Re: bind-users Digest, Vol 2011, Issue 1
I forgot to mention, this is actually the case: the proxy has a different IP on each network.

2015-01-04 13:00 GMT+01:00 bind-users-requ...@lists.isc.org:

> Message: 1
> Date: Sat, 3 Jan 2015 19:24:47 +0100
> From: Christian Kette chriswaeldc...@outlook.de
> To: Jeremy C. Reed jr...@isc.org, bind-users@lists.isc.org
> Subject: Re: BIND9 Return different IP address based on subnet
>
> I have found a workaround. I defined a different zone for every network. My config files are now:
>
> /etc/bind/named.conf
>
>     include "/etc/bind/named.conf.options";
>     include "/etc/bind/named.conf.local";
>
> /etc/bind/named.conf.local
>
>     view "local" {
>         match-clients { localhost; };
>         zone "home.lan" IN {
>             type master;
>             file "/etc/bind/db.home.lan";
>         };
>     };
>
>     view "ext" {
>         match-clients { 192.168.2.0/24; };
>         zone "home2.lan" IN {
>             type master;
>             file "/etc/bind/db.rev.2.168.192.in-addr.arpa";
>         };
>     };
>
>     view "wlan0" {
>         match-clients { 192.168.3.0/24; };
>         zone "home3.lan" IN {
>             type master;
>             file "/etc/bind/db.rev.3.168.192.in-addr.arpa";
>         };
>     };
>
>     view "wlan00" {
>         match-clients { 192.168.4.0/24; };
>         zone "home4.lan" IN {
>             type master;
>             file "/etc/bind/db.rev.4.168.192.in-addr.arpa";
>         };
>     };
>
>     view "wlan01" {
>         match-clients { 192.168.5.0/24; };
>         zone "home5.lan" IN {
>             type master;
>             file "/etc/bind/db.rev.5.168.192.in-addr.arpa";
>         };
>     };
>
>     view "int" {
>         match-clients { 192.168.10.0/24; };
>         zone "home10.lan" IN {
>             type master;
>             file "/etc/bind/db.rev.10.168.192.in-addr.arpa";
>         };
>     };
>
> /etc/bind/db.rev.10.168.192.in-addr.arpa
>
>     ; IP Address-to-Host DNS Pointers for the 192.168.10 subnet
>     home10.lan.   IN  SOA  DEV.home10.lan. hostmaster.home10.lan. (
>                   2013120101  ; serial
>                   8H          ; refresh
>                   4H          ; retry
>                   4W          ; expire
>                   1D          ; minimum
>     )
>     ; define the authoritative name server
>     home10.lan.   IN  NS     DEV.home10.lan.
>     home10.lan.   IN  MX 10  DEV.home10.lan.
>     localhost     IN  A      127.0.0.1
>     DEV           IN  A      192.168.10.1
>     router        IN  A      192.168.10.1
>     proxy         IN  CNAME  DEV.home10.lan.
>     wpad          IN  A      192.168.10.1
>
> 2014-12-28 19:59 GMT+01:00 chriswaeldc...@outlook.de:
>
>> Thank you for the helpful answer. I changed the file /etc/bind/named.conf.local to
>>
>>     view "local" {
>>         match-clients { 127.0.0.1; };
>>         zone "home.lan" IN {
>>             type master;
>>             file "/etc/bind/db.home.lan";
>>         };
>>     };
>>
>>     view "ext" {
>>         match-clients { 192.168.2.0/24; };
>>         zone "2.168.192.in-addr.arpa" {
>>             type master;
>>             file "/etc/bind/db.rev.2.168.192.in-addr.arpa";
>>         };
>>     };
>>
>>     view "wlan0" {
>>         match-clients { 192.168.3.0/24; };
>>         zone "3.168.192.in-addr.arpa" {
>>             type master;
>>             file "/etc/bind/db.rev.3.168.192.in-addr.arpa";
>>         };
>>     };
>>
>>     view "wlan00" {
>>         match-clients { 192.168.4.0/24; };
>>         zone "4.168.192.in-addr.arpa" {
>>             type master;
>>             file "/etc/bind/db.rev.4.168.192.in-addr.arpa";
>>         };
>>     };
>>
>>     view "wlan01" {
>>         match-clients { 192.168.5.0/24; };
>>         zone "5.168.192.in-addr.arpa" {
>>             type master;
>>             file "/etc/bind/db.rev.5.168.192.in-addr.arpa";
>>         };
>>     };
>>
>>     view "int" {
>>         match-clients { 192.168.10.0/24; };
>>         zone "10.168.192.in-addr.arpa" {
>>             type master;
>>             file "/etc/bind/db.rev.10.168.192.in-addr.arpa";
>>         };
>>     };
>>
>> But now I get a "Non-existent domain" error (on the raspberry machine) for
>>
>>   - nslookup localhost
>>   - nslookup DEV.home.lan
>>
>> I don't understand why it can find neither the localhost nor the DEV.home.lan entry in /etc/bind/db.home.lan.
>>
>> 2014-12-27 22:57 GMT+01:00 Jeremy C. Reed jr...@isc.org:
>>
>>> On Sat, 27 Dec 2014, Christian Kette wrote:
>>>
>>>> I have some questions.
>>>>
>>>> Q1: Why do I get the IP address 192.168.2.100 for DEV.home.lan from both the 192.168.2.0/24 and the 192.168.10.0/24 network?
>>>
>>> The view that matches first is used.
>>>
>>>>     #include "/etc/bind/named.conf.default-zones";
>>>>     ...
>>>>
>>>> Q2: What exactly are these zones in the file for? Do I need them?
>>>
>>> You didn't include the file in the email. But I
Re: can't-resolve
On Sunday, January 4, 2015, Mohammed Ejaz me...@cyberia.net.sa wrote:

> Hello, all.
>
> now everything is fine once the port 1024 opened from the network firewall.

Ah! You mean on the firewall that everyone kept saying existed? And that folk kept providing evidence of? Who would have thought...

> so it means not only 53 port requires to be open.

Yes. Which is why everyone was saying there was a firewall that you needed to adjust.

I think it would have been much more polite / appropriate to have posted that you'd found the firewall and acknowledged that you'd been mistaken...

W

> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Ejaz
> Sent: Sunday, December 28, 2014 11:10 AM
> To: 'Warren Kumari'; 'Barry Margolin'
> Cc: comp-protocols-dns-b...@isc.org
> Subject: RE: can't-resolve
>
> Thanks for the suggestion. I am sure there is no firewall at all. Also, see: I have now reassigned my previous IP, which is 212.119.64.12, and after that everything is fine. It wouldn't have worked with this IP if there were a firewall on the box??
>
> Regards,
> Mohammed Ejaz
> CYBERIAR SAUDI ARABIA
> P.O.Box 301079, Riyadh 11372, Saudi Arabia
> Tel: +966 11 464 7114 Ext. 140
> Fax: +966 11 465 4735
>
> -----Original Message-----
> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Warren Kumari
> Sent: Saturday, December 27, 2014 2:27 AM
> To: Barry Margolin
> Cc: comp-protocols-dns-b...@isc.org
> Subject: Re: can't-resolve
>
> Also, from querying from the outside (with TCP):
>
>     ~# dig +tcp www.auth-servers.net @212.119.64.228
>
>     ; <<>> DiG 9.10.1-P1 <<>> +tcp www.auth-servers.net @212.119.64.228
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 20716
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
>     ;; OPT PSEUDOSECTION:
>     ; EDNS: version: 0, flags:; udp: 4096
>     ;; QUESTION SECTION:
>     ;www.auth-servers.net.          IN      A
>
>     ;; Query time: 8260 msec
>     ;; SERVER: 212.119.64.228#53(212.119.64.228)
>     ;; WHEN: Fri Dec 26 18:18:30 EST 2014
>     ;; MSG SIZE  rcvd: 49
>
> Then trying the same query a few seconds later:
>
>     dig +tcp www.auth-servers.net @212.119.64.228
>
>     ; <<>> DiG 9.10.1-P1 <<>> +tcp www.auth-servers.net @212.119.64.228
>     ;; global options: +cmd
>     ;; connection timed out; no servers could be reached
>
> This really looks like a firewall -- perhaps there is some firewall software on the box itself?
>
> W
>
> On Fri, Dec 26, 2014 at 6:17 PM, Warren Kumari war...@kumari.net wrote:
>
>> What OS is this machine running?
>>
>> Interestingly enough, it is unpingable, and a quick nmap fingerprints it as:
>>
>>     Running: Sun Solaris 8
>>     OS CPE: cpe:/o:sun:sunos:5.8
>>     OS details: Sun Solaris 8 (SPARC)
>>
>> nmap could only find one open port (TCP 53 :-)) and so its fingerprinting is unreliable, but it *does* look like you are behind a firewall type device. It is unusual for machines themselves to not respond to pings.
>>
>> fpdns says:
>>
>>     fingerprint (212.119.64.228, 212.119.64.228): ISC BIND 9.2.3rc1 -- 9.6.1-P1 [recursion enabled]
>>
>> On Fri, Dec 26, 2014 at 5:55 PM, Barry Margolin bar...@alum.mit.edu wrote:
>>
>>> In article mailman.1330.1419633581.26362.bind-us...@lists.isc.org, Ejaz me...@cyberia.net.sa wrote:
>>>
>>>> I am sure, sir, there is no firewall on the server; you can make sure by telnet to port 53 of this IP 212.119.64.228
>>>
>>> That doesn't mean anything. The firewall may be blocking OUTGOING packets to port 53, or they're blocking the returning replies (which go to an ephemeral port).
>>>
>>>> Regards,
>>>> Mohammed Ejaz
>>>> CYBERIAR SAUDI ARABIA
>>>> P.O.Box 301079, Riyadh 11372, Saudi Arabia
>>>> Tel: +966 11 464 7114 Ext. 140
>>>> Fax: +966 11 465 4735
>>>>
>>>> -----Original Message-----
>>>> From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Matus UHLAR - fantomas
>>>> Sent: Friday, December 26, 2014 7:35 PM
>>>> To: bind-users@lists.isc.org
>>>> Subject: Re: can't-resolve
>>>>
>>>> On 26.12.14 19:21, Ejaz wrote:
>>>>
>>>>> When I run dig a yahoo.com @212.119.64.228, below is the output.
>>>>>
>>>>>     yahoo.com. (38)
>>>>>     17:39:41.363532 IP 212.119.64.228.37891 > 212.119.64.228.domain: 34168+ [1au] A? yahoo.com. (38)
>>>>>     17:39:42.246993 IP 212.119.64.228.53702 > 192.5.5.241.domain: 58238 [1au] A? yahoo.com. (38)
>>>>>     17:39:42.247012 IP 212.119.64.228.45701 > 192.5.5.241.domain: 13223 [1au] NS? . (28)
>>>>>     17:39:43.047148 IP 212.119.64.228.43795 > 128.63.2.53.domain: 1539 A? yahoo.com. (27)
>>>>>     17:39:43.047154 IP 212.119.64.228.55178 > 128.63.2.53.domain: 56002 NS? . (17)
>>>>>     17:39:43.847447 IP 212.119.64.228.61664 > 192.58.128.30.domain: 165 A? yahoo.com. (27)
>>>>>     17:39:43.847542 IP
Re: can't-resolve
On 04.01.15 08:43, Mohammed Ejaz wrote:

> now everything is fine once the port 1024 opened from the network firewall.
> so it means not only 53 port requires to be open.

BIND (and other DNS servers) uses a random port for outgoing requests. So you really had a firewall on the path...

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
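To make the point about the ephemeral port concrete, here is an added example (not code from the thread) that parses the tcpdump output quoted earlier in this thread and summarises what a firewall on the path must pass for a recursive BIND: outbound UDP to port 53 from an unpredictable high source port, and the replies coming back to that same port. The sample lines are the ones from the thread with the ">" that the list archive dropped restored; the summary field names and the 1024 threshold are this example's own choices.

```python
"""Added example: what the tcpdump lines in the thread say about firewall
requirements for a recursive resolver. Not part of the original posts."""
import re

# tcpdump -n style: "time IP src.port > dst.port: id[+] [1au] TYPE? name. (len)"
# The '+' after the id is tcpdump's marker for the RD (recursion desired) bit.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\w+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\w+): "
    r"(?P<id>\d+)(?P<rd>\+?) (?:\[1au\] )?(?P<qtype>\w+)\? (?P<qname>\S+) \((?P<len>\d+)\)$"
)
SERVICE_PORTS = {"domain": 53}  # tcpdump prints well-known ports by name


def port_number(text: str) -> int:
    return SERVICE_PORTS.get(text) or int(text)


def parse_line(line: str):
    """One tcpdump DNS query line -> dict, or None if it is not a query line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "time": d["time"], "src": d["src"], "sport": port_number(d["sport"]),
        "dst": d["dst"], "dport": port_number(d["dport"]),
        "id": int(d["id"]), "rd": d["rd"] == "+",
        "qtype": d["qtype"], "qname": d["qname"], "len": int(d["len"]),
    }


def summarize(lines):
    """Separate the resolver's own upstream queries from the client query it
    received (src == dst here, the stub on the same box), and report the
    source-port spread that return traffic will be addressed to."""
    queries = [q for q in (parse_line(l) for l in lines) if q]
    upstream = [q for q in queries if q["src"] != q["dst"]]
    sports = sorted(q["sport"] for q in upstream)
    return {
        "client_queries": [q for q in queries if q["src"] == q["dst"]],
        "upstream_servers": sorted({q["dst"] for q in upstream}),
        "upstream_dport": sorted({q["dport"] for q in upstream}),
        "upstream_sports": sports,
        "all_ephemeral": all(p >= 1024 for p in sports),
    }


# The lines quoted in the thread (constructed sample input for this example).
SAMPLE = """\
17:39:41.363532 IP 212.119.64.228.37891 > 212.119.64.228.domain: 34168+ [1au] A? yahoo.com. (38)
17:39:42.246993 IP 212.119.64.228.53702 > 192.5.5.241.domain: 58238 [1au] A? yahoo.com. (38)
17:39:42.247012 IP 212.119.64.228.45701 > 192.5.5.241.domain: 13223 [1au] NS? . (28)
17:39:43.047148 IP 212.119.64.228.43795 > 128.63.2.53.domain: 1539 A? yahoo.com. (27)
17:39:43.047154 IP 212.119.64.228.55178 > 128.63.2.53.domain: 56002 NS? . (17)
17:39:43.847447 IP 212.119.64.228.61664 > 192.58.128.30.domain: 165 A? yahoo.com. (27)
""".splitlines()

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print("upstream servers :", s["upstream_servers"])
    print("source ports used:", s["upstream_sports"], "all >= 1024:", s["all_ephemeral"])
    print("replies arrive as UDP from port 53 to each of those ports;")
    print("a rule that only opens port 53 in both directions drops them.")
```

Every outbound query leaves from a different source port in the tens of thousands, which is exactly the traffic a rule that only permits port 53 in both directions drops on the way back; a stateful rule (or allowing return UDP from port 53 to the high ports) is what the thread's "port 1024" fix amounts to.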
Re: bind-users Digest, Vol 2011, Issue 1
On 04.01.15 14:20, Christian Kette wrote:

> I forgot to mention, this is actually the case: the proxy has a different IP on each network.

If (and only if) the clients need to use the same name for the proxy... I would keep one view for each network with the different IP of the same proxy, containing only the differing zone(s), and one view to contain all other zones. The other views would use the default view as a forwarder (and share the cache for effectivity).

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I intend to live forever - so far so good.
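Both the "view that matches first is used" answer in the digest above and the per-network-view design in this reply come down to two rules: named walks the views in named.conf order and takes the first whose match-clients ACL matches, and a view that carries only the differing names can hand everything else to a shared view. The following is an added example, not code from the thread or from BIND: a small Python model of those two rules. The view names, zones and addresses are constructed to mirror the home.lan setup in the thread, and the forward_to field is a stand-in for a forwarders statement pointing at the server's own default view.

```python
"""Added example: model of BIND view selection and a shared default view.
Constructed for illustration; not the thread's configuration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class View:
    name: str
    match_clients: list                           # CIDR strings, "localhost" or "any"
    records: dict = field(default_factory=dict)   # owner name -> (rrtype, rdata)
    forward_to: Optional[str] = None              # view that answers everything else


def acl_matches(entry: str, client: str) -> bool:
    """One match-clients element against a client address."""
    if entry == "any":
        return True
    if entry == "localhost":
        return ip_address(client).is_loopback
    return ip_address(client) in ip_network(entry, strict=False)


def select_view(views, client):
    """named uses the FIRST view whose match-clients matches the client,
    so the order of view statements in named.conf is significant."""
    for view in views:
        if any(acl_matches(entry, client) for entry in view.match_clients):
            return view
    return None  # no view matched: named would refuse the query


def resolve(views, client, qname):
    """Return (answering view name, (rrtype, rdata)), or None."""
    by_name = {v.name: v for v in views}
    view = select_view(views, client)
    while view is not None:
        if qname in view.records:
            return view.name, view.records[qname]
        # Not in this view's own zones: follow the forwarder, if one is set.
        view = by_name.get(view.forward_to) if view.forward_to else None
    return None


# Constructed configuration: the shared zone data lives once, in "default";
# each network view carries only the proxy name with that network's address.
SHARED = {
    "DEV.home.lan.": ("A", "192.168.2.100"),
    "www.home.lan.": ("A", "192.168.2.100"),
}
VIEWS = [
    View("ext", ["192.168.2.0/24"], {"proxy.home.lan.": ("A", "192.168.2.1")}, "default"),
    View("int", ["192.168.10.0/24"], {"proxy.home.lan.": ("A", "192.168.10.1")}, "default"),
    View("default", ["localhost", "any"], dict(SHARED)),
]

# The same views with the catch-all listed first: every client lands in
# "default", which is the "same answer from both networks" symptom in Q1.
MISORDERED = [VIEWS[2], VIEWS[0], VIEWS[1]]


if __name__ == "__main__":
    for client in ("192.168.2.20", "192.168.10.20", "127.0.0.1"):
        print(client, "proxy ->", resolve(VIEWS, client, "proxy.home.lan."))
        print(client, "DEV   ->", resolve(VIEWS, client, "DEV.home.lan."))
    print("misordered, 192.168.10.20 ->", select_view(MISORDERED, "192.168.10.20").name)
```

The check worth keeping from this model is the MISORDERED case: a view with a broad ACL placed before the specific ones silently swallows every client, and named-checkconf will not complain, because the configuration is valid.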
RE: can't-resolve
Yes, true, the problem is from the firewall. Thanks everyone for the tremendous support.

Ejaz

From: Warren Kumari [mailto:war...@kumari.net]
Sent: Sunday, January 4, 2015 5:09 PM
To: Mohammed Ejaz
Cc: Barry Margolin; comp-protocols-dns-b...@isc.org
Subject: Re: can't-resolve

> On Sunday, January 4, 2015, Mohammed Ejaz me...@cyberia.net.sa wrote:
>
>> Hello, all.
>>
>> now everything is fine once the port 1024 opened from the network firewall.
>
> Ah! You mean on the firewall that everyone kept saying existed? And that folk kept providing evidence of? Who would have thought...
>
>> so it means not only 53 port requires to be open.
>
> Yes. Which is why everyone was saying there was a firewall that you needed to adjust.
>
> I think it would have been much more polite / appropriate to have posted that you'd found the firewall and acknowledged that you'd been mistaken...
>
> W
Re: BIND DNSSEC Guide draft
On 31-Dec-14 21:00, Jeremy C. Reed wrote:

> ISC is seeking feedback and review for our first public draft of the BIND DNSSEC Guide. It was written in collaboration with DeepDive Networking.

I haven't had a chance to look in detail, but a quick scan resulted in several observations that I hope are useful. Also, I posted your note to dnssec-deployment, where there should be enthusiasm for the topic :-)

The private network section 6.5.4 doesn't talk about how to configure views/stub zones so that authoritative (internal) zones on a shared resolver/authoritative server get validated. (Point 1 in the section dismisses the possibility.) This can be done. Further, it's useful. People are much more likely to experiment on internal zones.

More important, consider a typical scenario: my web server on the internal view has a different address from the external view. (Besides efficiency, some commercial routers don't do NAT on a stick - e.g. allow an internal client to NAT to an external address served by that router, which is NATed to an internal server.) So we want to train users to look for DNSSEC authentication. Unless one makes this work, a notebook on the road will authenticate, but the same notebook in the office will not. Don't bother trying to explain this to users; they'll simply ignore the distinction.

Which is sort of a long way of saying: if the goal is to encourage people to adopt DNSSEC, your guide should make Private Networks and the corresponding recipes first class citizens, not a 'don't bother with this' afterthought. Both for admins to feel freer to experiment, and for users to have a consistent experience.

On key rollover - this is still a major hassle. And while the recipes look pretty, the process is ugly. Key rollover really needs to be automated. There are too many steps that require too much indirection. And too many 'you could do this or you could do that' choices - that don't really matter, especially for getting started. I don't see why a person should have to change parameters, dates, manually generate keys, etc. You can work on the recipes, but I don't think they'll make the problem approachable - or safe. Computers are good at this stuff - and people aren't.

It really needs something like a daily cron job with a simple config file that does all the work. Trigger based on dates, or a 'do it now' emergency/manual command. Key generation, date setting, permissions, etc. As for key uploads to external registrars, it can mail the new keys/DS records to the admin with 'please upload these by <date>', and only proceed with the roll-over when it can 'dig' them. (The e-mail can - via the config file - include a hyperlink to the upload page...) For internal, it can update the trusted keys include file, rndc reconfig, etc.

And the config file should come with reasonable default parameters, so it 'just works' oob. E.g. roll the ZSKs every 6 months and the KSKs every 2 years. (Semi-random numbers, let's not fight about them.)

Also, re TLSA - I think it's better to match just the subject public key - there are several cases where this reduces management overhead. I know generating the hash for that with openssl isn't fun. But https://www.huque.com/bin/gen_tlsa is the easiest way that I've found to generate TLSA records. And it supports SPKI selectors... So you might want to point to it.

I'll try to have a closer look later.

Timothe Litt
ACM Distinguished Engineer
--
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.

On 31-Dec-14 21:00, Jeremy C. Reed wrote:

> ISC is seeking feedback and review for our first public draft of the BIND DNSSEC Guide. It was written in collaboration with DeepDive Networking. The document provides introductory information on how DNSSEC works, how to configure BIND to support some common DNSSEC features, as well as some basic troubleshooting tips. It has lots of interesting content, including examples of using ISC's delv tool and using a common provider's web-based interface to manage DS records.
>
> This is a beta edition of the guide. We'd appreciate any feedback or suggestions, good or bad. You may email me directly, or to our bind9-bugs@ bug tracker email, or back to this list as appropriate (such as needing further community discussion). Or you may use GitHub to provide feedback (or fixes). We plan to announce the first edition of this BIND DNSSEC Guide at the end of January.
>
> The guide also has a recipes chapter with step-by-step examples of some common configurations. If you have any requests or would like to contribute some content, please let us know.
>
> The beta of the guide is available in HTML and PDF formats at
>
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.html
> http://users.isc.org/~jreed/dnssec-guide/dnssec-guide.pdf
>
> The docbook source for the guide is at GitHub:
DMARC Record issue
I have been given the task of implementing DMARC in our BIND servers due to the recommendation of a security audit on our systems. Whenever I create the record in the forward server and refresh the zone, it comes out in the slave zone with escape characters inserted in the TXT record. This occurs in every version of BIND that I have tried, from 9.7 up to 9.10.

Primary test zone record:

    _dmarc.domain. IN TXT "v=DMARC1; p=reject; rua=root@dns-test-1.domain; aspf=s; rf=afrf; sp=reject"

Slave test zone record:

    _dmarc TXT "v=DMARC1\; p=reject\; rua=root@dns-test-1.domain\; aspf=s\; rf=afrf\; sp=reject"

Chris Vaughan | Communications Officer, ICT
Land and Property Information | Level 5, 1 Prince Albert Road, Queens Square NSW 2000
e: chris.vaug...@lpi.nsw.gov.au | t: 02 92286884 | m: 0401 148061 | f: 02 92231271 | http://www.services.nsw.gov.au | http://www.lpi.nsw.gov.au
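The "\;" in the slave's copy is master-file escaping, not a change to the record: outside quotes a bare ";" starts a comment in zone-file syntax, so BIND escapes it when it writes a zone out, and on the wire both spellings are the same length-prefixed character-string. The following is an added example, not code from the post or from BIND: a parser for TXT RDATA in presentation form (RFC 1035 section 5.1 character-strings with \X and \DDD escapes) applied to both records from the post (quotes restored), plus a DMARC tag split and a few sanity checks of the kind one would run before publishing. The record strings are the post's; the check names and messages are this example's own.

```python
"""Added example: decode the primary and slave spellings of the TXT record
and show they are the same DMARC record. Not part of the original post."""

PRIMARY = '"v=DMARC1; p=reject; rua=root@dns-test-1.domain; aspf=s; rf=afrf; sp=reject"'
SLAVE = '"v=DMARC1\\; p=reject\\; rua=root@dns-test-1.domain\\; aspf=s\\; rf=afrf\\; sp=reject"'


def parse_char_strings(rdata: str) -> list:
    """Split TXT RDATA in presentation form into character-strings: quoted
    or whitespace-delimited tokens, with \\X (literal X) and \\DDD (decimal
    octet) escapes. Returns a list of bytes objects, one per string."""
    out, i, n = [], 0, len(rdata)
    while i < n:
        if rdata[i].isspace():
            i += 1
            continue
        quoted = rdata[i] == '"'
        if quoted:
            i += 1
        buf = bytearray()
        while i < n:
            c = rdata[i]
            if quoted and c == '"':
                i += 1
                break
            if not quoted and c.isspace():
                break
            if c == "\\":
                i += 1
                if i >= n:
                    break                                   # dangling backslash
                if i + 2 < n and rdata[i:i + 3].isdigit():  # \DDD decimal octet
                    buf.append(int(rdata[i:i + 3]))
                    i += 3
                    continue
                c = rdata[i]                                # \; \" \\ and friends
            buf.append(ord(c))
            i += 1
        out.append(bytes(buf))
    return out


def to_wire(strings) -> bytes:
    """RDATA wire form: each character-string prefixed by a one-octet length."""
    for s in strings:
        if len(s) > 255:
            raise ValueError("character-string longer than 255 octets")
    return b"".join(bytes([len(s)]) + s for s in strings)


def parse_dmarc(strings) -> dict:
    """tag=value pairs separated by ';' over the concatenated strings."""
    text = b"".join(strings).decode("ascii")
    tags = {}
    for part in text.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def dmarc_issues(tags: dict) -> list:
    """A few pre-publication checks (constructed for this example; not a
    complete RFC 7489 validator)."""
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("v tag is not DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        issues.append("p must be none, quarantine or reject")
    for uri in tags.get("rua", "").split(","):
        if uri and not uri.startswith("mailto:"):
            issues.append(f"rua entry is not a mailto: URI: {uri}")
    return issues


if __name__ == "__main__":
    for label, rec in (("primary", PRIMARY), ("slave", SLAVE)):
        strings = parse_char_strings(rec)
        print(label, "wire:", to_wire(strings).hex())
        print(label, "tags:", parse_dmarc(strings))
    print("same on the wire:", to_wire(parse_char_strings(PRIMARY)) == to_wire(parse_char_strings(SLAVE)))
    print("issues:", dmarc_issues(parse_dmarc(parse_char_strings(PRIMARY))))
```

The one finding the checks turn up in the post's record is unrelated to the escaping: RFC 7489 defines rua as a comma-separated list of URIs, so a receiver expects `rua=mailto:root@dns-test-1.domain` rather than a bare address. Comparing the two forms after decoding, as above, is also the quickest way to confirm that a transfer or a zone dump did not alter a record, whatever the presentation looks like.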