SrvB. and SrvA return a result which came from SrvB to the client. unfortunately the SrvB

Re: [OT] zonedit.com and changing DNS servers from current provider

2009-04-10 Thread John Wobus
On Apr 7, 2009, at 5:36 PM, Michelle Konzack wrote: Hmmm, my own DNS is working, but HOW can I test a foreign DNS setup? If your own DNS works at your own site, you can see what the rest of the world is getting by any of the following: -To do a quick check to see that the world is getting the

Re: name server zone list

2009-04-03 Thread John Wobus
Besides all the methods discussed, you could invent your own zone that has this data in a format of your choosing, e.g. example.com.myzones.example.com TXT example.com example2.com.myzones.example.com TXT example2.com Then: dig @nameserver axfr myzones.example.com Your design creativity and

Re: stealth master DNS Security

2009-03-27 Thread John Wobus
On Mar 25, 2009, at 5:20 AM, Ram Akuka wrote: Is there’s any way I can encrypt the zone files in the slave server, that way no one can have access to the actual zone data beside the master server. (if for example someone will hack to the slave DNS he won’t have the zones data). No.

Re: Hostname Naming Compliance

2009-02-24 Thread John Wobus
It's an excellent idea to make your systems handle such hostnames without problems (e.g. not crashing) when they run across such a name on the Internet. It's unfriendly to propagate such hostnames when doing so impedes others' ability to do something. It's against your own interests to

Re: Disable cache in bind 9.6

2009-01-20 Thread John Wobus
Disabling the cache makes sense if the purpose of your nameserver is to provide your authoritative zone data and you have a different nameserver to handle your site's general DNS queries. TTL settings are part of authoritative zone data, which is completely independent of whether you disable

Re: Fresh (non cached) dig

2009-01-05 Thread John Wobus
I'm imagining you want a way to make dig act like the caching nameserver and do what it would do and show you the answer. dig +trace does something similar to this. There is no nameserver operation that dig could do to tell a caching nameserver to act differently for one query. You could

Re: checkzone

2009-01-05 Thread John Wobus
Running an awk or perl script along with checkzones should be able to do this site-specific check (and others you might find helpful) quite easily. On Dec 30, 2008, at 7:51 PM, Mark Andrews wrote: In message 7227c6c70812300937s7a4be464h16db91c6ead84...@mail.gmail.com, Mike Zupan writes: