Re: forward all but ANY requests

2018-11-30 Thread Timothe Litt
er. Unfortunately, tor's name server >>> only answers A and requests, but not e.g. ANY requests. >>> >>> 192.168.1.3 is running the tor dns, >>> 192.168.1.13 is running bind9 forwarding to 192.168.1.3:9053 >>> >>> $ dig +sho

Re: forward all but ANY requests

2018-11-30 Thread Timothe Litt
On 30-Nov-18 06:04, Erich Eckner wrote: > Hi, > > I'm running a bind9 name server (9.13.4 on debian) which forwards some > zone (onion.) to tor's name server. Unfortunately, tor's name server > only answers A and requests, but not e.g. ANY requests. > > 192.168.1.3 i

forward all but ANY requests

2018-11-30 Thread Erich Eckner
Hi, I'm running a bind9 name server (9.13.4 on debian) which forwards some zone (onion.) to tor's name server. Unfortunately, tor's name server only answers A and requests, but not e.g. ANY requests. 192.168.1.3 is running the tor dns, 192.168.1.13 is running bind9 forwarding to 192.168.1.3

Re: any requests

2013-06-06 Thread Tony Finch
Doug Barton do...@dougbarton.us wrote: On 06/05/2013 11:33 AM, Tony Finch wrote: I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. s/Send/q/ No, I meant Sendmail - see http://fanf.livejournal.com/10.html Sendmail at one time tried to use ANY for combined MX+A

Re: any requests

2013-06-06 Thread Tony Finch
Vernon Schryver v...@rhyolite.com wrote: [ANY query for combined MX/A lookup was] a bad hack then and it has remained a bad hack :-) I would not agree if you could rely on the open resolvers continuing to do what they're doing, if you didn't care about parsing 3 or 4 KBytes of irrelevant

Re: any requests

2013-06-06 Thread Barry Margolin
In article mailman.488.1370508226.20661.bind-us...@lists.isc.org, Tony Finch d...@dotat.at wrote: The ANY query does not trigger alias processing, so if there is a CNAME chain you have to follow it yourself. This is a waste because if you made an MX query in the first place the server would

Re: any requests

2013-06-06 Thread Tony Finch
Barry Margolin bar...@alum.mit.edu wrote: In article mailman.488.1370508226.20661.bind-us...@lists.isc.org, Tony Finch d...@dotat.at wrote: The ANY query does not trigger alias processing, so if there is a CNAME chain you have to follow it yourself. This is a waste because if you made an

Re: any requests

2013-06-06 Thread Vernon Schryver
From: Tony Finch d...@dotat.at Sendmail at one time tried to use ANY for combined MX+A lookups, which doesn't work. That would be true and relevant if sendmail did that. Requesting ANY, not getting all of the MX, A, and/or records needed, and failing to continue making other DNS

Re: any requests

2013-06-06 Thread Tony Finch
Vernon Schryver v...@rhyolite.com wrote: About chasing CNAMEs safely or otherwise, please recall the somewhat controversial DontExpandCnames. The current cf/README says: confDONT_EXPAND_CNAMES DontExpandCnames [False] If set, $[ ... $] lookups that

Re: any requests

2013-06-05 Thread Tony Finch
Leonard Mills l...@yahoo.com wrote: If some of your clients are SMTP relays, then ANY is the default lookup for an MX and is perfectly normal. Much better from the point of view of the mail servers to do one lookup instead of several. You are not quite correct. See

Re: any requests

2013-06-05 Thread Tony Finch
Vernon Schryver v...@rhyolite.com wrote: If you have a domain to which you can add records for a subdomain with differing 5-30 second TTLs and can spend not just 5 seconds but a few minutes playing around, you might come to my conclusion. I think they treat ANY as if it were

Re: any requests

2013-06-05 Thread Doug Barton
On 06/05/2013 11:33 AM, Tony Finch wrote: I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. s/Send/q/

Re: any requests

2013-06-05 Thread Chris Buxton
On Jun 5, 2013, at 11:59 AM, Doug Barton do...@dougbarton.us wrote: On 06/05/2013 11:33 AM, Tony Finch wrote: I believe the ANY hack on mail servers was a Sendmailism 20ish years ago. s/Send/q/ That makes even more sense. DJB always thinks he knows best.

