Re: Reverse DNS record for my webhost

[Grant Taylor via bind-users]

On 08/06/2018 08:29 PM, A wrote:
I have a VPS and requested my webhost to fix reverse DNS for my domain & 
IP.  They responded by telling me to provide them with the records I want.


I found the following response to someone's question on the *Net*:

Many ISPs will put in CNAME records with values that have a
subdomain you DO control.
so they have 4.3.2.1.in-addr.arpa. (one of "your" addresses) as
"IN CNAME 4-3-2-1.yourdomain.com".
Then you go into "your domain.com" and add
4-3-2-1 IN PTR foohost.example.com
So you can change your PTRs, and the world finds them via your
ISP's CNAMEs.

And I thought that seemed a good way to go.  But I don't want to play 
guessing games with my webhost as to the right record(s) and want to 
confirm my guesses (and the above statement) with you experts before 
casting it in concrete (or worse, having to repeatedly redo it to get it 
right).  In particular, he states:


That sounds like Classless IN-ADDR.ARPA delegation.  Check out RFC 2317.

Link - Classless IN-ADDR.ARPA delegation
 - https://tools.ietf.org/html/rfc2317

They would really set up the 4.3.2.1.in-addr.arpa. as a CNAME to 
..


Then you set up a PTR record for . that 
resolves to the name that you want reverse DNS for 1.2.3.4 to resolve to.


Just to be clear I have multiple subdomains/CNAMEs, but just one IP 
address.  I plan to run multiple apache vhosts on my VSP and single IP.


That may be problematic.  Either you're going to end up publishing 
multiple records for . -or- the IP address 
will reverse resolve to one FQDN.


I prefer the second route, and make all the vanity domain names be 
CNAMEs to the single name that the IP reverse resolves to.



Thanks in advance!


:-)



--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reverse DNS record for my webhost

[A]

I have a VPS and requested my webhost to fix reverse DNS for my domain & 
IP.  They responded by telling me to provide them with the records I want.


I found the following response to someone's question on the *Net*:

   Many ISPs will put in CNAME records with values that have a
   subdomain you DO control.
   so they have 4.3.2.1.in-addr.arpa. (one of "your" addresses) as
   "IN CNAME 4-3-2-1.yourdomain.com".
   Then you go into "your domain.com" and add
   4-3-2-1 IN PTR foohost.example.com
   So you can change your PTRs, and the world finds them via your
   ISP's CNAMEs.

And I thought that seemed a good way to go.  But I don't want to play 
guessing games with my webhost as to the right record(s) and want to 
confirm my guesses (and the above statement) with you experts before 
casting it in concrete (or worse, having to repeatedly redo it to get it 
right).  In particular, he states:


   so they have 4.3.2.1.in-addr.arpa. (one of "your" addresses) as "IN
   CNAME 4-3-2-1.*yourdomain.com*".


I think he typoed, or I really don't understand what he's saying. Did he 
really mean to type:


"IN CNAME 4-3-2-1.*in-addr.arpa*"?

And so, the record I would provide to my webhost is "IN CNAME 
4-3-2-1.in-addr.arpa"???


Or maybe he meant
*
* IN CNAME *1-2-3-4*.yourdomain.com  ??


Just to be clear I have multiple subdomains/CNAMEs, but just one IP 
address.  I plan to run multiple apache vhosts on my VSP and single IP.


Thanks in advance!


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named tcp dos?

[Greg Rivers]

On Thursday, August 02, 2018 18:13:21 Randy Bush wrote:
> > We run about 300 TLD's on our DNS platform and get roughly 5-10% TCP
> > queries.
> 
> that is quite a variance
> 
> > In comparison, we get about 25-30% IPv6 queries.
> 
> wonder how that compares to others
> 
On the secondaries for a Fortune 50 company with a sizeable ecommerce presence, 
we see ~17% of queries come in over IPv6, and ~2.5% are TCP queries. With 
respect to the Internet, the v6 percentage is probably low, as the servers I 
checked answer quite a lot of queries from internal IPv4 networks.

