Re: issue of Amplification attack

2020-07-16 Thread Reindl Harald


On 12.07.20 at 06:23, ShubhamGoyal wrote:
> Dear sir,
> Thank you for giving me an answer to my previous
> question. Sir, now we are suffering from an amplification attack, so is there
> any method in BIND to stop a DNS amplification attack?
> I am thinking to stop or drop ANY type queries from our DNS recursive
> resolver, so please tell me how we can drop or stop ANY type queries
> from BIND.

there was a recent discussion you missed in the past few days; our
config for years:

options {
 ...
 minimal-responses yes;
 minimal-any yes;
 rate-limit {
  responses-per-second 10;
  window 5;
 };
};

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
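
The rate-limit block in the mail above caps how many identical responses a client prefix receives per second (minimal-any separately shrinks what an ANY answer carries). The following is an added, simplified model of that response rate limiting written for this digest; it is not BIND's code, and its bucket key, the one-second credit cap and the window-bounded debt are assumptions made to illustrate the posted values.

```python
"""Simplified model of BIND response rate limiting (RRL), added as an
illustration of the rate-limit block quoted in the mail above. It is not
BIND's code; the credit/debt rules below are assumptions chosen to show
the effect of responses-per-second and window on a burst of queries."""

RESPONSES_PER_SECOND = 10   # values from the posted config
WINDOW = 5


def bucket(client_ip, qname, qtype):
    """Assumed bucket key: the client's IPv4 /24 plus the answer it would get."""
    net = ".".join(client_ip.split(".")[:3]) + ".0/24"
    return (net, qname.rstrip(".").lower(), qtype.upper())


class ResponseRateLimiter:
    def __init__(self, rps=RESPONSES_PER_SECOND, window=WINDOW):
        self.rps = rps
        self.max_debt = -rps * window   # deepest penalty; recovers within `window` seconds
        self.state = {}                 # bucket -> (balance, last_seen_time)

    def allow(self, now, client_ip, qname, qtype):
        """Return True if the response may be sent, False if it is dropped."""
        key = bucket(client_ip, qname, qtype)
        balance, last = self.state.get(key, (self.rps, now))
        # Credit accrues at rps per second but never beyond one second's worth,
        # so a quiet client cannot bank a larger burst (assumed behaviour).
        balance = min(self.rps, balance + (now - last) * self.rps)
        allowed = balance > 0
        balance = max(self.max_debt, balance - 1)   # every response costs one credit
        self.state[key] = (balance, now)
        return allowed


def simulate(limiter, queries):
    """queries: iterable of (time, client_ip, qname, qtype); returns (sent, dropped)."""
    sent = dropped = 0
    for t, ip, name, qtype in queries:
        if limiter.allow(t, ip, name, qtype):
            sent += 1
        else:
            dropped += 1
    return sent, dropped


if __name__ == "__main__":
    # Constructed burst: 30 identical ANY queries in one second from one spoofed /24.
    burst = [(0.0, "192.0.2.%d" % (i % 250 + 1), "example.com.", "ANY") for i in range(30)]
    print(simulate(ResponseRateLimiter(), burst))   # (10, 20)
```

With the posted values a spoofed /24 gets at most 10 identical answers in the first second and then stays penalised; other prefixes and other answers have their own buckets, so legitimate clients are unaffected.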


Re: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?

2020-07-16 Thread Reindl Harald


On 09.07.20 at 17:20, Michael De Roover wrote:
> On 7/9/20 5:03 PM, Reindl Harald wrote:
>> but it still has nothing to do with your domain by definition, the PTR
>> could be anything
> Of course it can be, they're completely separate name spaces. However
> would it make any sense in practice to point it somewhere else entirely?
> You'd probably be better off not setting it at all then. I'd argue that
> they're meant to match each other.
>> but how does that change anything in the simple fact that "Would the
>> lack of A records affect pointer records? Seems like it would" given
>> that the PTR zone is a dns zone like anything else
>> while it's smart (at least when you want to send mails) that your IP has
>> a sane PTR and that the name maps back to the IP the dns system couldn't
>> care less
> My thoughts exactly. They can technically be different and the DNS
> itself indeed couldn't care less (but applications checking for that
> might).. but would it make sense to? I mean yeah I suppose that they can
> exist without the other. Not uncommon for A records to be without PTR
> records, and I guess that a PTR record without an A record could work
> too..? But again, aside from the theoretical possibility, why would you
> want to set your PTR records to not match at least one of your A records?

the question was "Would the lack of A records affect pointer records?"
and the answer is clearly *no*

my first response was "while it's smart (at least when you want to send
mails) that your IP has a sane PTR and that the name maps back"

so it's not a matter of "would it make any sense in practice" and "why
would you want to" because nobody wants to, and that was not the question

case closed, period




BIND software integration with HSM

2020-07-16 Thread Smile TV
Dear all,

I am implementing DNSSEC using BIND 9.11 with integrated HSM Utimaco
equipment.
I configured it to use native PKCS#11 and connected to the HSM device to
create the KSK and ZSK keys.
But when I ran the program, the error "initializing DST: PKCS # 11
initialization failed" resulted in the service not starting up.
If anyone has encountered an error like mine, please share a little of your experience.

Best regards,
Chinhlk


Re: Dynamic update rejected within a view

2020-07-16 Thread Per Weisteen

On 14.07.2020 18:11, Zhiyong Cheng wrote:

On 14 Jul 2020 at 9:06 PM +0800, Per Weisteen wrote:

Hi

I've a BIND setup with my ISP with two views, one external and one
internal. At the same time I also need to be able to do a dynamic
update from some addresses within the internal range. This worked ok
before I had to define my two views.

I'd be very grateful if someone could suggest what I'm doing wrong.
My ISP is running BIND 9.11.4.

Due to the ISP's need to have control over the BIND setup I'm just
allowed to add my config via include files.



Zones.mydomains.config file contains:

include "keys/mydomains-keys.conf";
include "keys/zone1-keys.conf";
include "keys/zone2-keys.conf";

acl external { 10.222.33.0/18; 10.222.44.0/18; };
acl internal { 10.11.0.0/16; 10.12.0.0/16; };

//
// zone1 and zone2 keys used to ensure correct zone transfer from slave
//

view "external-sites" {
    match-clients { !key zone2.key; key zone1.key; external; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view1.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone1.key; };
        update-policy {
            grant "ext-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view1";
}; // End view "external-sites"

view "internal-sites" {
    match-clients { !key zone1.key; key zone2.key; internal; localhost; };

    zone "aa.example.net" {
        type master;
        file "zones.master/aa-view2.example.net";
        notify explicit;
        also-notify { 10.12.143.56 key zone2.key; };
        update-policy {
            grant "int-update.key." name web.aa.example.net. CNAME;
        };
    };

    include "zones.common.config.view2";
}; // End view "grus-zone2"

view "default" {
    match-clients { any; };
    include "zones.common.config.view2";
}; // End view "default"

mydomains-keys.conf file contains:

key ext-update.key. {
    algorithm HMAC-SHA512;
    secret "secret2";
};

key int-update.key. {
    algorithm HMAC-SHA512;
    secret "secret3";
};

Error message in /var/log/named/named.log is:

10-Jul-2020 13:27:14.695 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)
10-Jul-2020 13:28:13.883 update: info: client @0x7f0a200a9b30 10.124.15.148#64606/key arc-zone2.key: view grus-zone2: updating zone 'pacs.telenor.net/IN': update failed: rejected by secure update (REFUSED)




It seems that you have used a key named arc-zone2.key for updating, but
only allow int-update.key for updating in the configuration?


--
Best regards,
Per Weisteen




Zhiyong Cheng



Hi

I've managed to paste the wrong error messages. The correct ones were:

10-Jul-2020 13:21:24.571 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)
10-Jul-2020 13:21:24.759 update: info: client @0x7f09500f432c 10.11.131.23#5175/key int-update.key: view internal-sites: updating zone 'aa.example.net/IN': update failed: rejected by secure update (REFUSED)



I'll try Mark's suggestion.

Per W.
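
The log above shows an update signed with the expected key (int-update.key, internal-sites view) still being refused. A "rejected by secure update" happens when no update-policy rule covers the combination of signing key, owner name and record type; the grant in the posted config is restricted to one name and to CNAME. The following is an added model of that matching for the "name" rule type, written for this digest and not BIND's own code; the rule and request fields are assumptions, and deny rules, other nametypes and BIND's exclusion of some infrastructure types are not modelled.

```python
"""Model of BIND's update-policy 'grant ... name ...' matching, added to show
why an update signed with the right TSIG key can still be REFUSED. It is an
illustration, not BIND's code; GrantRule and the request fields are assumptions."""

from dataclasses import dataclass, field


def _norm(name):
    """Canonical, absolute, lower-case owner/key name for comparison."""
    return name.rstrip(".").lower() + "."


@dataclass(frozen=True)
class GrantRule:
    key: str                # TSIG key name, e.g. "int-update.key."
    name: str               # owner name the rule applies to (nametype "name")
    types: frozenset = field(default_factory=frozenset)   # empty = any type (simplified)


def parse_update_policy(text):
    """Parse lines like: grant "int-update.key." name web.aa.example.net. CNAME;"""
    rules = []
    for line in text.splitlines():
        parts = line.strip().rstrip(";").replace('"', "").split()
        if len(parts) >= 4 and parts[0] == "grant" and parts[2] == "name":
            rules.append(GrantRule(_norm(parts[1]), _norm(parts[3]),
                                   frozenset(t.upper() for t in parts[4:])))
    return rules


def update_allowed(rules, signer, owner, rtype):
    """True when some grant rule covers (signing key, owner name, record type)."""
    signer, owner, rtype = _norm(signer), _norm(owner), rtype.upper()
    for r in rules:
        if r.key == signer and r.name == owner and (not r.types or rtype in r.types):
            return True
    return False   # BIND logs this as "rejected by secure update (REFUSED)"


# The grant from the posted internal-sites view, used as constructed input.
INTERNAL_VIEW_POLICY = 'grant "int-update.key." name web.aa.example.net. CNAME;'
```

Running the model against the posted grant shows that only a CNAME for web.aa.example.net signed by int-update.key passes; an A record, another owner name, or the external view's key is refused even though the TSIG signature itself is valid.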