Re: Bind: Standard Ports And Non Standard Ports

2022-02-11 Thread Warren Kumari
On Fri, Feb 11, 2022 at 10:21 AM Tim Daneliuk via bind-users < bind-users@lists.isc.org> wrote: > > After some months of poking around, we are now certain that our so-called > "Business" > service from Comcast is compromising our DNS servers because of their > execrable "Security Edge" garbage.

Re: Change records in DNS slave if master is offline

2021-12-16 Thread Warren Kumari
On Thu, Dec 16, 2021 at 10:37 AM Roberto Carna wrote: > Dear all, I have one BIND9 server as master and 3 as slaves. > > The master and one slave are in a given site #1, and the other two > slaves are in a geographically different site #2. > > In case site #1 goes offline, I need to edit records

Re: forwarders used in order or based on RTT ?

2020-10-19 Thread Warren Kumari
On Mon, Oct 19, 2020 at 11:26 AM Victoria Risk wrote: > > The ARM was updated in 9.16.6. Sorry it took us so long! > > from https://gitlab.isc.org/isc-projects/bind9/-/issues/2030 > Forwarders are typically used when an administrator does not wish for > all the servers at a given site to

Re: forwarders used in order or based on RTT ?

2020-10-19 Thread Warren Kumari
On Sun, Oct 18, 2020 at 2:32 PM @lbutlr wrote: > > On 16 Oct 2020, at 08:36, Bob Harold wrote: > > That is certainly not obvious. How do I request improving the manual? > > > > "in turn" would seem to imply "in order", and the order would logically be > > the order I listed them.] > > I

Re: No response from localhost with "allow-query { any; };"

2020-09-01 Thread Warren Kumari
What is 'localhost'? The output you included doesn't really show very much, other than that nc connect to port 53. I'd suggest: dig ns5.lrau.net @localhost dig ns5.lrau.net @127.0.0.1 dig ns5.lrau.net @::1 Also, have a look in /etc/hosts and make sure that you have something like: 127.0.0.1

Re: Reverse lookup response format

2020-08-25 Thread Warren Kumari
On Tue, Aug 25, 2020 at 10:30 AM Brad Stevenson wrote: > > Hello, I apologize if this has been discussed before. I tried to search the > archives but couldn’t find anything. > > > > I would like to have the behavior of the reverse lookup responses to only > include the hostname, not the

Re: A And Cname-record

2020-06-17 Thread Warren Kumari
Yup - that’s because you cannot (legally) have a CNAME and any other RR type at the same name — see https://en.m.wikipedia.org/wiki/CNAME_record for an explanation as to why... W On Wed, Jun 17, 2020 at 5:44 PM Ejaz Ahmed wrote: > when i am trying to add A and CNAME record together for the

Re: Batch updating all DNS records on my Bind server

2020-04-20 Thread Warren Kumari
On Sat, Apr 18, 2020 at 12:52 PM Tony Finch wrote: > > @lbutlr wrote: > > > > Is it possible to batch update all the domains? Looking at nsupdate it > > looks like I have to step through and do every domain individually. > > An UPDATE request can change many records, so long as they are all in

Re: Try to figure a basic conf for BIND on Mac Catalina

2020-04-16 Thread Warren Kumari
On Tue, Apr 14, 2020 at 9:53 AM David Chandler wrote: > > I have been working on this for days. Anything other than Caching-only > configuration will not register anything. Port 53 will not open. It is unclear what you are meaning by "Port 53 will not open" - is BIND binding to the port? Does

Re: DNSSEC - many doubts

2020-04-02 Thread Warren Kumari
On Thu, Apr 2, 2020 at 11:14 AM David Alexandre M. de Carvalho wrote: > > Hello, good afternoon. > My first post in this list :) > > I'm running BIND Chroot for many years (currently version 9.8.2) on some old > hardware running Oracle Linux 6. > I believe it was last year when I was reading

Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-20 Thread Warren Kumari
>> With bind, I'd need to serve a single A record with 30+ IP addresses and > >> these addresses have to be returned in random order round robin, > >> which is done with: > > >> Now I'd like bind to just return a random subset of e.g. 5 IP addresses > >>

Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-20 Thread Warren Kumari
On Fri, Mar 20, 2020 at 3:14 AM David Klatt wrote: > > Hi, > > I can't find a way to do the following although I invested plenty of time > in research - maybe you guys have an idea: > > With bind, I'd need to serve a single A record with 30+ IP addresses and > these addresses have to be

Re: Unable to browse from external network in SplitDNS

2020-03-19 Thread Warren Kumari
> wget/browse and not the same is happening in Case I. > > > Case III > Executed for Troubleshooting. > > Request from DMZ host(SNat to 196.1.113.242) to Google DNS(8.8.8.8). > We are able to do NSLOOKUP for "registry.npmjs.org". > We are able to wget/browse "