For grins, I turned on query logging on one server (BIND 9.11.4) for a short 
time and produced a histogram of the unique query attribute combinations:

$ awk '"query:"==$10 {print $(NF-1)}' /var/log/daemon.2 | sort | uniq -c | sort 
-rn | tee >(awk '{s+=$1}END{print s}')
38111265 -E(0)DC
4963452 -E(0)D
4784394 -
3268810 -E(0)
896136 +E(0)DC
551934 -E(0)TDC
406856 -E(0)DCV
318068 -E(0)DV
282536 -E(0)DCK
173078 -T
149780 -E(0)TD
132303 -E(0)DK
107240 -C
105752 -E(0)T
32748 -E(0)TDV
24677 +
21722 -E(0)TDCV
10958 -E(0)C
10907 +T
 337 -E(0)TDCK
 174 +E(0)
 135 -TC
 131 -E(0)TDK
  98 +E(0)TDC
  19 +E(0)D
  18 +E(0)K
   8 -E(0)TC
   3 +E(0)T
54353539

FWIW, this indicates that most TCP queries come from clients that claim to 
support EDNS0.

-- 
Greg Rivers
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Question regarding different responses that I am getting for a lookup.

[Lee]

On 8/6/18, Bhangui, Sandeep - BLS CTR  wrote:
> Hello
>
> Not sure why I am getting different responses when I perform a dig on
> sso.dol.gov.
>
> Dig is performed from a server which is capable of querying the root
> servers….what could be the issue.

Probably because the bls.gov server gets a different answer than a
server outside the bls.gov (or .gov?) domain.

> sso.gslb.dol.gov.   15  IN  A   10.49.1.80
you can't get there from here if >>here<< is on the internet

Regards,
Lee



>   Both dig commands below are run from the
> same server which acts as DNS server capable of performing DNS queries on
> the internet.
>
> The dig +trace +all output is the same when I query my local server as well
> as when I query the VZ NS.
>
> Any guidance/pointers would be appreciated.
>
> Running Bind 9.11.3 on RHEL 6.x is that is of any relevance.
>
> I have a feeling that the external DNS entry presented  for sso.dol.gov is
> messed up…
>
> Thanks
> Sandeep
>
>
>
> sh-4.1# dig sso.dol.gov
>
> ; <<>> DiG 9.11.3 <<>> sso.dol.gov
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12647
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ; COOKIE: 191369419bc6df077b8f30ce5b688c9e77211f348bb29b35 (good)
> ;; QUESTION SECTION:
> ;sso.dol.gov.   IN  A
>
> ;; ANSWER SECTION:
> sso.dol.gov.77266   IN  CNAME   sso.gslb.dol.gov.
> sso.gslb.dol.gov.   15  IN  A   10.49.1.80
>
> ;; AUTHORITY SECTION:
> gslb.dol.gov.   77266   IN  NS  silprodgslb.dol.gov.
> gslb.dol.gov.   77266   IN  NS  stldrpgslb.dol.gov.
>
> ;; Query time: 27 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Mon Aug 06 13:59:58 EDT 2018
> ;; MSG SIZE  rcvd: 158
>
>
> sh-4.1# dig @198.6.1.1 sso.dol.gov
>
> ; <<>> DiG 9.11.3 <<>> @198.6.1.1 sso.dol.gov
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25189
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4000
> ;; QUESTION SECTION:
> ;sso.dol.gov.   IN  A
>
> ;; ANSWER SECTION:
> sso.dol.gov.86378   IN  CNAME   sso.gslb.dol.gov.
> sso.gslb.dol.gov.   15  IN  A   152.180.20.21
>
> ;; Query time: 93 msec
> ;; SERVER: 198.6.1.1#53(198.6.1.1)
> ;; WHEN: Mon Aug 06 14:01:42 EDT 2018
> ;; MSG SIZE  rcvd: 79
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Question regarding different responses that I am getting for a lookup.

