Re: Question about URL being logged by resolver

2023-11-03 Thread Nick Tait via bind-users

Hi J.

I'm not sure what the cause of the URLs is, but I can confirm I'm seeing 
the same URLs in my own logs. The queries originate from multiple 
devices on my internal network - all Apple devices I think.


My advice: I wouldn't waste too much effort trying to solve this one, as 
it is almost certainly something that you will have no control over. 
E.g. It could be something bogus on a web page that these devices have 
all accessed?


Nick.


On 4/11/23 11:30, J Doe wrote:

Hello,

On a Bind 9.18.19 server configured as a recursive resolver, I 
sometimes see URLs being noted in the log files.


One such example is:

02-Nov-2023 23:32:19.435 lame-servers: info: success resolving 
'https://app-measurement.com/sdk-exp/A' after disabling qname 
minimization due to 'ncache nxdomain'


This seems unusual to me because Bind usually notes the domain name it 
is attempting to resolve, not a URL.  In this particular case, I 
would expect to see a notation about "app-measurement.com" and not 
"http://etc".


What is the significance of logging the URL and why does this happen 
in only some cases?


Thanks,

- J

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Tait via bind-users

Hi Nick.

Your current set-up sounds like a fairly common configuration. And 
depending on your requirements there are a number of options that you 
might consider.


But let's start with requirements: I've made some assumptions - please 
advise if I've got any of this wrong?:


 * You have two distinct sets of authoritative servers, which don't
   overlap in any way currently. E.g. Servers A (primary/master), B & C
   (secondaries/slaves) are authoritative for internal zone
   ("Bind-internal"); Servers C (primary), D & E (secondaries) are
   authoritative for external zone ("Bind-external").
 * The records in Bind-external are a subset of those in Bind-internal.
   In other words, for every resource record (not including SOA & NS
   records) in Bind-external, there is an identical record in
   Bind-internal.
 * Do you have another set of servers that act as recursive resolvers
   in your network currently, or do A, B and/or C fulfil that role
   currently? (I'm going to assume that A, B & C are used as recursive
   resolvers on your internal network for now. It probably doesn't make
   a huge difference either way but it is just an extra factor that
   needs to be taken into account.)
 * You are not using DNSSEC to sign your zones.
 * Your zone structure is more-or-less flat currently. i.e. You don't
   have any delegations to sub-zones.
 * Your primary reason for having separate authoritative servers is for
   privacy, rather than simply being a workaround for IPv4 Network
   Address Translation.

There are a few options worth considering, and I should point out that 
some of these won't fit your requirements, in which case you can 
immediately rule them out. But I believe it is important that the 
decision to rule them out is a conscious one, so you are fully aware of 
the scope/limitations of the solution you end up choosing.


*Option A: Keep using separate sets of authoritative servers*

What you have currently is not a bad configuration. Sure, there is 
additional overhead of having to maintain two separate versions of the 
zone, but it is easy to understand and troubleshoot. If your zones are 
small and are updated infrequently, then this is probably the best 
solution. However the fact you are looking for a better solution 
suggests this isn't the case...


*Option B: Merge the authoritative zones and use IPv6 exclusively for 
internal hosts*

I only included this because the idea had been put forward already. But 
even if the logistics of assigning public IPv6 addresses to your 
internal hosts was palatable to you, you'd also want to think about 
whether you are comfortable making that information (i.e. the IPv6 
addresses used for internal servers) publicly available? I think most 
organisations wouldn't want to do that?


*Option C: Merge servers but use views to serve separate (existing) zone 
files*


If your goal was consolidation of servers while keeping the existing 
internal and external zones separate, then this might be worth looking 
at. But you haven't mentioned consolidation as a requirement so I'm 
going to skip over this one. Also it doesn't solve the problem of having 
multiple zones to maintain.


*Option D: Simple delegation*

Depending on whether there is opportunity to do some zone refactoring, 
you might consider something like this...


 * In Bind-external, create a new zone: internal.example.com
 * Use permissions (e.g. allow-query) to limit access to
   internal.example.com to only internal clients
 * For each zone record in Bind-internal that doesn't exist in
   Bind-external, create a CNAME record in Bind-external that points to
   the same name in internal.example.com zone.
 * You can then get rid of Bind-internal zone. (The servers could still
   be used as recursive resolvers though.)

Then, if x.example.com was a name that was previously defined only in 
Bind-internal:


 * Internally if you attempt to resolve x.example.com, the result will
   be a CNAME that points to x.internal.example.com, which resolves to
   the 10.x.x.x IP address.
 * Externally if you attempt to resolve x.example.com, the result will
   be a CNAME that points to x.internal.example.com, which will result
   in some sort of access denied error.

One possible concern with this idea is that even though an external 
client can't retrieve the IP address of an internal server, the CNAME + 
access denied error tells them that the name does still exist.


*Option E: Split views and delegation*

If you liked the general idea of option D, but didn't like the bit where 
externally attempting to resolve internal host names resulted in an 
access denied error, then you could look at doing something with views. 
However this pretty much has the same problem that you started with, 
where you end up maintaining two versions of the example.com zone, so 
I'm not going to bother going deeper into this one.


*Option F: Response Policy Zones*

I saved this one until last because I think this is the most 

Question about URL being logged by resolver

2023-11-03 Thread J Doe

Hello,

On a Bind 9.18.19 server configured as a recursive resolver, I sometimes 
see URLs being noted in the log files.


One such example is:

02-Nov-2023 23:32:19.435 lame-servers: info: success resolving 
'https://app-measurement.com/sdk-exp/A' after disabling qname 
minimization due to 'ncache nxdomain'


This seems unusual to me because Bind usually notes the domain name it 
is attempting to resolve, not a URL.  In this particular case, I would 
expect to see a notation about "app-measurement.com" and not "http://etc".


What is the significance of logging the URL and why does this happen in 
only some cases?


Thanks,

- J


Question about Google domain with recursive resolver

2023-11-03 Thread J Doe

Hello,

I have a basic recursive resolver configuration with Bind 9.18.19 that 
acts as the resolver for some VPN roadwarrior clients (a mix of Apple 
iOS and macOS clients).


Periodically I will see the following in my logs:

02-Nov-2023 15:06:27.658 resolver: info: loop detected resolving 
'ns1.zdns.google/A'


As this is logged at "info" level, I presume it doesn't do any harm, but 
has anyone run into this with this particular Google domain? I have 
seen it over a number of weeks.


Thanks,

- J


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
Am 03.11.2023 um 20:12:59 Uhr schrieb Nick Howitt via bind-users:

> I have those lines, but if I remove them, then presumably I cannot
> have internal overrides anywhere, like a hosts file would or like
> dnsmasq would?

BIND doesn't care about /etc/hosts.
If you make it authoritative for a zone, it will look up what is
exactly in that zone file.
If it isn't authoritative, it will ask another DNS server (forwarders
or hierarchy from root servers) and won't check files on your system.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users



On 03/11/2023 20:07, Marco M. wrote:

Am 03.11.2023 um 19:54:32 Uhr schrieb Nick Howitt:


How do you mean remove the zone information?

In your /etc/bind are configuration files.
Look for named.conf* and find those that include zones:

zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" {
type master;
file "/etc/bind/db.f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa";
};

Those lines make it authoritative for that zone. If it isn't
authoritative for that zone, it will ask the forwarder (if
configured) or look it up from the root servers and go down the
hierarchy to the authoritative server (your external).


Which bits do I change and does this then leave me able to serve out
internal IPs for the FQDN's that require them?

No, if you need to serve different information than your "external"
server, you need a source for that information.

That is why I advocate against using split DNS and migration to IPv6 to
only have one address for that server.
I have those lines, but if I remove them, then presumably I cannot have 
internal overrides anywhere, like a hosts file would or like dnsmasq would?


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
Am 03.11.2023 um 19:54:32 Uhr schrieb Nick Howitt:

> How do you mean remove the zone information?

In your /etc/bind are configuration files.
Look for named.conf* and find those that include zones:

zone "f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa" {
type master;
file "/etc/bind/db.f.8.1.1.0.7.1.0.1.0.a.2.ip6.arpa";
};

Those lines make it authoritative for that zone. If it isn't
authoritative for that zone, it will ask the forwarder (if
configured) or look it up from the root servers and go down the
hierarchy to the authoritative server (your external).

> Which bits do I change and does this then leave me able to serve out
> internal IPs for the FQDN's that require them?

No, if you need to serve different information than your "external"
server, you need a source for that information.

That is why I advocate against using split DNS and migration to IPv6 to
only have one address for that server.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users

On 03/11/2023 19:30, Marco M. wrote:

Am 03.11.2023 um 19:18:49 Uhr schrieb Nick Howitt via bind-users:


Can the bind-internal not be made to caching only and not
authoritative? If so, how?

Of course it can, simply remove the zone configuration, but it will
then cache the records from the authoritative server (your
"external-bind").
How do you mean remove the zone information? Which bits do I change and 
does this then leave me able to serve out internal IPs for the FQDN's 
that require them?


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
Am 03.11.2023 um 19:18:49 Uhr schrieb Nick Howitt via bind-users:

> Can the bind-internal not be made to caching only and not 
> authoritative? If so, how?

Of course it can, simply remove the zone configuration, but it will
then cache the records from the authoritative server (your
"external-bind").


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
Am 03.11.2023 um 19:15:45 Uhr schrieb Nick Howitt via bind-users:

> You are preaching to the converted, but we have a huge mix of SLES
> 11, Ubuntu 16, 18, 20 and 22 machines + Windows Server 2016. Getting
> them all current is a long term project and it has to go through all
> sorts of customer authorisations. I am after a quick win with the
> Bind configs

Be aware that running EoL systems without security updates is a huge
security risk. Do you or your customers REALLY want that?

Second: Those operating systems support IPv6, so you can deploy it to
remove the necessity of internal and extern IPv4 split addressing.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
Unfortunately they are not separate subdomains. They are all part of the 
same domain. Can the bind-internal not be made to caching only and not 
authoritative? If so, how?


On 03/11/2023 19:01, Andrew Pavlin wrote:
Have you considered making your internal DNS servers unpublished 
secondaries for the external domain data? Just because the external 
primary DNS server is configured to allow an internal server to do 
domain transfers does not mean that internal server's identity has to be 
published in external domain NS records.


That way, only the external primary server authoritatively defines the 
external records, but the internal servers can authoritatively deliver 
those records as secondaries.


Of course, this only works if the internal and external data records are 
clearly separated in different subdomains or zones.


Andrew Pavlin

Powered by Cricket Wireless
Get Outlook for Android 

*From:* bind-users  on behalf of Nick 
Howitt via bind-users 

*Sent:* Friday, November 3, 2023 1:58:51 PM
*To:* bind-users@lists.isc.org 
*Subject:* Re: How should I configure internal and external DNS servers
On 03/11/2023 17:54, Marco M. wrote:

Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:


My problem is the use of external IP's duplicated between the
internal and external masters for some IPs/FQDNs which I want to get
rid of.

Implement IPv6 and get rid of the old IPv4 technology for internal
communication.

It is a big task, but after it is being done, many nasty stuff is gone
like NAT hairpinning or split-DNS.
Not remotely on the cards with 200+ servers and so on, I'm afraid. Some 
of the servers are too old, I think for IPv6 - SLES 11.


Really I am looking to see if it is possible to turn the internal DNS 
server, bind-internal, into a caching server and help with how to do it. 
Or not to do it if it is a bad idea.



Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users

On 03/11/2023 18:06, Marco M. wrote:

Am 03.11.2023 um 17:58:51 Uhr schrieb Nick Howitt via bind-users:


On 03/11/2023 17:54, Marco M. wrote:

Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:
  

My problem is the use of external IP's duplicated between the
internal and external masters for some IPs/FQDNs which I want to
get rid of.

Implement IPv6 and get rid of the old IPv4 technology for internal
communication.

It is a big task, but after it is being done, many nasty stuff is
gone like NAT hairpinning or split-DNS.

Not remotely on the cards with 200+ servers and so on, I'm afraid.

You have to start at some time, rest is a matter of time.


Some of the servers are too old, I think for IPv6 - SLES 11.

Already out of support. Such machines must not be connected to the
internet anymore because they are a security risk. Replace them with a
current operating system.
You are preaching to the converted, but we have a huge mix of SLES 11, 
Ubuntu 16, 18, 20 and 22 machines + Windows Server 2016. Getting them 
all current is a long term project and it has to go through all sorts of 
customer authorisations. I am after a quick win with the Bind configs



Re: How should I configure internal and external DNS servers

2023-11-03 Thread Andrew Pavlin
Have you considered making your internal DNS servers unpublished secondaries 
for the external domain data? Just because the external primary DNS server is 
configured to allow an internal server to do domain transfers does not mean 
that internal server's identity has to be published in external domain NS 
records.

That way, only the external primary server authoritatively defines the external 
records, but the internal servers can authoritatively deliver those records as 
secondaries.

Of course, this only works if the internal and external data records are 
clearly separated in different subdomains or zones.

Andrew Pavlin

Powered by Cricket Wireless
Get Outlook for Android

From: bind-users  on behalf of Nick Howitt 
via bind-users 
Sent: Friday, November 3, 2023 1:58:51 PM
To: bind-users@lists.isc.org 
Subject: Re: How should I configure internal and external DNS servers

On 03/11/2023 17:54, Marco M. wrote:


Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:



My problem is the use of external IP's duplicated between the
internal and external masters for some IPs/FQDNs which I want to get
rid of.



Implement IPv6 and get rid of the old IPv4 technology for internal
communication.

It is a big task, but after it is being done, many nasty stuff is gone
like NAT hairpinning or split-DNS.


Not remotely on the cards with 200+ servers and so on, I'm afraid. Some of the 
servers are too old, I think for IPv6 - SLES 11.

Really I am looking to see if it is possible to turn the internal DNS server, 
bind-internal, into a caching server and help with how to do it. Or not to do 
it if it is a bad idea.
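The unpublished (hidden) secondary arrangement Andrew Pavlin describes above, as an added example configuration written for this page (not files from the thread): the external primary permits TSIG-authenticated transfers to the internal servers and notifies them, but the zone's NS records never mention them; the internal servers load the external data as secondaries and keep the internal-only names in a separate zone, which is the condition Andrew states. The key name, the addresses, the file paths and the corp.example.com sub-zone are assumptions; the secret is a placeholder to be generated with `tsig-keygen`.

```conf
// ---- External primary (ns1.example.com, 203.0.113.10): /etc/named.conf ----

// Shared TSIG key; generate with: tsig-keygen xfer-key   (secret is a placeholder)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

zone "example.com" {
    type primary;
    file "/var/named/db.example.com";
    // transfers only with the key, whatever the source address
    allow-transfer { key "xfer-key"; };
    // 'explicit' stops BIND from notifying every NS in the zone; list the
    // public secondary and the hidden internal servers (assumed addresses) here
    notify explicit;
    also-notify {
        203.0.113.11;
        10.0.0.53 key "xfer-key";
        10.0.0.54 key "xfer-key";
    };
};

; ---- /var/named/db.example.com on the primary ----
; Only the public servers appear as NS; the internal servers are deliberately absent.
$ORIGIN example.com.
$TTL 3600
@    IN SOA ns1.example.com. hostmaster.example.com. ( 2023110301 3600 900 1209600 300 )
     IN NS  ns1.example.com.
     IN NS  ns2.example.com.
ns1  IN A   203.0.113.10
ns2  IN A   203.0.113.11
www  IN A   203.0.113.20

// ---- Internal server (10.0.0.53): /etc/named.conf ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<same secret as on the primary>";
};

options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 10.0.0.0/8; localhost; };   // internal clients only
};

// The public zone, loaded by AXFR/IXFR; internal clients get authoritative
// answers for it although this server is listed in no NS record
zone "example.com" {
    type secondary;
    primaries { 203.0.113.10 key "xfer-key"; };
    file "secondary/db.example.com";
    allow-transfer { none; };
};

// Internal-only names live in their own zone, maintained here
zone "corp.example.com" {
    type primary;
    file "db.corp.example.com";
    allow-query { 10.0.0.0/8; localhost; };
};
```

On the internal server, `rndc retransfer example.com` forces a first pull and the `xfer-in` log category shows whether the TSIG-signed transfer succeeded. Because corp.example.com is a separate zone served only here, the public zone file needs no delegation for it, so nothing about the internal names or servers leaks into the externally visible data.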


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
Am 03.11.2023 um 17:58:51 Uhr schrieb Nick Howitt via bind-users:

> On 03/11/2023 17:54, Marco M. wrote:
> > Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:
> >  
> >> My problem is the use of external IP's duplicated between the
> >> internal and external masters for some IPs/FQDNs which I want to
> >> get rid of.  
> > Implement IPv6 and get rid of the old IPv4 technology for internal
> > communication.
> >
> > It is a big task, but after it is being done, many nasty stuff is
> > gone like NAT hairpinning or split-DNS.  
> Not remotely on the cards with 200+ servers and so on, I'm afraid.

You have to start at some time, rest is a matter of time.

> Some of the servers are too old, I think for IPv6 - SLES 11.

Already out of support. Such machines must not be connected to the
internet anymore because they are a security risk. Replace them with a
current operating system.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users

On 03/11/2023 17:54, Marco M. wrote:

Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:


My problem is the use of external IP's duplicated between the
internal and external masters for some IPs/FQDNs which I want to get
rid of.

Implement IPv6 and get rid of the old IPv4 technology for internal
communication.

It is a big task, but after it is being done, many nasty stuff is gone
like NAT hairpinning or split-DNS.
Not remotely on the cards with 200+ servers and so on, I'm afraid. Some 
of the servers are too old, I think for IPv6 - SLES 11.


Really I am looking to see if it is possible to turn the internal DNS 
server, bind-internal, into a caching server and help with how to do it. 
Or not to do it if it is a bad idea.


Re: Help about DNS documentation

2023-11-03 Thread Fred Morris

On Fri, 3 Nov 2023, Amaury Van Pevenaeyge wrote:


 *   Would you have some articles and researches or others about DNS
   protocol, DNS protocol security or good research practices for DNS
   amplification attacks?


The "go to" book on my bookshelf for IP generally is Comer's 
_Internetworking with TCP/IP, Volume 1_.


--

Fred Morris


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
Am 03.11.2023 um 17:48:32 Uhr schrieb Nick Howitt via bind-users:

> My problem is the use of external IP's duplicated between the
> internal and external masters for some IPs/FQDNs which I want to get
> rid of.

Implement IPv6 and get rid of the old IPv4 technology for internal
communication.

It is a big task, but after it is being done, many nasty stuff is gone
like NAT hairpinning or split-DNS.


Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users

On 03/11/2023 17:17, Marco M. wrote:

Am 03.11.2023 um 15:51:32 Uhr schrieb Nick Howitt via bind-users:


As this site is externally accessible as well, we also have to put an
identical entry in bind-external so we end up having many identical
entries in bind-internal and bind-external.

It seems the people who set that up didn't understand the idea of a
master and slave server.
You have one master where changes are being made and optionally many
slaves that get their zone information from that one master.
Err, no. We have two masters, one for the internal machines to use and 
one for external machines to use. The internal master has at least three 
slaves and the external master has at least 2 slaves. They are all 
authoritative.


My problem is the use of external IP's duplicated between the internal 
and external masters for some IPs/FQDNs which I want to get rid of.


Re: Help about DNS documentation

2023-11-03 Thread Ondřej Surý

> On 3. 11. 2023, at 18:04, Fred Morris  wrote:
> 
> Your interpretation of what is occurring may be interfering with your 
> understanding of it.

This ^^^.

You should start with understanding the wider picture by studying how DNS works.

I would recommend starting here: 
https://labs.ripe.net/author/bert_hubert/introducing-tdns-the-teachable-authoritative-dns-server/

Once you actually grasp how the DNS protocol works, some answers will become 
obvious.

Ondřej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.



Re: How should I configure internal and external DNS servers

2023-11-03 Thread Marco M.
Am 03.11.2023 um 15:51:32 Uhr schrieb Nick Howitt via bind-users:

> As this site is externally accessible as well, we also have to put an
> identical entry in bind-external so we end up having many identical
> entries in bind-internal and bind-external.

It seems the people who set that up didn't understand the idea of a
master and slave server.
You have one master where changes are being made and optionally many
slaves that get their zone information from that one master.


Re: Help about DNS documentation

2023-11-03 Thread Marco M.
Am 03.11.2023 um 15:20:50 Uhr schrieb Amaury Van Pevenaeyge:

> Hello everyone,
> 
> I'm currently a final year Master's student at the Free University of
> Brussels. As part of my Master's thesis, I have to implement a DNS
> amplification scenario within a Cyber Range. However, before
> achieving this final goal, I first need to make amplification rate
> measurements within a virtual machine system. I therefore have a few
> questions about the DNS protocol and DNS servers.
> 
> 
>   *   Why do some DNS servers respond via TCP to an ANY query made
> under UDP?

As I told you, they simply can't do that. But the client (e.g. dig or
any other DNS client) can use TCP to query ANY. You can use a sniffer
like Wireshark to see what is really transferred.

> I have read in RFC8482 that modern DNS servers try to
> limit responses to ANY queries in order to limit the impact of their
> use in DNS amplification attack but I would like to learn more about
> the security measures/best practices currently in place for this type
> of query and for big TXT responses. Does anyone have any sources or
> other RFCs that might be useful?

The ANY record is, according to the RFC, mostly used for debugging
stuff, but not for productive stuff. Maybe disable replies to it and
check which services refuse to run anymore.

>   *   Would you have any advice/recommendations or sources on the
> legal Framework to be respected for my Master's thesis, so that I can
> carry out my various measures without being illegal or alerting
> certain entities?

Do the tests on your own network and spoof your own network's IP
addresses.


Re: Help about DNS documentation

2023-11-03 Thread Fred Morris
Hello. Your interpretation of what is occurring may be interfering with 
your understanding of it.


On Fri, 3 Nov 2023, Amaury Van Pevenaeyge wrote:


[...] As part of my Master's thesis, I have to implement a DNS 
amplification scenario within a Cyber Range. However, before achieving 
this final goal, I first need to make amplification rate measurements 
within a virtual machine system. I therefore have a few questions about 
the DNS protocol and DNS servers.


 *   Why do some DNS servers respond via TCP to an ANY query made under
   UDP? I have read in RFC8482 that modern DNS servers try to limit
   responses to ANY queries in order to limit the impact of their use in
   DNS amplification attack but I would like to learn more about the
   security measures/best practices currently in place for this type of
   query and for big TXT responses. Does anyone have any sources or
   other RFCs that might be useful?


It is impossible for a DNS server to respond via TCP to a UDP query at a 
networking level. In general there are two kinds of amplification, number 
of packets (velocity) and size of packets (volume).


It seems you understand that it is only possible to present a source 
address "on behalf of another" with UDP. This is incorrect. While TCP is a 
mitigation for blind trust in the source address of a packet, TCP SYN 
itself results in amplification (velocity) in the form of SYN/ACKs in the 
default tuning of most network stacks.


When a DNS response via UDP is unable to be accommodated within the size 
(volume) constraints dictated by path MTU two things can happen: 1) the 
UDP response can be fragmented, resulting in multiple packets to be 
reassembled; or 2) the server can indicate to the client to retry over TCP 
(TC=1).


TC=1 is also used as an at least partial mitigation for (spoofed) 
amplification traffic, as seen with response rate limiting.


The typical resolver doesn't retry over TCP at all if it doesn't 
receive a (UDP) response with TC=1, for instance if it doesn't receive any 
response at all.


So you have knobs in the zone data, the server, the networking stack 
and all of the intermediating routers to twiddle. You can throw "buffer bloat" 
in there too.



It's interesting that Dig automagically tries TCP first with ANY queries, 
since that is not the default behavior with e.g. A queries.


--

Fred Morris, internet plumber



Re: How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users
Hmm, I'll admit to only skim reading it but it seems quite complicated 
for what I was hoping for. It would be trivial if I could change the 
bind-internal machine to using dnsmasq (ugh!). Then the bind-internal 
machine would serve up anything it explicitly knew about to the internal 
clients, and anything that it didn't know about, it would automatically 
request from the internet, which would include the bind-external 
machine. Then, if I configured external IP's on bind-external only, they 
would still be returned by bind-internal to the machines using 
bind-internal as their resolver. I was hoping I could set something like 
recursion=true in bind-internal and recursion=false on bind-external, 
only in my configs for BIND 9.9.6-P1, it is not set at all so I am not 
sure how it is configured as authoritative.


Nick

On 2023-11-03 16:01, Andrew Latham wrote:

* That sounds like a sadly normal implementation but yes you can do
  better
* Views is a good place to look https://kb.isc.org/docs/aa-00851
* Make sure to investigate how the company VPN services handle DNS as
  it may surprise you

On Fri, Nov 3, 2023 at 9:52 AM Nick Howitt via bind-users wrote:


Hi,

I am fairly new to bind but I am thinking my company's use of it is
sub-optimal. We have two bind masters (and a few slaves), one for
internal use so all our internal servers point to it or its slaves as
their DNS resolvers. I will call the internal one bind-internal and the
external one bind-external.

Bind-internal is set up as authoritative for the domain example.com.
Bind-external is also set up as authoritative for example.com.

Bind-internal has all sorts of entries resolving in the 10.30, 10.40 and
other private ranges, but it also has entries resolving to our public
IP's e.g. demo.example.com resolves to 1.2.3.4 (terminated by an F5),
which is one of our public ips (munged). As this site is externally
accessible as well, we also have to put an identical entry in
bind-external so we end up having many identical entries in
bind-internal and bind-external. We also have some other domains covered
by bind-internal with external IPs, but externally they are covered by
the domain host's DNS and they have the same issue where in
bind-internal we have some public IP's which are also in the domain
host's DNS for external access.

I have a feeling this is a sub-optimal setup, having to maintain
external IPs in both bind-internal and bind-external. Does it make sense
to stop bind-internal from being authoritative and make it a
resolver/caching name server? This way, if it does not find an entry in
bind-internal it will then go out to either bind-external or the domain
host's DNS to get the answer from the authoritative servers and then
there is no need to maintain external IPs in bind internal.

TIA,

Nick


--

- Andrew "lathama" Latham -




How should I configure internal and external DNS servers

2023-11-03 Thread Nick Howitt via bind-users

Hi,

I am fairly new to bind but I am thinking my company's use of it is 
sub-optimal. We have two bind masters (and a few slaves), one for 
internal use so all our internal servers point to it or its slaves as 
their DNS resolvers. I will call the internal one bind-internal and the 
external one bind-external.


Bind-internal is set up as authoritative for the domain example.com.
Bind-external is also set up as authoritative for example.com.

Bind-internal has all sorts of entries resolving in the 10.30, 10.40 and 
other private ranges, but it also has entries resolving to our public 
IP's e.g. demo.example.com resolves to 1.2.3.4 (terminated by an F5), 
which is one of our public ips (munged). As this site is externally 
accessible as well, we also have to put an identical entry in 
bind-external so we end up having many identical entries in 
bind-internal and bind-external. We also have some other domains covered 
by bind-internal with external IPs, but externally they are covered by 
the domain host's DNS and they have the same issue where in 
bind-internal we have some public IP's which are also in the domain 
host's DNS for external access.


I have a feeling this is a sub-optimal setup, having to maintain 
external IPs in both bind-internal and bind-external. Does it make sense 
to stop bind-internal from being authoritative and make it a 
resolver/caching name server? This way, if it does not find an entry in 
bind-internal it will then go out to either bind-external or the domain 
host's DNS to get the answer from the authoritative servers and then 
there is no need to maintain external IPs in bind internal.


TIA,

Nick


Re: DNS NXDOMAIN flood

2023-11-03 Thread Björn Persson
Mosharaf Hossain wrote:
> Hello Folks
> I have come across a challenge with our BIND nameserver, specifically
> related to a "*DNS NXDOMAIN flood*" problem. Despite upgrading the BIND
> version from 9.10 to 9.18, the issue persists.
> 
> The attack originates from an external network, and it periodically
> saturates our entire internet bandwidth. While we've implemented various
> measures to combat the attack, it continues to be a significant problem,
> rendering our DNS server incapable of resolving queries during these
> onslaughts.
> 
> Current DNS server spec:
> OS Debian 12
> BIND: BIND 9.18.19-1~deb12u1-Debian (Extended Support Version) 
> 
> 
> *DNS NXDOMAIN flood Sample log:*
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7d2c1768
> 47.74.84.139#28827 (bearnote.primebank.com.bd): rate limit drop NXDOMAIN
> response to 47.74.84.0/24 for primebank.c>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce720cdd68
> 192.221.176.14#34882 (2014-06-24.pRiMEBANK.cOM.BD): rate limit drop
> NXDOMAIN response to 192.221.176.0/24 for prim>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce65cb9d68
> 74.125.187.132#53017 (HUbBY.PRimEBaNK.cOm.bD): rate limit drop NXDOMAIN
> response to 74.125.187.0/24 for primebank.>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce90fdb768
> 172.217.47.5#65160 (GEoVIsIOn.PrimeBAnk.COm.bD): rate limit drop NXDOMAIN
> response to 172.217.47.0/24 for primeban>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce99901b68
> 77.59.227.211#61265 (lanyware.primebank.com.bd): rate limit slip NXDOMAIN
> response to 77.59.227.0/24 for primebank>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce7ee5cd68
> 1.20.200.152#37953 (debianmeetingresume200809-kansai.primebank.com.bd):
> rate limit slip NXDOMAIN response to 1.20.>
> Nov 02 09:00:23 ns1.bol-online.com named[2202594]: client @0x7fce69846968
> 162.158.207.78#44948 (stacking.primebank.com.bd): rate limit drop NXDOMAIN
> response to 162.158.207.0/24 for primeb>

This looks like a DDOS attack on primebank.com.bd. It does not look
like a reflection attack on some other victim (and the log messages
indicate that rate limiting is in place to prevent amplification of
reflection attacks, so you seem to be good in that regard).

Of the seven client addresses in that sample, three belong to Google
and Cloudflare, who run well-known public resolvers (and the two
requests from Google have Google's signature mix of uppercase and
lowercase). One is an open resolver at a small company in Switzerland.
One seems to be a cloud datacenter in Australia. Two are assigned to
telecom companies in Thailand and the USA. A reflection attack wouldn't
attack all of those simultaneously.

My educated guess is that a botnet sends lots of requests to various
resolvers around the world, causing all of those resolvers to contact
the authoritative name servers for primebank.com.bd.

The attack seems designed to overload the processing capacity of the
authoritative name servers by requesting lots of nonexistent records.
An attack meant to saturate your bandwidth would usually just send big
packets full of nonsense. Either way the packets would need to be
dropped before they reach Bind, so the Bind configuration isn't the
right place to prevent this attack.

A beefy firewall might be able to detect the large number of NXDOMAIN
responses and drop requests from those source addresses before they
enter the saturated link – but that would also deny service to
legitimate clients using those same resolvers.

In general there's unfortunately little a victim of a DDOS attack can
do to stop the attack, other than hiding behind a DDOS mitigation
provider whose massive resources can absorb the onslaught. The only
real solution would be if the entire software industry would grow up
and stop shipping garbage that's easily hijacked and enrolled in
botnets.

Björn Persson
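A small triage helper, added here as an example and not code from any message in this thread: it parses RRL lines shaped like the excerpt quoted above, separates "drop" events from "slip" events (the TC=1 fallback Fred Morris describes in the "Help about DNS documentation" thread), and counts per-client-network events, distinct names and mixed-case names per zone. The sample lines, host name, process id, zone name and addresses are constructed.

```python
"""Triage helper for BIND response-rate-limiting (RRL) log lines.
Constructed example: the sample lines imitate the excerpt quoted in the
thread but use RFC 5737 addresses and the made-up zone example.com.bd."""
import re
from collections import Counter, defaultdict

# One RRL event: the client network limited, the name asked for, and whether
# named dropped the answer or "slipped" a truncated (TC=1) one instead.
RRL_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>[\d.]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rate limit (?P<action>drop|slip) "
    r"(?P<rtype>\S+) response to (?P<net>\S+) for (?P<zone>\S+)")

SAMPLE_LOG = """\
Nov 02 09:00:23 ns1 named[4242]: client @0x7f00000001 192.0.2.10#28827 (bearnote.example.com.bd): rate limit drop NXDOMAIN response to 192.0.2.0/24 for example.com.bd
Nov 02 09:00:23 ns1 named[4242]: client @0x7f00000002 198.51.100.14#34882 (2014-06-24.eXaMPle.cOM.BD): rate limit drop NXDOMAIN response to 198.51.100.0/24 for example.com.bd
Nov 02 09:00:23 ns1 named[4242]: client @0x7f00000003 198.51.100.132#53017 (HUbBY.ExAmPlE.cOm.bD): rate limit drop NXDOMAIN response to 198.51.100.0/24 for example.com.bd
Nov 02 09:00:24 ns1 named[4242]: client @0x7f00000004 203.0.113.211#61265 (lanyware.example.com.bd): rate limit slip NXDOMAIN response to 203.0.113.0/24 for example.com.bd
Nov 02 09:00:24 ns1 named[4242]: resolver priming query complete
"""

def parse_rrl_line(line):
    """Return the fields of one RRL event, or None for any other line."""
    m = RRL_RE.search(line)
    return m.groupdict() if m else None

def looks_case_randomized(qname):
    """True when a name mixes upper and lower case letters, the trace left by
    resolvers that randomise query-name case (0x20 encoding). A hint about
    the resolver, not proof of who is behind the queries."""
    letters = [c for c in qname if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)

def summarize_rrl(log_text):
    """Per client network: drops, slips, distinct names, mixed-case names.
    'drop' = nothing sent; 'slip' = a small TC=1 answer so a genuine resolver
    can retry over TCP while a spoofed source gets no amplification."""
    stats = defaultdict(lambda: {"drop": 0, "slip": 0, "names": set(), "mixed": 0})
    for line in log_text.splitlines():
        ev = parse_rrl_line(line)
        if ev is None:
            continue
        s = stats[ev["net"]]
        s[ev["action"]] += 1
        s["names"].add(ev["qname"].lower())   # case-fold so 0x20 variants merge
        s["mixed"] += looks_case_randomized(ev["qname"])
    return {net: {"drop": s["drop"], "slip": s["slip"],
                  "distinct_names": len(s["names"]), "mixed_case": s["mixed"]}
            for net, s in stats.items()}

def targeted_zones(log_text):
    """Count RRL events per zone: many networks hitting one zone with
    never-repeating names is the pattern discussed in the thread."""
    return Counter(ev["zone"] for ev in map(parse_rrl_line, log_text.splitlines()) if ev)

if __name__ == "__main__":
    for net, s in summarize_rrl(SAMPLE_LOG).items():
        print(net, s)
    print(targeted_zones(SAMPLE_LOG))
```

Fed the real log (e.g. `journalctl -u named | python3 rrl_triage.py` with a stdin loop added), the per-network view separates a few busy public resolvers from a spread of many networks, which is the distinction drawn in the reply above.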




Help about DNS documentation

2023-11-03 Thread Amaury Van Pevenaeyge
Hello everyone,

I'm currently a final year Master's student at the Free University of Brussels. 
As part of my Master's thesis, I have to implement a DNS amplification scenario 
within a Cyber Range. However, before achieving this final goal, I first need 
to make amplification rate measurements within a virtual machine system. I 
therefore have a few questions about the DNS protocol and DNS servers.


  * Why do some DNS servers respond via TCP to an ANY query made under UDP? I 
    have read in RFC8482 that modern DNS servers try to limit responses to ANY 
    queries in order to limit the impact of their use in DNS amplification attacks, 
    but I would like to learn more about the security measures/best practices 
    currently in place for this type of query and for big TXT responses. Does 
    anyone have any sources or other RFCs that might be useful?

  * Would you have any advice/recommendations or sources on the legal 
    framework to be respected for my Master's thesis, so that I can carry out my 
    various measures without being illegal or alerting certain entities?

  * Would you have some articles, research or other material about the DNS protocol, 
    DNS protocol security or good research practices for DNS amplification attacks?


Thank you in advance for your help. I remain at your disposal should you have 
any questions.


Re: Adaptation response ton ANY queries

2023-11-03 Thread avanpevenaeyge
Your solution works, thank you! I didn't know that the default behavior of the 
dig command with an ANY query is to respond with TCP.

 Original message 
From: Marco
Date: 3/11/23 12:23 (GMT+01:00)
To: avanpevenaeyge, bind-users@lists.isc.org
Subject: Re: Adaptation response ton ANY queries

On 03.11.2023 avanpevenaeyge wrote:

> Ok but what about the response to ANY queries on ubuntu 22.04? I
> tried to do some ANY queries from my client but the server always
> responds with TCP. Is it a security measure to prevent DNS
> amplification attack?

Please tell us how you do the lookup.
Try 
dig example.org +notcp to force a UDP lookup.


Re: Adaptation response ton ANY queries

2023-11-03 Thread Björn Persson
Marco wrote:
> Try 
> dig example.org +notcp to force a UDP lookup.

I find that I need to also use +ignore to prevent Dig from using TCP.
(That option has a very bad name.)

Björn Persson




Re: Adaptation response ton ANY queries

2023-11-03 Thread Marco
On 03.11.2023 avanpevenaeyge wrote:

> Ok but what about the response to ANY queries on ubuntu 22.04? I
> tried to do some ANY queries from my client but the server always
> responds with TCP. Is it a security measure to prevent DNS
> amplification attack?

Please tell us how you do the lookup.
Try 
dig example.org +notcp to force a UDP lookup.


Re: Adaptation response ton ANY queries

2023-11-03 Thread Marco
On 03.11.2023 avanpevenaeyge wrote:

> However, I know that BIND is designed to respond to ANY requests via
> TCP for security reasons. So my question is: how can I make my BIND9
> server respond to ANY queries via UDP and not TCP for the purposes of
> my thesis? Thank you in advance for your reply.

BIND replies to ANY in UDP too by default in Debian.
If the foreign client queries in UDP, the server can't reply in TCP.


Adaptation response ton ANY queries

2023-11-03 Thread avanpevenaeyge
Hello, I'm a student in the Master in Cybersecurity organized by the Free 
University of Brussels. As part of my Master's thesis, I have to implement a 
DNS amplification scenario within a Cyber Range. Before doing so, I need to 
measure the amplification rate for each DNS request. However, I know that BIND 
is designed to respond to ANY requests via TCP for security reasons. So my 
question is: how can I make my BIND9 server respond to ANY queries via UDP and 
not TCP for the purposes of my thesis?
Thank you in advance for your reply.