Re: Unable to browse from external network in SplitDNS

2020-03-18 Thread Warren Kumari
On Wed, Mar 18, 2020 at 9:03 AM Purva Rawan wrote: > Hello, > > We have configured splitDNS. Bind version is 9.9.2. We are able to lookup > and browse to a particular URL (e.g. https://registry.npmjs.org) from the > internal network, but the same URL, when we tried from the external network, > failed to

Re: Unable to completely transfer root zone

2020-02-16 Thread Warren Kumari
also like to thank you for calling me on it - if that had been my intended tone it would have been inappropriate, and not alright for this list. w > > On 16/02/2020 03:08, Warren Kumari wrote: > > > > > > On Fri, Feb 14, 2020 at 10:49 PM Ed Daniel > <mailto:esdan...@esd

Re: Unable to completely transfer root zone

2020-02-15 Thread Warren Kumari
On Fri, Feb 14, 2020 at 10:49 PM Ed Daniel wrote: > On 11/02/2020 15:28, Warren Kumari wrote: > > On Tue, Feb 11, 2020 at 3:12 AM Stephane Bortzmeyer > wrote: > >> > >> On Mon, Feb 10, 2020 at 02:32:55PM -0500, > >> Warren Kumari wrote > >> a

Re: Unable to completely transfer root zone

2020-02-11 Thread Warren Kumari
On Tue, Feb 11, 2020 at 3:12 AM Stephane Bortzmeyer wrote: > > On Mon, Feb 10, 2020 at 02:32:55PM -0500, > Warren Kumari wrote > a message of 70 lines which said: > > > Also, can you try: > > dig +tcp . axfr @192.0.32.132 > > dig +tcp . axfr @192.0.4

Re: Unable to completely transfer root zone

2020-02-10 Thread Warren Kumari
On Mon, Feb 10, 2020 at 12:53 PM von Dein, Thomas wrote: > > Hi everyone, > > we are unable to complete root zone transfer from our nameservers. This is > the error we're getting: > > Feb 10 18:33:32 bedns2 named[61444]: transfer of './IN' from 192.0.47.132#53: > connected using

Re: Using different OS for Master and Slaves

2019-11-13 Thread Warren Kumari
On Thu, Nov 14, 2019 at 4:58 AM Barry Margolin wrote: > > In article , > Reindl Harald wrote: > > > Am 12.11.19 um 14:00 schrieb G.W. Haywood via bind-users: > > > Hi there, > > > > > > On Tue, 12 Nov 2019, Mundile wrote: > > > > > >> Is it good idea and possible to create Master and Slaves

Re: Zoneformat

2019-10-28 Thread Warren Kumari
On Mon, Oct 28, 2019 at 6:08 AM MEjaz wrote: > > > > > > From: MEjaz [mailto:me...@cyberia.net.sa] > Sent: Monday, October 28, 2019 10:27 AM > To: 'bind-users-boun...@lists.isc.org' > Subject: Zoneformat > > > > Hi all, > > > > Is there any way I can create the zone without the (.) I mean non

Re: Bind-Efficientip

2019-10-21 Thread Warren Kumari
On Sun, Oct 20, 2019 at 10:26 PM John W. Blue wrote: > > There is a ton of fluff on the EfficientIP website about carrier grade this > and carrier grade that. So it feels like to me that you are getting trapped > in the marketing goo when you really should be asking if an IPAM solution is >

Re: A policy for removing named.conf options.

2019-06-13 Thread Warren Kumari
bind-users On Behalf Of Warren Kumari > Sent: Thursday, June 13, 2019 2:53 PM > To: Evan Hunt > Cc: Ondřej Surý ; comp-protocols-dns-b...@isc.org > Subject: Re: A policy for removing named.conf options. > > On Thu, Jun 13, 2019 at 2:43 PM Evan Hunt wrote: > > > > >

Re: A policy for removing named.conf options.

2019-06-13 Thread Warren Kumari
On Thu, Jun 13, 2019 at 2:43 PM Evan Hunt wrote: > > > > Is it really much of a hassle to leave the obsolete options in the > > > parser, but just ignore them? > > IMHO, it depends on the option. For something like "managed-keys" and > "trusted-keys", there are clear security implications. Once

Re: dnssec-validation auto vs yes

2019-06-13 Thread Warren Kumari
On Wed, Jun 12, 2019 at 8:25 PM Evan Hunt wrote: > > On Wed, Jun 12, 2019 at 11:40:27PM +, Shawn Zhou via bind-users wrote: > > The default BIND9 installation for CentOS7 has dnssec-validation set to > > "yes" and it also includes managed-keys as well. Do those managed-keys > > get updated

Re: A policy for removing named.conf options.

