Re: dispatch - permission denied

2011-10-27 Thread Benzi Mizrahi
On Oct 26, 2011, at 6:04 PM, Chris Thompson wrote: On Oct 26 2011, Benzi Mizrahi wrote: Hi, I've recently upgraded our nameservers from version 9.6.2-P3 to 9.7.4, and the following messages started to appear in all nameservers' logs: 22-Oct-2011 16:58:41.548 dispatch: dispatch

RE: DNS Sinkhole in BIND

2011-10-27 Thread Lightner, Jeff
Rather a late response, I think. When I set up the rules I spoke about, RPZ was just a gleam in someone's eyes. My post discussed the relative merit of iptables vs. blackholes and didn't mention RPZ. RPZ may be a better solution, but it requires one to stop and upgrade BIND to get it.

Re: DNS Sinkhole in BIND

2011-10-27 Thread Ryan Novosielski
On 10/17/2011 02:19 PM, Phil Mayers wrote: On 10/17/2011 06:38 PM, babu dheen wrote: You are absolutely correct, Chris. I want to block/redirect all malware domain requests initiated by clients by setting up a DNS SINKHOLE in a Redhat BIND server. In

NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Jonathan Stewart
Hello, Recently I set up a group of nameservers using a hidden master, visible slaves configuration. ns0 - hidden master ns1, ns2, ns3 - visible slave servers So I set the SOA and NS records like this zone.example IN SOA ns1.zone.example. hostmaster.example.com ( 1; serial

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Alan Clegg
On 10/27/2011 11:02 AM, Jonathan Stewart wrote: Also, is this normal/expected behaviour? How can I get ns0 (and the others) to NOTIFY ns1 when the serial is incremented? Must I use an explicit {also-notify}? Yes, this is expected. Since NS1 is the master server (since it is in the SOA),

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Chris Thompson
On Oct 27 2011, Kevin Darcy wrote: On 10/27/2011 11:02 AM, Jonathan Stewart wrote: Hello, Recently I set up a group of nameservers using a hidden master, visible slaves configuration. ns0 - hidden master ns1, ns2, ns3 - visible slave servers So I set the SOA and NS records like this

Re: DNS Sinkhole in BIND

2011-10-27 Thread Michelle Konzack
Hello G.W. Haywood, On 2011-10-27 16:56:44, you hacked down the following: On Thu, 27 Oct 2011 Michelle Konzack wrote: ...and you get the hell on your ass if you have several 1000 of them! In this case, bind9 with RPZ is cheaper. Maybe look at ipsets. Currently we firewall almost 76,000

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Jonathan Stewart
Ah ha! Now this was the option I was looking for. Tell bind to also notify the SOA MNAME server, since it's not the true master feeding the zones. Looks like this first appeared in BIND 9.5, and OpenBSD 4.9 still ships 9.4.2. :( Thanks for the tip, Chris, I didn't know such an option existed.

Re: udp vs tcp query

2011-10-27 Thread Benny Pedersen
On Thu, 27 Oct 2011 07:04:42 +0200, Emanuele Balla (aka Skull) wrote: TCP is needed only when replies do not fit 512 bytes (let's ignore EDNS0 and such). For any DNSBL, this limit is not a problem at all. It was edns0 defaults that made most problems; from my logs it seems more stable now,

Re: Potential issue in Bind 9.7.3-P3

2011-10-27 Thread Doug Barton
On 10/27/2011 08:43, Hayward, Bruce wrote: I compiled both 9.7.4, and 9.8.0-P4 yesterday (w/IPV6 and 64)(using the BIND Vulnerability Matrix at http://www.isc.org/software/bind/security/matrix - picking on clean ones) You're always better off picking the latest version in a branch (e.g.,