Re: configure syslog prefix

2013-07-02 Thread Doug Barton

On 07/02/2013 06:34 AM, Sam Wilson wrote:
> In article ,
>  Tony Finch  wrote:
>
> > Klaus Darilion  wrote:
> > >
> > > Some software allows to configure the syslog prefix, but I couldn't find
> > > that for bind.
> >
> > Rename the named executable.
>
> Assuming a Unix-like OS would having multiple links (hard or soft) have
> the correct effect?

Yeah, hard links work of course, but symlinks are slightly preferable
here because they make upgrades transparent.


hth,

Doug
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND + LDAP Backend

2013-07-02 Thread Evan Hunt
On Tue, Jul 02, 2013 at 05:22:15PM -1000, Stephan Fabel wrote:
> All,
> 
> sorry if this is a repeating theme here... we are interested in utilizing
> LDAP as a backend to BIND. Google gives conflicting information on whether
> this is possible/recommended/etc. and I couldn't find anything in the
> release notes, which doesn't bode well I suppose...
> 
> But anyhow: can someone point me in the right direction? Also, are there
> binary packages that contain the LDAP backend, or is the best way building
> it yourself?
> 
> Thanks for your help,
> 
> Stephan

Yes it's possible.  Use "configure --with-dlz-ldap".  There's a
sample configuration at http://bind-dlz.sourceforge.net/ldap_driver.html.

There will also be an improved, dynamically-loadable LDAP DLZ module
included in BIND 9.10.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


BIND + LDAP Backend

2013-07-02 Thread Stephan Fabel
All,

sorry if this is a repeating theme here... we are interested in utilizing
LDAP as a backend to BIND. Google gives conflicting information on whether
this is possible/recommended/etc. and I couldn't find anything in the
release notes, which doesn't bode well I suppose...

But anyhow: can someone point me in the right direction? Also, are there
binary packages that contain the LDAP backend, or is the best way building
it yourself?

Thanks for your help,

Stephan

BIND Service Hung

2013-07-02 Thread Arie Lendra Putra
Hi,

I'm running BIND on CentOS 5.3 on 12 cache-only DNS servers (recursive).
It's BIND 9.3, a bit outdated yes; planning to upgrade to the latest BIND on
Ubuntu Server along with the hardware.

These DNS servers are sometimes serving around 17Mbps of DNS queries at peak
hour; 16 cores, only around 12% utilization on each core, 16GB RAM.

Now the problem is that sometimes (not quite often, just seldom) named on one
of these servers is just plain not responding: the process is still there but
just not responding to any queries. When this happens the only way to
revive it is to kill the PID and restart the named service; a plain service
named restart does not work.

And nothing in the logs.

What seems to be the problem, is it because the BIND version is too
outdated?

PS: sometimes this happens when our upstream is down; many unanswered DNS
requests sometimes trigger named not responding.

Best Regards,

Arie Lendra Putra
陈维文

--

Together is a beautiful word,
Coming together is the Beginning, Keeping together is Progress
Thinking together is Unity, Working together is Success


Re: Reverse address entries

2013-07-02 Thread Eduardo Bonsi

On 7/2/13 12:46 PM, John Horne wrote:
> On Tue, 2013-07-02 at 12:02 -0700, Eduardo Bonsi wrote:
> > On 7/2/13 9:35 AM, John Horne wrote:
> > >
> > > We were alerted to the problem because we got long delays (around 20
> > > seconds) when accessing a site doing a reverse lookup. That service
> > > then, no doubt the same as with SMTP, then proceeded but without the
> > > reverse lookup answer.
> >
> > I do occasionally have a very short delay between
> > the main "www.mydomain" and "mydomain" but the same delay never happened
> > with the other domains/websites I am running under the same ip address.
> > I guess I could reverse my main domain to my one and only static ip
> > address and my question would be: - Does that would affect the other
> > websites I am serving using the same ip address? Thanks everyone for
> > this wealth discussion!
>
> If you are referring to my comment above about a 20 second delay, then I
> should point out that the delay was caused because the reverse zone name
> servers were inaccessible - access to them is blocked by our firewall.
> So the client name server would try each listed name server and have to
> wait for a timeout. On average this gave a 20 second delay.
>
> It was not caused because there were no reverse zone entries to lookup.

You're right John! It has nothing to do with the reverse zone. In my
case, my server's short delay is caused by the way my ISP router is
configured from the firmware through the DHCP when it switches from the
main server to the backup server. Thanks for pointing that out!

> John.

--
Eduardo Bonsi
System - Network Admin
beart...@pacbell.net


Re: Reverse address entries

2013-07-02 Thread Sten Carlsen

On 02/07/13 21:02, Eduardo Bonsi wrote:
> I have been reading all your concerns about reverse FQDNS. In my
> example, we are a very small firm and I am the IT network admin
> responsible for configuring our server. One of the reasons I
> configured our server was because we deal with Photography, graphic
> design and occasionally presentations of Movies. These are fat files
> that are not viable to send thru emails. Our setup is far from being
> perfect and does not follow the ISC BIND advised rules of how I would
> like to follow to run a proper server. Like two different networks,
> one ip address for every ns.mydomain.com and web services and so
> forth. Believe me, I would love to do that if I had the budget for it.
> Therefore, that is not really my decision but it falls under the way
> my ISP charges $$$ for each ip address and reverse setup. 
Well, that means your setup is ok, lookups will go like this:
1 - your.mail.server -> some IP
2 - some IP -> a name in your ISP's DNS, typically very generic like
2-45-231-6-isp-dynamic-pool.xx
3 - 2-45-231-6-isp-dynamic-pool.xx -> back to "some IP".

The fact that numbers 2) and 3) match and could be done more times if
needed, is what SMTP is looking for. Hence you are not deemed to be a
spammer on that account.
> So, I decided to work with what I have and be happy with the
> limitations and at the same time try to work around them. I put a lot
> of thought in the beginning about the issue of: -Should I reverse my
> main NS or Should I just leave it alone since I do not do any transfer
> or run any email server from my server. I thought in the beginning;
> "Well, no spammer will attempt to relay through my server since this
> will be one more reason they will not get things to work properly."
> However, this is not really a concern. Like I said, my set up is not
> perfect but everything works fine from my end so far with limitations!
> …and Yes, I do occasionally have a very short delay between the main
> "www.mydomain" and "mydomain" but the same delay never happened with
> the other domains/websites I am running under the same ip address. I
> guess I could reverse my main domain to my one and only static ip
> address and my question would be: - Does that would affect the other
> websites I am serving using the same ip address? Thanks everyone for
> this wealth discussion!
>
> Eduardo

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

   "MALE BOVINE MANURE!!!" 


Re: Reverse address entries

2013-07-02 Thread John Horne
On Tue, 2013-07-02 at 12:02 -0700, Eduardo Bonsi wrote:
> On 7/2/13 9:35 AM, John Horne wrote:
> >
> > We were alerted to the problem because we got long delays (around 20
> > seconds) when accessing a site doing a reverse lookup. That service
> > then, no doubt the same as with SMTP, then proceeded but without the
> > reverse lookup answer.
> >

> >
>  I do occasionally have a very short delay between 
> the main "www.mydomain" and "mydomain" but the same delay never happened 
> with the other domains/websites I am running under the same ip address. 
> I guess I could reverse my main domain to my one and only static ip 
> address and my question would be: - Does that would affect the other 
> websites I am serving using the same ip address? Thanks everyone for 
> this wealth discussion!
> 
If you are referring to my comment above about a 20 second delay, then I
should point out that the delay was caused because the reverse zone name
servers were inaccessible - access to them is blocked by our firewall.
So the client name server would try each listed name server and have to
wait for a timeout. On average this gave a 20 second delay.

It was not caused because there were no reverse zone entries to lookup.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: Reverse address entries

2013-07-02 Thread Eduardo Bonsi

On 7/2/13 9:35 AM, John Horne wrote:
> On Tue, 2013-07-02 at 14:42 +0100, Sam Wilson wrote:
> >
> > Can anyone here give examples of the types of various software that will
> > not operate without a PTR record?
> >
> Nope, and our entire reverse zone was externally inaccessible for many
> months! (See previous posts on the bind9-users list from me about the
> problem.) As far as we could tell no services blocked us because of a
> failed reverse lookup. In fact it was one of the reasons we didn't
> immediately spot the problem.
>
> We were alerted to the problem because we got long delays (around 20
> seconds) when accessing a site doing a reverse lookup. That service
> then, no doubt the same as with SMTP, then proceeded but without the
> reverse lookup answer.
>
> John.

I have been reading all your concerns about reverse FQDNs. In my
example, we are a very small firm and I am the IT network admin
responsible for configuring our server. One of the reasons I configured
our server was because we deal with photography, graphic design and
occasionally presentations of movies. These are fat files that are not
viable to send through email. Our setup is far from being perfect and does
not follow the ISC BIND advised rules that I would like to follow to
run a proper server, like two different networks, one IP address for
every ns.mydomain.com and web services and so forth. Believe me, I would
love to do that if I had the budget for it. Therefore, that is not
really my decision but it falls under the way my ISP charges $$$ for
each IP address and reverse setup. So, I decided to work with what I
have and be happy with the limitations and at the same time try to work
around them. I put a lot of thought in the beginning about the issue of:
should I reverse my main NS or should I just leave it alone since I do
not do any transfer or run any email server from my server. I thought in
the beginning, "Well, no spammer will attempt to relay through my server
since this will be one more reason they will not get things to work
properly." However, this is not really a concern. Like I said, my set up
is not perfect but everything works fine from my end so far with
limitations! ...and yes, I do occasionally have a very short delay between
the main "www.mydomain" and "mydomain" but the same delay never happened
with the other domains/websites I am running under the same IP address.
I guess I could reverse my main domain to my one and only static IP
address and my question would be: would that affect the other
websites I am serving using the same IP address? Thanks everyone for
this wealth of discussion!

Eduardo
--
Eduardo B
System - Network Admin
beart...@pacbell.net


Re: Reverse address entries

2013-07-02 Thread Novosielski, Ryan
On 07/02/2013 12:36 PM, John Horne wrote:
> On Tue, 2013-07-02 at 14:42 +0100, Sam Wilson wrote:
> 
>> Can anyone here give examples of the types of various software
>> that will not operate without a PTR record?
>> 
> Nope, and our entire reverse zone was externally inaccessible for
> many months! (See previous posts on the bind9-users list from me
> about the problem.) As far as we could tell no services blocked us
> because of a failed reverse lookup. In fact it was one of the
> reasons we didn't immediately spot the problem.
> 
> We were alerted to the problem because we got long delays (around
> 20 seconds) when accessing a site doing a reverse lookup. That
> service then, no doubt the same as with SMTP, then proceeded but
> without the reverse lookup answer.

In general, I wouldn't consider a 20 second delay an acceptable
compromise though.

-- 
   *Note: UMDNJ is now Rutgers-Biomedical and Health Sciences*
 || \\UTGERS  |-*O*-
 ||_// Biomedical | Ryan Novosielski - Sr. Systems Programmer
 || \\ and Health | novos...@rutgers.edu - 973/972.0922 (2x0922)
 ||  \\  Sciences | OIT/EI-Academic Svcs. - ADMC 450, Newark
  `'


Re: Reverse address entries

2013-07-02 Thread John Horne
On Tue, 2013-07-02 at 14:42 +0100, Sam Wilson wrote:

> Can anyone here give examples of the types of various software that will 
> not operate without a PTR record?
> 
Nope, and our entire reverse zone was externally inaccessible for many
months! (See previous posts on the bind9-users list from me about the
problem.) As far as we could tell no services blocked us because of a
failed reverse lookup. In fact it was one of the reasons we didn't
immediately spot the problem.

We were alerted to the problem because we got long delays (around 20
seconds) when accessing a site doing a reverse lookup. That service
then, no doubt the same as with SMTP, then proceeded but without the
reverse lookup answer.




John.

-- 
John Horne, Plymouth University, UK
Tel: +44 (0)1752 587287    Fax: +44 (0)1752 587001



Re: Reverse address entries

2013-07-02 Thread Barry Margolin
In article ,
 Daniel McDonald  wrote:

> The other place reverse DNS is routinely queried is SMTP.  If you care
> enough to send mail, you should care enough to set up your reverse entries
> realistically so that spam filters will recognize that you are trying to
> actively manage your email server and this isn't mail from a BOT...

Reverse DNS is generally necessary, but may not be sufficient. Your IP 
also has to NOT be on one of the many block lists. These lists are 
populated with IPs that have spamming history, as well as IPs that ISPs 
have volunteered as being used for residential services rather than 
commercial users.

I suppose it's obvious, but the other general place where reverse DNS is 
important is if you make use of hostnames or domain suffixes in filter 
files like hosts.allow and hosts.deny. If your hosts.allow file contains 
something like:

sshd: *.yourdomain.com

then the server will do a reverse lookup and forward validity check 
before testing whether the hostname ends in .yourdomain.com.

-- 
Barry Margolin
Arlington, MA


Re: Reverse address entries

2013-07-02 Thread Daniel McDonald
On 7/2/13 8:42 AM, "Sam Wilson"  wrote:

> There may be a subtle language thing going on here.  I read the original
> post above as saying, literally, "you need PTR records because various
> software tries to match A and PTR records".  It doesn't say "you need
> PTR records because some systems require PTR records (and if you have
> them they will also need to match the A records)".  PTR records are nice
> but they aren't a general requirement.
> 
> Can anyone here give examples of the types of various software that will
> not operate without a PTR record?

I've had trouble with OSI-Soft PI historian without reverse entries.  If
there is no reverse, then the PI software would spend about 30 seconds
looking in vain for a DNS answer before sending a SYN-ACK packet.  Since the
embryonic timer on a Cisco firewall is usually 20 seconds, the sessions
would simply not come up. I've seen similar things with openssh.

The other place reverse DNS is routinely queried is SMTP.  If you care
enough to send mail, you should care enough to set up your reverse entries
realistically so that spam filters will recognize that you are trying to
actively manage your email server and this isn't mail from a BOT...



> 
>> Now that IS a reason to add PTR for IP address, and they must point to
>> hostnames that point to the same IP.
> 
> I agree that if PTR records exist then they should match an A record.
> My experience (and IIRC correctly the word of several RFCs) is that PTRs
> are not required for most things to work.
> 
> Sam

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281



Re: Reverse address entries

2013-07-02 Thread Steven Carr
On 2 July 2013 14:42, Sam Wilson  wrote:
> Can anyone here give examples of the types of various software that will
> not operate without a PTR record?

There have already been numerous listings of software that require
reverse lookups. SMTP being the main one. Other services like IRC and
some databases (Oracle/MySQL) can also be configured to require
properly working reverse lookups.

> I agree that if PTR records exist then they should match an A record.
> My experience (and IIRC correctly the word of several RFCs) is that PTRs
> are not required for most things to work.

RFC1912 [http://tools.ietf.org/html/rfc1912] section 2.1...

Every Internet-reachable host should have a name... Make sure your PTR
and A records match.  For every IP address, there should be a matching
PTR record in the in-addr.arpa domain.  If a host is multi-homed,
(more than one IP address) make sure that all IP addresses have a
corresponding PTR record (not just the first one). Failure to have
matching PTR and A records can cause loss of Internet services similar
to not being registered in the DNS at all.  Also, PTR records must
point back to a valid A record, not a alias defined by a CNAME.

Steve
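As an added example (not code from the list, from ISC or from BIND), here is the forward-confirmed reverse DNS check that the thread calls a double-reverse lookup, applying the RFC 1912 rules Steve quotes: PTR and A must match, every address of a multi-homed host needs its own PTR, and a PTR must not point at a CNAME. It runs over a constructed in-memory record snapshot instead of live DNS, so every name and address below is made up, and it reports the failure modes the thread mentions (no PTR, PTR to an alias, forward record that does not match).

```python
"""Forward-confirmed reverse DNS (FcRDNS) check over constructed records."""
import ipaddress

# Constructed snapshot of what a checker would get from real lookups.
# Keys are (owner name, rrtype); values are the rdata list for that RRset.
CONSTRUCTED_RECORDS = {
    # A host whose A and PTR records agree, as RFC 1912 asks for.
    ("mail.example.net.", "A"): ["192.0.2.10"],
    ("10.2.0.192.in-addr.arpa.", "PTR"): ["mail.example.net."],
    # Multi-homed host: only the first address has a PTR (192.0.2.21 has none).
    ("www.example.net.", "A"): ["192.0.2.20", "192.0.2.21"],
    ("20.2.0.192.in-addr.arpa.", "PTR"): ["www.example.net."],
    # PTR pointing at a CNAME instead of an A record (RFC 1912 forbids this).
    ("30.2.0.192.in-addr.arpa.", "PTR"): ["alias.example.net."],
    ("alias.example.net.", "CNAME"): ["mail.example.net."],
    # PTR whose target resolves to a different address: a mismatch.
    ("40.2.0.192.in-addr.arpa.", "PTR"): ["other.example.net."],
    ("other.example.net.", "A"): ["198.51.100.5"],
    # IPv6 host with matching AAAA and PTR under ip6.arpa.
    ("v6.example.net.", "AAAA"): ["2001:db8::1"],
    (ipaddress.ip_address("2001:db8::1").reverse_pointer + ".", "PTR"): ["v6.example.net."],
}


def lookup(name, rrtype, records=CONSTRUCTED_RECORDS):
    """Return the rdata for name/rrtype, or [] when no such record exists."""
    return list(records.get((name.lower(), rrtype), []))


def fcrdns_check(ip, records=CONSTRUCTED_RECORDS):
    """Double-reverse lookup for one address.

    Step 1: PTR query for the reverse name of the address.
    Step 2: A (or AAAA for IPv6) query for each PTR target.
    The address is confirmed only if some target's forward records include
    the original address. Returns (ok, reason, confirmed_names).
    """
    addr = ipaddress.ip_address(ip)
    ptr_name = addr.reverse_pointer + "."
    targets = lookup(ptr_name, "PTR", records)
    if not targets:
        return False, "no PTR record", []
    fwd_type = "AAAA" if addr.version == 6 else "A"
    confirmed, problems = [], []
    for name in targets:
        if lookup(name, "CNAME", records):
            # RFC 1912: the PTR must name a real A record, not an alias.
            problems.append(f"PTR points at CNAME {name}")
            continue
        fwd = lookup(name, fwd_type, records)
        if not fwd:
            problems.append(f"no {fwd_type} record for {name}")
        elif addr in [ipaddress.ip_address(a) for a in fwd]:
            confirmed.append(name)
        else:
            problems.append(f"{name} resolves to {', '.join(fwd)}, not {addr}")
    if confirmed:
        return True, "forward-confirmed", confirmed
    return False, "; ".join(problems), []


def audit_host(name, records=CONSTRUCTED_RECORDS):
    """Host-side view of RFC 1912: every A/AAAA address of the host must have
    a PTR that confirms back to this name. Returns the addresses that fail."""
    failing = []
    for rrtype in ("A", "AAAA"):
        for a in lookup(name, rrtype, records):
            ok, _, names = fcrdns_check(a, records)
            if not ok or name.lower() not in names:
                failing.append(a)
    return failing


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.21", "192.0.2.30", "192.0.2.40", "2001:db8::1"):
        print(ip, fcrdns_check(ip))
    print("www.example.net. addresses without a confirming PTR:",
          audit_host("www.example.net."))
```

Against live DNS the same two steps are what a mail server or hosts.allow check performs, so running this audit over your own zones before publishing them catches exactly the cases that cause the timeouts and rejections described in the thread.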


Re: configure syslog prefix

2013-07-02 Thread Tony Finch
Sam Wilson  wrote:
> Tony Finch  wrote:
> > Klaus Darilion  wrote:
> > >
> > > Some software allows to configure the syslog prefix, but I couldn't
> > > find that for bind.
> >
> > Rename the named executable.
>
> Assuming a Unix-like OS would having multiple links (hard or soft) have
> the correct effect?

Yes. The syslog tag comes from named's idea of its progname, which it gets
from argv[0], which is the name you used to invoke it.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
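An added example (not from the list or from BIND) for the problem Klaus posed and the mechanism Tony describes: it parses the "ident[pid]: message" lines from the original post (re-joined onto single lines as constructed input), shows that with a shared tag only the PID separates instances, and derives the tag from the basename of argv[0] for assumed per-instance symlink names.

```python
"""Telling several named instances apart in syslog by their ident."""
import os
import re
from collections import defaultdict

# BIND's syslog body looks like "<ident>[<pid>]: <message>", the ident
# being named's progname.
LINE_RE = re.compile(r"^(?P<ident>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Constructed input: the lines from the post, all instances invoked as "named".
SHARED_TAG_LOG = """\
named[11926]: zone mydomain/IN: Transfer started.
named[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: connected using 2.3.4.5#44224
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR started: TSIG mydomain
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR ended
"""

# The same events after each instance is started through its own symlink.
RENAMED_TAG_LOG = """\
named-incoming[11926]: zone mydomain/IN: Transfer started.
named-incoming[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: connected using 2.3.4.5#44224
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR started: TSIG mydomain
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR ended
"""


def syslog_ident(argv0):
    """The tag named logs under is its progname, taken from argv[0]: starting
    the same binary through a symlink of another name changes the tag."""
    return os.path.basename(argv0)


def parse_line(line):
    """Split one syslog body into (ident, pid, message); None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("ident"), int(m.group("pid")), m.group("msg")


def pids_by_ident(log):
    """Map each ident to the sorted list of PIDs that logged under it."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            ident, pid, _ = parsed
            seen[ident].add(pid)
    return {ident: sorted(pids) for ident, pids in seen.items()}


def ambiguous_idents(log):
    """Idents under which more than one PID logged. With a shared tag these
    are different instances that a filter keyed on the tag cannot separate,
    and the PID itself changes on every restart."""
    return sorted(ident for ident, pids in pids_by_ident(log).items() if len(pids) > 1)


if __name__ == "__main__":
    # Assumed symlink layout: one link per instance pointing at the real binary.
    for link in ("/usr/local/sbin/named-incoming", "/usr/local/sbin/named-outgoing"):
        print(link, "logs as", syslog_ident(link))
    print("shared tag, ambiguous idents:", ambiguous_idents(SHARED_TAG_LOG))
    print("per-instance tags, ambiguous idents:", ambiguous_idents(RENAMED_TAG_LOG))
    print(pids_by_ident(RENAMED_TAG_LOG))
```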


Re: configure syslog prefix

2013-07-02 Thread Klaus Darilion



On 02.07.2013 14:59, Tony Finch wrote:
> Klaus Darilion  wrote:
> >
> > Some software allows to configure the syslog prefix, but I couldn't find that
> > for bind.
>
> Rename the named executable.

I would prefer a configuration option, but I guess I have to use this
workaround.

Tested with symlinks, it works.

Thanks
Klaus


Re: Reverse address entries

2013-07-02 Thread Sam Wilson
In article ,
 Matus UHLAR - fantomas  wrote:

> >> >In article ,
> >> > Charles Swiger  wrote:
> >> >> Certainly.  Various software performs what's called a double-reverse
> >> >> lookup
> >> >> to confirm that the A and PTR records match.
> 
> >In article ,
> > Matus UHLAR - fantomas  wrote:
> >> He apparently meant exactly the same. Also called FcRDNS - "forward
> >> confirmed" or "full circle" reverse DNS.
> 
> On 01.07.13 14:11, Sam Wilson wrote:
> >OK.  So what Mr. Swiger refers to is not relevant - it's no reason to
> >add PTR records.
> 
> Yes, it is.
> 
> "Various software performs what's called a double-reverse lookup to confirm
> that the A and PTR records match."
> 
> It means that various software checks your PTR and then A (or maybe
> ) records, and can fail if any of them is not found or the latter result
> doesn't match the original IP address.

There may be a subtle language thing going on here.  I read the original 
post above as saying, literally, "you need PTR records because various 
software tries to match A and PTR records".  It doesn't say "you need 
PTR records because some systems require PTR records (and if you have 
them they will also need to match the A records)".  PTR records are nice 
but they aren't a general requirement.

Can anyone here give examples of the types of various software that will 
not operate without a PTR record?

> Now that IS a reason to add PTR for IP address, and they must point to
> hostnames that point to the same IP.

I agree that if PTR records exist then they should match an A record.  
My experience (and IIRC correctly the word of several RFCs) is that PTRs 
are not required for most things to work.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: configure syslog prefix

2013-07-02 Thread Sam Wilson
In article ,
 Tony Finch  wrote:

> Klaus Darilion  wrote:
> >
> > Some software allows to configure the syslog prefix, but I couldn't find 
> > that
> > for bind.
> 
> Rename the named executable.

Assuming a Unix-like OS would having multiple links (hard or soft) have 
the correct effect?

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: configure syslog prefix

2013-07-02 Thread Tony Finch
Klaus Darilion  wrote:
>
> Some software allows to configure the syslog prefix, but I couldn't find that
> for bind.

Rename the named executable.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.


Re: bind-users Digest, Vol 1560, Issue 1

2013-07-02 Thread Manson, John
Give each instance of named a unique name:
   A-named, b-named, etc

- Original Message -
From: bind-users-requ...@lists.isc.org [mailto:bind-users-requ...@lists.isc.org]
Sent: Tuesday, July 02, 2013 08:00 AM
To: bind-users@lists.isc.org 
Subject: bind-users Digest, Vol 1560, Issue 1



Today's Topics:

   1. Re: Reverse address entries (Sam Wilson)
   2. Re: Reverse address entries (Matus UHLAR - fantomas)
   3. Re: How to suppress ADDITIONAL SECTION per zone
  (Matus UHLAR - fantomas)
   4. configure syslog prefix (Klaus Darilion)


--

Message: 1
Date: Mon, 01 Jul 2013 14:11:00 +0100
From: Sam Wilson 
To: comp-protocols-dns-b...@isc.org
Subject: Re: Reverse address entries
Message-ID:


In article ,
 Matus UHLAR - fantomas  wrote:

> >> On Jun 28, 2013, at 10:54 AM, "Ward, Mike S"  wrote:
> >> > Hello all, is there any reason to setup reverse address entries for a 
> >> > zone?
> 
> >In article ,
> > Charles Swiger  wrote:
> >> Certainly.  Various software performs what's called a double-reverse 
> >> lookup
> >> to confirm that the A and PTR records match.
> 
> On 01.07.13 10:48, Sam Wilson wrote:
> >Isn't that paranoid reverse lookup?  Since reverse lookups can be faked
> >(I'll spare the details here) some uses of in-addr.arpa also require a
> >subsequent forward lookup.  If there is no PTR record then the double
> >lookup doesn't happen.  I don't know of anything to be gained by
> >requiring a reverse lookup after a forward lookup.
> 
> He apparently meant exactly the same. Also called FcRDNS - "forward
> confirmed" or "full circle" reverse DNS.

OK.  So what Mr. Swiger refers to is not relevant - it's no reason to 
add PTR records.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


--

Message: 2
Date: Mon, 1 Jul 2013 15:14:10 +0200
From: Matus UHLAR - fantomas 
To: bind-users@lists.isc.org
Subject: Re: Reverse address entries
Message-ID: <20130701131410.ga14...@fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed

>> >In article ,
>> > Charles Swiger  wrote:
>> >> Certainly.  Various software performs what's called a double-reverse
>> >> lookup
>> >> to confirm that the A and PTR records match.

>In article ,
> Matus UHLAR - fantomas  wrote:
>> He apparently meant exactly the same. Also called FcRDNS - "forward
>> confirmed" or "full circle" reverse DNS.

On 01.07.13 14:11, Sam Wilson wrote:
>OK.  So what Mr. Swiger refers to is not relevant - it's no reason to
>add PTR records.

Yes, it is.

"Various software performs what's called a double-reverse lookup to confirm
that the A and PTR records match."

It means that various software checks your PTR and then A (or maybe
) records, and can fail if any of them is not found or the latter result
doesn't match the original IP address.

Now that IS a reason to add PTR for IP address, and they must point to
hostnames that point to the same IP.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


--

Message: 3
Date: Mon, 1 Jul 2013 16:07:05 +0200
From: Matus UHLAR - fantomas 
To: bind-users@lists.isc.org
Subject: Re: How to suppress ADDITIONAL SECTION per zone
Message-ID: <20130701140704.gb14...@fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed

On 01.07.13 04:02, blrmaani wrote:
>We are noticing that a handful of our domains are being used for
> amplification attacks and we would like to reduce outgoing (DNS response)
> packet size.
>
>One solution is to reduce the additional sections in the response for these
> handful zones and I would like to know if there is any way to add
> something similar to "additional-from-auth no" per zone basis and achieve

It would be much better if you presented your problem in the beginning, not
just tell us what you want to do. 

In this case you should set "minimal-responses yes" globally, otherwise all
your other domains can get used for such attacks too.

Do you have separate servers for resolving and for domains?
Resolving servers could send all possible info to your own clients, while
authoritative servers would provide as low informations as needed.

Other possibility is t

configure syslog prefix

2013-07-02 Thread Klaus Darilion

Hi!

I have several bind instances running on the same host. All of them use 
the same logging prefix, e.g:


named[11926]: zone mydomain/IN: Transfer started.
named[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: connected using 
2.3.4.5#44224
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR started: TSIG mydomain
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR ended



So I only have the PID to separate the different bind processes.

Some software allows to configure the syslog prefix, but I couldn't find 
that for bind.


Is there a workaround to get something like that?

named-incoming[11926]: zone mydomain/IN: Transfer started.
named-incoming[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: 
connected using 2.3.4.5#44224
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR started: TSIG mydomain
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': 
AXFR-style IXFR ended


Thanks
Klaus