2019-06-13 Thread Warren Kumari
On Thu, Jun 13, 2019 at 6:46 AM Matthijs Mekking wrote: > > Dear BIND 9 users, > > BIND 9 has a lot of configuration options. Some have lost value over > the years, but the policy was to keep the options to not break old > configurations. > > However, we also want to clean up the code at some

Re: Useful tip on nsupdate -- readline support.

2019-06-11 Thread Warren Kumari
On Tue, Jun 11, 2019 at 10:59 AM Mukund Sivaraman wrote: > > On Tue, Jun 11, 2019 at 10:03:30AM -0400, Warren Kumari wrote: > > Hi there all, > > > > I manually use nsupdate to make some changes to some of my zones - > > most recently I had to add a bunch of reverse

Re: BIND ignores queries from specific privileged source ports

2019-06-10 Thread Warren Kumari
On Mon, Jun 10, 2019 at 12:37 PM Grant Taylor via bind-users wrote: > > On 6/7/19 8:44 PM, Mark Andrews wrote: > > Named drops those ports as they can be used in reflection attacks. > > Sane NAT developers avoid those ports for just that reason. The full > > list is below. > > I understand the

Re: Bind9 stops responding for some clients

2019-05-30 Thread Warren Kumari
On Thu, May 30, 2019 at 8:10 PM Gregory Sloop wrote: > > So, this is a very odd situation and I'm kind of grasping at straws here. > So, I've come to see if any of you have any good straws! > > The setup. > --- > Ubuntu 18.04 LTS is the distro we're running on. > All software is packaged [from

Re: Should we remove the DLV code?

2019-05-21 Thread Warren Kumari
At this point I think DLV is actively dangerous -- I'm not sure if it "easy" to remove the code without too much risk, but an initial start would be to make it impossible^whard to enable it (and initially log an error message for people who already have it configured...). W On Tue, May 21, 2019

Re: DNS flag day

2019-01-18 Thread Warren Kumari
ecture team, I'll get them to call you back the week after next. Pardon? I didn't take your phone number? Oh well", or even "sorry, I'm going through a tunnel and my reception is poor... EDNS, yes .. comp.. mitiga.." :-P W > On Fri, Jan 18, 2019, 3:20 PM Warren Kumari >>

Re: DNS flag day

2019-01-18 Thread Warren Kumari
On Fri, Jan 18, 2019 at 2:58 PM Ben Croswell wrote: > I would say we had one provider go as far as saying this whole flag day > thing is a hoax. > That's a weird stance / position. "The whole flag day thing is [stupid|overblown|annoying|confusing|on a Friday]" are all positions I can understand

Re: EDNS Compliance

2019-01-18 Thread Warren Kumari
On Fri, Jan 18, 2019 at 12:07 PM Ben Croswell wrote: > As long as all 4 DNS servers are running the same version, my first > suggestion would be to check firewalls for dropped packets. > > Some FW/IPS drop packets with edns versions other 0 because they see it as > an attack. > This can be

Re: Can I use multi-purpose servers for authoritative bind dns servers?

2019-01-05 Thread Warren Kumari
On Sat, Jan 5, 2019 at 7:06 AM Tom Browder wrote: > I have two remote servers: (1) one with one IP (used mainly for backups) > which is planned to be an OpenStreetmap tile server and (2) one with five > IP addresses used for serving my personal websites with Apache and planned > to be a mail

Re: no port randomization with dig over IPv6 on mac os

2018-12-07 Thread Warren Kumari
On Fri, Dec 7, 2018 at 5:19 AM Ralph Seichter wrote: > * Jakob Dhondt: > > > I have just noticed that when using dig (different versions) on Mac OS > > (High Sierra) over IPv6 the source port is not randomized. Hmmm. I’d never noticed that, but I certainly wouldn’t have expected it - I’m also

Re: Book Bind - DNS ?

2018-10-13 Thread Warren Kumari
On Sat, Oct 13, 2018 at 11:38 AM Maurizio Caloro via bind-users < bind-users@lists.isc.org> wrote: > Hello together > > > > I'm asking if the documentation from the Bind Homepage is enough > >- https://www.isc.org/downloads/bind/docs > > > > or better to buy the version from Oreilly, 5th Edition

Re: Question about visibility

2018-10-11 Thread Warren Kumari
On Thu, Oct 11, 2018 at 1:26 PM Admin Hardy wrote: > > I realise this is not specifically a BIND/DNS question and a bit off > topic so please ignore if need be; I realise people are often very busy. > > If you have a website but the host IP you do not list with any > domain name in DNS, is it

Re: Which timeouts are used by BIND when resolving recursive queries?

