RE: DNS-Format-Eroor

2017-12-18 Thread Mohammed Ejaz
Thanks all.

No, this IP 212.76.76.18 doesn't belong to us and is not even in the trusted list 
of our DNS. After looking at my logs I noticed this IP asked for the domain 
mumbai-m.site, which our name server denied, as shown in the logs below. 
Whereas our NCSA is claiming that massive malicious requests came from our DNS. I 
just want to understand how a massive attack towards the internet is possible 
from denied requests.

Thanks in advance for any explanation.


Dec 17 12:21:02 ns10 named[27539]: client @0x7f15305e6c90 212.119.73.60#17378 
(6717654C4C4544004EB007.mumbai-m.site): query: 
6717654C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 
(12807636354C4C4544004EB007.mumbai-m.site): query: 
12807636354C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 
(12807636354C4C4544004EB007.mumbai-m.site): query (cache) 
'12807636354C4C4544004EB007.mumbai-m.site/A/IN' denied

Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 
(12807636354C4C4544004EB007.mumbai-m.site): query failed (REFUSED) for 
12807636354C4C4544004EB007.mumbai-m.site/IN/A at query.c:6896

Dec 17 12:21:32 ns10 named[27539]: client @0x7f15942605b0 212.119.73.60#32691 
(528987404C4C4544004EB007.mumbai-m.site): query: 
528987404C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:21:32 ns10 named[27539]: client @0x7f15b413f3a0 212.119.73.60#14605 
(62532260314C4C4544004EB007.mumbai-m.site): query: 
62532260314C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:22:02 ns10 named[27539]: client @0x7f15aa1e8320 212.119.73.60#50861 
(4373834C4C4544004EB007.mumbai-m.site): query: 
4373834C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 
(812918874C4C4544004EB007.mumbai-m.site): query: 
812918874C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)

Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 
(812918874C4C4544004EB007.mumbai-m.site): query (cache) 
'812918874C4C4544004EB007.mumbai-m.site/A/IN' denied

 

From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Sten 
Carlsen
Sent: Monday, December 18, 2017 8:16 PM
To: bind-users@lists.isc.org
Subject: Re: DNS-Format-Eroor

 

Hi

Don't forget that any traffic may be spam, also the reject messages if they are 
directed towards the victim.

I think this is how it works here:

A large number of hosts send requests to your server for some domain. All these 
requests have a fake sender IP, 212.76.76.18; this means that all those reject 
messages come to that IP even though he never asked a single question himself.

What you should do for the poor guy is to stop any reply going to that address, 
probably easier to do in a firewall with a temporary rule.

 

On 18/12/2017 14:54, Mohammed Ejaz wrote:

 

Thank you for the detailed explanation, really appreciated.

We have been asked by our National Cyber Security Center to investigate this, 
as they have detected massive malicious requests from our DNS servers, which are 
212.119.64.2 and 212.119.64.3.

The malicious domain is mumbai-m.site, which is linked to a dns-bot campaign; this 
campaign uses DNS tunneling for exchanging messages, transferring files and 
executing commands through the DNS protocol.

Malicious IPs are 

1.2.3.4 

11.24.237.110

46.105.221.247

But when I checked my name server logs, the request comes from a single IP, 
212.76.76.18, which asked for this domain, and my server refused their request 
since this IP doesn't belong to us, as I have ACLs in place in named.conf. 

Now I am a bit confused: since the query gets rejected, how can our national 
cyber security center claim that there was massive malicious traffic from 
our DNS server to the internet world? 

Any explanations would be highly appreciated.  Thanks in advance. 

Ejaz 

 

 

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Elkins
Sent: Monday, December 18, 2017 1:58 PM
To: bind-users@lists.isc.org  
Subject: Re: DNS-Format-Eroor

 

$ dig mumbai-m.site ns

; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    NS

;; ANSWER SECTION:
MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj.

I seemed to have cached only one nameserver - which does not make operational 
sense - neither does the name I've cached.

$ dig mumbai-m.site AAAA

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    AAAA

;; AUTHORITY SECTION:
MUMBAI-M.SITE.
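An added example, not code from the thread: a Python pass over the query-log lines Ejaz posted (rejoined onto the single lines named actually writes), grouping them by client so the refused client stands apart from the accepted ones, and flagging the hex-looking labels. The `min_denied` threshold and the `HEX_LABEL_RE` heuristic are my assumptions.

```python
"""Triage of a BIND query log for the pattern described in this thread:
queries for hex-labelled names under one domain, refused by ACL, whose
REFUSED replies are sent toward the claimed (possibly spoofed) source.
Added example; thresholds and the hex-label heuristic are my choices."""
import re
from collections import defaultdict

# Sample input: the named log lines quoted in the thread, each rejoined onto
# the single line named writes (the mail client had wrapped them).
SAMPLE_LOG = """\
Dec 17 12:21:02 ns10 named[27539]: client @0x7f15305e6c90 212.119.73.60#17378 (6717654C4C4544004EB007.mumbai-m.site): query: 6717654C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (12807636354C4C4544004EB007.mumbai-m.site): query: 12807636354C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (12807636354C4C4544004EB007.mumbai-m.site): query (cache) '12807636354C4C4544004EB007.mumbai-m.site/A/IN' denied
Dec 17 12:21:02 ns10 named[27539]: client @0x7f1598233f50 212.76.76.18#60568 (12807636354C4C4544004EB007.mumbai-m.site): query failed (REFUSED) for 12807636354C4C4544004EB007.mumbai-m.site/IN/A at query.c:6896
Dec 17 12:21:32 ns10 named[27539]: client @0x7f15942605b0 212.119.73.60#32691 (528987404C4C4544004EB007.mumbai-m.site): query: 528987404C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:21:32 ns10 named[27539]: client @0x7f15b413f3a0 212.119.73.60#14605 (62532260314C4C4544004EB007.mumbai-m.site): query: 62532260314C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:22:02 ns10 named[27539]: client @0x7f15aa1e8320 212.119.73.60#50861 (4373834C4C4544004EB007.mumbai-m.site): query: 4373834C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 (812918874C4C4544004EB007.mumbai-m.site): query: 812918874C4C4544004EB007.mumbai-m.site IN A +E(0)D (212.119.64.2)
Dec 17 12:22:32 ns10 named[27539]: client @0x7f159427fc30 212.76.76.18#34089 (812918874C4C4544004EB007.mumbai-m.site): query (cache) '812918874C4C4544004EB007.mumbai-m.site/A/IN' denied
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ named\[\d+\]: client "
    r"(?:@0x[0-9a-f]+ )?(?P<ip>\d+\.\d+\.\d+\.\d+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): (?P<msg>.*)$")
HEX_LABEL_RE = re.compile(r"^[0-9A-Fa-f]{12,}$")   # heuristic for encoded data

def classify(msg):
    """Map the free-text tail of a 'client ...' line to what named did."""
    if msg.startswith("query: "):
        return "query"                      # query received (category queries)
    if msg.startswith("query (cache)") and msg.endswith("denied"):
        return "denied"                     # blocked by the allow-query ACL
    if msg.startswith("query failed (REFUSED)"):
        return "refused"                    # a REFUSED response was sent
    return "other"

def parse_query_log(text):
    """One dict per parsable line: ts, ip, port, qname, msg, action."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["action"] = classify(rec["msg"])
            records.append(rec)
    return records

def summarize(records):
    """Per-client counters: queries, denials, REFUSED replies, distinct first
    labels, how many of those look hex-encoded, and the parent domains asked."""
    def fresh():
        return {"queries": 0, "denied": 0, "refused": 0,
                "labels": set(), "hex_labels": 0, "domains": set()}
    stats = defaultdict(fresh)
    for r in records:
        s = stats[r["ip"]]
        if r["action"] == "query":
            s["queries"] += 1
            first, _, parent = r["qname"].partition(".")
            s["domains"].add(parent)
            if first not in s["labels"] and HEX_LABEL_RE.match(first):
                s["hex_labels"] += 1
            s["labels"].add(first)
        elif r["action"] in ("denied", "refused"):
            s[r["action"]] += 1
    return dict(stats)

def reflection_candidates(stats, min_denied=2):
    """Clients whose queries are all denied. Each REFUSED reply is a packet
    our server emits toward that address, so when the source is forged the
    real owner sees 'attack traffic' from us without ever asking (Sten's
    point). These are the addresses a temporary reply-suppression rule covers."""
    return sorted(ip for ip, s in stats.items()
                  if s["denied"] >= min_denied and s["denied"] >= s["queries"])

def tunnelling_suspects(stats):
    """Clients whose every distinct first label is a long hex string under one
    parent domain: the encoding pattern of the campaign the NCSC described,
    whether or not our server answered the queries."""
    return sorted(ip for ip, s in stats.items()
                  if s["queries"] and s["hex_labels"] == len(s["labels"])
                  and len(s["domains"]) == 1)
```

Note that the accepted client 212.119.73.60 shows the same encoded labels as the refused one, so refusing by ACL stops the answers but not the reflected REFUSED packets.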

Re: DNSSEC validation without current time

2017-12-18 Thread Dave Warren via bind-users

On 2017-12-18 06:44, Timothe Litt wrote:
> On 18-Dec-17 01:07, Dave Warren wrote:
>> On 2017-12-15 06:23, Petr Menšík wrote:
>>> On 15.12.2017 at 13:06, G.W. Haywood via bind-users wrote:
>>>> Hi there,
>>>>
>>>> On Fri, 15 Dec 2017, Petr Menšík wrote:
>>>>
>>>>> ... current time is not available or can be inaccurate.
>>>>
>>>> ntpdate?
>>>>
>>> Sure, of course. What would be the default host after installation, that
>>> can be used in a default installation image without manual configuration?
>>> And how does it resolve that name, when the date of the system is
>>> 1970-1-1 or something only a bit more accurate?
>>>
>>> Current pool.ntp.org addresses are unsigned now, so that would work
>>> anyway. If I want spoof protection, what should I do?
>>
>> Do two passes. First: Use DNS without DNSSEC validation to obtain a 
>> list of NTP servers, and thereby determine the current time. Second: 
>> Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and 
>> verify the time.
>>
>> The second pass might detect the list of IPs has changed and bypass 
>> the second NTP pass as we now know the previous IPs were valid, but 
>> you must be prepared for DNS to return different IPs from a pool and 
>> to therefore re-verify the time -- We don't care if the IP list has 
>> changed, only that the time is valid.
>>
>> The only real challenge is to avoid letting anything else trust the 
>> time received in phase 1 until it has been validated by phase 2.
>
> This proposal is involved, but doesn't seem to robustly solve the problem.
>
>   * Pass 1 obtains "current time".  But you don't trust that the IP
>     addresses of the NTP servers were correctly resolved.  So you don't
>     trust this time.  However, you need a reasonably trustworthy time to
>     bootstrap DNSSEC.  (On the order of minutes).  Else DNSSEC
>     validation can fail.

Right, this is the whole point and why it works. If either DNS or NTP is 
malicious, pass 2's DNSSEC validation fails and we know we don't yet 
have valid time.

>   * If you're using the pools (and they resolve correctly), you're
>     pretty much guaranteed that any two queries will produce a different
>     set of servers.  So IP addresses will change.

DNS caching may provide the same IP addresses. It is irrelevant as this 
is just an optimization which fails gracefully, or can be skipped entirely.

>   * Pass 2 requires "trusted" NTP servers.  If you have that list, why
>     not resolve those names without validation in the first place?  You
>     could assume that a hostile actor knows which names you resolve, and
>     assume that they will substitute bad timekeepers.  But if they can
>     do that, they can do the same for the pools' names.

I think that this is the whole point -- There is no hardcoded list of 
trusted NTP servers. We need to obtain the list from DNS (pass 1) and 
verify that the list can be trusted using DNSSEC (pass 2).

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
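An added example, not code from the thread, working through the mechanism both Dave and Sten rely on: RRSIG records carry inception and expiration times, so a wrong clock turns validation into one of Timothe's failure modes (not yet valid, or expired), and pass 2 can use that outcome to accept or reject the time learned in pass 1. The RRSIG windows and candidate clocks are constructed; the comparison uses RFC 1982 serial arithmetic because RFC 4034 specifies it for these 32-bit fields.

```python
"""Why a bad clock makes DNSSEC fail, and how the two-pass bootstrap turns
that into a check on the time obtained from untrusted NTP in pass 1.
Added example: the RRSIG windows below are constructed, not from a real zone."""
import calendar

SERIAL_MOD = 1 << 32     # RRSIG inception/expiration: 32-bit seconds since 1970
SERIAL_HALF = 1 << 31

def serial_lt(a, b):
    """RFC 1982 serial-number 'a < b' for 32-bit values. RFC 4034 3.1.5 requires
    RRSIG times to be compared this way, so a validity window that straddles
    the 2106 wrap-around still compares correctly."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)

def rrsig_window_status(inception, expiration, now):
    """Classify the validator's clock against one RRSIG window (RFC 4035 5.3.1):
    inception <= now <= expiration is 'valid'; otherwise name the failure."""
    if serial_lt(now, inception):
        return "not_yet_valid"   # clock too far in the past (e.g. 1970 after boot)
    if serial_lt(expiration, now):
        return "expired"         # clock too far in the future, or a real expiry
    return "valid"

def ts(year, month, day, hour=0, minute=0):
    """UTC calendar date to the 32-bit epoch value used in RRSIG fields."""
    return calendar.timegm((year, month, day, hour, minute, 0, 0, 0, 0)) % SERIAL_MOD

def pass2_accepts(candidate_now, chain):
    """Pass 2 of the bootstrap: keep the pass-1 time only if every RRSIG in the
    validation chain (each given as an (inception, expiration) pair) is valid
    at that time. Windows are days to weeks wide, so only a grossly wrong
    clock fails here, which is exactly the case the bootstrap must catch."""
    return all(rrsig_window_status(i, e, candidate_now) == "valid" for i, e in chain)

def bootstrap_time(candidate_times, chain):
    """Try pass-1 clock candidates in order and return the first one pass 2
    accepts; None means none may be trusted and the caller has to retry."""
    for t in candidate_times:
        if pass2_accepts(t, chain):
            return t
    return None

# Constructed chain for the week of this thread: a longer-lived root/TLD
# signature and a zone signature valid for two weeks (hypothetical values).
CHAIN_DEC_2017 = [
    (ts(2017, 12, 1), ts(2018, 1, 10)),
    (ts(2017, 12, 10), ts(2017, 12, 24)),
]
```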


Re: Daisy chaining slaves

2017-12-18 Thread Tony Finch
Mark Andrews  wrote:

> The expiry inflation can be removed if you use servers that support
> the EDNS EXPIRE option.

Ooh, I forgot about that, thanks for the reminder! (It's reassuring too,
because it means my secondaries should never serve expired RRSIGs despite
my chained transfers.)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Faeroes, Southeast Iceland: Mainly southwesterly 6 to gale 8. Very rough or
high. Rain, fog banks. Moderate, occasionally very poor.


Re: Max slaves limit?

2017-12-18 Thread Grant Taylor via bind-users

On 12/18/2017 12:24 PM, Bob McDonald wrote:
> I've seen cases where folks have added all of the Domain Controller
> addresses for an AD forest to the NS list for a domain.

I believe that DCs do this by themselves if they are using MS-DNS.  (I 
think the netlogon service does a dynamic DNS update and creates the 
records when it starts.)




--
Grant. . . .
unix || die




Re: Daisy chaining slaves

2017-12-18 Thread Mark Andrews
The expiry inflation can be removed if you use servers that support the EDNS 
EXPIRE option.

-- 
Mark Andrews

> On 18 Dec 2017, at 23:03, Tony Finch  wrote:
> 
> vijay bommareddy  wrote:
>> 
>> I generally do multiple slaves to a set of masters. But I'm just wondering
>> if daisy chaining slaves i.e slave to a slave to a slave to a master, a
>> good practice in general? What are the pros and cons of it?
> 
> In my setup there are a couple of reasons for daisy-chaining secondaries.
> 
> I have a hidden primary master (well, firewalled rather than strictly
> hidden, since it appears in my SOA MNAME field) that only allows xfers to
> other servers I directly control.
> 
> I have a number of secondaries which xfer from my public authoritative
> servers, so they have a two-stage daisy chain. Here, daisy chaining allows
> me to implement a security boundary.
> 
> I also have a third-party anycast secondary service, which has a hidden
> xfer distribution server, and the actual anycast nodes are at the end of a
> three-stage daisy chain. Here, daisy chaining allows the details of an
> anycast cloud to be hidden from the primary servers.
> 
> On a high traffic system you'll probably want to separate xfers from
> normal authoritative service, to reduce the risk of performance gotchas.
> This may lead you to a daisy-chained xfer topology similar to the anycast
> case.
> 
> The consequence of daisy-chaining is that it inflates the SOA expire
> interval. Zone expiry is a timer local to each secondary since its most
> recent successful refresh, so (in my setup) if xfers start failing my
> anycast secondary might not expire the zones for three weeks (3x my SOA
> expire time).
> 
> Tony.
> -- 
> f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
> Northwest Fitzroy, West Sole: Westerly backing southerly 4 or 5, occasionally
> 6 in west. Moderate or rough. Occasional drizzle, fog patches. Moderate or
> good, occasionally very poor.



Re: Max slaves limit?

2017-12-18 Thread Tony Finch
Bob McDonald  wrote:

> I've seen cases where folks have added all of the Domain Controller
> addresses for an AD forest to the NS list for a domain. This results in
> huge TCP response packets for ALL requests to that domain.

You can safely reduce the size of answers using the `minimal-responses
no-auth` or `no-auth-recursive` options available in 9.11 and later.
The default in 9.12 changes from `no` to `no-auth-recursive`.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
South Biscay: Northerly 5 or 6, veering northeasterly 4 or 5. Moderate or
rough, becoming slight or moderate. Rain at first. Good, occasionally poor at
first.


Re: Max slaves limit?

2017-12-18 Thread Bob McDonald
Barry has a good point. I've seen cases where folks have added all of the
Domain Controller addresses for an AD forest to the NS list for a domain.
This results in huge TCP response packets for ALL requests to that domain.
Folks don't seem to get the concept of stealth slaves and the associated
NOTIFY options to keep things current. (As an alternative to shortening the
REFRESH time for a domain)

Best,

Bob

Re: DNSSEC validation without current time

2017-12-18 Thread Sten Carlsen


On 18/12/2017 14:44, Timothe Litt wrote:
>
> On 18-Dec-17 01:07, Dave Warren wrote:
>> On 2017-12-15 06:23, Petr Menšík wrote:
>>>
>>> On 15.12.2017 at 13:06, G.W. Haywood via bind-users wrote:
>>>> Hi there,
>>>>
>>>> On Fri, 15 Dec 2017, Petr Menšík wrote:
>>>>
>>>>> ... current time is not available or can be inaccurate.
>>>>
>>>> ntpdate?
>>>>
>>> Sure, of course. What would be the default host after installation, that
>>> can be used in a default installation image without manual configuration?
>>> And how does it resolve that name, when the date of the system is
>>> 1970-1-1 or something only a bit more accurate?
>>>
>>> Current pool.ntp.org addresses are unsigned now, so that would work
>>> anyway. If I want spoof protection, what should I do?
>>
>> Do two passes. First: Use DNS without DNSSEC validation to obtain a
>> list of NTP servers, and thereby determine the current time. Second:
>> Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and
>> verify the time.
>>
>> The second pass might detect the list of IPs has changed and bypass
>> the second NTP pass as we now know the previous IPs were valid, but
>> you must be prepared for DNS to return different IPs from a pool and
>> to therefore re-verify the time -- We don't care if the IP list has
>> changed, only that the time is valid.
>>
>> The only real challenge is to avoid letting anything else trust the
>> time received in phase 1 until it has been validated by phase 2.
>>
>
> This proposal is involved, but doesn't seem to robustly solve the problem.
True, but look at it this way: first get a guess on the time from "an"
NTP server, then try using that time to get DNSSEC replies. If they
work, the time was good enough; if the time was bad, DNSSEC will not
work and you know you have a bad time, and will have to try again or die.
>
>   * Pass 1 obtains "current time".  But you don't trust that the IP
> addresses of the NTP servers were correctly resolved.  So you
> don't trust this time.  However, you need a reasonably trustworthy
> time to bootstrap DNSSEC.  (On the order of minutes).  Else DNSSEC
> validation can fail.
>   * If you're using the pools (and they resolve correctly), you're
> pretty much guaranteed that any two queries will produce a
> different set of servers.  So IP addresses will change.
>   * If you use a reasonable number of NTP servers and NTP (not SNTP)
> protocol, invalid timekeepers will be sorted out.  NTP is quite
> robust, and expects some variance - including some malicious
> actors.  The reasonably recent versions with pool support will
> discard bad timekeepers and keep drawing from the pool until
> consensus is attained.  And again if it's lost (e.g. some go bad
> due to system or network failures.)  To fool NTP, you need to
> provide a number of bad time sources, synchronized closely enough
> for NTP to accept them.  This is non-trivial.  Suppose someone
> puts in that effort and succeeds.  What happens?  DNSSEC is the
> least of your problems.  Other breakage will be more subtle.  Like
> filesystem times being inconsistent and breaking CMS and other
> applications.
>   * To prevent DNSSEC from working, time error has to be quite large. 
> All that's necessary is some approximation that's accurate within
> minutes.
>   * Pass 2 requires "trusted" NTP servers.  If you have that list, why
> not resolve those names without validation in the first place? 
> You could assume that a hostile actor knows which names you
> resolve, and assume that they will substitute bad timekeepers. 
> But if they can do that, they can do the same for the pools' names.
>   * What can bad time do to DNSSEC?  By rolling back, it could allow
> validation of an expired signature - but the attacker would have
> to be able to benefit from that.  Or it could prevent validation
> of a current signature (by making current time be outside the
> validity period).  Or it could prematurely force you to validate a
> published, but not yet active signature.  These amount to (at
> worst) denial of service. 
>
> None of this is news.  See
> https://tools.ietf.org/id/draft-mglt-dnsop-dnssec-validator-requirements-06.html#rfc.section.5
>
>
> The bottom line is that you want accurate time.  And if you have
> accurate time, DNSSEC will follow.  You also need to consider the
> threat profile that you face - including the downside risks and costs
> of a defense.
>
> Bootstrapping requires some reasonably accurate time source.  The
> easiest way to get there is with a locally trusted source.  You can
> add an RTC - again, here's one from Adafruit -
> https://www.adafruit.com/product/3386 about $5 (US).  [Same
> disclaimer.]  The RTCs (I haven't run this one) in general have poor
> accuracy(2) - but if resynchronized with NTP time once in a while,
> easily good enough to bootstrap DNSSEC.  The one I use (1) is good to
> less than 1PPM 

Re: DNS-Format-Eroor

2017-12-18 Thread Sten Carlsen
Hi

Don't forget that any traffic may be spam, also the reject messages if
they are directed towards the victim.

I think this is how it works here:

A large number of hosts send requests to your server for some domain.
All these requests have a fake sender IP, 212.76.76.18; this means that
all those reject messages come to that IP even though he never asked a
single question himself.

What you should do for the poor guy is to stop any reply going to that
address, probably easier to do in a firewall with a temporary rule.


On 18/12/2017 14:54, Mohammed Ejaz wrote:
>
>  
>
> Thank you for the detailed explanation, really appreciated.
>
> We have been asked by our National Cyber Security Center to investigate
> this, as they have detected massive malicious requests from our DNS
> servers, which are 212.119.64.2 and 212.119.64.3.
>
> The malicious domain is mumbai-m.site, which is linked to a dns-bot
> campaign; this campaign uses DNS tunneling for exchanging messages,
> transferring files and executing commands through the DNS protocol.
>
> Malicious IPs are
>
> 1.2.3.4
>
> 11.24.237.110
>
> 46.105.221.247
>
> But when I checked my name server logs, the request comes from a single
> IP, 212.76.76.18, which asked for this domain, and my server refused
> their request since this IP doesn't belong to us, as I have ACLs in
> place in named.conf.
>
> Now I am a bit confused: since the query gets rejected, how can our
> national cyber security center claim that there was massive malicious
> traffic from our DNS server to the internet world?
>
> Any explanations would be highly appreciated.  Thanks in advance.
>
> Ejaz
>
>  
>
>  
>
> -Original Message-
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf
> Of Mark Elkins
> Sent: Monday, December 18, 2017 1:58 PM
> To: bind-users@lists.isc.org
> Subject: Re: DNS-Format-Eroor
>
>  
>
> $ dig mumbai-m.site ns
>
>  
>
> ; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns ;; flags: qr rd ra; QUERY:
> 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
>
>  
>
> ;; QUESTION SECTION:
>
> ;mumbai-m.site.            IN    NS
>
>  
>
> ;; ANSWER SECTION:
>
> MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj.
>
>  
>
> I seemed to have cached only one nameserver - which does not make
> operational sense - neither does the name I've cached.
>
>  
>
> $ dig mumbai-m.site AAAA
>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
>
>  
>
> ;; QUESTION SECTION:
>
> ;mumbai-m.site.            IN    AAAA
>
>  
>
> ;; AUTHORITY SECTION:
>
> MUMBAI-M.SITE.        3473    IN    SOA    win-1ikkrphg9jj. hostmaster.
>
> 4 900 600 86400 3600
>
>  
>
> The zone looks like it's not set up properly; the admin has added dots
> where they should not have...
>
> The "win" and serial number of "4" suggest to me that this is a Windows
> machine, and as both nameservers are on the same IP, the administrator
> is in need of some DNS training.
>
> As for your errors, I'd guess you may run IPv6 but this person doesn't
> appear to, as asking for the Quad-A record returns the SOA (you got to
> the right place but there is no answer to your question).
>
> In summary - the administrator of MUMBAI-M.SITE has a broken zone
> configuration.
>
> Doing a "whois MUMBAI-M.SITE", it seems they are hiding behind
> "whoisguard.com" to remain anonymous - which suggests they have
> something to hide. I don't get the vibe that this domain is owned by a
> child or someone who needs protection from the evilness of the Internet...
>
>  
>
>  
>
> On 18/12/2017 11:26, Reindl Harald wrote:
>
> > On 18.12.2017 at 10:16, Mohammed Ejaz wrote:
> >> Hello,
> >>
> >> I have several entries as below in my name server logs. Would anyone
> >> please assist me in knowing the exact reason for this?
> >>
> >> Also, this IP 46.105.221.247 is not in my trusted list.
> >
> > no, but it's the auth-nameserver of that domain operated by another
> > fool which thinks the requirement for 2 nameservers is just for fun
> >
> > i guess you have an inbound mailserver using your nameserver which logs
> > the warning...
> >
> > [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE
> > Server: 127.0.0.1
> > Address:    127.0.0.1#53
> >
> > Non-authoritative answer:
> > Name:   MUMBAI-M.SITE
> > Address: 46.105.221.247
> >
> > [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE
> > Server: 127.0.0.1
> > Address:    127.0.0.1#53
> >
> > Non-authoritative answer:
> > Name:   NS1.MUMBAI-M.site
> > Address: 46.105.221.247
> >
> > [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE
> > Server: 127.0.0.1
> > Address:    127.0.0.1#53
> >
> > Non-authoritative answer:
> > Name:   NS2.MUMBAI-M.SITE
> > Address: 46.105.221.247
> >
> >> Dec 17 05:35:39 ns20 named[1530]: DNS format error from
> >> 46.105.221.247#53 

Re: Max slaves limit?

2017-12-18 Thread Barry Margolin
In article ,
 "Barry S. Finkel"  wrote:

> On Sun, 17 Dec 2017 22:06:58 +0530, vijay bommareddy 
> wrote:
> > Hello folks,
> > 
> > I'm trying to find more information on the practical limitations of adding
> > more slaves.
> > Can someone tell me, how many slaves does BIND technically
> > support? Is there a maximum limit per master server?
> > 
> > Thank you
> > Vijay
> 
> A minor point - if there are too many slaves, then the NS list might
> not fit into a UDP packet, causing TCP to be used.  I do not know
> how many NS records would be needed to exceed the UDP packet size;
> it would depend upon the length of the nodenames of the DNS servers.

That assumes all the slaves are named individually in NS records. You 
could be using anycast IPs so the same name refers to numerous different 
servers.

FYI the root zone has 13 NS records. The NS records themselves fit, but 
not all the associated A and AAAA records that go into the Additional 
section.

And if you're using DNSSEC, most responses don't fit in the traditional 
500 byte UDP packet, and EDNS0 buffer size is usually used rather than 
switching to TCP.

-- 
Barry Margolin
Arlington, MA
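An added example, not code from the thread, that puts numbers on the point Barry Finkel raised and Barry Margolin refined: it wire-encodes a question, the NS RRset, optional RRSIG and A/AAAA glue with RFC 1035 name compression, and reports how many servers named ns1..nsN under a zone fit in a 512-byte UDP answer. The zone example.com, the ns<N> names and the signature lengths are constructed inputs.

```python
"""Wire-size model for the question Barry raised: how many NS records (plus
glue) fit in a classic 512-byte UDP answer before the server sets TC and the
resolver retries over TCP. Added example; example.com and the ns<N> names
are constructed inputs, not data from the thread."""
import struct

UDP_LIMIT = 512   # pre-EDNS0 UDP payload limit (RFC 1035 4.2.1)
HEADER_LEN = 12   # DNS header
RR_FIXED = 10     # TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_RRSIG = 1, 2, 28, 46

def encode_name(name, offsets, pos):
    """Wire-encode `name` as it would appear at message offset `pos`.
    `offsets` remembers where each suffix was first emitted, so a repeated
    suffix collapses into a 2-byte compression pointer (RFC 1035 4.1.4)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    out = bytearray()
    for i in range(len(labels)):
        suffix = ".".join(labels[i:]) + "."
        if suffix in offsets:
            ptr = offsets[suffix]
            out += bytes([0xC0 | (ptr >> 8), ptr & 0xFF])
            return bytes(out)
        here = pos + len(out)
        if here < 0x4000:                 # pointers address only the first 16 KiB
            offsets[suffix] = here
        label = labels[i].encode("ascii")
        out += bytes([len(label)]) + label
    out += b"\x00"                        # root label ends an uncompressed name
    return bytes(out)

def _append_rr(msg, offsets, owner, rtype, rdata_fn):
    """Append one RR; rdata_fn receives the offset at which RDATA will start."""
    msg += encode_name(owner, offsets, len(msg))
    rdata = rdata_fn(len(msg) + RR_FIXED)
    msg += struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata

def ns_response_size(zone, nameservers, glue_v4=True, glue_v6=True, sig_len=0):
    """Bytes in a response carrying the zone's NS RRset, an optional RRSIG over
    it (sig_len = signature bytes, e.g. 64 for ECDSA P-256 or 256 for RSA-2048;
    0 = unsigned) and A/AAAA glue for every in-zone server."""
    offsets = {}
    msg = bytearray(HEADER_LEN)
    msg += encode_name(zone, offsets, len(msg)) + struct.pack("!HH", TYPE_NS, 1)
    for ns in nameservers:
        _append_rr(msg, offsets, zone, TYPE_NS,
                   lambda p, ns=ns: encode_name(ns, offsets, p))
    if sig_len:
        # RRSIG RDATA: 18 fixed bytes, signer name, signature (RFC 4034 3.1)
        _append_rr(msg, offsets, zone, TYPE_RRSIG,
                   lambda p: b"\x00" * 18 + encode_name(zone, offsets, p + 18)
                   + b"\x00" * sig_len)
    for ns in nameservers:
        if not (zone == "." or ns.endswith("." + zone)):
            continue                      # out-of-zone server: no glue here
        if glue_v4:
            _append_rr(msg, offsets, ns, TYPE_A, lambda p: b"\x00" * 4)
        if glue_v6:
            _append_rr(msg, offsets, ns, TYPE_AAAA, lambda p: b"\x00" * 16)
    return len(msg)

def max_ns_in_udp(zone, pattern="ns{}.", limit=UDP_LIMIT, **kw):
    """Largest N such that servers named pattern.format(1..N) + zone still fit
    in `limit` bytes; one more and the answer is truncated. Pass a larger
    `limit` (e.g. an EDNS0 buffer size) to see what EDNS0 buys you."""
    n = 0
    while True:
        servers = [pattern.format(i) + zone for i in range(1, n + 2)]
        if ns_response_size(zone, servers, **kw) > limit:
            return n
        n += 1

if __name__ == "__main__":
    for label, kw in [("A+AAAA glue", {}), ("A glue only", {"glue_v6": False}),
                      ("no glue", {"glue_v4": False, "glue_v6": False})]:
        print(f"{label}: {max_ns_in_udp('example.com.', **kw)} NS records fit in 512 bytes")
```

The model reproduces Barry Margolin's observation: thirteen root-style NS records fit, and so does their A glue, but adding AAAA glue pushes the answer past 512 bytes.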


Re: Max slaves limit?

2017-12-18 Thread Ben Croswell
That is a valid consideration but being a slave doesn't always mean being
in the NS records.

On Dec 18, 2017 9:47 AM, "Barry S. Finkel"  wrote:

> On Sun, 17 Dec 2017 22:06:58 +0530, vijay bommareddy 
> wrote:
>
>> Hello folks,
>>
>> I'm trying to find more information on the practical limitations of adding
>> more slaves.
>> Can someone tell me, how many slaves does BIND technically
>> support? Is there a maximum limit per master server?
>>
>> Thank you
>> Vijay
>>
>
> A minor point - if there are too many slaves, then the NS list might
> not fit into a UDP packet, causing TCP to be used.  I do not know
> how many NS records would be needed to exceed the UDP packet size;
> it would depend upon the length of the nodenames of the DNS servers.
>
> --Barry Finkel

Re: Max slaves limit?

2017-12-18 Thread Barry S. Finkel

On Sun, 17 Dec 2017 22:06:58 +0530, vijay bommareddy wrote:
> Hello folks,
>
> I'm trying to find more information on the practical limitations of adding
> more slaves.
> Can someone tell me, how many slaves does BIND technically
> support? Is there a maximum limit per master server?
>
> Thank you
> Vijay


A minor point - if there are too many slaves, then the NS list might
not fit into a UDP packet, causing TCP to be used.  I do not know
how many NS records would be needed to exceed the UDP packet size;
it would depend upon the length of the nodenames of the DNS servers.

--Barry Finkel


RE: DNS-Format-Eroor

2017-12-18 Thread Mohammed Ejaz
 

Thank you for the detailed explanation, really appreciated.

We have been asked by our National Cyber Security Center to investigate this, 
as they have detected massive malicious requests from our DNS servers, which are 
212.119.64.2 and 212.119.64.3.

The malicious domain is mumbai-m.site, which is linked to a dns-bot campaign; this 
campaign uses DNS tunneling for exchanging messages, transferring files and 
executing commands through the DNS protocol.

Malicious IPs are 

1.2.3.4 

11.24.237.110

46.105.221.247

But when I checked my name server logs, the request comes from a single IP, 
212.76.76.18, which asked for this domain, and my server refused their request 
since this IP doesn't belong to us, as I have ACLs in place in named.conf. 

Now I am a bit confused: since the query gets rejected, how can our national 
cyber security center claim that there was massive malicious traffic from 
our DNS server to the internet world? 

Any explanations would be highly appreciated.  Thanks in advance. 

Ejaz 

 

 

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark 
Elkins
Sent: Monday, December 18, 2017 1:58 PM
To: bind-users@lists.isc.org
Subject: Re: DNS-Format-Eroor

 

$ dig mumbai-m.site ns

; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    NS

;; ANSWER SECTION:
MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj.

I seemed to have cached only one nameserver - which does not make operational 
sense - neither does the name I've cached.

$ dig mumbai-m.site AAAA

;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    AAAA

;; AUTHORITY SECTION:
MUMBAI-M.SITE.        3473    IN    SOA    win-1ikkrphg9jj. hostmaster. 4 900 600 86400 3600

The zone looks like it's not set up properly; the admin has added dots where 
they should not have...

The "win" and serial number of "4" suggest to me that this is a Windows machine, 
and as both nameservers are on the same IP, the administrator is in need of some 
DNS training.

As for your errors, I'd guess you may run IPv6 but this person doesn't appear 
to, as asking for the Quad-A record returns the SOA (you got to the right place 
but there is no answer to your question).

In summary - the administrator of MUMBAI-M.SITE has a broken zone configuration.

Doing a "whois MUMBAI-M.SITE", it seems they are hiding behind "whoisguard.com" to 
remain anonymous - which suggests they have something to hide. I don't get the 
vibe that this domain is owned by a child or someone who needs protection from 
the evilness of the Internet...

 

 

On 18/12/2017 11:26, Reindl Harald wrote:

> On 18.12.2017 at 10:16, Mohammed Ejaz wrote:
>> Hello,
>>
>> I have several entries as below in my name server logs. Would anyone
>> please assist me in knowing the exact reason for this?
>>
>> Also, this IP 46.105.221.247 is not in my trusted list.
>
> no, but it's the auth-nameserver of that domain operated by another
> fool which thinks the requirement for 2 nameservers is just for fun
>
> i guess you have an inbound mailserver using your nameserver which logs
> the warning...
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   MUMBAI-M.SITE
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS1.MUMBAI-M.site
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS2.MUMBAI-M.SITE
> Address: 46.105.221.247
>
>> Dec 17 05:35:39 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no
>> answer
>>
>> Dec 17 05:35:40 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no
>> answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no
>> answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/AAAA: reply has no
>> answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/AAAA: reply has no
>> answer
>>
>> Dec 17 09:48:41 ns20 named[1530]: DNS 

Re: Re: DNSSEC validation without current time

2017-12-18 Thread Timothe Litt

On 18-Dec-17 01:07, Dave Warren wrote:
> On 2017-12-15 06:23, Petr Menšík wrote:
>>
>> On 15.12.2017 at 13:06, G.W. Haywood via bind-users wrote:
>>> Hi there,
>>>
>>> On Fri, 15 Dec 2017, Petr Menšík wrote:
>>>
>>>> ... current time is not available or can be inaccurate.
>>>
>>> ntpdate?
>>>
>> Sure, of course. What would be the default host after installation, that
>> can be used in a default installation image without manual configuration?
>> And how does it resolve that name, when the date of the system is
>> 1970-1-1 or something only a bit more accurate?
>>
>> Current pool.ntp.org addresses are unsigned now, so that would work
>> anyway. If I want spoof protection, what should I do?
>
> Do two passes. First: Use DNS without DNSSEC validation to obtain a
> list of NTP servers, and thereby determine the current time. Second:
> Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and
> verify the time.
>
> The second pass might detect the list of IPs has changed and bypass
> the second NTP pass as we now know the previous IPs were valid, but
> you must be prepared for DNS to return different IPs from a pool and
> to therefore re-verify the time -- We don't care if the IP list has
> changed, only that the time is valid.
>
> The only real challenge is to avoid letting anything else trust the
> time received in phase 1 until it has been validated by phase 2.
>

This proposal is involved, but doesn't seem to robustly solve the problem.

  * Pass 1 obtains "current time".  But you don't trust that the IP
addresses of the NTP servers were correctly resolved.  So you don't
trust this time.  However, you need a reasonably trustworthy time to
bootstrap DNSSEC.  (On the order of minutes).  Else DNSSEC
validation can fail.
  * If you're using the pools (and they resolve correctly), you're
pretty much guaranteed that any two queries will produce a different
set of servers.  So IP addresses will change.
  * If you use a reasonable number of NTP servers and NTP (not SNTP)
protocol, invalid timekeepers will be sorted out.  NTP is quite
robust, and expects some variance - including some malicious
actors.  The reasonably recent versions with pool support will
discard bad timekeepers and keep drawing from the pool until
consensus is attained.  And again if it's lost (e.g. some go bad due
to system or network failures.)  To fool NTP, you need to provide a
number of bad time sources, synchronized closely enough for NTP to
accept them.  This is non-trivial.  Suppose someone puts in that
effort and succeeds.  What happens?  DNSSEC is the least of your
problems.  Other breakage will be more subtle.  Like filesystem
times being inconsistent and breaking CMS and other applications.
  * To prevent DNSSEC from working, time error has to be quite large. 
All that's necessary is some approximation that's accurate within
minutes.
  * Pass 2 requires "trusted" NTP servers.  If you have that list, why
not resolve those names without validation in the first place?  You
could assume that a hostile actor knows which names you resolve, and
assume that they will substitute bad timekeepers.  But if they can
do that, they can do the same for the pools' names.
  * What can bad time do to DNSSEC?  By rolling back, it could allow
validation of an expired signature - but the attacker would have to
be able to benefit from that.  Or it could prevent validation of a
current signature (by making current time be outside the validity
period).  Or it could prematurely force you to validate a published,
but not yet active signature.  These amount to (at worst) denial of
service. 

None of this is news.  See
https://tools.ietf.org/id/draft-mglt-dnsop-dnssec-validator-requirements-06.html#rfc.section.5


The bottom line is that you want accurate time.  And if you have
accurate time, DNSSEC will follow.  You also need to consider the threat
profile that you face - including the downside risks and costs of a defense.

Bootstrapping requires some reasonably accurate time source.  The
easiest way to get there is with a locally trusted source.  You can add
an RTC - again, here's one from Adafruit -
https://www.adafruit.com/product/3386 about $5 (US).  [Same
disclaimer.]  The RTCs (I haven't run this one) in general have poor
accuracy(2) - but if resynchronized with NTP time once in a while,
easily good enough to bootstrap DNSSEC.  The one I use (1) is good to
less than 1PPM with the help of some drift compensation that I put into
the utility that manages the clock.  [It's a replacement for 'hwclock'
that drives this RTC.]  (This reduces the jump when NTP starts, and
helps keep logs straight.  If you don't care about that, just update the
RTC from NTP time every week or two - that's more than sufficient for
DNSSEC & NTP bootstrap.)

Alternatively, as previously discussed, if you need the best (non PTP)
time, add a GPS receiver, with pool 
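
The validity window Timothe Litt describes above, as an added example that is not part of the original post: it implements the RRSIG time check the way RFC 4034 specifies it (32-bit inception/expiration fields compared with RFC 1982 serial arithmetic) and classifies what a slow, fast, epoch-reset or rolled-back clock does to one signature. The 14-day signature window, the "true" time and the clock offsets are assumptions chosen for illustration, not values from the thread.

```python
"""What a wrong clock does to an RRSIG validity window (added example)."""
from datetime import datetime, timezone

MOD = 1 << 32     # RRSIG inception/expiration are 32-bit fields (RFC 4034 s3.1.5)
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a < b' on 32-bit values.

    Plain integer comparison would misjudge windows that straddle the
    2106 wrap of the 32-bit field; validators therefore use this form.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def rrsig_time_status(inception: int, expiration: int, now: int) -> str:
    """Classify the validator's clock against one RRSIG's validity window."""
    if serial_lt(now, inception):
        return "not-yet-valid"   # clock behind, or a pre-published signature
    if serial_lt(expiration, now):
        return "expired"         # clock ahead, or the signer stopped re-signing
    return "valid"


def clock_tolerance(inception: int, expiration: int, true_now: int) -> tuple:
    """Seconds the local clock may be (slow, fast) before this RRSIG fails."""
    return (true_now - inception) % MOD, (expiration - true_now) % MOD


def utc(year: int, month: int, day: int, hour: int = 0) -> int:
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp())


# Constructed signature: a 14-day window, as a weekly re-signing policy produces.
INCEPTION = utc(2017, 12, 11)
EXPIRATION = utc(2017, 12, 25)
TRUE_NOW = utc(2017, 12, 18, 12)
DAY = 86400


def demo() -> dict:
    """Outcomes for the clock states discussed in the thread."""
    return {
        "correct clock": rrsig_time_status(INCEPTION, EXPIRATION, TRUE_NOW),
        "clock 10 minutes fast": rrsig_time_status(INCEPTION, EXPIRATION, TRUE_NOW + 600),
        "clock at 1970-01-01": rrsig_time_status(INCEPTION, EXPIRATION, 0),
        "clock 30 days fast": rrsig_time_status(INCEPTION, EXPIRATION, TRUE_NOW + 30 * DAY),
        "clock 30 days slow": rrsig_time_status(INCEPTION, EXPIRATION, TRUE_NOW - 30 * DAY),
        # Rollback: on 2018-01-15 this RRSIG is long expired, but a clock pushed
        # back four weeks makes a replayed copy of it validate again.
        "rolled back after expiry": rrsig_time_status(
            INCEPTION, EXPIRATION, utc(2018, 1, 15) - 28 * DAY),
        "tolerance (slow, fast) seconds": clock_tolerance(INCEPTION, EXPIRATION, TRUE_NOW),
    }


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

The tolerance figure is the point: with a 14-day window the clock can be days out in either direction before validation fails, so a bootstrap time that is merely accurate to minutes is plenty; a box whose clock sits at the 1970 epoch fails every current signature as not-yet-valid, and a clock rolled back after expiry makes a stale signature pass, which is the replay case rather than a denial of service.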

Re: Daisy chaining slaves

2017-12-18 Thread Tony Finch
vijay bommareddy  wrote:
>
> I generally do multiple slaves to a set of masters. But I'm just wondering
> if daisy chaining slaves i.e slave to a slave to a slave to a master, a
> good practice in general? What are the pros and cons of it?

In my setup there are a couple of reasons for daisy-chaining secondaries.

I have a hidden primary master (well, firewalled rather than strictly
hidden, since it appears in my SOA MNAME field) that only allows xfers to
other servers I directly control.

I have a number of secondaries which xfer from my public authoritative
servers, so they have a two-stage daisy chain. Here, daisy chaining allows
me to implement a security boundary.

I also have a third-party anycast secondary service, which has a hidden
xfer distribution server, so the actual anycast nodes are at the end of a
three-stage daisy chain. Here, daisy chaining allows the details of an
anycast cloud to be hidden from the primary servers.

On a high traffic system you'll probably want to separate xfers from
normal authoritative service, to reduce the risk of performance gotchas.
This may lead you to a daisy-chained xfer topology similar to the anycast
case.

The consequence of daisy-chaining is that it inflates the SOA expire
interval. Zone expiry is a timer local to each secondary since its most
recent successful refresh, so (in my setup) if xfers start failing my
anycast secondary might not expire the zones for three weeks (3x my SOA
expire time).

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Northwest Fitzroy, West Sole: Westerly backing southerly 4 or 5, occasionally
6 in west. Moderate or rough. Occasional drizzle, fog patches. Moderate or
good, occasionally very poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
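
The expiry inflation Tony Finch describes, as an added example that is not his code: a small model of a daisy chain in which each tier polls its upstream's SOA every `refresh` seconds and restarts its own expire timer on every successful poll, whether or not the serial changed. The aligned polling, the one-hour refresh and the one-week expire are assumptions; with them the third tier keeps serving for about three weeks, matching the figure in the post.

```python
"""Zone expiry through a daisy chain of secondaries (added example)."""


def chain_expiry_times(depth: int, refresh: int, expire: int) -> list:
    """Seconds after the primary vanished at which each tier expires.

    Tier 1 refreshes from the primary, tier 2 from tier 1, and so on.
    Assumed model: polls happen at multiples of `refresh`, the poll at
    t = 0 still reached the primary, a successful SOA poll restarts the
    polling tier's own expire timer, and an expired tier stops answering
    (so the next tier's polls start failing only then).
    """
    times = []
    upstream_expires_at = 0
    for tier in range(1, depth + 1):
        if tier == 1:
            last_success = 0
        else:
            # last aligned poll strictly before the upstream tier expired
            last_success = ((upstream_expires_at - 1) // refresh) * refresh
        tier_expires_at = last_success + expire
        times.append(tier_expires_at)
        upstream_expires_at = tier_expires_at
    return times


def stale_serving_days(depth: int, refresh: int, expire: int) -> float:
    """How long the far end of the chain keeps serving data nobody can update."""
    return chain_expiry_times(depth, refresh, expire)[-1] / 86400


if __name__ == "__main__":
    WEEK, HOUR = 7 * 86400, 3600
    for d in (1, 2, 3):
        print(f"{d} tier(s): {stale_serving_days(d, HOUR, WEEK):.1f} days")
```

Each extra hop adds nearly a full expire interval, because the downstream tier's last successful poll lands just before its upstream goes dark. The expire value is carried in the SOA and is therefore the same at every tier, so the only levers are chain depth and the SOA expire itself.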


Re: Max slaves limit?

2017-12-18 Thread Tony Finch
Barry Margolin  wrote:
> vijay bommareddy  wrote:
> >
> > Can someone tell me, how many number of slaves does BIND technically
> > support? Is there a maximum limit per master server?
>
> Why would there be any limit? The master doesn't need to keep track of
> slaves, it just responds to queries from them.
>
> The zone transfer queries they make have a little more overhead than
> "normal" queries, but they don't happen very often (only when the zone
> changes). To avoid all slaves hammering the master at the same time,
> NOTIFY messages are staggered after a change is loaded.

Right.

If you think your server is having problems, look for xfer-out and
'sending notifies' in your logs. The options you can configure to control
xfer traffic include:

* `notify-rate`, `startup-notify-rate` (to limit how fast your server
solicits xfers)

* `transfers-out`, `transfers-per-ns` (to limit the number of TCP
clients that can be tied up with zone transfers)

* `tcp-clients` (overall budget, covering xfers, updates, and large
responses)

* `max-transfer-time-out`, `max-transfer-idle-out`, `tcp-initial-timeout`
(to limit problems with broken secondaries)

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire, South Utsire: Northwesterly, backing southerly, 5 or 6.
Moderate or rough. Occasional rain. Good, occasionally poor.


Re: DNS-Format-Eroor

2017-12-18 Thread Mark Elkins
$ dig mumbai-m.site ns

; <<>> DiG 9.11.1-P3 <<>> mumbai-m.site ns
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    NS

;; ANSWER SECTION:
MUMBAI-M.site.        3380    IN    NS    win-1ikkrphg9jj.

I seem to have cached only one nameserver - which does not make
operational sense - neither does the name I've cached.

$ dig mumbai-m.site 
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mumbai-m.site.            IN    

;; AUTHORITY SECTION:
MUMBAI-M.SITE.        3473    IN    SOA    win-1ikkrphg9jj. hostmaster.
4 900 600 86400 3600

The zone looks like it's not set up properly: the admin has added dots
where they should not have.

The "win" and serial number of "4" suggest to me that this is a Windows
machine, and as both nameservers are on the same IP, the administrator is
in need of some DNS training.

As for your errors, I'd guess you may run IPv6 but this person doesn't
appear to, as asking for the quad-A record returns the SOA (you got to
the right place, but there is no answer to your question).

In summary - the administrator of MUMBAI-M.SITE has a broken zone
configuration.

Doing a "whois MUMBAI-M.SITE", it seems they are hiding behind
"whoisguard.com" to remain anonymous, which suggests they have
something to hide. I don't get the vibe that this domain is owned by a
child or someone who needs protection from the evilness of the Internet...


On 18/12/2017 11:26, Reindl Harald wrote:
>
>
> On 18.12.2017 at 10:16, Mohammed Ejaz wrote:
>> Hello,
>>
>> I have several entries as below in my name server logs. Would anyone
>> please assist me in knowing the exact reason for this,
>>
>> Also, this IP 46.105.221.247 is not in my trusted list.
>
> no, but it's the auth-nameserver of that domain operated by another
> fool which thinks the requirement for 2 nameservers is just for fun
>
> i guess you have an inbound mailserver using your nameserver which logs
> the warning...
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   MUMBAI-M.SITE
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS1.MUMBAI-M.site
> Address: 46.105.221.247
>
> [harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE
> Server: 127.0.0.1
> Address:    127.0.0.1#53
>
> Non-authoritative answer:
> Name:   NS2.MUMBAI-M.SITE
> Address: 46.105.221.247
>
>> Dec 17 05:35:39 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 05:35:40 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:43:46 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:47:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:48:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:52:39 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns1.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:55:52 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolving ns2.mumbai-m.site/: reply has no answer
>>
>> Dec 17 09:58:41 ns20 named[1530]: DNS format error from
>> 46.105.221.247#53 resolv
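
The checks behind Mark Elkins' diagnosis, as an added example that is not code from the thread: given a zone's apex NS names, the addresses they resolve to and the SOA MNAME, it flags a single-label NS target (the stray trailing dot that turns `win-1ikkrphg9jj` into a would-be top-level name), a set of fewer than two NS records, NS names with no address, and a set of NS names that all sit on one IP. The first two sample inputs are built from the dig and nslookup output quoted in the thread; the healthy control case is constructed with RFC 5737 addresses. Live resolution is left to the caller.

```python
"""Sanity checks for a zone's NS set (added example)."""


def _labels(name: str) -> list:
    """Split a presentation-format name into its non-empty labels."""
    return [label for label in name.lower().split(".") if label]


def ns_problems(ns_names, ns_addresses, soa_mname=None) -> list:
    """Return human-readable findings for an apex NS set.

    ns_names     -- NS RDATA as listed at the apex, fully qualified
    ns_addresses -- {nameserver name: set of IPs it resolves to}
    soa_mname    -- SOA MNAME, if known
    """
    findings = []
    if len(ns_names) < 2:
        findings.append("fewer than two NS records")
    for ns in ns_names:
        if len(_labels(ns)) == 1:
            # A bare hostname written with a trailing dot in the zone file
            # becomes a top-level name instead of hostname.<zone>.
            findings.append(f"NS {ns} is a single label (stray trailing dot?)")
        if not ns_addresses.get(ns):
            findings.append(f"NS {ns} does not resolve to any address")
    if len(ns_names) >= 2:
        all_ips = set().union(*(ns_addresses.get(ns, set()) for ns in ns_names))
        if len(all_ips) == 1:
            findings.append("all NS names resolve to one IP (no redundancy)")
    if soa_mname is not None and len(_labels(soa_mname)) == 1:
        findings.append(f"SOA MNAME {soa_mname} is a single label")
    return findings


# Built from the dig output quoted in the thread: one NS, a bare label.
APEX_AS_CACHED = dict(
    ns_names=["win-1ikkrphg9jj."],
    ns_addresses={},                  # no address known for that bare label
    soa_mname="win-1ikkrphg9jj.",
)
# Built from the nslookup output quoted in the thread: ns1 and ns2 on one IP.
NS_HOSTS_AS_LOOKED_UP = dict(
    ns_names=["ns1.mumbai-m.site.", "ns2.mumbai-m.site."],
    ns_addresses={"ns1.mumbai-m.site.": {"46.105.221.247"},
                  "ns2.mumbai-m.site.": {"46.105.221.247"}},
)
# Constructed control case using RFC 5737 documentation addresses.
HEALTHY = dict(
    ns_names=["ns1.example.org.", "ns2.example.org."],
    ns_addresses={"ns1.example.org.": {"192.0.2.1"},
                  "ns2.example.org.": {"198.51.100.1"}},
    soa_mname="ns1.example.org.",
)

if __name__ == "__main__":
    for label, sample in (("apex", APEX_AS_CACHED),
                          ("ns hosts", NS_HOSTS_AS_LOOKED_UP),
                          ("healthy", HEALTHY)):
        print(label, ns_problems(**sample))
```

Two of these findings are exactly the operational failures seen in the thread: a resolver following the cached NS has no usable target at all, and a resolver following ns1/ns2 gets no redundancy because both names point at the same host.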

Re: DNS-Format-Eroor

2017-12-18 Thread Reindl Harald



On 18.12.2017 at 10:16, Mohammed Ejaz wrote:
> Hello,
> 
> I have several entries as below in my name server logs. Would anyone 
> please assist me in knowing the exact reason for this,
> 
> Also, this IP 46.105.221.247 is not in my trusted list.

no, but it's the auth-nameserver of that domain operated by another fool 
which thinks the requirement for 2 nameservers is just for fun

i guess you have an inbound mailserver using your nameserver which logs 
the warning...


[harry@srv-rhsoft:/mnt/data/downloads]$ nslookup MUMBAI-M.SITE
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   MUMBAI-M.SITE
Address: 46.105.221.247

[harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS1.MUMBAI-M.SITE
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   NS1.MUMBAI-M.site
Address: 46.105.221.247

[harry@srv-rhsoft:/mnt/data/downloads]$ nslookup NS2.MUMBAI-M.SITE
Server: 127.0.0.1
Address:127.0.0.1#53

Non-authoritative answer:
Name:   NS2.MUMBAI-M.SITE
Address: 46.105.221.247

> Dec 17 05:35:39 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns1.mumbai-m.site/: reply has no answer
> 
> Dec 17 05:35:40 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns2.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns1.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns2.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns1.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns2.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns2.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns1.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns2.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns1.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns1.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns2.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns2.mumbai-m.site/: reply has no answer
> 
> Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
> resolving ns1.mumbai-m.site/: reply has no answer
> 
> Thanks,
> 
> Mohammed Ejaz
> 
> Asst. Operation Director of Systems.
> 
> Cyberia SAUDI ARABIA
> 
> P.O.Box: 301079, Riyadh 11372
> 
> Phone:  (+966) 11 464 7114 Ext. 140
> 
> Mobile:  (+966) 562311787
> 
> Fax:  (+966) 11 465 4735
> 
> Website: http://www.cyberia.net.sa



DNS-Format-Eroor

2017-12-18 Thread Mohammed Ejaz
Hello, 

I have several entries as below in my name server logs. Would anyone
please assist me in knowing the exact reason for this,

Also, this IP 46.105.221.247 is not in my trusted list. 

Dec 17 05:35:39 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns1.mumbai-m.site/: reply has no answer

Dec 17 05:35:40 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns2.mumbai-m.site/: reply has no answer

Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns1.mumbai-m.site/: reply has no answer

Dec 17 09:43:46 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns2.mumbai-m.site/: reply has no answer

Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns1.mumbai-m.site/: reply has no answer

Dec 17 09:47:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns2.mumbai-m.site/: reply has no answer

Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns2.mumbai-m.site/: reply has no answer

Dec 17 09:48:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns1.mumbai-m.site/: reply has no answer

Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns2.mumbai-m.site/: reply has no answer

Dec 17 09:52:39 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns1.mumbai-m.site/: reply has no answer

Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns1.mumbai-m.site/: reply has no answer

Dec 17 09:55:52 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns2.mumbai-m.site/: reply has no answer

Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns2.mumbai-m.site/: reply has no answer

Dec 17 09:58:41 ns20 named[1530]: DNS format error from 46.105.221.247#53
resolving ns1.mumbai-m.site/: reply has no answer


Thanks,

Mohammed Ejaz

Asst. Operation Director of Systems.

Cyberia SAUDI ARABIA

P.O.Box: 301079, Riyadh 11372

Phone:  (+966) 11 464 7114 Ext. 140

Mobile:  (+966) 562311787

Fax:  (+966) 11 465 4735

Website: http://www.cyberia.net.sa
