Re: Shared libraries loaded after chroot

2016-05-16 Thread Marc Haber
On Mon, May 16, 2016 at 12:23:30PM +0100, Tony Finch wrote: > Marc Haber wrote: > > in Debian, the bind9 packages have recently started to trouble me in > > chrooted environments since some cryptographic libraries are loaded > > after bind has chrooted itself, which

Re: Shared libraries loaded after chroot

2016-05-16 Thread Marc Haber
On Mon, May 16, 2016 at 08:09:05AM -0400, Matthew Pounsett wrote: > On 16 May 2016 at 04:38, Marc Haber wrote: > > I have filed Debian Bug #820974 (http://bugs.debian.org/820974) > > accordingly. The Debian bind people suggest that I copy the respective > > libraries

Re: Shared libraries loaded after chroot

2016-05-16 Thread Marc Haber
On Mon, May 16, 2016 at 08:51:41PM -0400, Paul Kosinski wrote: > I have avoided the problem chroot causes in a fairly general fashion by > using "mount --bind". For example: > > /bin/mount --bind /lib /chroot/dns/lib > > will make the entire /lib directory available to the chrooted BIND, >

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
Hello, I was thinking of blocking only the clients who attack, with something like this: /sbin/iptables --insert INPUT -s IP-ADDRESS-CLIENT-WHO-ATTACK -p udp --dport 53 -m string --from 40 --to 80 --algo bm --hex-string '|somethinghere|' -j DROP -m comment --comment "DROP DNS DDoS" Anyone know how
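Added example for this thread (not code from any of the posts): a small detector that reads named query-log lines, counts per-client queries whose name is a bare dotted quad like 323.016.231.212, and emits one per-source drop rule of the shape Marek proposes. It also builds the wire-format `--hex-string` argument for a given name, which is the part left as '|somethinghere|' above. The log lines and addresses are constructed (RFC 5737 ranges stand in for the masked ones); the threshold and the rule text are the example's own choices.

```python
"""Flag clients flooding bogus dotted-quad query names and emit drop rules.

Added example, not code from the bind-users thread. The sample log is
constructed in the BIND 9 query-log layout seen in the thread.
"""

import re
from collections import Counter

# Constructed sample of named query-log lines (not real traffic).
SAMPLE_LOG = """\
16-May-2016 16:47:47.467 client 203.0.113.40#44968: query: 323.016.231.212 IN A + (192.0.2.1)
16-May-2016 16:47:47.470 client 203.0.113.40#44968: query: 019.300.001.077 IN A + (192.0.2.1)
16-May-2016 16:47:47.471 client 203.0.113.40#52011: query: 411.002.099.130 IN A + (192.0.2.1)
16-May-2016 16:47:48.002 client 198.51.100.7#33123: query: www.example.com IN A + (192.0.2.1)
16-May-2016 16:47:48.100 client 198.51.100.7#33124: query: 10.0.0.1 IN A + (192.0.2.1)
16-May-2016 16:47:48.200 zone example.com/IN: loaded serial 2016051601
"""

QUERY_LINE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return (client_ip, qname, qtype) for a query-log line, else None."""
    m = QUERY_LINE.search(line)
    if not m:
        return None
    return m.group("ip"), m.group("qname"), m.group("qtype")


def is_numeric_quad(qname):
    """True for names made of exactly four all-digit labels (323.016.231.212).

    No real hostname looks like this, so such queries are junk whether or
    not the octets would be a valid IPv4 address.
    """
    labels = qname.rstrip(".").split(".")
    return len(labels) == 4 and all(label.isdigit() for label in labels)


def offenders(lines, threshold=2):
    """Map client IP -> number of numeric-quad queries, for clients at or
    above `threshold`. The threshold is an example value, not a recommendation."""
    counts = Counter()
    for line in lines:
        parsed = parse_query_line(line)
        if parsed and is_numeric_quad(parsed[1]):
            counts[parsed[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def wire_name_hex(qname):
    """DNS wire encoding of qname (length-prefixed labels, zero terminator)
    as an iptables --hex-string argument, e.g. '|03 33 32 33 ... 00|'."""
    wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return "|" + " ".join(f"{b:02x}" for b in wire) + "|"


def iptables_rule(ip):
    """Per-source drop rule in the style of the post above (hypothetical comment text)."""
    return (f"iptables -I INPUT -s {ip} -p udp --dport 53 "
            f"-m comment --comment 'DROP DNS DDoS' -j DROP")


if __name__ == "__main__":
    for ip, n in sorted(offenders(SAMPLE_LOG.splitlines()).items()):
        print(f"# {n} numeric-quad queries from {ip}")
        print(iptables_rule(ip))
    print(wire_name_hex("323.016.231.212"))
```

Two caveats on the string-match approach. The `--from 40` offset above is right for IPv4 without options (20-byte IP header + 8-byte UDP header + 12-byte DNS header = 40, where the question name starts), but a single `--hex-string` only ever matches one fixed name, so with randomised names it has to be combined with a per-source rule as generated here. The "slip response" lines in the original log show response-rate limiting already engaging; it limits what the server sends back but does not stop the inbound queries from being parsed.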

Re: Shared libraries loaded after chroot

2016-05-16 Thread Paul Kosinski
I have avoided the problem chroot causes in a fairly general fashion by using "mount --bind". For example: /bin/mount --bind /lib /chroot/dns/lib will make the entire /lib directory available to the chrooted BIND, assuming the path /chroot/dns is created beforehand to serve as the chroot base
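Added example for this thread (not code from the posts or from Debian's bind9 packaging): a checker for the copy-the-libraries approach that the bind-mount sidesteps. It takes ldd-style output for the daemon binary plus a hand-maintained list of modules that are only loaded after chroot() (ldd cannot see those), and reports which of them are unreachable from inside the chroot. It resolves symlinks the way the kernel would for a chrooted process, so an absolute symlink that is valid on the host but dangles under the chroot root is caught. The ldd text, the chroot tree and the engine path are all constructed for the example.

```python
"""Report shared libraries a chrooted daemon needs that are missing from
the chroot. Added example; not code from the bind-users thread.

Inputs are ldd-style output (constructed below) and a list of libraries
known to be loaded after chroot(), which ldd cannot show.
"""

import os
import tempfile

# Constructed ldd output for a hypothetical named binary.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 =>  (0x00007ffc9b5d6000)
\tlibcrypto.so.1.0.0 => /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1e4a3c0000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1e49ff6000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1e4a7e0000)
"""

# Hypothetical module loaded via dlopen() after chroot; ldd never lists it.
RUNTIME_LIBS = ("/usr/lib/x86_64-linux-gnu/engines/libexample-engine.so",)


def parse_ldd(text):
    """Absolute library paths from ldd output, skipping vdso-style entries."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "=>" in line:
            rhs = line.split("=>", 1)[1].strip()
            path = rhs.split()[0] if rhs and not rhs.startswith("(") else None
        else:
            path = line.split()[0]
        if path and path.startswith("/"):
            paths.append(path)
    return paths


def resolve_in_chroot(root, path, max_links=40):
    """Resolve `path` as a process chrooted at `root` would see it.

    Absolute symlink targets are re-rooted under `root`, '..' cannot escape
    it. Returns the host-side path of the final file, or None if any
    component is missing or the symlink chain is too long.
    """
    root = os.path.abspath(root)
    pending = [c for c in path.split("/") if c]
    cur, hops = root, 0
    while pending:
        comp = pending.pop(0)
        if comp == ".":
            continue
        if comp == "..":
            if cur != root:
                cur = os.path.dirname(cur)
            continue
        nxt = os.path.join(cur, comp)
        if os.path.islink(nxt):
            hops += 1
            if hops > max_links:
                return None
            target = os.readlink(nxt)
            if target.startswith("/"):
                cur = root
            pending = [c for c in target.split("/") if c] + pending
            continue
        if not os.path.lexists(nxt):
            return None
        cur = nxt
    return cur


def missing_in_chroot(root, ldd_output, runtime_libs=()):
    """Sorted list of needed libraries that do not resolve inside the chroot."""
    needed = parse_ldd(ldd_output) + list(runtime_libs)
    return sorted(p for p in needed if resolve_in_chroot(root, p) is None)


def build_demo_chroot(root):
    """Constructed chroot tree: libc present, ld.so reachable through an
    absolute symlink that is valid inside the chroot, libcrypto present only
    as an absolute symlink whose target was never copied in."""
    for rel in ("lib/x86_64-linux-gnu/libc.so.6", "lib/x86_64-linux-gnu/ld-2.19.so"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "wb").close()
    os.makedirs(os.path.join(root, "lib64"))
    os.symlink("/lib/x86_64-linux-gnu/ld-2.19.so",
               os.path.join(root, "lib64/ld-linux-x86-64.so.2"))
    linkdir = os.path.join(root, "usr/lib/x86_64-linux-gnu")
    os.makedirs(linkdir)
    os.symlink("/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.2",
               os.path.join(linkdir, "libcrypto.so.1.0.0"))


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_demo_chroot(root)
        return missing_in_chroot(root, SAMPLE_LDD, RUNTIME_LIBS)


if __name__ == "__main__":
    for lib in demo():
        print("missing in chroot:", lib)
```

The bind-mount in the post above avoids this bookkeeping at the cost of exposing the whole of /lib inside the chroot; if you go that way, a second `mount -o remount,bind,ro` on the same target at least keeps the chrooted process from writing to it.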

Re: Forward zone not working

2016-05-16 Thread Mark Andrews
In message , Alan Clegg writes: > On 5/16/16, 6:30 PM, "Mark Andrews" wrote: > > >Ideally every machine should be registering its own PTR record in > >the DNS and addresses without machines shouldn't have PTR records. > >The only reason ISP did this

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 19:03, Josh Nielsen wrote: > Thank you for the response Mark. I'm still a little confused at what this > might mean though. Clearly the originating address is my slave DNS server > (every single one of the messages say "error: client 10.20.0.101"). > >

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Josh Nielsen
Could it maybe be DHCP related? On Mon, May 16, 2016 at 6:03 PM, Josh Nielsen wrote: > Thank you for the response Mark. I'm still a little confused at what this > might mean though. Clearly the originating address is my slave DNS server > (every single one of the

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Josh Nielsen
Thank you for the response Mark. I'm still a little confused at what this might mean though. Clearly the originating address is my slave DNS server (every single one of the messages say "error: client 10.20.0.101"). Are you saying that some process other than named on the same server

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 6:30 PM, "Mark Andrews" wrote: >Ideally every machine should be registering its own PTR record in >the DNS and addresses without machines shouldn't have PTR records. >The only reason ISP did this is that they were too lazy to manage >PTR records for their customers.

Re: Forward zone not working

2016-05-16 Thread Mark Andrews
In message , MegaBrutal writes: > 2016-05-16 19:45 GMT+02:00 Alan Clegg : > > On 5/16/16, 1:30 PM, "MegaBrutal" > behalf of megabru...@gmail.com> wrote: > > > >>I want to

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 5:35 PM, "MegaBrutal" wrote: >2016-05-16 19:45 GMT+02:00 Alan Clegg : >> On 5/16/16, 1:30 PM, "MegaBrutal" > behalf of megabru...@gmail.com> wrote: >> >>>I want to have valid reverse & forward hostnames set

Re: Forward zone not working

2016-05-16 Thread MegaBrutal
2016-05-16 19:45 GMT+02:00 Alan Clegg : > On 5/16/16, 1:30 PM, "MegaBrutal" behalf of megabru...@gmail.com> wrote: > >>I want to have valid reverse & forward hostnames set up >>for this /64 subnet. > > This is silly. Don't do this. Why?

Re: Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Mark Andrews
In message , Josh Nielsen writes: > Hello, > > I have a message that has been showing up in my master DNS server's log > over the past few weeks and I am wondering if I can find more verbose > specifics from debugging messages

Re: Forward zone not working

2016-05-16 Thread MegaBrutal
Temporarily I enabled recursion on the server and then the forward zone worked well. Now, if I could enable recursion for a specific zone only, then I won. Do you have an idea how to do this? I only see options to restrict recursion for clients. Now I want to control recursion by query (which

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread Mark Andrews
In message , "John W. Blue" writes: > Apologies. The intent is to drop inbound queries from the internet. Which is just as bad if they are pointing to a delegated server or are replies to queries from your recursive server. You slow up

Re: Forward zone not working

2016-05-16 Thread Mark Andrews
If you want to delegate space to another server DELEGATE it. Add NS records for the other server. Forward "zones" are NOT designed to do this. Doing actual delegations is *not* hard and works with every server in the world. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117,
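Added example illustrating the delegation Mark describes (not code from the thread): it computes the ip6.arpa name for a prefix, generates the NS records to put in the /48 reverse zone so that the /64 is delegated to the other server, and derives the relative PTR owner name for one address in that /64, which is what the delegated server has to answer for. The prefixes are RFC 3849 documentation space and the nameserver names are hypothetical.

```python
"""ip6.arpa names, delegation NS records and PTR owner names for IPv6
prefixes. Added example, not code from the bind-users thread.
"""

import ipaddress


def ip6_arpa(cidr):
    """Reverse-zone name for an IPv6 prefix, e.g. 2001:db8:1::/48 ->
    1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. Prefix must sit on a nibble boundary."""
    net = ipaddress.IPv6Network(cidr, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 (nibble boundary)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def delegation_records(parent_cidr, child_cidr, nameservers, ttl=3600):
    """NS records (zone-file lines, owner relative to the parent zone) that
    delegate child_cidr out of the parent_cidr reverse zone."""
    parent_name = ip6_arpa(parent_cidr)
    child_name = ip6_arpa(child_cidr)
    if not child_name.endswith("." + parent_name):
        raise ValueError(f"{child_cidr} is not a proper sub-prefix of {parent_cidr}")
    owner = child_name[: -len(parent_name) - 1]  # strip ".<parent zone>"
    return [f"{owner}\t{ttl}\tIN\tNS\t{ns}" for ns in nameservers]


def ptr_owner(address, zone_cidr):
    """Owner name of the PTR for `address`, relative to the reverse zone for
    zone_cidr. This is the name the delegated server must answer for."""
    addr = ipaddress.IPv6Address(address)
    zone = ipaddress.IPv6Network(zone_cidr, strict=True)
    if addr not in zone:
        raise ValueError(f"{address} is not inside {zone_cidr}")
    full = ".".join(reversed(addr.exploded.replace(":", ""))) + ".ip6.arpa."
    zone_name = ip6_arpa(zone_cidr)
    return full[: -len(zone_name) - 1]


if __name__ == "__main__":
    # Hypothetical nameservers; parent and child are documentation prefixes.
    for rr in delegation_records("2001:db8:1::/48", "2001:db8:1:abcd::/64",
                                 ["ns1.example.net.", "ns2.example.net."]):
        print(rr)
    print(ptr_owner("2001:db8:1:abcd::1", "2001:db8:1:abcd::/64"))
```

Because the NS target names lie outside the delegated zone, no glue records are needed in the parent; the /48 zone only gains the NS lines, and the server for the /64 (a synthesising one such as the AllKnowingDNS mentioned earlier in the thread, or any other) answers the 2^64 possible PTR names itself without recursion being involved anywhere.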

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread John W. Blue
Apologies. The intent is to drop inbound queries from the internet. Sent from Nine From: Mark Andrews Sent: May 16, 2016 3:41 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: New type of DDoS? Anyone saw it? In message

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread Mark Andrews
In message , "John W. Blue" writes: > > Hello Marek, > > Do you have an IPv6 assignment? If not, there is really no need to even > be resolving records. An overly simplistic description of a > potential solution could be to just drop the

Logging question about message 'update-security: error: client update denied'

2016-05-16 Thread Josh Nielsen
Hello, I have a message that has been showing up in my master DNS server's log over the past few weeks and I am wondering if I can find more verbose specifics from debugging messages in BIND somehow. The message looks like this: May 16 10:52:16 dns01 named[2591]: 16-May-2016 10:52:16.844

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 09:20:17PM +0200, Marek Królikowski wrote: > Hello, > I just called one of the clients who is doing this DDoS and he confirmed that he uses UBI > devices. > Anyone know how to block all queries like this: "query 331.206.372.214 IN > " with random AAA.XXX.YYY.ZZZ address?

RE: New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
Hello, I just called one of the clients who is doing this DDoS and he confirmed that he uses UBI devices. Anyone know how to block all queries like this: "query 331.206.372.214 IN " with random AAA.XXX.YYY.ZZZ address? Best Regards Marek -Original Message- From: bert hubert

RE: Forward zone not working

2016-05-16 Thread Woodworth, John R
> -Original Message- > From: bind-users-boun...@lists.isc.org > [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MegaBrutal > Sent: Monday, May 16, 2016 1:31 PM > To: bind-users@lists.isc.org > Subject: Forward zone not working > > Hi all, > > I have an IPv6 reverse PTR zone for a

Re: Forward zone not working

2016-05-16 Thread Alan Clegg
On 5/16/16, 1:30 PM, "MegaBrutal" wrote: >I want to have valid reverse & forward hostnames set up >for this /64 subnet. This is silly. Don't do this. AlanC

Re: Forward zone not working

2016-05-16 Thread /dev/rob0
On Mon, May 16, 2016 at 07:30:30PM +0200, MegaBrutal wrote: > zone "y.y.y.y.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa" { > type forward; > forward only; > forwarders { ::; }; // IPv6 address of AllKnowingDNS. > }; > > Where x substitutes digits of my /48, y substitutes digits of my >

Forward zone not working

2016-05-16 Thread MegaBrutal
Hi all, I have an IPv6 reverse PTR zone for a /48 subnet delegated to my BIND server, and one of its /64 subnets is used with SLAAC + Privacy Extensions. I want to have valid reverse & forward hostnames set up for this /64 subnet. Generating 2 ^ 64 reverse & forward records for BIND would be

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread bert hubert
On Mon, May 16, 2016 at 05:03:01PM +0200, Marek Królikowski wrote: > Today I saw my bind eat almost 90% of RAM; when I checked the logs I found > an interesting DDoS on my DNS cluster today: > 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 > IN + (8X.1X0.Y.Y) This may be

Re: New type of DDoS? Anyone saw it?

2016-05-16 Thread John W. Blue
Hello Marek, Do you have an IPv6 assignment? If not, there is really no need to even be resolving records. An overly simplistic description of a potential solution could be to just drop the incoming request via its hex value in much the same way rate limiting is done for the "any"

New type of DDoS? Anyone saw it?

2016-05-16 Thread Marek Królikowski
Hello, Today I saw my bind eat almost 90% of RAM; when I checked the logs I found an interesting DDoS on my DNS cluster today: 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: query: 323.016.231.212 IN + (8X.1X0.Y.Y) 16-May-2016 16:47:47.467 client 8X.1X0.3Y.40#44968: slip response to 8X.1X0.33.0/24

Re: Shared libraries loaded after chroot

2016-05-16 Thread Matthew Pounsett
On 16 May 2016 at 04:38, Marc Haber wrote: > I have filed Debian Bug #820974 (http://bugs.debian.org/820974) > accordingly. The Debian bind people suggest that I copy the respective > libraries to the chroot so that bind can find them. > Yeah, this has been the fix

Re: Shared libraries loaded after chroot

2016-05-16 Thread Tony Finch
Marc Haber wrote: > > in Debian, the bind9 packages have recently started to trouble me in > chrooted environments since some cryptographic libraries are loaded > after bind has chrooted itself, which results - in the case of a > minimal chroot - in a fatal run-time

Shared libraries loaded after chroot

2016-05-16 Thread Marc Haber
Hi, in Debian, the bind9 packages have recently started to trouble me in chrooted environments since some cryptographic libraries are loaded after bind has chrooted itself, which results - in the case of a minimal chroot - in a fatal run-time error: May 14 21:57:17 fan named[28066]: starting