Re: any requests

2013-06-05 Thread Vernon Schryver
From: Tony Finch d...@dotat.at a few minutes playing around, you might come to my conclusion. I think they treat ANY as if it were pseudo-rdataset containing some of the RRs for the domain with a TTL equal to the minimum of all of the TTLs of the contained rdatasets. (I thought I

Re: any requests

2013-06-05 Thread Dave Warren
On 2013-06-05 12:28, Vernon Schryver wrote: I thought Google Public DNS re-fetched RRsets as they were expiring in order to keep the cache populated, which would explain what you see, I don't understand how they could pre-fetch the gazillions of RRsets that are rarely requested. As far as I

Re: any requests

2013-06-05 Thread Vernon Schryver
being wasted. It sounds hard to see whether they are playing that sort of game from outside. On the other hand, I think too many of the records in their responses to my ANY requests for my test domain have TTLs of 0. I think it would not be too hard to hack that early recursion into BIND, and so

Re: any requests

2013-06-04 Thread Novosielski, Ryan
] Sent: Tuesday, June 04, 2013 01:37 AM To: comp-protocols-dns-b...@isc.org comp-protocols-dns-b...@isc.org Subject: Re: any requests In article mailman.424.1370323734.20661.bind-us...@lists.isc.org, Novosielski, Ryan novos...@umdnj.edu wrote: If it were not already in the cache, I would not need

Re: any requests

2013-06-04 Thread Phil Mayers
Leonard Mills l...@yahoo.com wrote: If some of your clients are SMTP relays, then ANY is the default lookup for an MX and is perfectly normal. Not correct. This is only done by some brokenware. The vast majority of MTAs do correct MX and a/ lookups. And as has been pointed out

RE: any requests

2013-06-03 Thread hugo hugoo
the records? Hugo, Date: Sun, 2 Jun 2013 22:13:33 + From: v...@rhyolite.com To: bind-users@lists.isc.org Subject: Re: any requests From: Matus UHLAR - fantomas uh...@fantomas.sk On 02.06.13 20:28, hugo hugoo wrote: I plan to block these kind of requests on the dns cache servers

Re: any requests

2013-06-03 Thread Barry Margolin
In article mailman.412.1370287583.20661.bind-us...@lists.isc.org, hugo hugoo hugo...@hotmail.com wrote: Hello, Thanks for your answer. I see ANY queries from my clients (we do not use open resolvers) That's strange. Client applications shouldn't use ANY queries, because you can't be sure

Re: any requests

2013-06-03 Thread Leonard Mills
Schryver v...@rhyolite.com; bind-users@lists.isc.org bind-users@lists.isc.org Sent: Monday, June 3, 2013 12:26 PM Subject: RE: any requests Hello, Thanks for your answer. I see ANY queries from my clients (we do not use open resolvers) I do not see why these kind of queries are present

Re: any requests

2013-06-03 Thread Chris Buxton
from the point of view of the mail servers to do one lookup instead of several. Len From: hugo hugoo hugo...@hotmail.com To: Vernon Schryver v...@rhyolite.com; bind-users@lists.isc.org bind-users@lists.isc.org Sent: Monday, June 3, 2013 12:26 PM Subject: RE: any requests Hello

Re: any requests

2013-06-03 Thread Novosielski, Ryan
Not in my experience -- in fact, I often do an ANY query to refresh the cache. From: Chris Buxton [mailto:cli...@buxtonfamily.us] Sent: Monday, June 03, 2013 08:47 PM To: Leonard Mills l...@yahoo.com Cc: bind-users@lists.isc.org bind-users@lists.isc.org Subject: Re: any requests If you have

Re: any requests

2013-06-03 Thread Barry Margolin
In article mailman.422.1370315514.20661.bind-us...@lists.isc.org, Novosielski, Ryan novos...@umdnj.edu wrote: Not in my experience -- in fact, I often do an ANY query to refresh the cache. That will work if the name is not currently in the cache -- the caching server will query the auth

Re: any requests

2013-06-03 Thread Novosielski, Ryan
on a BIND-hosted domain. - Original Message - From: Barry Margolin [mailto:bar...@alum.mit.edu] Sent: Tuesday, June 04, 2013 01:01 AM To: comp-protocols-dns-b...@isc.org comp-protocols-dns-b...@isc.org Subject: Re: any requests In article mailman.422.1370315514.20661.bind-us...@lists.isc.org

Re: any requests

2013-06-03 Thread Barry Margolin
In article mailman.424.1370323734.20661.bind-us...@lists.isc.org, Novosielski, Ryan novos...@umdnj.edu wrote: If it were not already in the cache, I would not need to refresh the cache. Are you absolutely certain? If so, it is possible that this is a difference between BIND and AD DNS (I'm

any requests

2013-06-02 Thread hugo hugoo
All, Can anyone explain me the purpose of ANY requests sent to cache dns servers? I plan to block these kind of requests on the dns cache servers in order to avoid any amplification attack. But I was wondering if complaints can come if I do such limitation. Thanks in advance for your help

