Re: Hijacked or Wrong Configuration?

2010-08-03 Thread Mark Andrews

In message , 
bill.li...@kp.org writes:
> 
> I host a re-direct for the local soccer organization
> 
> The "real" owner (non-technical) let the domain lapse, and I recommended 
> the registrar I use (that automatically provides secondary DNS services) - 
> but they didn't use them.
> 
> Now they can NOT get to the site - am I configured wrong?   -- or -- did 
> the domain get hijacked in the interim?
> 
> 
> Site:  hysl.org
> 
> DNS:  dns1.light-family.com
> 
> IP:  66.124.156.123
> 
> And of course - they are still trying to sign people up as I type...  I 
> have made the IP's default to be the hysl.org re-direct and temporarily 
> "destroyed" my own domains...Any suggestions?

hysl.org is NOT published in the org zone.  Given the dates in whois
I would contact the registrar and ask them to fix this.

Mark

; <<>> DiG 9.3.6-P1 <<>> hysl.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 56300
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;hysl.org.  IN  A

;; AUTHORITY SECTION:
org.                    765     IN      SOA     a0.org.afilias-nst.info. noc.afilias-nst.info. 2009253046 1800 900 604800 86400

;; Query time: 8 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Aug  4 11:43:27 2010
;; MSG SIZE  rcvd: 89



Domain ID:D1703600-LROR
Domain Name:HYSL.ORG
Created On:16-Jul-1998 04:00:00 UTC
Last Updated On:16-Jul-2010 02:20:09 UTC
Expiration Date:15-Jul-2011 04:00:00 UTC
Sponsoring Registrar:Gandi SAS (R42-LROR)
Status:CLIENT HOLD
Status:CLIENT TRANSFER PROHIBITED
Status:AUTORENEWPERIOD
Registrant ID:0-614251-Gandi
Registrant Name:Hayward Youth Soccer League
Registrant Organization:Hayward Youth Soccer League
Registrant Street1:740 City Walk Place #2
Registrant Street2:
Registrant Street3:
Registrant City:Hayward
Registrant State/Province:CA
Registrant Postal Code:94541
Registrant Country:US
Registrant Phone:+1.5105896858
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:b289396c6e286fe994be7135beadb0e7-420...@contact.gandi.net
Admin ID:MS1270-GANDI
Admin Name:Michael Silverman
Admin Street1:27150 Greenhaven Road
Admin Street2:
Admin Street3:
Admin City:Hayward
Admin State/Province:6
Admin Postal Code:94542
Admin Country:US
Admin Phone:+1.5105827229
Admin Phone Ext.:
Admin FAX:+1.5105827229
Admin FAX Ext.:
Admin Email:msil...@inow.com
Tech ID:MS1270-GANDI
Tech Name:Michael Silverman
Tech Street1:27150 Greenhaven Road
Tech Street2:
Tech Street3:
Tech City:Hayward
Tech State/Province:6
Tech Postal Code:94542
Tech Country:US
Tech Phone:+1.5105827229
Tech Phone Ext.:
Tech FAX:+1.5105827229
Tech FAX Ext.:
Tech Email:msil...@inow.com
Name Server:DNS1.LIGHT-FAMILY.COM
Name Server:NS1.POCKETTECH.COM
DNSSEC:Unsigned


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Hijacked or Wrong Configuration?

2010-08-03 Thread Bill . Light
I host a re-direct for the local soccer organization

The "real" owner (non-technical) let the domain lapse, and I recommended 
the registrar I use (that automatically provides secondary DNS services) - 
but they didn't use them.

Now they can NOT get to the site - am I configured wrong?   -- or -- did 
the domain get hijacked in the interim?


Site:  hysl.org

DNS:  dns1.light-family.com

IP:  66.124.156.123

And of course - they are still trying to sign people up as I type...  I 
have made the IP's default to be the hysl.org re-direct and temporarily 
"destroyed" my own domains...Any suggestions?


Re: Odd query issue

2010-08-03 Thread Mark Andrews

In message <4c58668d.2010...@chrysler.com>, Kevin Darcy writes:
> On 8/3/2010 7:50 AM, Atkins, Brian (GD/VA-NSOC) wrote:
> > Kevin,
> >
> > Thanks for the good ideas. Here is what I am seeing based on your
> > recommendations:
> >
> > 1. Zone has expired (to confirm: check logs)
> > No errors or notices regarding the zone being expired.
> >
> > 2. Corrupted/truncated journal file (to confirm: check logs, or, shut
> > down gracefully, delete journal and start up again)
> > I've shut down BIND, removed all files under the slave directory, and
> > restarted BIND - no help. Other zones that are delegated from the same
> > server are populated.
> >
> > 3. www.blah.com is a delegation in your slave copy of the zone, and the
> > delegated nameservers are all returning SERVFAIL, are lame, give bogus
> > answers, some combination of the above, etc. (to confirm: do the lookup
> > non-recursively, or a zone transfer of blah.com; if www.blah.com shows
> > as a delegation, query the delegated nameservers directly and see what
> > they return)
> >
> So, just to be clear: is www.blah.com delegated to another nameserver or 
> set of nameservers? Or is it contained within the blah.com zone itself? 
> My option #3 above referred to a relatively-unlikely scenario where a 
> www.blah.com delegation was (temporarily) present in your slave copy, 
> even though you indicated that on the master server, www.blah.com was 
> contained in the blah.com zone.
> > I am able to query the master directly, without issue as well as perform
> > a zone transfer (though I get an error, ";; communications error to
> > 10.x.x.x#53: connection reset"). I'm assuming that this is due to the
> > fact that the response is greater than 512 bytes perhaps.
> >
> 
> The 512-byte restriction only applies to UDP.
> 
> Sounds like you may have a problem with performing TCP transactions with 
> the master, most likely because of naively-implemented firewall rules. 
> You can confirm or deny this via the "+vc" (virtual circuit = TCP) 
> option to "dig".
> 
> If TCP between you and the master is completely broken, your zone 
> transfers aren't going to work and the zone will expire, if it hasn't 
> already.  I'd double-check whether the zone is expired, maybe by 
> restarting named with a high debug level.
> 
> It's a little troubling that other slave zones -- I assume that's what 
> you meant when you said "that are delegated" -- from the same master are 
> working. But, are all the EXPIRE settings the same? Maybe this is just 
> the _first_ zone that expired.

Or that the other zones are smaller and this one is big enough that PMTUD
kicks in.
 
> Again, the logs should help here. Are zone transfers succeeding or 
> failing for blah.com and for other zones. If there are failures, what 
> are the error messages in the logs?
>  
>  - Kevin
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: unexpected RCODE (REFUSED) resolving

2010-08-03 Thread Mark Andrews


In message <20100803142625.gc27...@tamay-dogan.net>, Michelle Konzack writes:
> Hello,
> 
> since today morning (~06:30 CEST) I get several 1.000 errors like:
> 
> [ '/var/log/named.log' ]
> Aug  3 10:12:39 dns1 named[26425]: 03-Aug-2010 10:12:39.951 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 68.156.138.136#53

Basically you need to complain to the administrators for xensource.com
to get the delegation cleaned up or the server configured.

xensource.com is delegated to 68.156.138.136 but that server is refusing
to answer queries for xensource.com.  Additionally according to
ns1.xensource.com both ns0.xensource.com and ns2.xensource.com no longer
exist.  The administrators for xensource.com need to clean up the
delegation by contacting their registrar and removing ns0.xensource.com
from delegation.  They also need to clean up the delegation for
colo.xensource.com as that has ns0 and ns2 listed which don't exist.

; <<>> DiG 9.3.6-P1 <<>> xensource.com @a.gtld-servers.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4442
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;xensource.com. IN  A

;; AUTHORITY SECTION:
xensource.com.  172800  IN  NS  ns0.xensource.com.
xensource.com.  172800  IN  NS  ns1.xensource.com.

;; ADDITIONAL SECTION:
ns0.xensource.com.  172800  IN  A   68.156.138.136
ns1.xensource.com.  172800  IN  A   70.42.241.99

;; Query time: 181 msec
;; SERVER: 2001:503:a83e::2:30#53(2001:503:a83e::2:30)
;; WHEN: Wed Aug  4 08:25:08 2010
;; MSG SIZE  rcvd: 99

> Aug  3 10:12:40 dns1 named[26425]: 03-Aug-2010 10:12:40.298 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 66.165.176.24#53
> Aug  3 10:12:40 dns1 named[26425]: 03-Aug-2010 10:12:40.439 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 68.156.138.136#53
> Aug  3 11:11:07 dns1 named[26425]: 03-Aug-2010 11:11:07.670 lame-servers: info: FORMERR resolving 'ns.xinnet.cn//IN': 61.155.152.86#53
> Aug  3 11:12:07 dns1 named[26425]: 03-Aug-2010 11:12:07.259 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'kernelnewbies.org/NS/IN': 85.118.1.10#53
> Aug  3 11:12:07 dns1 named[26425]: 03-Aug-2010 11:12:07.380 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'nl.linux.org/A/IN': 131.211.29.16#53
> Aug  3 11:12:07 dns1 named[26425]: 03-Aug-2010 11:12:07.381 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'nl.linux.org/MX/IN': 131.211.29.16#53
> Aug  3 11:39:22 dns1 named[26425]: 03-Aug-2010 11:39:22.848 lame-servers: info: FORMERR resolving 'tehrooz.com/NS/IN': 79.175.164.23#53
> Aug  3 11:41:23 dns1 named[26425]: 03-Aug-2010 11:41:23.649 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 68.156.138.136#53
> Aug  3 11:41:23 dns1 named[26425]: 03-Aug-2010 11:41:23.975 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 68.156.138.136#53
> Aug  3 11:41:24 dns1 named[26425]: 03-Aug-2010 11:41:24.135 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 66.165.176.24#53
> Aug  3 11:51:06 dns1 named[26425]: 03-Aug-2010 11:51:06.272 lame-servers: info: unexpected RCODE (REFUSED) resolving 'tallyho.bc.nu/A/IN': 209.132.176.100#53
> Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.505 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'ns2.telkom.co.za/A/IN': 196.7.142.133#53
> Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.513 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'ns3.telkom.co.za/A/IN': 196.7.142.133#53
> Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.515 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'ns2.telkom.co.za//IN': 196.7.142.133#53
> Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.522 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'ns3.telkom.co.za//IN': 196.7.142.133#53
> Aug  3 12:41:42 dns1 named[26425]: 03-Aug-2010 12:41:42.753 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 68.156.138.136#53
> Aug  3 12:41:43 dns1 named[26425]: 03-Aug-2010 12:41:43.101 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 66.165.176.24#53
> Aug  3 12:41:43 dns1 named[26425]: 03-Aug-2010 12:41:43.240 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 68.156.138.136#53
> Aug 
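Mark's reading of the log above is that the fault lies with the delegated servers, not with the resolver that logs them. As an added example (not code from the thread), the Python below groups named's lame-servers lines by the upstream server and zone that failed, so repeated REFUSED/SERVFAIL/FORMERR answers from one server stand out and you know whose delegation to raise it with; the sample lines are constructed in the same format as the quoted ones.

```python
"""Summarise BIND 'lame-servers' log lines by the upstream server that failed."""
import re
from collections import Counter, defaultdict

# Constructed sample lines, modelled on the format named uses for the
# lame-servers logging category (not copied from the thread).
SAMPLE_LOG = """\
Aug  3 10:12:39 dns1 named[26425]: 03-Aug-2010 10:12:39.951 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 68.156.138.136#53
Aug  3 10:12:40 dns1 named[26425]: 03-Aug-2010 10:12:40.298 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/MX/IN': 66.165.176.24#53
Aug  3 11:11:07 dns1 named[26425]: 03-Aug-2010 11:11:07.670 lame-servers: info: FORMERR resolving 'ns.xinnet.cn/A/IN': 61.155.152.86#53
Aug  3 11:12:07 dns1 named[26425]: 03-Aug-2010 11:12:07.259 lame-servers: info: unexpected RCODE (SERVFAIL) resolving 'kernelnewbies.org/NS/IN': 85.118.1.10#53
Aug  3 11:41:23 dns1 named[26425]: 03-Aug-2010 11:41:23.649 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 68.156.138.136#53
Aug  3 12:41:42 dns1 named[26425]: 03-Aug-2010 12:41:42.753 lame-servers: info: unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 68.156.138.136#53
Aug  3 12:41:43 dns1 named[26425]: 03-Aug-2010 12:41:43.101 general: info: some unrelated message
"""

# "<category>: <level>: <reason> resolving '<name>/<type>/<class>': <server>#<port>"
LINE_RE = re.compile(
    r"lame-servers: \w+: (?P<reason>.+?) resolving "
    r"'(?P<name>[^/']*)/(?P<rtype>[^/']*)/(?P<rclass>[^']*)': "
    r"(?P<server>\S+?)#(?P<port>\d+)\s*$"
)


def parse_line(line):
    """Return the fields of one lame-servers line, or None for any other line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    reason = m.group("reason")
    # "unexpected RCODE (REFUSED)" -> "REFUSED"; a bare "FORMERR" stays as is.
    rc = re.search(r"\((\w+)\)", reason)
    return {
        "name": m.group("name"),
        "rtype": m.group("rtype"),
        "server": m.group("server"),
        "rcode": rc.group(1) if rc else reason.split()[0],
    }


def summarise(log_text):
    """Map each failing server to a Counter keyed by (zone name, rcode)."""
    summary = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            summary[rec["server"]][(rec["name"], rec["rcode"])] += 1
    return summary


# What each result typically says about the remote server, as a triage hint.
WHAT_IT_MEANS = {
    "REFUSED": "answers, but will not serve this name: lame delegation or the zone "
               "is not configured on that server",
    "SERVFAIL": "claims the zone but cannot answer it: broken or expired zone on "
                "their side",
    "FORMERR": "rejects the query format (often EDNS); persistent cases are a bug "
               "on their side",
}


def report(log_text, min_count=2):
    """Return (server, name, rcode, count, meaning) rows, busiest first.

    Repeated failures against one server for one name are the ones worth
    raising with that zone's administrators; single hits are usually noise.
    """
    rows = []
    for server, counts in summarise(log_text).items():
        for (name, rcode), n in counts.items():
            if n >= min_count:
                rows.append((server, name, rcode, n,
                             WHAT_IT_MEANS.get(rcode, "see the BIND ARM")))
    rows.sort(key=lambda r: (-r[3], r[0], r[1]))
    return rows


if __name__ == "__main__":
    for server, name, rcode, n, meaning in report(SAMPLE_LOG, min_count=1):
        print(f"{server:>16}  {rcode:<8} x{n:<3} {name}: {meaning}")
```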

RE: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Lightner, Jeff
2 rules aren't needed if you don't specify protocol and port in the first one.  
It simply drops ALL traffic from that IP.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Lyle 
Giese
Sent: Tuesday, August 03, 2010 4:18 PM
To: bind-users@lists.isc.org
Subject: Re: Script-kiddie / client  query (cache) '/MX/IN' denied

Kevin Darcy wrote:
> On 8/3/2010 3:03 PM, Denis BUCHER wrote:
>> Dear Lyle,
>>
>> On 03.08.2010 18:17, Lyle Giese wrote:
>>>> I would like to know if I can block hosts doing that at the level of
>>>> /etc/hosts.allow or should I do it at the level of Bind itself ?
>>> Use IPTables or add rules to your firewall. I don't believe that BIND
>>> pays any attention to /etc/hosts.allow
>>
>> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow 
>> does not look to be working. This was perfect :
>>
>> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>>
> I'm no iptables expert, but doesn't that only apply to TCP packets?
>
> 
> - 
> Kevin
>
Good catch, Kevin!

You are right, he should add two rules, one for tcp and one for udp.

Lyle Giese
LCR Computer Services, Inc.
 
Proud partner. Susan G. Komen for the Cure.
 
Please consider our environment before printing this e-mail or attachments.
--
CONFIDENTIALITY NOTICE: This e-mail may contain privileged or confidential 
information and is for the sole use of the intended recipient(s). If you are 
not the intended recipient, any disclosure, copying, distribution, or use of 
the contents of this information is prohibited and may be unlawful. If you have 
received this electronic transmission in error, please reply immediately to the 
sender that you have received the message in error, and delete it. Thank you.
--
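Kevin, Lyle and Jeff between them cover three variants of the rule: TCP-only as first posted, TCP plus UDP, and a protocol-less rule that drops everything from the source. As an added example (not code from the thread), the Python below reads rules in iptables-save form and evaluates them offline with first-match semantics to show what port 53 traffic from a source is actually dropped; 192.0.2.77 is a documentation-range placeholder, not the address from the list.

```python
"""Offline check of which DNS traffic from one source an iptables INPUT chain drops."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed rule sets, in the form iptables-save writes them, reproducing the
# three variants discussed on the list. 192.0.2.77 is a placeholder address.
TCP_ONLY = "-A INPUT -s 192.0.2.77/32 -p tcp -m tcp --dport 53 -j DROP\n"
TCP_AND_UDP = TCP_ONLY + "-A INPUT -s 192.0.2.77/32 -p udp -m udp --dport 53 -j DROP\n"
ALL_TRAFFIC = "-A INPUT -s 192.0.2.77/32 -j DROP\n"


@dataclass
class Rule:
    src: Optional[str]     # "a.b.c.d/len", or None to match any source
    proto: Optional[str]   # "tcp", "udp", or None to match any protocol
    dport: Optional[int]   # destination port, or None to match any port
    target: str            # DROP, ACCEPT, ...


def parse_rule(line):
    """Parse one '-A INPUT ...' line (the option subset used in the thread).

    Other iptables-save lines (*filter, :CHAIN policy lines, COMMIT) return
    None, so a whole dump can be fed in.
    """
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A" or toks[1] != "INPUT":
        return None
    src = proto = dport = target = None
    i = 2
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt in ("-s", "--source"):
            src = arg
        elif opt in ("-p", "--protocol"):
            proto = arg
        elif opt == "--dport":
            dport = int(arg)
        elif opt == "-j":
            target = arg
        elif opt != "-m":   # "-m tcp" only names a match module; nothing to record
            raise ValueError(f"unsupported option {opt!r} in {line!r}")
        i += 2
    return Rule(src, proto, dport, target)


def verdict(rules, src_ip, proto, dport, policy="ACCEPT"):
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.src is not None and ip not in ipaddress.ip_network(r.src, strict=False):
            continue
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.target
    return policy


def dns_coverage(ruleset_text, src_ip):
    """Return {'tcp': verdict, 'udp': verdict} for port 53 from src_ip.

    DNS uses both transports, so DROP for tcp with ACCEPT for udp is exactly
    the gap in the rule as first posted.
    """
    rules = [r for r in map(parse_rule, ruleset_text.splitlines()) if r is not None]
    return {p: verdict(rules, src_ip, p, 53) for p in ("tcp", "udp")}


if __name__ == "__main__":
    for label, text in (("tcp only", TCP_ONLY), ("tcp+udp", TCP_AND_UDP), ("all", ALL_TRAFFIC)):
        print(f"{label:<9} {dns_coverage(text, '192.0.2.77')}")
```

The protocol-less rule also drops that source on every other port, which is Jeff's point and the trade-off to weigh before using it.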


Re: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Lyle Giese

Kevin Darcy wrote:

On 8/3/2010 3:03 PM, Denis BUCHER wrote:

Dear Lyle,

On 03.08.2010 18:17, Lyle Giese wrote:

I would like to know if I can block hosts doing that at the level of
/etc/hosts.allow or should I do it at the level of Bind itself ?

Use IPTables or add rules to your firewall. I don't believe that BIND
pays any attention to /etc/hosts.allow


Yes I tried iptables, it is working perfectly, and /etc/hosts.allow 
does not look to be working. This was perfect :


iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP


I'm no iptables expert, but doesn't that only apply to TCP packets?


- 
Kevin



Good catch, Kevin!

You are right, he should add two rules, one for tcp and one for udp.

Lyle Giese
LCR Computer Services, Inc.


Creating a training environment

2010-08-03 Thread Anand_Inala
I'm trying to put together a training environment with a "fake" internet.  The 
idea is that a computer running windows xp will be attached to the WAN side of 
a router to be the "internet".  Any (http, possibly other protocols) requests 
going out from the router should be caught by the box attached and redirect 
them to the apache web server and serve up that web page to the system behind 
the router.  Thus, google, yahoo, msn, etc.  all get served up some kind of "It 
works!" apache page.  I'm working with a system running Windows XP with Apache 
and BIND installed.

It seems to me it would be trivial, but I don't have any experience with BIND.  
Any suggestions as to where I would start?



Re: Clarification on ANY query

2010-08-03 Thread Kevin Darcy

It might be worth pointing out
a) that you're trying to recursively query a non-recursive nameserver
b) that the MX record is technically superfluous, since its target is 
the same as the owner name, and all mail clients will fail over to doing 
an A query of the same name if no MX record is present. I understand, 
however, that if your negative-caching parameter for the zone needs to 
be low for some reason (relative to your positive-caching 1-day TTL), 
then the presence of the MX record might save you a certain amount of 
query traffic, and therefore serve a practical purpose even if "redundant".



- Kevin


On 8/3/2010 12:08 AM, rams wrote:

Hi ,
I have data as follows
a.rameshops5446.com. 86400 IN A 1.2.3.1
a.rameshops5446.com. 86400 IN MX 10 a.rameshops5446.com.
I queried domain "a.rameshops5446.com" with type ANY against bind9.6.

Actual Result:
Bind is returning above two records in answer section and also 
returning A record in additional section as follows.

# dig @localhost a.rameshops5446.com. any
; <<>> DiG 9.6.1-P3 <<>> @localhost a.rameshops5446.com. any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33411
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;a.rameshops5446.com.           IN      ANY

;; ANSWER SECTION:
a.rameshops5446.com.    86400   IN      MX      10 a.rameshops5446.com.
a.rameshops5446.com.    86400   IN      A       1.2.3.1

;; AUTHORITY SECTION:
rameshops5446.com.      86400   IN      NS      udns2.ultradns.net.
rameshops5446.com.      86400   IN      NS      udns1.ultradns.net.

;; ADDITIONAL SECTION:
a.rameshops5446.com.    86400   IN      A       1.2.3.1

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Aug  3 04:06:45 2010
;; MSG SIZE  rcvd: 137
My doubt is this: the A record is already returned in the answer section, so 
why is the same A record returned again in the additional section? I know 
that if the MX target has A/ records they are returned in the additional 
section, but in the above case the same A record was already returned in 
the answer section. Is BIND's result correct? Could you please clarify?

Thanks & Regards,
Ramesh





Re: Question on query-source, transfer-source, notify-source

2010-08-03 Thread Barry Finkel
On 7/28/10,  I wrote:
>> I have a BIND config question.  First some history.
>>
>> My initial two DNS servers (A and B) had three NICs and three IP
>> addresses.  Then I installed two additional servers (C and D),
>> each with one NIC; each server has one base address and one DNS address.
>> All four servers run Solaris.  When I installed C and D, I placed in
>> the config file
>>
>>  query-source address ;
>>  transfer-source ;
>>  notify-source ;
>>
>> Then we changed servers A and B to new hardware, and we have in
>> addition to the three NICs each, a base, non-DNS address for each.
>> We made no config file changes, and no users have reported problems.
>> These "new" servers A and B have been running for a few years.
>>
>> Now, I am converting all four servers to an Ubuntu platform, and I am
>> revisiting the config file.  In looking through various firewall and
>> DNS query logs, I see that machines A and B are using the non-DNS
>> and queries to the hidden BIND master via the non-DNS addresses.
>> The Internet queries are being blocked at the firewall because we do
>> not allow non-registered DNS addresses to send DNS queries to the
>> Internet, and the non-DNS addresses have no firewall conduits.
>> I can add three options directives above, as I have done on servers
>> C and D, but the ARM seems to imply that I can list only one address
>> in each directive, and I have three DNS addresses for each server.
>>
>> The BIND is 9.7.x on all machines.  Does anyone have suggestions?
>> Thanks.


and Chris Buxton  replied:
>Why do you need 3 DNS interfaces on one box? Why do you need the extra
>interface?
>
>Perhaps you could simplify, or split the three addresses across
>multiple hosts, or even run multiple instances of named on each box.

Historical.  The DNS servers serve three Class-B subnets, and it was
decided when the servers were placed in production many years ago
that they should have an address on each of the Class-B subnets.
One of the subnets had a /22 that was used for buildings on campus that
did not have IP connectivity; they got their IP via the phone
system copper and a device plugged in to the phone jack.  We had to
have a DNS server on that /22.

We have decided that since we can only place one address in the

  query-source address ;
  transfer-source ;
  notify-source ;

statements, we will choose one of the three addresses on each server
and use it.  I believe that it makes no difference if we use the same
address in each of the three statements, or if we use a different
address in each.
--
Barry S. Finkel
Computing and Information Systems Division
Argonne National Laboratory  Phone:+1 (630) 252-7277
9700 South Cass Avenue   Facsimile:+1 (630) 252-4601
Building 240, Room 5.B.8 Internet: bsfin...@anl.gov
Argonne, IL   60439-4828 IBMMAIL:  I1004994



RE: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Lightner, Jeff
Yes - I had already written him off list in reply to an email he sent me and 
pointed it out.   It also only blocks port 53 so if he had other ports open the 
script kiddie would still be able to see those other ports. 

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Kevin Darcy
Sent: Tuesday, August 03, 2010 3:26 PM
To: bind-users@lists.isc.org
Subject: Re: Script-kiddie / client  query (cache) '/MX/IN' denied

On 8/3/2010 3:03 PM, Denis BUCHER wrote:
> Dear Lyle,
>
> On 03.08.2010 18:17, Lyle Giese wrote:
>>> I would like to know if I can block hosts doing that at the level of
>>> /etc/hosts.allow or should I do it at the level of Bind itself ?
>> Use IPTables or add rules to your firewall. I don't believe that BIND
>> pays any attention to /etc/hosts.allow
>
> Yes I tried iptables, it is working perfectly, and /etc/hosts.allow 
> does not look to be working. This was perfect :
>
> iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP
>
I'm no iptables expert, but doesn't that only apply to TCP packets?

 
 - Kevin



Re: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Kevin Darcy

On 8/3/2010 3:03 PM, Denis BUCHER wrote:

Dear Lyle,

On 03.08.2010 18:17, Lyle Giese wrote:

I would like to know if I can block hosts doing that at the level of
/etc/hosts.allow or should I do it at the level of Bind itself ?

Use IPTables or add rules to your firewall. I don't believe that BIND
pays any attention to /etc/hosts.allow


Yes I tried iptables, it is working perfectly, and /etc/hosts.allow 
does not look to be working. This was perfect :


iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP


I'm no iptables expert, but doesn't that only apply to TCP packets?


- Kevin




RE: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Lightner, Jeff
Blackhole isn't better IMHO because I found in the past that they still try 
your server ad nauseam even though they're blocked - blocking at iptables is 
doing it at kernel level before BIND.   However it does work and is certainly 
one way to do it especially on systems that don't have their own firewall.  
Also blackhole only affects DNS traffic - iptables will let you drop all 
packets from the source site if you want.

-Original Message-
From: bind-users-bounces+jlightner=water@lists.isc.org 
[mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of 
Denis BUCHER
Sent: Tuesday, August 03, 2010 3:10 PM
To: wllarso
Cc: bind-us...@isc.org
Subject: Re: Script-kiddie / client  query (cache) '/MX/IN' denied

On 03.08.2010 18:28, wllarso wrote:
>> This seems to be due to a script-kiddie.
>> I would like to know if I can block hosts doing that at the level of
>> /etc/hosts.allow or should I do it at the level of Bind itself ?
>> And sorry if this is not 100% on topic, I know it's at the border
>> between BIND and OS...
>
> On topic question.  Don't worry.
>
> You could always use the "blackhole" directive in the BIND configuration
> to avoid responding to this address.

Do you think it is better or equal to the firewall solution ?

 > This will prevent your server from
> responding to queries from this address.  See the BIND ARM for more info
> about how to use this.  The problem is that this solution would prevent a
> DNS server at this address from querying your server for legitimate
> purposes.  (Quickly, this address doesn't appear to be running a DNS server
> at the moment.)

Yes ;-)

> Then again, if you are running a firewall on your server (or in front of
> it), you could always block traffic from this address as an alternative
> too.  This way your DNS server would never even see these queries to have
> to block.

Yes, that's what I did for the moment...

> But as a more complete solution, is this an authoritative server for some
> zone(s) that you are responsible for, or is this a recursive server for
> your customers?

It is an authoritative server for some domains, yes...

> If it is an authoritative server, then you should have it
> configured to not answer recursive queries for everyone in the world.

Yes that would be interesting, does it mean that only authoritative 
zones would be allowed in queries ? In fact it seems it does not answer 
any query, as in the logs it says "denied". Am I right on this point or 
not ?

> If
> it is a recursive server, then you should be limiting who can query it and
> not respond to non-authorized queries.  You can use the BIND "view" to
> limit who is getting what from your server.
>
> Your logs indicate that this query was denied, so you may already have
> your server configured to not answer these queries from this address, so
> the last paragraph may not apply.

Ok

> But, it is worth looking at your
> configuration just to confirm your server is "reasonably" configured.

Ok I will check for that...

Thanks a lot for your advice, it makes things a little clearer for me 
now :-)

Denis


RE: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Dixon, Justin
>> I would like to know if I can block hosts doing that at the level of
>> /etc/hosts.allow or should I do it at the level of Bind itself ?
> Use IPTables or add rules to your firewall. I don't believe that BIND
> pays any attention to /etc/hosts.allow

BIND has a "blackhole" option that will essentially perform the same
function...BIND will not even respond to IPs that are listed in the
blackhole statement in named.conf.

Check the BIND ARM for details on blackhole.

Thanks...

Justin Dixon



Re: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Denis BUCHER

On 03.08.2010 18:28, wllarso wrote:

This seems to be due to a script-kiddie.
I would like to know if I can block hosts doing that at the level of
/etc/hosts.allow or should I do it at the level of Bind itself ?
And sorry if this is not 100% on topic, I know it's at the border
between BIND and OS...


On topic question.  Don't worry.

You could always use the "blackhole" directive in the BIND configuration
to avoid responding to this address.


Do you think it is better or equal to the firewall solution ?

> This will prevent your server from

responding to queries from this address.  See the BIND ARM for more info
about how to use this.  The problem is that this solution would prevent a
DNS server at this address from querying your server for legitimate
purposes.  (Quickly, this address doesn't appear to be running a DNS server
at the moment.)


Yes ;-)


Then again, if you are running a firewall on your server (or in front of
it), you could always block traffic from this address as an alternative
too.  This way your DNS server would never even see these queries to have
to block.


Yes, that's what I did for the moment...


But as a more complete solution, is this an authoritative server for some
zone(s) that you are responsible for, or is this a recursive server for
your customers?


It is an authoritative server for some domains, yes...


If it is an authoritative server, then you should have it
configured to not answer recursive queries for everyone in the world.


Yes that would be interesting, does it mean that only authoritative 
zones would be allowed in queries ? In fact it seems it does not answer 
any query, as in the logs it says "denied". Am I right on this point or 
not ?



If
it is a recursive server, then you should be limiting who can query it and
not respond to non-authorized queries.  You can use the BIND "view" to
limit who is getting what from your server.

Your logs indicate this this query was denied, so you may already have
your server configured to not answer these queries from this address, so
the last paragraph may not apply.


Ok


But, it is worth looking at your
configuration just to confirm your server is "reasonably" configured.


Ok I will check for that...

Thanks a lot for your advices, it makes things a little clearer for me 
now :-)


Denis

Re: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Denis BUCHER

Dear Lyle,

On 03.08.2010 18:17, Lyle Giese wrote:

>> I would like to know if I can block hosts doing that at the level of
>> /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Use IPTables or add rules to your firewall. I don't believe that BIND
> pays any attention to /etc/hosts.allow

Yes I tried iptables, it is working perfectly, and /etc/hosts.allow does
not look to be working. This was perfect :

iptables -I INPUT 3 -p tcp -s 202.152.172.4 --dport 53 -j DROP

Thanks a lot for your help

Denis


Re: Odd query issue

2010-08-03 Thread Kevin Darcy

On 8/3/2010 7:50 AM, Atkins, Brian (GD/VA-NSOC) wrote:

> Kevin,
>
> Thanks for the good ideas. Here is what I am seeing based on your
> recommendations:
>
>> 1. Zone has expired (to confirm: check logs)
> No errors or notices regarding the zone being expired.
>
>> 2. Corrupted/truncated journal file (to confirm: check logs, or, shut
>> down gracefully, delete journal and start up again)
> I've shut down BIND, removed all files under the slave directory, and
> restarted BIND - no help. Other zones that are delegated from the same
> server are populated.
>
>> 3. www.blah.com is a delegation in your slave copy of the zone, and the
>> delegated nameservers are all returning SERVFAIL, are lame, give bogus
>> answers, some combination of the above, etc. (to confirm: do the lookup
>> non-recursively, or a zone transfer of blah.com; if www.blah.com shows
>> as a delegation, query the delegated nameservers directly and see what
>> they return)

So, just to be clear: is www.blah.com delegated to another nameserver or 
set of nameservers? Or is it contained within the blah.com zone itself? 
My option #3 above referred to a relatively-unlikely scenario where a 
www.blah.com delegation was (temporarily) present in your slave copy, 
even though you indicated that on the master server, www.blah.com was 
contained in the blah.com zone.

> I am able to query the master directly, without issue as well as perform
> a zone transfer (though I get an error, ";; communications error to
> 10.x.x.x#53: connection reset"). I'm assuming that this is due to the
> fact that the response is greater than 512 bytes perhaps.


The 512-byte restriction only applies to UDP.

Sounds like you may have a problem with performing TCP transactions with 
the master, most likely because of naively-implemented firewall rules. 
You can confirm or deny this via the "+vc" (virtual circuit = TCP) 
option to "dig".


If TCP between you and the master is completely broken, your zone 
transfers aren't going to work and the zone will expire, if it hasn't 
already.  I'd double-check whether the zone is expired, maybe by 
restarting named with a high debug level.


It's a little troubling that other slave zones -- I assume that's what 
you meant when you said "that are delegated" -- from the same master are 
working. But, are all the EXPIRE settings the same? Maybe this is just 
the _first_ zone that expired.


Again, the logs should help here. Are zone transfers succeeding or 
failing for blah.com and for other zones. If there are failures, what 
are the error messages in the logs?




- Kevin




Script-kiddie : client query (cache) '/MX/IN' denied

2010-08-03 Thread Denis BUCHER

Dear all,

I have a question, it's not really a big problem, but it's annoying.

In the logs I get plenty of lines like :

client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)


This seems to be due to a script-kiddie.

I would like to know if I can block hosts doing that at the level of 
/etc/hosts.allow or should I do it at the level of Bind itself ?


Currently it is working for sshd on this server to add lines in 
/etc/hosts.allow, but I would like to know if it would be possible for 
bind :

sshd: 121.14.195.176: DENY

# uname -a
Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 
2009 i686 i686 i386 GNU/Linux

# cat /etc/redhat-release
Fedora release 9 (Sulphur)

Thanks a lot in advance for any help...

And sorry if this is not 100% on topic, I know it's at the border 
between BIND and OS...


Denis
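The lines Denis pasted are logwatch-style summaries of BIND's "query (cache) ... denied" message, which the server logs when a client outside the recursion/cache ACL asks for a name the server is not authoritative for. Before reaching for a firewall rule it helps to see who is being refused, how often, and for what, so the block below (an added example, not code from the thread or from ISC) parses both the summary form shown in the post and the raw named form ("client 192.0.2.10#53210: query (cache) '...' denied"), aggregates per client, and lists the clients above a threshold. The sample log is constructed for the example: four lines modelled on the post plus one raw line from a documentation-range client and one unrelated line that must be ignored.

```python
"""Summarise BIND 'query (cache) ... denied' log lines per client.

Added example, not part of the thread.  Handles raw named lines and the
logwatch-style lines from the post, which carry a trailing "N Time(s)" count.
"""
import re
from collections import Counter, defaultdict

DENIED_RE = re.compile(
    r"client (?P<client>[0-9A-Fa-f.:]+)(?:#\d+)?:? query \(cache\) "
    r"'(?P<name>[^/']+)/(?P<qtype>[^/']*)/(?P<qclass>[^']*)' denied"
    r"(?::\s*(?P<count>\d+) Time\(s\))?"
)

# Constructed sample input (see lead-in); the last line is noise to skip.
SAMPLE_LOG = """\
client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
03-Aug-2010 18:01:27.000 security: info: client 192.0.2.10#53210: query (cache) 'example.net/A/IN' denied
03-Aug-2010 18:01:28.000 general: info: zone example.org/IN: loaded serial 2010080301
"""


def parse_denied(text):
    """Yield (client, name, qtype, count) for every denied-query line.

    Raw named lines have no "N Time(s)" suffix and count as one event each.
    """
    for line in text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            yield m["client"], m["name"], m["qtype"], int(m["count"] or 1)


def summarize(text):
    """Per-client total, number of distinct names asked for, and qtype mix."""
    totals = Counter()
    names = defaultdict(set)
    qtypes = defaultdict(Counter)
    for client, name, qtype, count in parse_denied(text):
        totals[client] += count
        names[client].add(name)
        qtypes[client][qtype] += count
    return {
        c: {"total": totals[c], "distinct_names": len(names[c]), "qtypes": dict(qtypes[c])}
        for c in totals
    }


def noisy_clients(text, threshold=5):
    """Clients whose denied-query count reaches the threshold, busiest first."""
    hits = [(c, s["total"]) for c, s in summarize(text).items() if s["total"] >= threshold]
    return sorted(hits, key=lambda cs: (-cs[1], cs[0]))


def firewall_rules(client):
    """Drop rules for both transports.  DNS queries are mostly UDP, so a
    TCP-only rule leaves the bulk of the unwanted traffic untouched."""
    return [
        f"iptables -I INPUT -p {proto} -s {client} --dport 53 -j DROP"
        for proto in ("udp", "tcp")
    ]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for client, total in noisy_clients(SAMPLE_LOG):
        print(client, total, report[client])
        print("\n".join(firewall_rules(client)))
```

Run against a real named log, the threshold separates a scanner walking through many unrelated names from, say, a misconfigured neighbour resolver that keeps asking for one or two names; the latter is better handled by a phone call than a DROP rule. Note the UDP rule: the `-p tcp` rule posted later in the thread only stops the rare TCP retries.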


Re: list zones

2010-08-03 Thread Mihamina Rakotomandimby
> p.may...@imperial.ac.uk :
>How about this:

Very good!
Thank you. 

-- 

   IT Architect at Blueline/Gulfsat:
System Administration, Research & Development
+261 34 56 000 19


Re: list zones

2010-08-03 Thread JINMEI Tatuya / 神明達哉
At Tue, 3 Aug 2010 12:39:05 +0300,
Mihamina Rakotomandimby  wrote:

> Manao ahoana, Hello, Bonjour,
> 
> Without grepping the configuration files from the system shell, is it
> possible to lists all the master zones on a running bind9? What tool
> with?

If you enable "zone-statistics" you can see a list of zones for which
the server has authority by "rndc stats".

Or, if you enable XML-based statistics (available >= 9.5) you can see
the same list in it (whether or not you enable zone-statistics).

In either case, however, the list is a mixture of primary ("master")
and secondary ("slave") servers.  So, if you specifically want to see
a list of "master"s (but not "slave"s), these may not be an option
(depending on your configuration).

---
JINMEI, Tatuya
Internet Systems Consortium, Inc.


Re: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread wllarso

On Tue, 03 Aug 2010 18:01:27 +0200, Denis BUCHER 
wrote:
> Dear all,
> 
> I have a question, it's not really a big problem, but it's annoying.
> 
> In the logs I get plenty of lines like :
>> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2
>> Time(s)
>> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied:
>> 1 Time(s)
>> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2
>> Time(s)
>> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied:
>> 1 Time(s)
>> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1
Time(s)
>> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1
>> Time(s)
>> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
>> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
> 
> This seems to be due to a script-kiddie.
> 
> I would like to know if I can block hosts doing that at the level of 
> /etc/hosts.allow or should I do it at the level of Bind itself ?
> 
> Currently it is working for sshd on this server to add lines in 
> /etc/hosts.allow, but I would like to know if it would be possible for 
> bind :
> sshd: 121.14.195.176: DENY
> 
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT 
> 2009 i686 i686 i386 GNU/Linux
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
> 
> Thanks a lot in advance for any help...
> 
> And sorry if this is not 100% on topic, I know it's at the border 
> between BIND and OS...

On topic question.  Don't worry.

You could always use the "blackhole" directive in the BIND configuration
to avoid responding to this address.  This will prevent your server from
responding to queries from this address.  See the BIND ARM for more info
about how to use this.  The problem is that this solution would prevent a
DNS server at this address from querying your server for legitimate
purposes.  (Quickly, this address doesn't appear to be running a DNS server
at the moment.)

Then again, if you are running a firewall on your server (or in front of
it), you could always block traffic from this address as an alternative
too.  This way your DNS server would never even see these queries to have
to block.

But as a more complete solution, is this an authoritative server for some
zone(s) that you are responsible for, or is this a recursive server for
your customers?  If it is an authoritative server, then you should have it
configured to not answer recursive queries for everyone in the world.  If
it is a recursive server, then you should be limiting who can query it and
not respond to non-authorized queries.  You can use the BIND "view" to
limit who is getting what from your server.

Your logs indicate that this query was denied, so you may already have
your server configured to not answer these queries from this address, so
the last paragraph may not apply.  But, it is worth looking at your
configuration just to confirm your server is "reasonably" configured.

Bill Larson
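Bill's three options (blackhole, a firewall, and restricting recursion to your own clients) map onto a handful of named.conf statements. The fragment below is an added, constructed example for an authoritative-only server, not configuration from the thread or from ISC; the ACL name, network and zone are placeholders, and the blackholed address is the one from Denis's log. The distinction worth seeing is between the ACL refusal, which answers REFUSED and produces exactly the "query (cache) ... denied" log line Denis is seeing, and blackhole, which sends nothing back at all.

```conf
// Constructed example: an authoritative-only BIND 9 server.
acl "trusted" { 127.0.0.1; ::1; 192.0.2.0/24; };   // placeholder: our own networks

options {
    directory "/var/named";

    // Authoritative data is public: anyone may query the zones we host.
    allow-query { any; };

    // Recursion and cache lookups only for our own clients.  Anyone else
    // asking for a name we are not authoritative for gets REFUSED, which
    // is what shows up as "query (cache) '.../MX/IN' denied" in the log.
    allow-recursion { trusted; };
    allow-query-cache { trusted; };

    // Sources that get no reply at all, not even REFUSED.  A legitimate
    // resolver at such an address could no longer reach our zones either,
    // which is the drawback Bill points out.
    blackhole { 202.152.172.4; };
};

zone "example.org" {          // placeholder zone
    type master;
    file "example.org.zone";
};
```

With this in place a query for one of your own zones from any source is still answered, and the denied lines only ever record clients trying to use the server as an open resolver. The same split can be expressed with two views (one for "trusted" with recursion, one for the rest without), which is the "view" approach Bill mentions; for a single server with a short list of zones the ACLs above are simpler to audit.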


Re: Script-kiddie / client query (cache) '/MX/IN' denied

2010-08-03 Thread Lyle Giese

Denis BUCHER wrote:

> Dear all,
>
> I have a question, it's not really a big problem, but it's annoying.
>
> In the logs I get plenty of lines like :
> client 202.152.172.4 query (cache) 'denkstelle.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkstunde.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'denktag.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkweise-hosting.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'denkwerk-berlin.de/MX/IN' denied: 2 Time(s)
> client 202.152.172.4 query (cache) 'dj-falk.de/MX/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns01-tld.t-online.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns1.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns2.luact.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'dns6.pro.vider.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks10.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks18.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks19.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'docks20.rzone.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'f.nic.de/A/IN' denied: 1 Time(s)
> client 202.152.172.4 query (cache) 'flashit.de/MX/IN' denied: 5 Time(s)
>
> This seems to be due to a script-kiddie.
>
> I would like to know if I can block hosts doing that at the level of
> /etc/hosts.allow or should I do it at the level of Bind itself ?
>
> Currently it is working for sshd on this server to add lines in
> /etc/hosts.allow, but I would like to know if it would be possible for
> bind :
>
> sshd: 121.14.195.176: DENY
>
> # uname -a
> Linux (host) 2.6.27.25-78.2.56.fc9.i686 #1 SMP Thu Jun 18 12:47:50 EDT
> 2009 i686 i686 i386 GNU/Linux
>
> # cat /etc/redhat-release
> Fedora release 9 (Sulphur)
>
> Thanks a lot in advance for any help...
>
> And sorry if this is not 100% on topic, I know it's at the border
> between BIND and OS...
>
> Denis


Use IPTables or add rules to your firewall.  I don't believe that BIND 
pays any attention to /etc/hosts.allow


Lyle Giese
LCR Computer Services, Inc.





unexpected RCODE (REFUSED) resolving

2010-08-03 Thread Michelle Konzack
Hello,

since this morning (~06:30 CEST) I get several 1.000 errors like:

[ '/var/log/named.log' ]
Aug  3 10:12:39 dns1 named[26425]: 03-Aug-2010 10:12:39.951 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 
68.156.138.136#53
Aug  3 10:12:40 dns1 named[26425]: 03-Aug-2010 10:12:40.298 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 
66.165.176.24#53
Aug  3 10:12:40 dns1 named[26425]: 03-Aug-2010 10:12:40.439 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 
68.156.138.136#53
Aug  3 11:11:07 dns1 named[26425]: 03-Aug-2010 11:11:07.670 lame-servers: info: 
FORMERR resolving 'ns.xinnet.cn//IN': 61.155.152.86#53
Aug  3 11:12:07 dns1 named[26425]: 03-Aug-2010 11:12:07.259 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving 'kernelnewbies.org/NS/IN': 85.118.1.10#53
Aug  3 11:12:07 dns1 named[26425]: 03-Aug-2010 11:12:07.380 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving 'nl.linux.org/A/IN': 131.211.29.16#53
Aug  3 11:12:07 dns1 named[26425]: 03-Aug-2010 11:12:07.381 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving 'nl.linux.org/MX/IN': 131.211.29.16#53
Aug  3 11:39:22 dns1 named[26425]: 03-Aug-2010 11:39:22.848 lame-servers: info: 
FORMERR resolving 'tehrooz.com/NS/IN': 79.175.164.23#53
Aug  3 11:41:23 dns1 named[26425]: 03-Aug-2010 11:41:23.649 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 
68.156.138.136#53
Aug  3 11:41:23 dns1 named[26425]: 03-Aug-2010 11:41:23.975 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 
68.156.138.136#53
Aug  3 11:41:24 dns1 named[26425]: 03-Aug-2010 11:41:24.135 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 
66.165.176.24#53
Aug  3 11:51:06 dns1 named[26425]: 03-Aug-2010 11:51:06.272 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'tallyho.bc.nu/A/IN': 209.132.176.100#53
Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.505 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving 'ns2.telkom.co.za/A/IN': 196.7.142.133#53
Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.513 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving 'ns3.telkom.co.za/A/IN': 196.7.142.133#53
Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.515 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving 'ns2.telkom.co.za//IN': 
196.7.142.133#53
Aug  3 12:12:30 dns1 named[26425]: 03-Aug-2010 12:12:30.522 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving 'ns3.telkom.co.za//IN': 
196.7.142.133#53
Aug  3 12:41:42 dns1 named[26425]: 03-Aug-2010 12:41:42.753 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com/A/IN': 
68.156.138.136#53
Aug  3 12:41:43 dns1 named[26425]: 03-Aug-2010 12:41:43.101 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 
66.165.176.24#53
Aug  3 12:41:43 dns1 named[26425]: 03-Aug-2010 12:41:43.240 lame-servers: info: 
unexpected RCODE (REFUSED) resolving 'lists.colo.xensource.com//IN': 
68.156.138.136#53
Aug  3 13:11:24 dns1 named[26425]: 03-Aug-2010 13:11:24.187 lame-servers: info: 
unexpected RCODE (SERVFAIL) resolving '34.46.85.18.in-addr.arpa/PTR/IN': 
18.85.2.171#53
Aug  3 13:16:17 dns1 named[26425]: 03-Aug-2010 13:16:17.355 lame-servers: info: 
unexpected RCODE (REFUSED) resolving '110.241.42.70.in-addr.arpa/PTR/IN': 
68.156.138.136#53


The weird thing is, normally I see between 40 and 100 per day, but today
more than 7000.  What can this be?

Thanks, Greetings and nice Day/Evening
Michelle Konzack

-- 
# Debian GNU/Linux Consultant ##
   Development of Intranet and Embedded Systems with Debian GNU/Linux

itsyst...@tdnet France EURL   itsyst...@tdnet UG (limited liability)
Owner Michelle KonzackOwner Michelle Konzack

Apt. 917 (homeoffice)
50, rue de Soultz Kinzigstraße 17
67100 Strasbourg/France   77694 Kehl/Germany
Tel: +33-6-61925193 mobil Tel: +49-177-9351947 mobil
Tel: +33-9-52705884 fix

  
 

Jabber linux4miche...@jabber.ccc.de
ICQ#328449886

Linux-User #280138 with the Linux Counter, http://counter.li.org/



Re: Re: Bind Clustering

2010-08-03 Thread Gordon A. Lang

To all,

The term "master" has different meanings in different contexts.  Each zone
is configured with a "type" of master or slave, etc, and in this context
the term "master" refers to a functional parameter of this zone on this
server.  But within the configuration of a zone that is of type "slave,"
there is a "masters list" specifying the servers from which zone transfers
might be obtained for the zone, and in this context the term "master"
refers to the IP address of a server.  Quite often in dialog, the context
is not equally understood amongst the parties, hence the communication is
confounded.

I personally think the term master should ONLY refer to the zone attribute,
and the use of the word "master" or "primary master" to refer to the IP
address of a server should be abolished.  Either that or we need to change
the zone configuration to no longer define a zone type as a "master" or a
"slave" and instead have a zone-data-source of "files" or "xfr" or "sql"
or whatever else might be possible.  It is excessively annoying when
ambiguous terminology makes it difficult for smart and knowledgeable
people to communicate efficiently.


To Robert,

Thanks for your response.  I think your idea would be good for some other
need, but my concern is about "dynamic updates," which has different
requirements.  Nevertheless, I have a couple questions:

Is your suggestion to run two instances of BIND (or a single instance of
BIND with two views) on each of the two servers you call Master A and
Master B, and have all the zones in one instance of BIND be configured
as masters and all the zones in the other instance of BIND be configured
as slaves, with both instances sharing the same db files?  If so, how
did you split each server i.e. did you use distinct ports or distinct
ip addresses or both?  If not, then how did you manage to get a slave
zone to accept what you call "updates," which I presume you mean non-
dynamic updates, from any source other than zone transfers?

Thanks.

--
Gordon A. Lang  /  313-819-7978
- Original Message - 
From: mli...@zoominternet.net

To: Chris Buxton ; bind-users@lists.isc.org ; Gordon A. Lang
Sent: Tuesday, August 03, 2010 8:07 AM
Subject: Re: Re: Bind Clustering



One thing you have to remember is the Slave NEVER updates the Master.
The updater is always the Master and the receiver is always the Slave.

I have posted about using 2 masters. You should be able to do a search on the
archive and find the post.

In short all you need to do is setup 2 masters and make them a slave of the
other that way no matter which is updated everyone gets the update.


On Thu 07/29/10 7:25 AM , "Gordon A. Lang" gl...@goalex.com sent:

I know BIND does not currently support multi-master. And I understand that
trying to strap together my own pseudo-multi-master implementation using
BIND, bubble gum, and tape isn't a sustainable solution. But, nevertheless,
I don't really need a true multi-master implementation -- I just need to
keep my backup master relatively up to date without relying on frequent
freeze-copy-thaw operations. I would be happy to have the updates go to one
slave, and then be replicated to both the active master and the backup
master. I would deal with drift via brute force i.e. I would have the
active master copy over to the backup master on a once or twice a day basis,
not once every 5 minutes.

I think it would be great if there were a new config construct added whereby
the update-forward target(s) are explicitly specified. In the case where
the masters are slaves of a hidden master that is directly reachable, it
would allow for the updates to be directly forwarded to the primary master
instead of being forwarded twice. And if multiple update-forward targets
are specified, then all targets always get an update. This could be used to
maintain a duplicate (hidden) master and/or eliminate the failure-delay when
the multiple masters "switch over," take turns being the master. And
possibly the specified update-forward target construct could also have an
optional behavior of "forward-to-all" or "stop-on-first-success." if current
behavior is preferred, but with a different list than then zone-transfer
master list.

Better yet, I would like add update-forwarding for master zones -- perhaps
it could be called update-replication.

I guess what I would really like to see is multiple MNAME targets
accommodated right in the SOA, but I imagine that would have a serious
compatibility challenge.

Or else maybe a new zone type called backup-master that acts like a slave
until an rndc control flips its operation state.

I would like to get see some more comments on this.

And I would really appreciate it if someone could tell me where in the
source code I should look to find where the update-forward targets are
obtained so that I can evaluate what it would take for me to write my own
modifications.

Thanks.

--
Gordon A. Lang

- Original Message - 
From: "Chris Buxton" 

To: "Gordon A. La

Thanks

2010-08-03 Thread dhottinger

Wow,

Best mailing list I've ever been on.  You guys were spot on.  I didn't
increment my serial number right (old eyes don't see so well), so
things were propagating correctly, and I had an error in my named.conf
file.  I appreciate all the help.


ddh


--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante



Re: new webserver ip

2010-08-03 Thread Hauke Lampe
Dwayne Hottinger wrote:

> I made the entry for the new website's ip (174.143.193.47).   But when   
> I do a dig, it still comes back with 204.111.40.10.

From what I can see here, your ns1 returns SERVFAIL, while your ns2 still 
serves an old zone with SOA serial 2009111201.

I'd suggest you look for errors in the logfiles at ns1 or test your zone file 
with "named-checkzone".

Apparently, your new zone file contained some errors and BIND did not load it. 
The secondary nameserver continues to serve the old zone content until it 
expires 28 days after the last refresh.

Hauke.


RE: new webserver ip

2010-08-03 Thread Frank Bulk
Which DNS server are you digging?  It's possible that (by default) you're
digging against a server that has the old entry still cached.

Frank

-Original Message-
From: bind-users-bounces+frnkblk=iname@lists.isc.org
[mailto:bind-users-bounces+frnkblk=iname@lists.isc.org] On Behalf Of
dhottin...@harrisonburg.k12.va.us
Sent: Tuesday, August 03, 2010 7:08 AM
To: bind-users@lists.isc.org
Subject: new webserver ip

My employer decided to host our website on another server off-site.   
My problem is getting our dns to point from our old server to the new.  
  Currently we own all the ip's and host our own website.  Here is the  
zone file for harrisonburg.k12.va.us:


$ORIGIN .
$TTL 259200 ; 3 days
harrisonburg.k12.va.us IN SOA ns1.harrisonburg.k12.va.us.  
rlineweaver.harrisonburg.k12.va.us. (
 201080503 ; serial
 28800  ; refresh (8 hours)
 7200   ; retry (2 hours)
 2419200; expire (4 weeks)
 86400  ; minimum (1 day)
 )
 NS  ns1.harrisonburg.k12.va.us.
 NS  ns2.harrisonburg.k12.va.us.
$TTL 144000 ; 40 hours
harrisonburg.k12.va.us. MX  10  plum.harrisonburg.k12.va.us.
mail.harrisonburg.k12.va.us.MX  10  plum.harrisonburg.k12.va.us.
student.harrisonburg.k12.va.us. MX  10  plum.harrisonburg.k12.va.us.
harrisonburg.k12.va.us. IN TXT "v=spf1 ip4:204.111.40.0/24  
a:mail.harrisonburg.k12.va.us a:student.harrisonburg.k12.va.us ~all"
$ORIGIN harrisonburg.k12.va.us.
$TTL 259200; 3 days
harrisonburg.k12.va.us. A   174.143.193.47


I made the entry for the new website's ip (174.143.193.47).  But when  
I do a dig, it still comes back with 204.111.40.10.  What do I need to  
do in order to get this ip to point to the newserver offsite?  Or is  
it even possible for me to do this?

ddh

-- 
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante



Re: new webserver ip

2010-08-03 Thread Torsten
On Tue, 03 Aug 2010 08:07:58 -0400, dhottin...@harrisonburg.k12.va.us wrote:

> My employer decided to host our website on another server off-site.   
> My problem is getting our dns to point from our old server to the
> new. Currently we own all the ip's and host our own website.  Here is
> the zone file for harrisonburg.k12.va.us:
> 
> 
> $ORIGIN .
> $TTL 259200 ; 3 days
> harrisonburg.k12.va.us IN SOA ns1.harrisonburg.k12.va.us.  
> rlineweaver.harrisonburg.k12.va.us. (
>  201080503 ; serial
>  28800  ; refresh (8 hours)
>  7200   ; retry (2 hours)
>  2419200; expire (4 weeks)
>  86400  ; minimum (1 day)
>  )
>  NS  ns1.harrisonburg.k12.va.us.
>  NS  ns2.harrisonburg.k12.va.us.
> $TTL 144000 ; 40 hours
> harrisonburg.k12.va.us. MX  10
> plum.harrisonburg.k12.va.us. mail.harrisonburg.k12.va.us.MX
> 10  plum.harrisonburg.k12.va.us. student.harrisonburg.k12.va.us.
> MX  10  plum.harrisonburg.k12.va.us. harrisonburg.k12.va.us. IN
> TXT "v=spf1 ip4:204.111.40.0/24 a:mail.harrisonburg.k12.va.us
> a:student.harrisonburg.k12.va.us ~all" $ORIGIN harrisonburg.k12.va.us.
> $TTL 259200; 3 days
> harrisonburg.k12.va.us. A   174.143.193.47
> 
> 
> I made the entry for the new website's ip (174.143.193.47).  But
> when I do a dig, it still comes back with 204.111.40.10.  What do I
> need to do in order to get this ip to point to the newserver
> offsite?  Or is it even possible for me to do this?
> 
> ddh
> 


It's just a wild guess but I think you've 'malformed' your serial. ;)
From the looks it should probably be 2010080503 and not 201080503, which
is considerably lower than it should be.


Ciao
Torsten


Re: new webserver ip

2010-08-03 Thread Jukka Pakkanen


On 3.8.2010 15:07, dhottin...@harrisonburg.k12.va.us wrote:
> My employer decided to host our website on another server off-site.
> My problem is getting our dns to point from our old server to the new.
> Currently we own all the ip's and host our own website.  Here is the
> zone file for harrisonburg.k12.va.us:
>
> $ORIGIN .
> $TTL 259200 ; 3 days
> harrisonburg.k12.va.us IN SOA ns1.harrisonburg.k12.va.us.
> rlineweaver.harrisonburg.k12.va.us. (
>
> 201080503 ; serial
> 28800  ; refresh (8 hours)
> 7200   ; retry (2 hours)
> 2419200; expire (4 weeks)
> 86400  ; minimum (1 day)
> )
> NS  ns1.harrisonburg.k12.va.us.
> NS  ns2.harrisonburg.k12.va.us.
> $TTL 144000 ; 40 hours
> harrisonburg.k12.va.us. MX  10  plum.harrisonburg.k12.va.us.
> mail.harrisonburg.k12.va.us.MX  10  plum.harrisonburg.k12.va.us.
> student.harrisonburg.k12.va.us. MX  10  plum.harrisonburg.k12.va.us.
> harrisonburg.k12.va.us. IN TXT "v=spf1 ip4:204.111.40.0/24
> a:mail.harrisonburg.k12.va.us a:student.harrisonburg.k12.va.us ~all"
>
> $ORIGIN harrisonburg.k12.va.us.
> $TTL 259200; 3 days
> harrisonburg.k12.va.us. A   174.143.193.47
>
> I made the entry for the new website's ip (174.143.193.47).  But when
> I do a dig, it still comes back with 204.111.40.10.  What do I need to
> do in order to get this ip to point to the newserver offsite?  Or is
> it even possible for me to do this?
>
> ddh



Did you update the serial & reload the zone?

ns2 seems to return the old address, ns1 didn't return anything. Except 
just started returning the new address...



Re: new webserver ip

2010-08-03 Thread Alan Clegg
On 8/3/2010 8:07 AM, dhottin...@harrisonburg.k12.va.us wrote:

> $TTL 259200; 3 days
> harrisonburg.k12.va.us. A   174.143.193.47
> 
> 
> I made the entry for the new website's ip (174.143.193.47).  But when I
> do a dig, it still comes back with 204.111.40.10.  What do I need to do
> in order to get this ip to point to the newserver offsite?  Or is it
> even possible for me to do this?

If you are doing a query against a caching server, you may have to wait
up to 3 days (see $TTL)

Did you increment the serial number when you made the change?  If not,
you'll be waiting longer.  :)

Note that I did a query against ns1 and ns2 and they don't return the
same answer, so I'm guessing you forgot to increment the serial number.

AlanC




new webserver ip

2010-08-03 Thread dhottinger
My employer decided to host our website on another server off-site.   
My problem is getting our dns to point from our old server to the new.  
 Currently we own all the ip's and host our own website.  Here is the  
zone file for harrisonburg.k12.va.us:



$ORIGIN .
$TTL 259200 ; 3 days
harrisonburg.k12.va.us IN SOA ns1.harrisonburg.k12.va.us.  
rlineweaver.harrisonburg.k12.va.us. (

201080503 ; serial
28800  ; refresh (8 hours)
7200   ; retry (2 hours)
2419200; expire (4 weeks)
86400  ; minimum (1 day)
)
NS  ns1.harrisonburg.k12.va.us.
NS  ns2.harrisonburg.k12.va.us.
$TTL 144000 ; 40 hours
harrisonburg.k12.va.us. MX  10  plum.harrisonburg.k12.va.us.
mail.harrisonburg.k12.va.us.MX  10  plum.harrisonburg.k12.va.us.
student.harrisonburg.k12.va.us. MX  10  plum.harrisonburg.k12.va.us.
harrisonburg.k12.va.us. IN TXT "v=spf1 ip4:204.111.40.0/24  
a:mail.harrisonburg.k12.va.us a:student.harrisonburg.k12.va.us ~all"

$ORIGIN harrisonburg.k12.va.us.
$TTL 259200; 3 days
harrisonburg.k12.va.us. A   174.143.193.47


I made the entry for the new website's ip (174.143.193.47).  But when  
I do a dig, it still comes back with 204.111.40.10.  What do I need to  
do in order to get this ip to point to the newserver offsite?  Or is  
it even possible for me to do this?


ddh

--
Dwayne Hottinger
Network Administrator
Harrisonburg City Public Schools

"Everything should be made as simple as possible, but not simpler."
-- Albert Einstein

"The hottest places in Hell are reserved for those who, in times of moral
crisis, preserved their neutrality."
-- Dante



Re: Re: Bind Clustering

2010-08-03 Thread mlists
 
 One thing you have to remember is the Slave NEVER updates the Master.
 The updater is always the Master and the receiver is always the Slave.
 I have posted about using 2 masters. You should be able to do a search on the archive and find the post.
 In short all you need to do is setup 2 masters and make them a slave of the other that way no matter which is updated everyone gets the update.
 On Thu 07/29/10  7:25 AM , "Gordon A. Lang" gl...@goalex.com sent:
 I know BIND does not currently support multi-master.  And I understand that trying to strap together my own pseudo-multi-master implementation using BIND, bubble gum, and tape isn't a sustainable solution.  But, nevertheless, I don't really need a true multi-master implementation -- I just need to keep my backup master relatively up to date without relying on frequent freeze-copy-thaw operations.  I would be happy to have the updates go to one slave, and then be replicated to both the active master and the backup master.  I would deal with drift via brute force i.e. I would have the active master copy over to the backup master on a once or twice a day basis, not once every 5 minutes.
 I think it would be great if there were a new config construct added whereby the update-forward target(s) are explicitly specified.  In the case where the masters are slaves of a hidden master that is directly reachable, it would allow for the updates to be directly forwarded to the primary master instead of being forwarded twice.  And if multiple update-forward targets are specified, then all targets always get an update.  This could be used to maintain a duplicate (hidden) master and/or eliminate the failure-delay when the multiple masters "switch over," take turns being the master.  And possibly the specified update-forward target construct could also have an optional behavior of "forward-to-all" or "stop-on-first-success." if current behavior is preferred, but with a different list than the zone-transfer master list.
 Better yet, I would like to add update-forwarding for master zones -- perhaps it could be called update-replication.
 I guess what I would really like to see is multiple MNAME targets accommodated right in the SOA, but I imagine that would have a serious compatibility challenge.
 Or else maybe a new zone type called backup-master that acts like a slave until an rndc control flips its operation state.
 I would like to see some more comments on this.
 And I would really appreciate it if someone could tell me where in the source code I should look to find where the update-forward targets are obtained so that I can evaluate what it would take for me to write my own modifications.
 Thanks.
 --
 Gordon A. Lang
 - Original Message - 
 From: "Chris Buxton" 
 To: "Gordon A. Lang" ; 
 Sent: Wednesday, July 28, 2010 11:22 PM
 Subject: Re: Bind Clustering
 > Updates are always forwarded to the zone masters, as configured in the zone statement itself. And yes, the update is only forwarded (successfully) once.
 >
 > BIND assumes that each zone has exactly one "primary master". That's why updates are forwarded only once. If you want a true multi-master setup, you'll need to look at other options. For example:
 >
 > - BIND with modifications or additional software.
 > - Microsoft DNS and AD-integrated zones.
 >
 > There are other options.
 >
 > Regards,
 > Chris Buxton
 > Bluecat Networks
 >
 > On 7/28/10, Gordon A. Lang  wrote:
 >> This reply is a few months delayed, but this issue is still very important to me, and I'm hoping you can take a few minutes to help out.
 >>
 >> I finally took some time to read through the code, and unfortunately I was unable to identify where forward target(s) are obtained in the update forwarding action.  There's a lot of structure to reverse engineer -- too much for a casual effort.  So perhaps you can tell me where I can find the pertinent code...  ?
 >>
 >> My belief was that somewhere in the code, the SOA record is obtained, and the MNAME is used as the forward target -- this belief was based on trial and error observations.
 >>
 >> What you suggested is that the update forwarding actually uses the masters list from the named.conf file for forwarding targets.
 >>
 >> I was unable to find clues one way or another.
 >>
 >> But another thing about your response that leaves me wondering if I fully understand your response is that you say it "walks the list of masters trying each one in turn," and with the word "trying" in there, it suggests that it walks the list only until the first successful update.  Perhaps I am incorrectly reading into it, but if you could clarify that point, I would appreciate it.  ---  I would expect that if the masters list is used, then ALL masters should always get the updates.
 >>
 >> Thanks in advance.
 >>
 >> --
 >> Gordon A. Lang
 >>
 >> 

RE: Odd query issue

2010-08-03 Thread Atkins, Brian (GD/VA-NSOC)
Kevin,

Thanks for the good ideas. Here is what I am seeing based on your
recommendations:

1. Zone has expired (to confirm: check logs)
No errors or notices regarding the zone being expired.

2. Corrupted/truncated journal file (to confirm: check logs, or, shut
down gracefully, delete journal and start up again)
I've shut down BIND, removed all files under the slave directory, and
restarted BIND - no help. Other zones that are delegated from the same
server are populated.

3. www.blah.com is a delegation in your slave copy of the zone, and the
delegated nameservers are all returning SERVFAIL, are lame, give bogus
answers, some combination of the above, etc. (to confirm: do the lookup
non-recursively, or a zone transfer of blah.com; if www.blah.com shows
as a delegation, query the delegated nameservers directly and see what
they return)
I am able to query the master directly, without issue as well as perform
a zone transfer (though I get an error, ";; communications error to
10.x.x.x#53: connection reset"). I'm assuming that this is due to the
fact that the response is greater than 512 bytes perhaps.

Brian


Re: Strange IPv6 messages [SOLVED]

2010-08-03 Thread Denis BUCHER

Dear all,

On 02.08.2010 23:43, Denis BUCHER wrote:

I have a simple question, when reloading Bind, I get these messages, and
later on in the logs, the transfer seems to work with IPv4.

Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving
'(host)/A/IN': 2001:620::4#53
Aug 2 23:24:13 cirrus named[1581]: network unreachable resolving
'(host)/A/IN': 2001:418:1::39#53

What should I do to avoid these messages, and why are they appearing?
We have BIND 9.5.1-P2


I got many private and public replies so I will briefly summarize the 
answers and the solution:


First, the problem comes from the fact that Bind is using IPv6 while 
our system and network don't use IPv6 at all.


Therefore the solution is to remove IPv6 support from Bind.
That's easy, an option "-4" (IPv4 only) had to be added at startup.

I added OPTIONS="-4" to /etc/sysconfig/named and now it doesn't complain 
anymore about IPv6 :-)


Thanks a lot to everyone

Denis


Re: list zones

2010-08-03 Thread Phil Mayers

On 03/08/10 10:39, Mihamina Rakotomandimby wrote:

Manao ahoana, Hello, Bonjour,

Without grepping the configuration files from the system shell, is it
possible to list all the master zones on a running bind9? What tool
with?


How about this:

# add this to named.conf
statistics-channels {
 inet * port 987 allow { localhost; };
};

# put this in a "zones.xsl" file

http://www.w3.org/1999/XSL/Transform">



zone 





# get the stats and render to text
wget -O stats.xml http://localhost:987/
xsltproc zones.xsl stats.xml
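An added example, not the poster's XSL: the same statistics-channel document parsed in Python rather than with xsltproc. The sample XML is constructed here and follows the element layout assumed for the BIND 9.5/9.6 statistics channel (isc/bind/statistics/views/view/zones/zone); against a live server you would fetch the document from the port configured above.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is assumed, not captured from a server.
SAMPLE_STATS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<isc version="1.0">
  <bind>
    <statistics version="2.2">
      <views>
        <view>
          <name>_default</name>
          <zones>
            <zone>
              <name>harrisonburg.k12.va.us/IN</name>
              <rdataclass>IN</rdataclass>
              <serial>201080503</serial>
            </zone>
            <zone>
              <name>example.net/IN</name>
              <rdataclass>IN</rdataclass>
              <serial>2010080501</serial>
            </zone>
          </zones>
        </view>
        <view>
          <name>_bind</name>
          <zones>
            <zone>
              <name>authors.bind/CH</name>
              <rdataclass>CH</rdataclass>
              <serial>0</serial>
            </zone>
          </zones>
        </view>
      </views>
    </statistics>
  </bind>
</isc>
"""


def list_zones(stats_xml):
    """Return [(view, zone_name, serial), ...] from statistics-channel XML."""
    root = ET.fromstring(stats_xml)
    rows = []
    for view in root.iterfind("./bind/statistics/views/view"):
        vname = view.findtext("name")
        for zone in view.iterfind("./zones/zone"):
            rows.append((vname, zone.findtext("name"), int(zone.findtext("serial"))))
    return rows


def render(rows):
    """One text line per zone, in the spirit of the 'zone <name>' XSL output."""
    return "\n".join(f"zone {name} (view {view}, serial {serial})" for view, name, serial in rows)


if __name__ == "__main__":
    print(render(list_zones(SAMPLE_STATS_XML)))
```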


list zones

2010-08-03 Thread Mihamina Rakotomandimby
Manao ahoana, Hello, Bonjour,

Without grepping the configuration files from the system shell, is it
possible to list all the master zones on a running bind9? What tool
with?

Misaotra, Thanks, Merci.

-- 

IT Architect at Blueline/Gulfsat:
System Administration, Research & Development
+261 34 56 000 19


Re: dlz/sdb backends and dnssec

2010-08-03 Thread Matus UHLAR - fantomas
On 01.08.10 13:02, Rick Dicaire wrote:
> I've seen no mention of this, but is it possible to implement dnssec
> while using one of dlz or sdb backends that contain zone data?

You apparently mean whether it's possible to use BIND's autosigning feature(s).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody