Redirecting subdomain to different resolver
Hi all,

I have a domain defined within a zone statement so it resolves hostnames via the intranet, just like this:

    zone intradomain.com {
        type forward;
        forwarders { 10.222.1.21; };
    };

Now there is this host which does not resolve internally (with an intranet IP) but it does externally (WAN IP): www.sub.intradomain.com. And my problem is that I need to, somehow, override the 'zone intradomain.com' statement, so this particular host/subdomain would resolve externally.

I hope I explained myself properly, please do ask if it's not clear enough.

Is this at all possible? If so, how?

Cheers,
Fred.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
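An added named.conf sketch of the override asked about above; it is not part of the original post or any reply on the list. It relies on BIND choosing the most specific forward zone for a name; the address 192.0.2.53 is a placeholder, and only 10.222.1.21 and the zone names come from the post.

```conf
// Added example, not from the original thread.

// Existing rule from the post: names under intradomain.com are
// forwarded to the intranet resolver.
zone "intradomain.com" {
    type forward;
    forwarders { 10.222.1.21; };
};

// Option A: a more specific forward zone with an EMPTY forwarders list.
// The closest enclosing forward zone applies, and an empty list switches
// forwarding off for this name, so named resolves it by normal recursion
// (recursion must be allowed and the server must reach the Internet).
// Scoping the exception to the single host name, rather than to
// sub.intradomain.com, keeps queries for other internal names from
// leaving the intranet.
zone "www.sub.intradomain.com" {
    type forward;
    forwarders { };
};

// Option B (use instead of A): forward just this name to a chosen
// external resolver. 192.0.2.53 is a placeholder address.
// zone "www.sub.intradomain.com" {
//     type forward;
//     forward only;
//     forwarders { 192.0.2.53; };
// };
```

Run named-checkconf on the edited file before reloading, then query the server for www.sub.intradomain.com and for another intradomain.com name to confirm that only the exception resolves externally.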
Re: Fix for CVE-2006-2073
* Mark Andrews:

Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows disruption of service

I fail to see how this could ever have been classified as Access Complexity: Low.

I believe the CVSS scoring for those old entries was generated semi-automatically. There's also very little public information available about this issue.

Looking at the CVE it looks like this bug fix contains the correction.

    2013. [bug] Handle unexpected TSIGs on unsigned AXFR/IXFR responses more gracefully. [RT #15941]

What was the first BIND version that fixed it?

9.2.7, 9.3.3, 9.4.0.

Thanks, this is helpful. I've adjusted Debian's records.
Master/slave issues
Got around to adding a virtual interface on the production box (I never could get this working with keys alone). I had labbed this up previously in reverse of what I needed, but transfers were broken on the production box when I reversed the views that contained the master/slave.

The following works on the lab box, but when I swap master and zone between views it breaks. What I wanted was:

    view internal - match-clients { localnets; }; - slave zones
    view external - match-clients { any; }; - master zones

I suppose it makes sense, but nonetheless, I think I have been staring at this too long. Anyone have any insight? All the dynamic clients reside on the public side.

    view internal {
        match-clients { localhost; };
        server 10.0.0.4 { keys { external; }; };
        recursion yes;
        zone foo.local {
            type master;
            allow-update { key dhcpd_ddns; };
            also-notify { 172.16.0.1; };
            allow-query { any; };
            file /var/named/foo.local.zone.db;
        };
    };

    view external {
        match-clients { any; };
        recursion yes;
        zone foo.local {
            type slave;
            masters { 10.0.0.4; };
            allow-update { key external; };
            file dynamic/foo.local.slave_zone.db;
        };
    };

    key external {
        algorithm hmac-md5;
        secret ...;
    };
BIND master, Windows 2008 stub zone not transferring
Hi,

We have a Linux server running bind 9.2.4 and dhcpd in a DDNS configuration. We also have a number of Windows 2008 R2 servers running AD / DNS / DHCP on other sites. These Windows servers have stub zones configured for the zones on the Linux server.

All worked fine up until yesterday. Now none of the zones will transfer to the stub zones on the Windows servers.

From the Windows servers I can use nslookup to do zone transfers without any issues. But in DNS Manager, on the stub zone, when I click on Reload, or Transfer from Master, or Transfer new copy from zone Master, the result is the same:

    Zone Not Loaded by DNS server

There is nothing in the bind logs that relates to this server or the zone transfer request. As far as I can see there are no firewall issues or connectivity issues.

Any suggestions?

G
Setting Up Permissions
Hi All,

In the readme1st.txt file that comes with Bind 9.8.1 for Windows I read:

    With BIND running under an account name it is necessary for all files and directories that BIND uses to have permissions set up for the named account if the files are on an NTFS disk. BIND requires that the account have read and write access to the directory for the pid file, any files that are maintained either for slave zones or for master zones supporting dynamic updates. The account will also need read access to the named.conf and any other file that it needs to read.

I have looked for the named account but cannot find it.

Can someone explain this in more detail please? Or at least point me to a more informative explanation?

Yours sincerely
Stephen Grant Brown
Re: intermittent bad horizontal referral?
Someone wrote (privately, so I'm not giving a name):

There's a bit of problem with the DNS. You might want to jump over to http://dns.squish.net/ and run an NS traversal for biplane.com.au -- pps.com.au's DNS is befuddled.

This is true. Two of the four PPS nameservers do not have glue records in .com.au.

What I don't understand is how a trace can complete at all, if there is no glue. That is, root should return a set of referrals to .au, one of the .au servers then returns referrals to .com.au, one of those returns referrals to biplane.com.au, one of those can then answer the actual query. If there are no referrals to x.com.au in .com.au, how can a query jump the gap? Because I can see that happening in a trace.

Here are two traces for pps.com.au. The first shows referrals in .com.au, the second does not. It looks as if n.au somehow answered directly, but g.au did not.

So I'm confused (and possibly befuddled). Firstly as to why n.au would have *any* information about pps.com.au, and secondly why g.au would have different information than n.au :-(

Regards, K.

kauer@karl:~$ dig +trace pps.com.au ns

; DiG 9.7.1-P2 +trace pps.com.au ns
;; global options: +cmd
.               113025  IN  NS  c.root-servers.net.
.               113025  IN  NS  a.root-servers.net.
.               113025  IN  NS  m.root-servers.net.
.               113025  IN  NS  k.root-servers.net.
.               113025  IN  NS  f.root-servers.net.
.               113025  IN  NS  b.root-servers.net.
.               113025  IN  NS  j.root-servers.net.
.               113025  IN  NS  d.root-servers.net.
.               113025  IN  NS  g.root-servers.net.
.               113025  IN  NS  l.root-servers.net.
.               113025  IN  NS  h.root-servers.net.
.               113025  IN  NS  e.root-servers.net.
.               113025  IN  NS  i.root-servers.net.
;; Received 512 bytes from 139.130.4.4#53(139.130.4.4) in 7 ms

au.             172800  IN  NS  o.au.
au.             172800  IN  NS  n.au.
au.             172800  IN  NS  a.au.
au.             172800  IN  NS  l.au.
au.             172800  IN  NS  m.au.
au.             172800  IN  NS  r.au.
au.             172800  IN  NS  h.au.
au.             172800  IN  NS  p.au.
au.             172800  IN  NS  s.au.
au.             172800  IN  NS  u.au.
au.             172800  IN  NS  v.au.
au.             172800  IN  NS  b.au.
;; Received 496 bytes from 192.112.36.4#53(g.root-servers.net) in 348 ms

com.au.         172800  IN  NS  q.au.
com.au.         172800  IN  NS  j.au.
com.au.         172800  IN  NS  i.au.
com.au.         172800  IN  NS  h.au.
com.au.         172800  IN  NS  o.au.
com.au.         172800  IN  NS  l.au.
com.au.         172800  IN  NS  g.au.
com.au.         172800  IN  NS  n.au.
com.au.         172800  IN  NS  m.au.
com.au.         172800  IN  NS  p.au.
com.au.         172800  IN  NS  k.au.
;; Received 408 bytes from 2607:f140::fffe::e#53(s.au) in 193 ms

pps.com.au.     14400   IN  NS  ppsdns6.pps.com.au.
pps.com.au.     14400   IN  NS  ppsdns4.pps.com.au.
pps.com.au.     14400   IN  NS  ppsdns2.pps.com.au.
pps.com.au.     14400   IN  NS  ppsdns1.pps.com.au.
pps.com.au.     14400   IN  NS  ppsdns3.pps.com.au.
;; Received 214 bytes from 202.65.12.72#53(i.au) in 16 ms

pps.com.au.     3600    IN  NS  ppsdns3.pps.com.au.
pps.com.au.     3600    IN  NS  ppsdns6.pps.com.au.
pps.com.au.     3600    IN  NS  ppsdns2.pps.com.au.
pps.com.au.     3600    IN  NS  ppsdns4.pps.com.au.
pps.com.au.     3600    IN  NS  ppsdns1.pps.com.au.
;; Received 342 bytes from 2406:a000::5#53(ppsdns6.pps.com.au) in 21 ms

kauer@karl:~$ dig +trace pps.com.au ns

; DiG 9.7.1-P2 +trace pps.com.au ns
;; global options: +cmd
.               113019  IN  NS  m.root-servers.net.
.               113019  IN  NS  h.root-servers.net.
.               113019  IN  NS  f.root-servers.net.
.               113019  IN  NS  e.root-servers.net.
.               113019  IN  NS  j.root-servers.net.
.               113019  IN  NS  i.root-servers.net.
.               113019  IN  NS  k.root-servers.net.
.               113019  IN  NS  l.root-servers.net.
.