2018-10-07 Thread Warren Kumari
On Fri, Oct 5, 2018 at 11:12 AM Alberto Colosi wrote: > RFC say all > > read RFC > > > BIND is a DNS system not an alien so follow RFC > No, BIND is an **implementation** of DNS software. There is much in the RFCs that is subject to interpretation, or not necessarily well defined. Things like

Re: NTP through DNS?

2018-09-21 Thread Warren Kumari
On Fri, Sep 21, 2018 at 7:57 AM Danny Mayer wrote: > On 9/19/2018 10:12 AM, Andrew Latham wrote: > > You can add SRV records for NTP to your domain if that is what you are > > asking. > > > > NTP doesn't use SRV records and I don't see a use case to do so. > Well, apparently at one point you

Re: load balancing

2018-09-18 Thread Warren Kumari
On Tue, Sep 18, 2018 at 4:01 PM SIMON BABY wrote: > Hi, > > Do we support load balancing with the latest DNSSEC? I have a DNSSEC > application with the unbound library. Do I have to add any extra configuration > to support Load Balancing? > Your question is sufficiently light on detail that it cannot

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-12 Thread Warren Kumari
On Mon, Sep 10, 2018 at 4:45 AM Ray Bellis wrote: > On 09/09/2018 18:51, Mark Elkins wrote: > > Just for the record, although I do look from a curiosity point of view > > for Identical Key ID's once every few month - I've never seen them - > > until now. > > > > Now I have them - generated by

Re: DNSSEC will eventually generate Identical Key ID's

2018-09-10 Thread Warren Kumari
On Sun, Sep 9, 2018 at 2:30 PM Anand Buddhdev wrote: > On 09/09/2018 19:51, Mark Elkins wrote: > > > Never assume a KeyID is unique. :-) > > One of the DNSSEC RFCs specifically says that the KeyID is not meant to > be unique. I can't remember which one, and it's too late on a Sunday > evening

Re: Domain name based multihome routing?

2018-06-26 Thread Warren Kumari
On Tue, Jun 26, 2018 at 12:45 PM Grant Taylor via bind-users < bind-users@lists.isc.org> wrote: > On 06/25/2018 11:08 PM, Dale Mahalko wrote: > > * The secondary program looks up the domain in a database, which also > > includes the multihome destination for each domain. If a match is found, > >

Re: Stopping name server abuse

2018-06-24 Thread Warren Kumari
Unfortunately I don’t think that there is, other than the nuclear option of becoming authoritative and pointing them elsewhere. That would be a jackass move though. W On Sun, Jun 24, 2018 at 3:30 PM Alex wrote: > Hi, > We had a former customer who parked about 300 domains with his > registry

Re: Slow reply under heavy load (on a specific NIC ip)

2018-06-04 Thread Warren Kumari
On Mon, Jun 4, 2018 at 8:20 AM Ict Security wrote: > Hi guys, > > we are running a Bind 9.x Server, everything is going fine. > Under particular heavy load moments, with some hundreds of concurrent > queries coming in, sometimes Bind stops answering for some seconds or > answers with important

Re: extranet.aro.army.mil - not resolving

2018-05-31 Thread Warren Kumari
Try it with +cd and see if that fixes it. The DNSSEC stuff for this domain is all borked up -- sufficiently that I felt like I was playing snakes and ladders while looking at: http://dnsviz.net/d/extranet.aro.army.mil/dnssec/ On Thu, May 31, 2018 at 5:45 PM John Miller wrote: > > Hi Con, > > May

Re: Test mail to bind-users

2018-05-31 Thread Warren Kumari
On Thu, May 31, 2018 at 3:48 AM Matus UHLAR - fantomas wrote: > > >On Wed, 30 May 2018, Michael McNally wrote: > >>We have had reports that posts to bind-users are (in at least some > >>cases) triggering unwelcome direct-to-the-submitter messages from > >>spammers. > > it was about time ;-) > >

Re: also-notify and allow-notify

2018-05-18 Thread Warren Kumari
On Fri, May 18, 2018 at 9:41 AM Blason R wrote: > Hi there, > Thanks for the update and here is my config and error I am getting. Can you please suggest correct method that should be implemented? I believe (but don't have a machine to confirm on) that the syntax should be:

Re: DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Warren Kumari
On Thu, May 17, 2018 at 4:26 PM Roberto Carna wrote: > Dear Tony, so you say that it's impossible what I want... > In this scenario that my two DNS servers respond to queries at the same > time, suppose the primary server goes down, how do clients know that > they have

Re: DNS primary and secondary receiving queries at the same time

2018-05-17 Thread Warren Kumari
On Thu, May 17, 2018 at 4:07 PM Roberto Carna wrote: > Hi people, I've implemented two BIND9 servers for my company, one as > primary public DNS server and the other as secondary public DNS > server. > I always believed that all the client queries coming from Internet

