Re: no more recursive clients: quota reached
On Wed, Mar 24, 2010 at 05:08:01PM +, Chris Thompson c...@cam.ac.uk wrote a message of 46 lines which said:

> It is the length of the queue of all outstanding recursive queries. This depends not just on the RATE of queries coming in, but also the time it takes to resolve them. (If the queue fills up, BIND gives up on the ones that have been outstanding longest.)

Yes, and it is the Baofeng attack https://www.dns-oarc.net/files/workshop-200911/Ziqian_Liu.pdf

___ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Advertizing a new domain on my existing Authoritative DNS server
I'm running 9.6.1-P3 on RHEL4. Advertising example.com and now have been asked to advertise a new domain newexample.com (not a subdomain). What is the best way to go about this?

Thanks, k
Re: Advertizing a new domain on my existing Authoritative DNS server
Lear, Karen (Evolver) wrote:

> I'm running 9.6.1-P3 on RHEL4. Advertising example.com and now have been asked to advertise a new domain newexample.com (not a subdomain). What is the best way to go about this?

create new zone file
add zone entry to named.conf
rndc reconfig

(I assume that the new zone has already been delegated to your server).

AlanC
Re: no more recursive clients: quota reached
Typically you can increase the default without harm, e.g., double or x 10 if you have a recent-vintage server with typical memory and speed, but something might be causing the behavior that is impervious to such a change or that needs some other kind of attention.

Such a problem might solely stem from sheer load, but quite often stems from queries that are not receiving answers and are just sitting there until they time out. One of your clients might be making up names and trying them: many would receive negative responses but a percent would receive no response and sit. Or it could be that some specific locally-popular domain's nameservers are down or unreachable. Or it could be intermittent network problems. Or some kind of long-term routing/connectivity issue, e.g. the consequences of firewalling.

If there are short episodes with tons of these log entries, that hints at short problems with your Internet connection, or a specific app that is causing the issue when it runs. If your Internet connectivity goes away in such manner that packets disappear, then the number of outstanding recursive queries typically steadily rises until the quota is reached. If you look at the number of clients at random times and it is always substantial and/or close to the quota, it may be that increasing the quota is the right solution.

rndc lets you view the outstanding queries and see how long they've been waiting, which provides a lot of insight into what is happening.

John Wobus
Cornell IT
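John's last point can be made concrete. The quota in the log message is the recursive-clients option, and `rndc recursing` makes named write every query it is currently recursing on to the file named by the recursing-file option (named.recursing in named's working directory by default). The script below is an added example, not code from this thread or from ISC: it parses such a dump and splits the outstanding queries by client, by parent zone and by age, which is exactly the distinction between "sheer load" and "queries sitting there until they time out" that the post describes. The sample dump is constructed; the line layout it assumes (`; client IP#port: 'name/type/class' requesttime N`) approximates what BIND 9.6 writes, and the regex is deliberately loose about surrounding text. The `looks_random` heuristic, the 50% share threshold and the 10-second "stale" cut-off are my own choices and are parameters, not BIND behaviour.

```python
"""Triage an 'rndc recursing' dump: who is filling the recursive-clients quota, and why."""
import re
from collections import Counter

# Loose match for lines of the form (layout assumed from BIND 9.6 named.recursing):
#   ; client 192.0.2.10#53412: 'host.example.org/A/IN' requesttime 1269635430
LINE_RE = re.compile(
    r"client\s+(?P<ip>[0-9a-fA-F.:]+)#\d+.*?'(?P<qname>[^/']+)/(?P<qtype>[A-Z0-9]+)/[A-Z]+'"
    r".*?requesttime\s+(?P<t>\d+)")

def parse_recursing(text):
    """Return [(client_ip, qname, qtype, requesttime)] for every query line in the dump."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("qname").lower().rstrip("."),
                            m.group("qtype"), int(m.group("t"))))
    return entries

def parent_zone(qname, labels=2):
    """Crude 'which zone is this under' key: the last two labels of the name."""
    parts = qname.split(".")
    return ".".join(parts[-labels:]) if len(parts) >= labels else qname

def looks_random(label):
    """Heuristic for made-up names: a longish leftmost label mixing letters and digits."""
    return (len(label) >= 8 and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))

def triage(entries, now, share=0.5, stale_after=10):
    """Summarise the outstanding queries and flag the patterns worth chasing.

    share        fraction of the queue one client/zone/pattern must own to be flagged
    stale_after  seconds a query must have waited to count as 'just sitting there'
    """
    n = len(entries)
    by_client = Counter(ip for ip, _, _, _ in entries)
    by_zone = Counter(parent_zone(q) for _, q, _, _ in entries)
    ages = [now - t for *_, t in entries]
    stale = sum(1 for a in ages if a >= stale_after)
    random_names = sum(1 for _, q, _, _ in entries if looks_random(q.split(".")[0]))
    findings = []
    if n:
        ip, c = by_client.most_common(1)[0]
        if c / n >= share:
            findings.append(f"client {ip} owns {c}/{n} outstanding queries")
        zone, c = by_zone.most_common(1)[0]
        if c / n >= share:
            findings.append(f"zone {zone} owns {c}/{n} outstanding queries "
                            "(its nameservers may be down or unreachable)")
        if random_names / n >= share:
            findings.append(f"{random_names}/{n} names look made up")
        if stale / n >= share:
            findings.append(f"{stale}/{n} queries have waited >= {stale_after}s "
                            "(they are timing out, not just arriving fast)")
    return {"total": n, "by_client": by_client, "by_zone": by_zone, "stale": stale,
            "random_names": random_names, "max_age": max(ages, default=0),
            "findings": findings}

# Constructed sample dump: one client hammering random labels under one zone that is
# not answering, plus two ordinary queries that are only a second or two old.
SAMPLE_DUMP = """\
; Recursing queries (constructed sample; layout approximates named.recursing)
; client 192.168.0.5#53412: 'q7x2k9vm.example.org/A/IN' requesttime 1269635400
; client 192.168.0.5#53413: 'h3b8n1zt.example.org/A/IN' requesttime 1269635401
; client 192.168.0.5#53414: 'p9w4c6ly.example.org/A/IN' requesttime 1269635402
; client 192.168.0.5#53415: 'd2m7f5rq.example.org/A/IN' requesttime 1269635403
; client 192.168.0.5#53416: 'k8t1j3xe.example.org/A/IN' requesttime 1269635404
; client 192.168.0.5#53417: 'v4n6s2hb.example.org/AAAA/IN' requesttime 1269635405
; client 192.168.0.21#41002: 'www.isc.org/A/IN' requesttime 1269635429
; client 192.168.0.33#41911: 'lists.isc.org/MX/IN' requesttime 1269635430
"""
SAMPLE_NOW = 1269635431   # 'now' for the constructed sample, in epoch seconds

if __name__ == "__main__":
    report = triage(parse_recursing(SAMPLE_DUMP), SAMPLE_NOW)
    print(f"{report['total']} outstanding, oldest waiting {report['max_age']}s")
    for finding in report["findings"]:
        print(" -", finding)
```

On a live server, feed it the real file (`rndc recursing` then read named.recursing) with `now` taken from the system clock; if the "stale" and "made up" findings fire together, raising recursive-clients only buys time, and the client or the unreachable zone is what needs attention.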
Comprehension question to DDNS
Hi All, since about 1 year I got my DNS and DHCP to work but not DDNS. So I can only work with static IPs. Does my DHCP server request a DDNS update automatically when a client gets an IP from the DHCP server? Or: does the client ask the DHCP server for an IP and, after he got one, request a DDNS update by himself? If the second case is right, then how do I have to configure my Linux client? The DNS server system does not record any DDNS update request, so I think he will not be asked??? Help!!! :-)

Regards Markus
Re: Comprehension question to DDNS
I have a Debian lenny Server and Client in a small local Network :-)
Re: Comprehension question to DDNS
Here are some of the config files of my server:

/etc/dhcp3/dhcpd.conf http://nopaste.debianforum.de/34450
/etc/bind/named.conf http://nopaste.debianforum.de/34451
/etc/bind/named.conf.local http://nopaste.debianforum.de/34452
/etc/bind/named.conf.options http://nopaste.debianforum.de/34453
/etc/bind/db.feldland.lan http://nopaste.debianforum.de/34454
/etc/bind/db.192.168.0 http://nopaste.debianforum.de/34455
/var/lib/dhcp3/dhcp.leases http://nopaste.debianforum.de/34456
Re: Comprehension question to DDNS
In message hois3p$lc...@dough.gmane.org, Markus Feldmann writes:

> Hi All, since about 1 year I got my DNS and DHCP to work but not DDNS. So I can only work with static IPs. Does my DHCP server request a DDNS update automatically when a client gets an IP from the DHCP server? Or: does the client ask the DHCP server for an IP and, after he got one, request a DDNS update by himself?

You can do it either way or a mix. Which way you do it depends on if you are assigning names or not. If you want all the client machines to live in forward domains you choose then I would have the DHCP server update both the forward and reverse zones. If you let the client machines choose their own name then they should be updating their own forward zones and the DHCP server updates the reverse zone.

On the bind side you generate a TSIG key which you share with the DHCP server. You then add allow-update clauses to the appropriate zones to say that if named receives an update signed with that key that it should accept it. e.g.

    key dhcp-server-key {
        algorithm hmac-sha256;
        secret "...";
    };

    zone 1.168.192.in-addr.arpa {
        type master;
        ...
        allow-update { key dhcp-server-key; };
    };

If the clients are updating the forward zone themselves then you can distribute TSIG keys or use SIG(0) to allow them to update their own records. For this I would use the finer grain controls in update-policy. e.g.

    key foo.example.com {
        algorithm hmac-sha256;
        secret "...";
    };

    zone example.com {
        type master;
        ...
        update-policy { grant *.example.com self . A; };
    };

For the DHCP side see dhcp-us...@isc.org for how to configure dhcpd and dhclient to fit the various scenarios.

> If the second case is right, then how do I have to configure my Linux client? The DNS server system does not record any DDNS update request, so I think he will not be asked??? Help!!! :-)
>
> Regards Markus

-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
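To show what the key and allow-update stanzas above actually authenticate, here is an added example. It is my code, not Mark's, Markus's or ISC's, and not a replacement for nsupdate or dhcpd: it builds the RFC 2136 UPDATE message a DHCP server would send to add an A record, signs it with a TSIG RR using HMAC-SHA256 (RFC 2845), and then performs the server-side check named does on receipt: peel the TSIG RR off, look the key up by name, recompute the MAC over the message as it was before signing, compare in constant time, and reject when the time-signed is outside the fudge window. The zone and host names follow Markus's db.feldland.lan; the key secret, message ID, address and timestamp are constructed placeholders. Only uncompressed names are handled, which is all this message needs.

```python
"""RFC 2136 UPDATE signed with an RFC 2845 TSIG (hmac-sha256): sign as client, verify as server."""
import hashlib
import hmac
import struct

TSIG_TYPE, CLASS_ANY, TSIG_ALG = 250, 255, "hmac-sha256."

def encode_name(name):
    """Uncompressed wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def read_name(buf, off):
    """Inverse of encode_name (no compression pointers): (name with trailing dot, new offset)."""
    labels = []
    while buf[off]:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1

def build_update(zone, name, ttl, ipv4, msg_id):
    """UPDATE (opcode 5): zone section names the zone's SOA, update section adds one A record."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)      # ZO=1 PR=0 UP=1 AD=0
    zone_entry = encode_name(zone) + struct.pack("!HH", 6, 1)          # SOA, IN
    add_rr = (encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, 4)   # A, IN, ttl, rdlen
              + bytes(int(o) for o in ipv4.split(".")))
    return header + zone_entry + add_rr

def tsig_variables(key_name, time_signed, fudge, error=0):
    """TSIG 'variables' (RFC 2845 3.4.2) that are MACed right after the message itself."""
    return (encode_name(key_name.lower()) + struct.pack("!HI", CLASS_ANY, 0)
            + encode_name(TSIG_ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, 0))                              # other len = 0

def tsig_sign(msg, key_name, secret, time_signed, fudge=300):
    """Client side: MAC the message + variables, append the TSIG RR, bump ARCOUNT."""
    mac = hmac.new(secret, msg + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(TSIG_ALG)
             + struct.pack("!HIH", time_signed >> 32, time_signed & 0xFFFFFFFF, fudge)
             + struct.pack("!H", len(mac)) + mac
             + msg[:2] + struct.pack("!HH", 0, 0))   # original ID, error, other len
    tsig_rr = encode_name(key_name) + struct.pack("!HHIH", TSIG_TYPE, CLASS_ANY, 0,
                                                  len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def tsig_verify(signed, keyring, now):
    """Server side: (True, 'NOERROR') or (False, 'BADKEY' | 'BADSIG' | 'BADTIME' | reason)."""
    _id, _flags, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    if ad == 0:
        return False, "no TSIG present"
    off = 12
    for _ in range(zo):                         # zone entries: name + type + class
        off = read_name(signed, off)[1] + 4
    for _ in range(pr + up + ad - 1):           # every RR except the last one
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_start = off
    key_name, off = read_name(signed, off)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    off += 10
    if rtype != TSIG_TYPE or rclass != CLASS_ANY or off + rdlen != len(signed):
        return False, "last RR is not a TSIG"
    alg, off = read_name(signed, off)
    t_hi, t_lo, fudge, maclen = struct.unpack("!HIHH", signed[off:off + 10])
    mac = signed[off + 10:off + 10 + maclen]
    orig_id, error, _other = struct.unpack("!HHH", signed[off + 10 + maclen:off + 16 + maclen])
    time_signed = (t_hi << 32) | t_lo
    secret = keyring.get(key_name.lower())
    if secret is None or alg.lower() != TSIG_ALG:
        return False, "BADKEY"
    # The message as the signer MACed it: original ID, ARCOUNT - 1, TSIG RR removed.
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", ad - 1) + signed[12:tsig_start])
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, time_signed, fudge, error),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time compare
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"

# Constructed demo values: this is the secret the 'key dhcp-server-key' stanza would carry
# (base64-encoded there), used to add pc1.feldland.lan -> 192.168.0.50 (placeholder address).
DEMO_KEY, DEMO_SECRET, DEMO_TIME = "dhcp-server-key.", b"constructed-demo-secret-only", 1269635430

def demo():
    """(unsigned message, signed message) for the constructed update."""
    msg = build_update("feldland.lan.", "pc1.feldland.lan.", 3600, "192.168.0.50", 0x1234)
    return msg, tsig_sign(msg, DEMO_KEY, DEMO_SECRET, DEMO_TIME)

if __name__ == "__main__":
    msg, signed = demo()
    print("fresh, right key:", tsig_verify(signed, {DEMO_KEY: DEMO_SECRET}, DEMO_TIME + 5))
    print("an hour later:   ", tsig_verify(signed, {DEMO_KEY: DEMO_SECRET}, DEMO_TIME + 3600))
```

Two practical consequences fall out of the verify path: the key name travels in the clear and is how named selects the secret, so the name in the key stanza must match what the client sends exactly; and the fudge window is why a DHCP server with a drifting clock produces BADTIME refusals even though its key is right.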
Old record audit/cleanup
Other than enabling query logging and parsing the results, is there a way to find out which records are not being 'used'?
Re: what is a SPF (type 99) record and how do I implement?
On 24.03.10 13:26, Security Admin (NetSec) wrote:

> Correction. I found many sites which discuss what it is, but none that explicitly tell me how to implement in my hosts file.

in hosts? No way. hosts can only be used for translating hostnames to addresses and vice versa. They don't provide any other functionality.

> If the below implementation is correct, let me know.
>
> Mydomain.com 172800 IN TXT "v=spf1 mx -all"
> Mydomain.com 172800 IN SPF "v=spf1 mx -all"
> Mydomain.com 172800 IN MX 10 Mail.Mydomain.com
> Mail.Mydomain.com 172800 IN A vvv.xxx.yyy.zzz

you apparently need trailing dots, with them it's syntactically correct. If it's what you want/need is not the same...

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I drive way too fast to worry about cholesterol.
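Whether the record is "what you want" depends on what a receiving mail server does with it, so here is an added example of that evaluation (my code, not Matus's or the original poster's, and a toy rather than a full RFC 4408 implementation). It evaluates a `v=spf1` string against a constructed lookup table standing in for DNS. It handles the `mx`, `a`, `ip4:` and `all` mechanisms with their qualifiers, which is a little more than the `mx -all` record in the post, so you can see both why the MX host passes and why any other sending host, including the domain's own apex address, gets `fail`. The record set mirrors the one quoted above with documentation-range placeholder addresses; in practice `lookup` would be a real resolver query.

```python
"""Toy SPF evaluator: mx, a, ip4: and all mechanisms against an offline record set."""
import ipaddress

# Constructed stand-in for DNS: the records from the post, with placeholder addresses.
RECORDS = {
    ("mydomain.com.", "TXT"): ["v=spf1 mx -all"],
    ("mydomain.com.", "MX"):  [(10, "mail.mydomain.com.")],
    ("mydomain.com.", "A"):   ["192.0.2.10"],
    ("mail.mydomain.com.", "A"): ["192.0.2.25"],
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lookup(name, rtype, records=RECORDS):
    """Resolver stand-in; names are compared case-insensitively and carry a trailing dot."""
    return records.get((name.lower(), rtype), [])

def host_has_ip(host, ip, records):
    """Does any A record of host equal the sending address?"""
    return any(ipaddress.ip_address(a) == ip for a in lookup(host, "A", records))

def spf_check(domain, sender_ip, records=RECORDS):
    """Return pass/fail/softfail/neutral, 'none' without a record, 'permerror' if unusable."""
    spf = [r for r in lookup(domain, "TXT", records) if r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:                       # two v=spf1 records is an error, not a merge
        return "permerror"
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:        # mechanisms are tried left to right; first match wins
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = mech.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":
            matched = host_has_ip(arg or domain, ip, records)
        elif mech == "mx":
            matched = any(host_has_ip(host, ip, records)
                          for _pref, host in lookup(arg or domain, "MX", records))
        else:
            return "permerror"             # include:, exists:, macros etc. are out of scope here
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                       # ran off the end without an 'all'

if __name__ == "__main__":
    for ip in ("192.0.2.25", "192.0.2.10", "198.51.100.7"):
        print(ip, "->", spf_check("mydomain.com.", ip))
```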
Delegation - what needs to be there?
Delegating a zone to a server that has views. Internal view will allow any query. External view will only allow resolution of the MX record for that zone. The MX points to hosts in another zone (which is also publicly-accessible).

When I query from an address that matches the ACL for the external view, I get the MX records back OK, but no A record. Is that right? Would a client just go and try to resolve the name on its own? Or do I need to provide glue records in the delegated zone ... probably not, but thought I'd better ask.

Version: 9.3.6-P1-RedHat-9.3.6-4.P1.el5_4.2 if it matters.

Peter
-- Peter Laws / N5UWY National Weather Center / Network Operations Center University of Oklahoma Information Technology pl...@ou.edu --- Feedback? Contact my director, Craig Cochell, cra...@ou.edu. Thank you!
Re: Delegation - what needs to be there?
That is correct because you are only allowing MX to resolve instead of allowing the A records that MX points to also resolve.

On Fri, Mar 26, 2010 at 2:30 PM, Peter Laws pl...@ou.edu wrote:

> Delegating a zone to a server that has views. Internal view will allow any query. External view will only allow resolution of the MX record for that zone. The MX points to hosts in another zone (which is also publicly-accessible).
Re: Old record audit/cleanup
On 3/26/2010 4:05 PM, laura.l.l...@accenture.com wrote:

> Other than enabling query logging and parsing the results, is there a way to find out which records are not being 'used'?

Delete them and see if anyone screams.

- Kevin
Re: Delegation - what needs to be there?
In article mailman.960.1269635430.21153.bind-us...@lists.isc.org, Peter Laws pl...@ou.edu wrote:

> Delegating a zone to a server that has views. Internal view will allow any query. External view will only allow resolution of the MX record for that zone. The MX points to hosts in another zone (which is also publicly-accessible). When I query from an address that matches the ACL for the external view, I get the MX records back OK, but no A record.

Presumably because you don't allow recursion or query-cache for external clients.

> Is that right? Would a client just go and try to resolve the name on its own?

Of course.

> Or do I need to provide glue records in the delegated zone ... probably not, but thought I'd better ask.

The only time you're required to provide glue is when a subzone is delegated to a nameserver whose name is in the subzone, to prevent a chicken-and-egg problem.

-- Barry Margolin, bar...@alum.mit.edu Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***
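Barry's rule is mechanical enough to check before a delegation goes live. The function below is an added example (mine, not Barry's or Peter's), and it encodes exactly that rule: an NS target whose name lies inside the child zone cannot be looked up without first resolving the child zone, so the parent must publish its address as glue; an NS target outside the child zone needs none. It also reports glue published for out-of-bailiwick names, which bailiwick-checking resolvers ignore. Zone and host names in the sample are constructed, as are the addresses.

```python
"""Which NS names in a delegation need glue, and is it present? Barry's rule as a check."""

def canon(name):
    """Lowercase absolute form with a single trailing dot."""
    return name.lower().rstrip(".") + "."

def in_bailiwick(name, zone):
    """True if name is zone itself or any name below it."""
    name, zone = canon(name), canon(zone)
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)

def check_delegation(child_zone, ns_names, glue):
    """ns_names: NS targets the parent publishes for child_zone.
    glue: {hostname: [addresses]} the parent publishes alongside the NS records.
    Returns a dict of lists:
      ok        in-bailiwick NS names that have glue
      missing   in-bailiwick NS names without glue (the chicken-and-egg case)
      external  NS names outside the child zone, which need no glue
      stray     glue for names outside the child zone, which resolvers will not use
    """
    glue = {canon(h): addrs for h, addrs in glue.items()}
    report = {"ok": [], "missing": [], "external": [], "stray": []}
    for ns in map(canon, ns_names):
        if not in_bailiwick(ns, child_zone):
            report["external"].append(ns)
        elif glue.get(ns):
            report["ok"].append(ns)
        else:
            report["missing"].append(ns)
    report["stray"] = sorted(h for h in glue if not in_bailiwick(h, child_zone))
    return report

# Constructed sample delegation: two in-zone nameservers, one of them without glue,
# plus an outside nameserver that has been given glue it does not need.
SAMPLE_ZONE = "weather.example.edu."
SAMPLE_NS = ["ns1.weather.example.edu.", "NS2.Weather.Example.EDU", "dns.example.edu."]
SAMPLE_GLUE = {"ns1.weather.example.edu.": ["192.0.2.53"], "dns.example.edu.": ["192.0.2.1"]}

if __name__ == "__main__":
    for key, names in check_delegation(SAMPLE_ZONE, SAMPLE_NS, SAMPLE_GLUE).items():
        print(f"{key:9} {', '.join(names) or '-'}")
```

The `missing` list is the one that breaks resolution; run the check against what the parent actually serves (the NS and A records in the parent's referral), not against the child's own zone file, since that is where the glue has to live.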