[Peter DeVries]

They are probably using a load balancer of some sort that is choosing
between multiple systems and directing you to the one closest or no under
load at the moment.   The low TTL is usually a sign of this as well.



On Mon, Aug 6, 2018 at 2:12 PM, Bhangui, Sandeep - BLS CTR <
bhangui.sand...@bls.gov> wrote:

> Hello
>
>
>
> Not sure why I am getting different responses when I perform a dig on
> sso.dol.gov.
>
>
>
> Dig is performed from a server which is capable of querying the root
> servers….what could be the issue.   Both dig commands below are run from
> the same server which acts as DNS server capable of performing DNS queries
> on the internet.
>
>
>
> The dig +trace +all output is the same when I query my local server as
> well as when I query the VZ NS.
>
>
>
> Any guidance/pointers would be appreciated.
>
>
>
> Running Bind 9.11.3 on RHEL 6.x is that is of any relevance.
>
>
>
> I have a feeling that the external DNS entry presented  for sso.dol.gov
> is messed up…
>
>
>
> Thanks
>
> Sandeep
>
>
>
>
>
>
>
> sh-4.1# dig *sso.dol.gov *
>
>
>
> ; <<>> DiG 9.11.3 <<>> sso.dol.gov
>
> ;; global options: +cmd
>
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12647
>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4096
>
> ; COOKIE: 191369419bc6df077b8f30ce5b688c9e77211f348bb29b35 (good)
>
> ;; QUESTION SECTION:
>
> ;sso.dol.gov.   IN  A
>
>
>
> ;; ANSWER SECTION:
>
> sso.dol.gov.77266   IN  CNAME   sso.gslb.dol.gov.
>
> sso.gslb.dol.gov.   15  IN  A   *10.49.1.80*
>
>
>
> ;; AUTHORITY SECTION:
>
> gslb.dol.gov.   77266   IN  NS  silprodgslb.dol.gov.
>
> gslb.dol.gov.   77266   IN  NS  stldrpgslb.dol.gov.
>
>
>
> ;; Query time: 27 msec
>
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>
> ;; WHEN: Mon Aug 06 13:59:58 EDT 2018
>
> ;; MSG SIZE  rcvd: 158
>
>
>
>
>
> sh-4.1# dig *@198.6.1.1 * *sso.dol.gov
> *
>
>
>
> ; <<>> DiG 9.11.3 <<>> @198.6.1.1 sso.dol.gov
>
> ; (1 server found)
>
> ;; global options: +cmd
>
> ;; Got answer:
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25189
>
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
>
>
>
> ;; OPT PSEUDOSECTION:
>
> ; EDNS: version: 0, flags:; udp: 4000
>
> ;; QUESTION SECTION:
>
> ;sso.dol.gov.   IN  A
>
>
>
> ;; ANSWER SECTION:
>
> sso.dol.gov.86378   IN  CNAME   sso.gslb.dol.gov.
>
> sso.gslb.dol.gov.   15  IN  A   *152.180.20.21*
>
>
>
> ;; Query time: 93 msec
>
> ;; SERVER: 198.6.1.1#53(198.6.1.1)
>
> ;; WHEN: Mon Aug 06 14:01:42 EDT 2018
>
> ;; MSG SIZE  rcvd: 79
>
>
>
> ___
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Question regarding different responses that I am getting for a lookup.

[Bhangui, Sandeep - BLS CTR]

Hello

Not sure why I am getting different responses when I perform a dig on 
sso.dol.gov.

Dig is performed from a server which is capable of querying the root 
servers….what could be the issue.   Both dig commands below are run from the 
same server which acts as DNS server capable of performing DNS queries on the 
internet.

The dig +trace +all output is the same when I query my local server as well as 
when I query the VZ NS.

Any guidance/pointers would be appreciated.