Re: root hints

2018-05-02 Thread Warren Kumari
On Wed, May 2, 2018 at 5:02 PM Greg Rivers wrote: > On Wednesday, May 02, 2018 16:48:00 Rick Dicaire wrote: > > ... what is the official/best practise/recommended way to update > root.hints? > > > https://www.iana.org/domains/root/files > > But you don't really need

Re: Somehow my DNS is not starting up

2018-04-18 Thread Warren Kumari
nt from containerd: r >> Apr 18 23:09:43 dnsfw.isn.in <http://dnsfw.isn.in> dockerd-current[880]: >> time="2018-04-18T23:09:41.859430667+05:30" level=info >> msg="libcontainerd: new containerd process, pid: 1877" >> Apr 18 23:09:43 dnsfw.isn.in <h

Re: Somehow my DNS is not starting up

2018-04-18 Thread Warren Kumari
On Wed, Apr 18, 2018 at 5:13 AM, Daniel Stirnimann wrote: > On 18.04.18 10:57, Blason R wrote: >> Well it just loads fine when I run from command line i.e. named -u named >> -n 4 -c /etc/named.conf > ... and how long does it take to start up when doing so (in case it

Re: BIND Server running but not responding

2018-04-18 Thread Warren Kumari
I'm *really* not a Windows person, but all of the "could not listen on UDP socket: permission denied" log messages strongly imply that BIND is not able to bind() to the socket -- can you try starting this with something like Administrator privileges? W On Wed, Apr 18, 2018 at 9:51 AM, Admin Hardy

Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Warren Kumari
On Wed, Feb 28, 2018 at 12:57 PM, G.W. Haywood via bind-users wrote: > Hi there, > > On Wed, 28 Feb 2018, (Ing. Pedro Pablo Delgado Martell) wrote: > >> Good morning, I'm trying to make it more difficult for an attacker to >> get my DNS server version. > > > Waste of

Re: bind-users Digest, Vol 2842, Issue 2

2018-02-21 Thread Warren Kumari
On Wed, Feb 21, 2018 at 3:06 PM, SIMON BABY wrote: > Hi, > > > 1. Can I use BIND9, for implementing only the client resolve/validation > part? My system has limited memory and CPU power. Yup, sure can. BIND isn't the smallest / lowest CPU software out there, but you can

Re: DNSSEC validation

2018-02-13 Thread Warren Kumari
On Tue, Feb 13, 2018 at 3:42 PM, SIMON BABY wrote: > Hello Evan, > > Thank you so much for the quick response. > > My requirement is to implement only the recursive resolve and validation > part of the DNSSEC in my client application. Our CPU and memory are very > limited.

Re: Minimum TTL?

2018-02-10 Thread Warren Kumari
Ok, so I've never used forwarders (actually, that's not strictly true; I've used them twice, but it was to work around weird issues, and I felt dirty), but couldn't increasing the TTL cause stupid configuration issues to become immortal RRs? I've seen a number of instances where people who *do*

Re: Minimum TTL?

2018-02-09 Thread Warren Kumari
Leave off the "protocol fixup feature", it's cleaner :-P On Fri, Feb 9, 2018 at 7:15 AM, Tony Finch wrote: > Reindl Harald wrote: >> >> CISCO router with "DNS-ALG" > > Oh god, never turn on PIX/ASA protocol fuxup features. > > Tony. > -- >

Re: disable dnssec for particular domain

2018-02-07 Thread Warren Kumari
On Wed, Feb 7, 2018 at 7:41 AM, Tony Finch wrote: > Michelle Konzack wrote: > >> If someone is interested making a slave for me, I can do >> the same with him/her/whatelse. > > I'm cheap, so for my personal domains I use free secondaries from >

Re: SOA settings

2018-02-02 Thread Warren Kumari
On Fri, Feb 2, 2018 at 3:31 PM, Dave Warren <d...@thedave.ca> wrote: > On Fri, Feb 2, 2018, at 11:57, Warren Kumari wrote: >> Hopefully Lewis knows / understand that we are just squabbling amongst >> ourselves because we've know each other for a long time and this is in &

Re: SOA settings

2018-02-02 Thread Warren Kumari
On Fri, Feb 2, 2018 at 1:17 PM, Dave Warren via bind-users wrote: > On 2018-02-01 17:21, Lyle wrote: >> >> Bind does default to seconds. >> >> >> However this is not the SOA record. > > > Who said it was a SOA record? Ooghf. You are right. The OP simply said "a config

Re: SOA settings

2018-02-02 Thread Warren Kumari
On Fri, Feb 2, 2018 at 1:48 AM, Reindl Harald wrote: > > > Am 02.02.2018 um 01:21 schrieb Lyle: >> >> Bind does default to seconds. >> However this is not the SOA record. > > > surely, at least a part of it > > @ IN SOA srv-rhsoft.rhsoft.net. admin.rhsoft.net. ( >

Re: Possible To Log NXDOMAIN At The Server?