Re: any requests

2013-06-02 Thread Matus UHLAR - fantomas
On 02.06.13 20:28, hugo hugoo wrote: Can anyone explain me the purpose of ANY requests sent to cache dns servers? their point is to give every available information for the given domain. I plan to block these kind of requests on the dns cache servers in order to avoid any amplification

Re: any requests

2013-06-02 Thread Vernon Schryver
of amplification attacks instead of only those using ANY. See http://www.redbarn.org/dns/ratelimits Blocking DNS ANY requests is to DNS amplification DoS mitigation as blocking SMTP envelope Mail_From values of is to spam filtering. In early spam days, people who either knew far less than

Fwd: Fwd: disabling Any requests

2012-07-18 Thread Dns Administrator
message -- From: wbr...@e1b.org Date: Fri, Jul 13, 2012 at 2:55 PM Subject: Re: Fwd: disabling Any requests To: Dns Administrator dnsadm...@gmail.com Peter wrote on 07/13/2012 04:26:55 AM: ps I haven't stumbled across any coax cabling since the last millennium Wirecutters work on twisted

Fwd: disabling Any requests

2012-07-13 Thread Dns Administrator
Regards Peter ps I haven't stumbled across any coax cabling since the last millennium -- Forwarded message -- From: Chuck Swiger cswi...@mac.com Date: Thu, Jul 12, 2012 at 6:15 PM Subject: Re: disabling Any requests To: Lightner, Jeff jlight...@water.com Cc: bind-users@lists.isc.org bind

Re: disabling Any requests

2012-07-13 Thread Stephane Bortzmeyer
On Fri, Jul 13, 2012 at 10:26:55AM +0200, Dns Administrator dnsadm...@gmail.com wrote a message of 186 lines which said: Googling the issue I found that it was well known and had something to do with dns amplification and denial of service. Yes. Already discussed a lot on this list and on

Re: disabling Any requests

2012-07-12 Thread Chuck Swiger
On Jul 12, 2012, at 2:27 AM, Dns Administrator wrote: Hi bind-users, please excuse my ignorance being a novice to dns, but is there some way of disabling or choking Any type requests? Sure-- a firewall or even taking a pair of wire-cutters to the ethernet cable will accomplish that. :-)

Re: disabling Any requests

2012-07-12 Thread Phil Mayers
On 12/07/12 14:38, Chuck Swiger wrote: On Jul 12, 2012, at 2:27 AM, Dns Administrator wrote: Hi bind-users, please excuse my ignorance being a novice to dns, but is there some way of disabling or choking Any type requests? This has been discussed on the list recently - see the archives.

RE: disabling Any requests

2012-07-12 Thread Lightner, Jeff
] On Behalf Of Chuck Swiger Sent: Thursday, July 12, 2012 9:39 AM To: Dns Administrator Cc: bind-users@lists.isc.org Subject: Re: disabling Any requests On Jul 12, 2012, at 2:27 AM, Dns Administrator wrote: Hi bind-users, please excuse my ignorance being a novice to dns, but is there some way

Re: disabling Any requests

2012-07-12 Thread Phil Mayers
On 12/07/12 15:16, Lightner, Jeff wrote: Personally I don't know why dig -t any would be a problem. It's not exactly the same as doing an axfr transfer of the zone - it still only gets limited information. They're the current query type du jour for DDoS amplification attacks, which I

Re: disabling Any requests

2012-07-12 Thread sthaug
Personally I don't know why dig -t any would be a problem. It's not exactly the same as doing an axfr transfer of the zone - it still only gets limited information. They're the current query type du jour for DDoS amplification attacks, which I assume the OP is experiencing. The

Re: disabling Any requests

2012-07-12 Thread Phil Mayers
On 12/07/12 16:48, sth...@nethelp.no wrote: Personally I don't know why dig -t any would be a problem. It's not exactly the same as doing an axfr transfer of the zone - it still only gets limited information. They're the current query type du jour for DDoS amplification attacks, which I

Re: disabling Any requests

2012-07-12 Thread Chuck Swiger
On Jul 12, 2012, at 7:16 AM, Lightner, Jeff wrote: Your answer was clearly meant to be tongue in cheek but I'm not sure you understood. Please allow me to reassure you that I understood the intent of the question. :-) The point was that if one isn't clear about what one should allow and