Running Bind 9.11.3 on RHEL 6.x is that is of any relevance.

I have a feeling that the external DNS entry presented  for sso.dol.gov is 
messed up…

Thanks
Sandeep



sh-4.1# dig sso.dol.gov

; <<>> DiG 9.11.3 <<>> sso.dol.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12647
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 191369419bc6df077b8f30ce5b688c9e77211f348bb29b35 (good)
;; QUESTION SECTION:
;sso.dol.gov.   IN  A

;; ANSWER SECTION:
sso.dol.gov.77266   IN  CNAME   sso.gslb.dol.gov.
sso.gslb.dol.gov.   15  IN  A   10.49.1.80

;; AUTHORITY SECTION:
gslb.dol.gov.   77266   IN  NS  silprodgslb.dol.gov.
gslb.dol.gov.   77266   IN  NS  stldrpgslb.dol.gov.

;; Query time: 27 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 06 13:59:58 EDT 2018
;; MSG SIZE  rcvd: 158


sh-4.1# dig @198.6.1.1 sso.dol.gov

; <<>> DiG 9.11.3 <<>> @198.6.1.1 sso.dol.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25189
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;sso.dol.gov.   IN  A

;; ANSWER SECTION:
sso.dol.gov.86378   IN  CNAME   sso.gslb.dol.gov.
sso.gslb.dol.gov.   15  IN  A   152.180.20.21

;; Query time: 93 msec
;; SERVER: 198.6.1.1#53(198.6.1.1)
;; WHEN: Mon Aug 06 14:01:42 EDT 2018
;; MSG SIZE  rcvd: 79

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need to move an NS server out of service

[Alberto Colosi]

sorry for missing letters but my keyboard ia broken


so to say, usually DNS admin low TTL on NS and/or A records that will have a 
change

look bind docs to apply it


without specific record TTL , SOA ttl is used





From: bind-users  on behalf of King, Harold 
Clyde (Hal) 
Sent: Monday, August 6, 2018 7:37 PM
To: Bind Users
Subject: Need to move an NS server out of service

I have ns2.example.com one of my DNS servers. The building, and the reason for 
the NS server, is ending. Should I remove the host from our domain name 
provider then my actual NS record in DNS, or NS record then provider?

I'd appreciate any help I could get.


--
Hal King


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list
bind-users Info Page - lists.isc.org Mailing 
Lists
lists.isc.org
To see the collection of prior postings to the list, visit the bind-users 
Archives.. Using bind-users: To post a message to all the list members, send 
email to bind-users@lists.isc.org.



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Need to move an NS server out of service

[Alberto Colosi]

No , you have to NOT REMOVE untile epire of SOA TTL the DNS A record and don't 
stop DNS engine

if you don't want loss of name resolution on your domain


Remove NS record from your zone and restart engine so slaves and internet can 
be updated


after epire of SOA TTL you can remove A record and stop engine


https://en.wikipedia.org/wiki/SOA_record



Alberto Colosi






From: bind-users  on behalf of King, Harold 
Clyde (Hal) 
Sent: Monday, August 6, 2018 7:37 PM
To: Bind Users
Subject: Need to move an NS server out of service

I have ns2.example.com one of my DNS servers. The building, and the reason for 
the NS server, is ending. Should I remove the host from our domain name 
provider then my actual NS record in DNS, or NS record then provider?

I'd appreciate any help I could get.


--
Hal King


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list
bind-users Info Page - lists.isc.org Mailing 
Lists
lists.isc.org
To see the collection of prior postings to the list, visit the bind-users 
Archives.. Using bind-users: To post a message to all the list members, send 
email to bind-users@lists.isc.org.



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Need to move an NS server out of service

[King, Harold Clyde (Hal)]

I have ns2.example.com one of my DNS servers. The building, and the reason for 
the NS server, is ending. Should I remove the host from our domain name 
provider then my actual NS record in DNS, or NS record then provider?

I'd appreciate any help I could get.


