query-source to all

2009-08-10 Thread Nelson Serafica
Is it possible to set query-source to all? I'm using AMAZON EC2 and I want to set up a DNS server. I just noticed it was 
bound to the private IP address. Since the public IP address is not on the OS (probably a NAT defined by AMAZON), I cannot 
connect to it, not even with telnet. When I do netstat:


tcp   0  0 10.252.178.180:53   0.0.0.0:*   LISTEN  28428/named
tcp   0  0 127.0.0.1:53        0.0.0.0:*   LISTEN  28428/named
tcp   0  0 127.0.0.1:953       0.0.0.0:*   LISTEN  28428/named
udp   0  0 10.252.178.180:53   0.0.0.0:*           28428/named
udp   0  0 127.0.0.1:53        0.0.0.0:*           28428/named

However, when I nmap the public IP, port 53 is not open. I have already opened port 53 TCP and UDP, but still to no 
avail. I put query-source all port *; in named.conf, but it still keeps listening on 10.252.178.180. My suspicion is that it 
keeps listening on 10.252.178.180 and that's why I cannot connect to it.


I'm using bind-9.5.0-P2.
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


RE: nsupdate and an external database

2009-08-10 Thread Simpson, John R
From the lack of response, I take it that there is no good way to have BIND 
trigger an external database update (or other action) when it receives a DDNS 
update.  At least not without significantly customizing BIND, similar to what 
Quadritec / Lucent / Alcatel-Lucent did with QIP.

Enhancing ProBIND to support BIND-SDB master servers while keeping traditional 
configuration files for the slaves looks feasible.  Would there be interest in 
the BIND community for a version of ProBIND with SDB support, or am I 
re-inventing the wheel?

There are a lot of dead and outdated links for BIND-SDB.  Is it viable for 
long-term use?

Thanks,

John

 From: Simpson, John R
 Sent: Tuesday, July 28, 2009 4:11 PM
 To: 'bind-users@lists.isc.org'
 Subject: nsupdate and an external database

 Greetings all,

 We have a number of BIND 9.3.4 servers that are managed by ProBIND.  We would 
 like to be able to use nsupdate to generate dynamic DNS updates, but, of course, 
 any DDNS updates would be lost the next time the zone was pushed since they 
 aren't reflected in ProBIND's MySQL database.

 Is there any standard way to have BIND notify an external function or program 
 that an update has occurred?

 For example, registering a callback function that would then make the 
 appropriate update to the ProBIND database?  That's not a perfect solution, 
 since there's still a chance for the zone and the external database to be out 
 of sync if the external database update doesn't exactly match the DNS update, 
 or if the serial numbers are mishandled.  But it seems like that would be a 
 better solution than trying to monitor zone/journal files for changes, or 
 parsing log files.

 I've looked at SDB, which would be attractive if ProBIND or an alternative 
 management system used SDB instead of their own schema, and I'm investigating 
 bind-dlz and NetReg.

 Is there a preferred way to handle this?

 Thank you for your time,

 John

John Simpson
Senior Software Engineer, I. T. Engineering and Operations


Internal whois server

2009-08-10 Thread Jonathan Petersson
Hi all,

This is probably somewhat of an un-legit way of using whois but I'm
curious as to whether it would be possible to install an internal
whois server that responds with the appropriate prefix-data upon
request for internal ip-numbers/domains while forwarding unknown
requests to external whois servers.

Has anyone done a similar implementation or know what kind of software
that could be used to obtain this?

Thanks

/Jonathan


forwarders question

2009-08-10 Thread Michael Monnerie
We have 2 sites at different locations now, with a DNS resolver on 
each site. Internet speed between those two different ISPs is very fast, 
and the hosts to resolve will be about the same because of similar 
services.

My idea is to use 
forward X; 
on site Y and 
forward Y;
on site X, but, as I couldn't find it in the documents, I believe this 
could lead to a resolver loop between X and Y and therefore even slower 
resolution. Or is BIND clever enough to only ask the other server once?

My tests seem to indicate it's working well, but maybe someone knows of 
any issues?

There are 2 reasons for this:
1) performance. Having the caches hot on both sides and with a high 
chance one cache knows entries the other can use, it should be quick.
2) reliability. Asking only internal servers which I can control is more 
secure than using any ISP's DNS. They start to do DNS mangling here 
in Austria also (instead of NXDOMAIN they deliver their web site's A record 
to point to their search engine).

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4





Re: A very basic question...

2009-08-10 Thread Kevin Darcy

E Johnson wrote:
From what I have read so far, I can see that this might be a very 
flame-worthy question, so please don't hurt me, I'm just a beginner...


I have read every howto that I can find on setting up a DNS server for 
a very small, 12 seats, network. The DNS server just needs to be 
authoritative for the internal network and then it should forward 
external requests to the outside world. Here is the question...


Most of the howtos say that I should setup a Root Zone so that I can 
access the Internet. Then a small few of the howtos say that I should 
use the forwarder option to be able to access the Internet and they 
say that the Root Zone should not be used because the Root DNS servers 
aren't meant for that.


So, which is the best/proper way to do this?

I'm assuming that all your clients have a need to resolve Internet 
names. (Note that this is not a *given*. If clients access the Internet 
through application-level proxies or gateways, then maybe only the 
proxies/gateways need to resolve Internet names, and normal internal 
clients do not.)


So, the big question is: does your nameserver have direct access to the 
Internet DNS?


If not, then you don't really have the option of setting up a root 
zone. You have to forward, and given that you're doing that, your 
nameserver would resolve anything it needs in the root zone via 
forwarding. Hence, no need for an explicit root-zone definition.


If you do have direct access to the Internet DNS, then you have other 
alternatives and maybe you should re-examine your assumption that ... 
it should forward external requests to the outside world. Maybe you 
don't need to forward at all. You could explicitly configure a hints 
file, or use the one which is already compiled into the named binary.


- Kevin



Re: query-source to all

2009-08-10 Thread Nelson Serafica

Problem solved. It was misconfigured on the AMAZON EC2. I have no access to it 
so I have to wait for the manager.


Nelson

Cathy Almond wrote:

Nelson Serafica wrote:

Is it possible to set query-source to all? I'm using AMAZON EC2 and I
want to setup a DNS Server. I just notice it was bind to private ip
address. Since the public ip address was not on the OS ( probably a NAT
define by AMAZON), I cannot connect to it even just a telnet. When I do



does allow-transfer have cache

2009-08-10 Thread Nelson Serafica
Currently I have a primary (ns1) and a secondary (ns2) DNS on the same network. I'm now doing redundancy and planning to put 
the secondary at another ISP. I have now set up the new secondary DNS on the other network.


I changed allow-transfer { 1.2.3.4; localhost; }; to allow-transfer { 5.6.7.8; localhost; }; in the named.conf of 
ns1, assuming 1.2.3.4 is ns2's old IP and 5.6.7.8 is ns2's new IP on the other network.


However, ns1 still keeps on transferring to 1.2.3.4, but I can see it was denied since I have already changed it to 
5.6.7.8. I did rndc reload and /etc/init.d/named restart.


My question is: does allow-transfer have a cache, which is why named keeps on transferring to 1.2.3.4 and not to 
5.6.7.8?



Re: forwarders question

2009-08-10 Thread Mark Andrews

In message 4a808228.2080...@dougbarton.us, Doug Barton writes:
 Michael Monnerie wrote:
  We are having 2 sites at different locations now with a DNS resolver on 
  each site. Internet speed between those two different ISPs is very fast, 
  and the hosts to resolve will be about the same because of similar 
  services.
  
  My idea is to use 
  forward X; 
  on site Y and 
  forward Y;
  on site X, but, as I couldn't find it in the documents, I believe this 
  could lead to a resolver loop between X and Y and therefore even slower 
  resolution. Or is BIND clever enough to only ask the other server once?
 
 If you're getting a response for a name that neither server is
 authoritative for, you have your answer. tcpdump could give you more
 information if you want to pursue it further.
 
  There are 2 reasons for this:
  1) performance. Having the caches hot on both sides and with a high 
  chance one caches knows entries the other can use, it should be quick.
 
 Unless you are turning off your name servers when everyone goes home
 at night I would like to suggest that you're not really gaining
 anything by doing this. There are two possible scenarios:
 
 1. Usage patterns are different at your 2 sites.
   In that case you gain nothing by doing what you're doing.
 2. Usage patterns are similar at your 2 sites.
   In that case IF the link between your 2 sites is dramatically
   faster than the link between your name servers and the outside
   world then you will gain a small amount of performance after
   the name servers are first booted. After a few hours of normal
   use (in other words, the cache is built up on both sides) it
   is likely that you are not gaining anything.
 
 In the event that the link between sites suffers some sort of
 performance problem you are definitely going to be pessimizing your
 DNS with this configuration.
 
 In short, there are a lot of scenarios when you are going to be doing
 worse, and a very few scenarios when you are doing better, and then
 only for a short period of time. I would therefore suggest that the
 configuration you are suggesting is a lot of added complexity for no
 measurable benefit.
 
  2) reliability. Asking only internal servers which I can control is more 
  secure than using any ISPs DNS. They start to do the DNS mangling here 
  in Austria also (instead NXDOMAIN they deliver their web sites A record 
  to point to their search engine).
 
 While I agree that local resolvers are a good idea, this has nothing
 to do with your forwarder configuration.
 
 
 hope this helps,
 
 Doug

Agreed.

The forwarding concept was developed when 48k external links
were *FAST* links and having everyone on a campus use one
or two machines as a super cache provided some real benefit.

It still provides some benefit if you are dialing up over
the PSTN.  However if you are using Cable/DSL or similar
technologies there is little benefit and huge negative
consequences in the case of the forwarder being down.

Cross connecting caches is not part of the design strategy
and will not work well.  It would take code changes to make
it work well.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


cache poisoning

2009-08-10 Thread Nelson Serafica
Last year, there was a global threat about cache poisoning, so I updated my bind immediately. I updated it to BIND 
9.5.0-P1 and did nothing to its named.conf.


Now, I'm setting up a secondary DNS (in my previous emails) and I used BIND 9.6.1-P1. But when I do dig +short @NS2 IP 
porttest.dns-oarc.net txt, it is poor, but when I do it on my ns1, it is great. ns2 is running the latest bind. I believe 
the fix for this is just updating named to its new version. How come I'm still getting poor when I'm running the new 
version of bind?






Re: cache poisoning

2009-08-10 Thread Mark Andrews

In message 4a80e783.4090...@gmail.com, Nelson Serafica writes:
 Last year, there was a global threat about cache poisoning so I updated
 immediately my bind. I update it to BIND 9.5.0-P1 and did nothing to its
 named.conf

You should have at least checked the query-source clauses
to ensure that there wasn't a port specified.
 
query-source * port 53; // bad
query-source 10.53.0.1; // ok
query-source *; // ok (default)

query-source-v6 * port 53;  // bad
query-source-v6 10.53.0.1;  // ok
query-source-v6 *;  // ok (default)

 Now, I'm setting up a secondary dns (in my previous emails) and I used BIND
 9.6.1-P1. But when I do dig +short @NS2 IP porttest.dns-oarc.net txt, it is
 poor but when I do it on my ns1, it is great. ns2 is running the latest
 bind. I believe the fix for this is just update named to its new version.
 How come I'm still having poor when I'm running the new version of bind.

If the query-source is ok then NAT's and firewalls can
change the port as seen on the outside.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
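As an added example that is not part of the thread and is not BIND code: the script below does the two checks Mark's reply implies. It scans a named.conf-style text for query-source / query-source-v6 statements that pin the source port (his "bad" lines) and, for the NAT-and-firewall case, rates a sample of the source ports actually seen leaving the resolver. The query-source grammar handled is only the subset shown in the reply (optional address keyword, an address or *, optional port N or *), the POOR/GOOD/GREAT thresholds are a simplified heuristic of this example and not the porttest.dns-oarc.net scoring, and the configuration fragment and port samples are constructed for the example.

```python
"""Spot fixed query-source ports in named.conf and rate observed source ports.

Added example, not code from BIND or from the bind-users thread. The
query-source grammar handled here is the subset shown in the reply
(optional 'address', an address or '*', optional 'port N|*'); the rating
thresholds are a simplified heuristic, not the porttest.dns-oarc.net scoring.
"""
import math
import re
from typing import List, Tuple

# query-source [address] (ip|*) [port (N|*)];  -- and the -v6 form.
QS_RE = re.compile(
    r"\b(?P<stmt>query-source(?:-v6)?)"
    r"(?:\s+address)?"
    r"(?:\s+(?P<addr>\*|[0-9A-Fa-f.:]+))?"
    r"(?:\s+port\s+(?P<port>\*|\d+))?"
    r"\s*;"
)


def strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def check_query_source(conf: str) -> List[Tuple[str, str, str, str]]:
    """Return (statement, address, port, verdict) for each query-source clause.

    A numeric port is 'bad': every outgoing query then leaves from that one
    port, so an off-path attacker only has to guess the 16-bit query ID.
    '*' or no port clause is 'ok': named picks a random port per query.
    """
    findings = []
    for m in QS_RE.finditer(strip_comments(conf)):
        port = m.group("port") or "*"
        verdict = "bad" if port != "*" else "ok"
        findings.append((m.group("stmt"), m.group("addr") or "*", port, verdict))
    return findings


def rate_source_ports(ports: List[int]) -> str:
    """Rough POOR/GOOD/GREAT rating of the source ports seen for a resolver.

    Heuristic (an assumption of this example): a single port is POOR, a narrow
    spread such as a NAT handing out sequential ports is POOR, and a wide,
    mostly unique spread over the ephemeral range is GREAT.
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    distinct = len(set(ports))
    if distinct == 1:
        return "POOR"
    mean = sum(ports) / len(ports)
    sd = math.sqrt(sum((p - mean) ** 2 for p in ports) / len(ports))
    if distinct / len(ports) >= 0.9 and sd >= 8000:
        return "GREAT"
    if sd >= 1000:
        return "GOOD"
    return "POOR"


# Constructed configuration fragment for the example (not a real server's).
SAMPLE_CONF = """
options {
    directory "/var/named";
    query-source * port 53;                 // bad: pins the source port
    query-source-v6 address 2001:db8::53;   /* ok: no port clause */
};
"""

# Constructed port samples: what a capture of 20 outgoing queries might show.
FIXED_PORTS = [53] * 20                                # query-source ... port 53
NAT_SEQUENTIAL_PORTS = list(range(1024, 1044))         # NAT rewriting ports in order
RANDOMIZED_PORTS = [1024 + (i * 40507) % 64512 for i in range(20)]  # spread, all distinct


if __name__ == "__main__":
    for stmt, addr, port, verdict in check_query_source(SAMPLE_CONF):
        print(f"{stmt} address {addr} port {port}: {verdict}")
    for name, sample in (("fixed", FIXED_PORTS),
                         ("nat-sequential", NAT_SEQUENTIAL_PORTS),
                         ("randomized", RANDOMIZED_PORTS)):
        print(f"{name}: {rate_source_ports(sample)}")
```

The second half is the check that matters once the configuration is clean: take the source ports from a packet capture on the outside of the NAT or firewall, not on the resolver, since that is where a device can collapse named's randomized ports back into a fixed or sequential range.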


Re: cache poisoning

2009-08-10 Thread Nelson Serafica

Thanks Mark! It works. I changed my query source to one of the entries below and 
it works.

Mark Andrews wrote:

query-source * port 53; // bad
query-source 10.53.0.1; // ok
query-source *; // ok (default)

query-source-v6 * port 53;  // bad
query-source-v6 10.53.0.1;  // ok
query-source-v6 *;  // ok (default)





Re: cache poisoning

2009-08-10 Thread Bill Larson

On Aug 10, 2009, at 10:06 PM, Nelson Serafica wrote:

Thanks Mark! it works. I change my query source to one of the entry  
below and it works.


Maybe a strange question.  Why did you have a query source statement  
in your configuration in the first place?


Bill Larson


Mark Andrews wrote:

query-source * port 53; // bad
query-source 10.53.0.1; // ok
query-source *; // ok (default)
query-source-v6 * port 53;  // bad
query-source-v6 10.53.0.1;  // ok
query-source-v6 *;  // ok (default)




Re: cache poisoning

2009-08-10 Thread Nelson Serafica

I need to set bind to listen on all addresses. I'm using AMAZON EC2.


Maybe a strange question.  Why did you have a query source statement in 
your configuration in the first place?