2018-01-30 Thread Warren Kumari
On Tue, Jan 30, 2018 at 3:12 PM, Reineman, Rick wrote: > Hello, I recently migrated our internal DNS service to a newer OS and Bind. > Bind 9.9.4 on CentOS7. > > The previous service had a dataset that was in really bad shape and I did a > lot of cleanup for the

Re: 9.11 can't validate sss.gov

2018-01-22 Thread Warren Kumari
Unrelated to the DNS bit, but still silly / annoying: http://www.sss.gov works OK, but http://sss.gov always seems to return "The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later.". There is a fair bit of disagreement over if a bare

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Warren Kumari
e - >> From: "Kevin" <bind-users...@thesandiegos.com> >> To: "Kevin" <bind-users...@thesandiegos.com> >> Cc: "Warren Kumari" <war...@kumari.net>, "bind-users" >> <bind-users@lists.isc.org> >> Sent

Re: head scratcher: nsupdate, Bind views, and TLSA record updates

2017-10-31 Thread Warren Kumari
On Tue, Oct 31, 2017 at 1:50 PM, Kevin via bind-users wrote: > I'm running into an odd issue with Bind 9.9.4 whereby I'm trying to run a > scripted nsupdate to rotate TLSA records. I'm running nsupdate via a Bash > script that executes the following nsupdate batch

Re: Forcing external domains TTL value

2017-10-07 Thread Warren Kumari
On Sat, Oct 7, 2017 at 12:59 AM, Job wrote: > Dear guys, > > Due to heavy traffic caching performance, i would like to force external > domains TTL - for external domains - to at least 600 seconds. > > Is there a way to do it, maybe by recompiling the package? There

Re: NOAA.GOV domain not working

2017-09-18 Thread Warren Kumari
On Mon, Sep 18, 2017 at 10:40 AM, Levesque, Ricky (SNB) wrote: > Thank you for your reply, > When I notice too many failed queries from this domain name > (www.nhc.noaa.gov) restarting the service or clearing the cache (rndc > reload), seems to allow queries to work. But

Re: Is there a need for clients to advertize the capabilities for DNS Responses over TCP

2017-09-15 Thread Warren Kumari
On Fri, Sep 15, 2017 at 3:37 AM, Harshith Mulky wrote: > Hello Experts, > > > I had a query on advertising the payload size on client in DNS Responses > over UDP/TCP > > > This is as much I have understood from RFC 6891, that a requester(client) > can address his

Re: Re: Re: checkhints: view “internal”: b.root-servers.net/AAAA (2001:500:200::b) extra record in hints

2017-09-11 Thread Warren Kumari
On Sun, Sep 10, 2017 at 8:15 PM, Mark Andrews wrote: > > In message , Timothe Litt > writes: >> The most sensible thing to do is ignore the message, and keep named >> reasonably up-to-date. > > Well something in the resolution path is

Re: Testing...

2017-08-30 Thread Warren Kumari
... yes, yes you are. I'm explicitly responding in case you have the mailman "Don't send me my own posts" (not metoo) option. W On Wed, Aug 30, 2017 at 11:20 AM, Alan Clegg wrote: > I don't think I can post to this list for some reason. > > I'd like to be able to respond to

Re: Subdomain DNSSEC

2017-08-28 Thread Warren Kumari
On Mon, Aug 28, 2017 at 12:25 PM, Niall O'Reilly wrote: > On 28 Aug 2017, at 17:06, Michael Dahlberg wrote: > >> My apologies if this question has an easily discoverable answer but my >> google-fu seems to be failing me today. > > > Try "insecure delegation" against your

Re: [DNS] BIND 9.9.9-P8 issue

2017-08-21 Thread Warren Kumari
On Mon, Aug 21, 2017 at 4:33 AM, Daniel Rodrigues wrote: > Hello guys, > > > > We are facing to an important issue which is strongly annoying us on our DNS > resolvers. We saw our cache decrease and we got lot of SERVFAIL/recursion > during this period. The only way to solve it

Re: Can bind works without defining root servers

2017-08-15 Thread Warren Kumari
On Tue, Aug 15, 2017 at 11:36 AM, Matthew Pounsett wrote: > > > On 15 August 2017 at 11:29, King, Harold Clyde (Hal) wrote: >> >> How does Bind update the root servers? Does it go out and check, or is a >> release made for each change? > > > Yes. :) > > BIND has