-- 
Hal King


___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DNS and keepalived

[Leroy Tennison]

As previously posted, I just added a slave of a master for disaster recovery 
and now need to know how to promote it should the master be offline too long.  
An additional complicating factor is that the master and slave exist on a 
failover pair managed by keepalived.  My web search has found a few references 
to this situation but they have either used slave servers or were veery light 
on the details of bind configuration.  I'm converting and existing situation 
where there was a single server for almost totally non-DHCP clients (servers).  
I would prefer to not roll out a different DNS resolver configuration to all 
those non-DHCP clients - the environment size is sort of "in between" (not 
small or large).

The issues I see are in the SOA, with keepalived I could leave the SOA the same 
on both since the IP address for the DNS server (and other functions) moves.  
The question is "Am I missing something?" which will come back to haunt me 
later?


Join us
at the 2018 Momentum User Conference!
Register
here
Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com
2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com
TThis message has been sent on behalf
of a company that is part of the Harris Operating Group of
Constellation Software Inc. These companies are listed
here
.
If you prefer not to be contacted by Harris
Operating Group
please notify us
.
This message is intended exclusively for the
individual or entity to which it is addressed. This communication
may contain information that is proprietary, privileged or
confidential or otherwise legally exempt from disclosure. If you are
not the named addressee, you are not authorized to read, print,
retain, copy or disseminate this message or any part of it. If you
have received this message in error, please notify the sender
immediately by e-mail and delete all copies of the
message.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Promote slave DNS server

[Leroy Tennison]

If there is already an ISC document I didn't find it, please provide the URL.  
I just added a slave of a master for disaster recovery and now need to know how 
to promote it should the master be offline too long.  What I have found so far 
is:

1. For the zone definitions in /etc/named.conf  (or equivalent):
(a) Change the “type” statements from ”slave” to “master” and remove the 
“masters” statement.
(b) Add “allow-update” and “allow-transfer” statements as appropriate.
(c) Possibly add “also-notify” statements as appropriate.
2. Add key definitions if needed
3. If “masterfile-format text” wasn't used in named.conf.local convert the zone 
files to text using named-compilezone including the -j parameter.
4. If the server's name is different than the former master then the SOA record 
for each (to be ) master zone must be updated.  Since rndc
freeze/thaw doesn't work on slave zones the server probably needs to be 
shut down.
5. Change the MNAME to the new server name

Anything I've missed?  Thanks for your help.  I also have a question about DNS 
and keepalived but I'll make that another post.


Join us
at the 2018 Momentum User Conference!
Register
here
Leroy Tennison
Network Information/Cyber Security Specialist
E: le...@datavoiceint.com
2220 Bush Dr
McKinney, Texas
75070
www.datavoiceint.com
TThis message has been sent on behalf
of a company that is part of the Harris Operating Group of
Constellation Software Inc. These companies are listed
here
.
If you prefer not to be contacted by Harris
Operating Group
please notify us
.
This message is intended exclusively for the
individual or entity to which it is addressed. This communication
may contain information that is proprietary, privileged or
confidential or otherwise legally exempt from disclosure. If you are
not the named addressee, you are not authorized to read, print,
retain, copy or disseminate this message or any part of it. If you
have received this message in error, please notify the sender
immediately by e-mail and delete all copies of the
message.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: named tcp dos?

[Tony Finch]

Randy Bush  wrote:
>
> an aside: folk seem to be in the 20% range for ipv6, while overall
> backbone traffic stats are about half that.  are dns caches more likely
> to be v6 enabled than the average bear?

I get the impression from various discussions that yes, they are. Actual
citation:

http://www.potaroo.net/ispcol/2016-10/dnsipv6.html

Tony.
-- 
f.anthony.n.finchhttp://dotat.at/
Bailey: Southwest, becoming cyclonic 5 to 7, decreasing 4 at times. Moderate
or rough. Showers. Good, occasionally poor.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users