Re: designing the DNS from the scratch

2017-07-09 Thread Warren Kumari
On Sun, Jul 9, 2017 at 1:59 PM John W. Blue wrote: > Abdulhadi, > > > > Honestly, I think that a design spec of getting DNS responses in 3ms > across the board is unrealistic. My initial MX query for litc.ly took > 367ms: > > > Like many poorly written / articulated SLAs,

Re: difference in responses between UDP and TCP

2017-06-15 Thread Warren Kumari
On Thu, Jun 15, 2017 at 11:13 AM, Alan Clegg wrote: > > > On 6/15/17 6:20 AM, Arun Natarajan wrote: >> Hello, >> >> Wondering why we are seeing different serial numbers from a bind >> authoritative server for requests over UDP and TCP. >> >> dig +tcp soa @ns.example.com

Re: [Ext] Re: Redirect only second and third level domains

2017-02-24 Thread Warren Kumari
On Fri, Feb 24, 2017 at 1:12 PM, Edward Lewis wrote: > On 2/24/17, 03:42, "bind-users on behalf of Andrea Gabellini" wrote: > >>the server is a resolver for about 20K clients. My goal is to supply a >>courtesy page if a domain is not found. For every domain. > > No

Re: Redirect only second and third level domains

2017-02-24 Thread Warren Kumari
wrote: >> Il 23/02/2017 20:38, Warren Kumari ha scritto: >> > What are you actually trying to do? > > On Fri, Feb 24, 2017 at 09:42:17AM +0100, Andrea Gabellini wrote: >> the server is a resolver for about 20K clients. My goal is to >> supply a courtesy page if

Re: switching entire DNS system to new servers and IP addresses

2017-02-23 Thread Warren Kumari
On Thu, Feb 23, 2017 at 3:03 PM, Reindl Harald wrote: > > > Am 23.02.2017 um 20:52 schrieb Eldridge, Rod A [ITNET]: >> >> >> Iowa State University is replacing 7 ISC NAMED/BIND servers and 4 ISC DHCP >> servers with Infoblox servers on March 14th. We want to keep the

Re: Redirect only second and third level domains

2017-02-23 Thread Warren Kumari
On Thu, Feb 23, 2017 at 7:21 AM, Andrea Gabellini wrote: > Hi, > > I would like to redirect the NXDOMAIN responses to a courtesy page but > only for second and third level domains. I mean something like: > > *.*. IN A 1.2.3.4 > *.*.*. IN A 1.2.3.4 > > that

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Warren Kumari
This really sounds like the zone file is *in* the container itself, and that the container is restarting. You said that this is running under LXC -- is this actually a Docker container? How are you starting the container? W On Tue, Feb 7, 2017 at 11:35 AM, Raul Dias wrote: >

Re: bind 9 goes rogue and revert zone information

2017-02-07 Thread Warren Kumari
On Tue, Feb 7, 2017 at 9:34 AM, Raul Dias wrote: > Sorry, > Static files. > It is the master server. > No dynamic updates. > Host under lxc with only bind ports open. > ​If it is the master, and there are no automatic updates, I strongly suspect: 1: ​there is a cron job (or

Re: Bind Queries log file format

2017-02-06 Thread Warren Kumari
On Mon, Feb 6, 2017 at 7:44 AM, MURTARI, JOHN wrote: >> We may move it to the end of the log message (bugs ticket #44606 has >> been created for looking at it). Maybe its location was poor.. please >> can everyone who participated in this thread say whether having it at >> the end

Re: broken trust chain on forwarder

2016-09-30 Thread Warren Kumari
On Friday, September 30, 2016, /dev/rob0 wrote: > On Fri, Sep 30, 2016 at 12:04:33PM -0400, John Ratliff wrote: > > I am building a new recursive DNS server. I have it set to forward > > records for a single zone to our HQ DNS servers. When I try to > > resolve a record, I get

Re: Load balancer for Bind

2016-09-14 Thread Warren Kumari
I may be completely misunderstanding your question, but why not simply do Anycast / ECMP? Each DNS server has the same IP address (usually bound to the loopback interface), and runs a (very simple) health-check script. If the health-check passes the host injects a /32 route into the IGP (or a

Re: rndc on local host: need named running?

2016-08-27 Thread Warren Kumari
On Saturday, August 27, 2016, Tom Browder wrote: > My plan is to have two remote, authoritative name servers (master and > slave) for my owned domains. I would like to use rndc to control them from > my local host. > > A couple of questions: > > 1. Does named need to be

Re: Breaking trusted chain in dnssec

2016-07-13 Thread Warren Kumari
Or nsec3 with opt-out? The question is unclear... W On Wednesday, July 13, 2016, Tony Finch wrote: > rams > wrote: > > > Is any one explain how to break trusted chain in dnssec with example how > to > > create zone or data with trusted chain

Re: Additional Section - TXT Format?

2016-07-11 Thread Warren Kumari
On Sat, Jul 9, 2016 at 12:56 AM, Ian Manners wrote: > Hi Jun Xiang X Tee, > >> I have a simple question here. Is it possible to have >> a TXT format tuple appearing at the additional section? > > Are you meaning to ask what switches dig requires to > return txt records that

Re: Can anyone tell me a good DNS server testing program

2016-06-22 Thread Warren Kumari
Kinda depends on what you are testing, but there is also Nominum's dnsperf: http://nominum.com/measurement-tools/ This is easy to install, simple to use, and comes with a sample query file. W On Wed, Jun 22, 2016 at 8:48 AM, Emil Natan wrote: > queryperf, supplied with BIND,

Re: disable ipv6 source query

2016-06-21 Thread Warren Kumari
On Tuesday, June 21, 2016, Mark Andrews wrote: > > server ::/0 { bogus yes; }; Eeeeww! That's gross, but in a bizarrely satisfying way. W > > In message < > cajs9+yby3vl3kehtjmt58ekqrf6qazfvt3khvy05q26lmpt...@mail.gmail.com > >, Hillary Nelson

Re: UDP Packet Hack

2016-06-21 Thread Warren Kumari
Sorry, but isn't this almost exactly the same question which you asked in: https://lists.isc.org/pipermail/bind-users/2016-June/097012.html ("Append a Hard-coded Text Tuple into Additional Section of "dig" Feature") ? And "Query "resolver" and "lwresd" via "dig"" ? Perhaps if you explained what

Re: Monitor DNS queries toward Root severs

2016-05-05 Thread Warren Kumari
On Wed, May 4, 2016 at 4:37 AM, Daniel Dawalibi wrote: > Hello > > > > Is there any tool or configuration that allows us to monitor/graph the > number of outbound DNS queries toward the Root servers? > Others have provided information on how to capture the traffic.

Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-25 Thread Warren Kumari
On Fri, Mar 25, 2016 at 12:49 PM John Wobus wrote: > On Mar 18, 2016, at 6:28 AM, Barry Margolin wrote: > > In article , > > Mark Andrews wrote: > > > >> How do you actually expect

Re: DNS Service Discovery

2016-03-13 Thread Warren Kumari
On Sun, Mar 13, 2016 at 2:34 AM David Li wrote: > Hi Everyone, > > Is this the right place ask general DNS-SD questions? If not, can > someone point me to the right list? I can't seem to find one. > It almost definitely is not the right place, but what is the question?

Re: Ns records rfc

2016-03-05 Thread Warren Kumari
... also, you mention TLD zone - if this is for a gTLD, ICANN has some additional requirements, including more than one AS number. W On Sun, Mar 6, 2016 at 5:11 AM S Carr wrote: > On 6 March 2016 at 04:08, rams wrote: > > Is there any rfc that a tld zone

Re: Interesting behavior with wildcard domains

2016-02-24 Thread Warren Kumari
On Wed, Feb 24, 2016 at 12:30 PM Mark Andrews wrote: > > In message , Mathew Ian Eis > writes: > Illegal character '-' in input file. > > Hi BIND, > > > > I've encountered (quite by accident) an interesting behavior in BIND with > >

Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
The standard, compatible way to do this is simply to do a lookup for the SOA record and make sure that the serial number matches what you expect it to be / what is on the master. I'm not sure what monitoring tool you are using (or if you are writing your own), but most standard monitoring tools

Re: How to check slave zone freshness

2016-02-08 Thread Warren Kumari
There is also transfer logs -- you could watch those and see if you are getting any failures, but this seem, um, more brittle.. W On Mon, Feb 8, 2016 at 6:22 AM Klaus Darilion <klaus.mailingli...@pernau.at> wrote: > > > Am 08.02.2016 um 14:59 schrieb Warren Kumari: > > The

Re: DNS BIND traffic capture ICMP/UDP

2016-01-15 Thread Warren Kumari
On Fri, Jan 15, 2016 at 8:49 AM Daniel Dawalibi wrote: > Hello > > > > We observed an unusual traffic combining ICMP and UDP packets while > running the tcpdump command on the DNS caching server > > Kindly note that only UDP DNS traffic is allowed on this server (ICMP

Re: Allow-Query=any

2016-01-07 Thread Warren Kumari
inal Message- > From: bind-users-boun...@lists.isc.org [mailto: > bind-users-boun...@lists.isc.org] On Behalf Of Reindl Harald > Sent: Thursday, January 07, 2016 4:41 PM > To: bind-users@lists.isc.org > Subject: Re: Allow-Query=any > > > Am 07.01.2016 um 22:31 schrieb W
