Re: How can I launch a private Internet DNS server?
With regard to using chroot, hasn't named/BIND long had the "-u" (user) and "-t" (directory) options to accomplish the same thing more easily?

On Fri, 16 Oct 2020 12:47:35 -0500 Chuck Aurora wrote:
> /me catching up on earlier parts of this thread,
>
> On 2020-10-15 11:42, alcol alcol wrote:
> > A DNS server can exist if you follow NIC instructions.
> > Mainly have you a leased line ever on? primary DNS can't be down or
> > NIC could down your domain.
> > Then you have to install and configure it. Better a fedora core , and
>
> I'm not sure what all that means (language barrier, perhaps), but I
> have some gripes with what I do understand.
>
> First, re: Fedora, no one distro/OS can truly claim to be best. The
> best advice to a beginner is to choose one and to learn it very well.
> Fedora can be a good choice, as can other GNU/Linux distros, as also
> can be various *BSD flavors. The point is: it depends what the user
> is comfortable to manage.
>
> > CHROOT, DNS is one of the services more targeted to enter inside a
> > system.
>
> False. A chroot is a fine idea if you know how to set it up and to
> maintain it, but it is certainly not a requirement for a beginner. A
> beginner in BIND (as in anything else) will do best by starting simple
> and building on what is learned.
>
> Also, while DNS is indeed a target of abuse, I honestly cannot recall
> a single exploit of BIND 9 that would lead to system penetration. It
> is true that BIND's named has had more than its share of security
> issues and bugs, but TTBOMK all of these have been crashes, causing
> only denial of service.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: How can I launch a private Internet DNS server?
/me catching up on earlier parts of this thread,

On 2020-10-15 11:42, alcol alcol wrote:
> A DNS server can exist if you follow NIC instructions.
> Mainly have you a leased line ever on? primary DNS can't be down or
> NIC could down your domain.
> Then you have to install and configure it. Better a fedora core , and

I'm not sure what all that means (language barrier, perhaps), but I have some gripes with what I do understand.

First, re: Fedora, no one distro/OS can truly claim to be best. The best advice to a beginner is to choose one and to learn it very well. Fedora can be a good choice, as can other GNU/Linux distros, as also can be various *BSD flavors. The point is: it depends what the user is comfortable to manage.

> CHROOT, DNS is one of the services more targeted to enter inside a
> system.

False. A chroot is a fine idea if you know how to set it up and to maintain it, but it is certainly not a requirement for a beginner. A beginner in BIND (as in anything else) will do best by starting simple and building on what is learned.

Also, while DNS is indeed a target of abuse, I honestly cannot recall a single exploit of BIND 9 that would lead to system penetration. It is true that BIND's named has had more than its share of security issues and bugs, but TTBOMK all of these have been crashes, causing only denial of service.
Re: How can I launch a private Internet DNS server?
On 2020-10-16 06:05, Sami Ait Ali Oulahcen via bind-users wrote:
> I've been looking for a way to implement this on nft or through
> firewalld, but couldn't find anything comprehensive. So if it does
> get updated, please let us know :)

It won't be by me, for more than one reason (I am no longer at ISC, and I am not [yet] a nft user, and I'm NEVER going to be a user of firewalld.)

I can, however, suggest that there is nothing stopping you from staying with iptables through the "legacy" tools which install. The iptables framework is not planned for deprecation AFAIK. The Netfilter project likes to see users moving to the new framework, but they well understand that millions of production sites are hesitant to make changes on something which works well.
Re: How can I launch a private Internet DNS server?
On 2020-10-16 04:34, Michael De Roover wrote:
> Interesting article, thanks for sharing this!

YW!

> I'm slightly confused about some things in it though. Does this mean
> that any traffic will be put on the connection tracker and be treated
> as stateful unless we use CT --notrack, or can the kernel make a
> heuristic based on what's in the iptables rule (i.e. if it only covers
> a port or a network range, it must be stateless)?

Everything is kept in the kernel's conntrack table unless connection tracking is disabled for any given packet. Conntrack table lifetimes vary per L4 protocol and can be tweaked by kernel sysctl(8) settings. I'm not sure what the defaults are nor precisely where they are documented, but they are probably in the kernel source tree's "Documentation/" subdirectory.

> What constitutes a busy server? For a recursor it'd be easy to achieve
> high throughput, but does an authoritative name server for a single
> website need it?

This was an ISC customer site, a major ISP. They provisioned a new RHEL server for DNS and it was failing miserably with all the dmesg about "Conntrack table full; dropping packet". It has been a lot of years since then, so I am not sure if it was an authoritative or recursive server, but the possibility of conntrack table overflow exists for either.

Of course only a big site (or a foolish one with 53/udp open to the world) is likely to have a recursive server busy enough for this. If you're just a small operator, you're mostly unlikely to be bitten in this way. But then you never know when you could be "slashdotted", so it's better to be safe than to be surprised by a DoS.

> On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:
> > Absolutely right; I wrote this Linux-centric article about it:
> >
> > https://kb.isc.org/docs/aa-01183
> >
> > It has not been updated to cover nftables.
> >
> > Note also that this is a good reason NOT to use the NAT that
> > other posters have encouraged.
Re: forwarders used in order or based on RTT ?
On Fri, Oct 16, 2020 at 10:22 AM Matus UHLAR - fantomas wrote:
> On 16.10.20 09:56, Bob Harold wrote:
> > The BIND ARM (9.16.2) says:
> > "There may be one or more forwarders, and they are queried in turn until
> > the list is exhausted or an answer is found."
> >
> > But [an old mailinglist post] says:
> > "Forwarders are selected based on an RTT(round-trip-time)-based algorithm"
> >
> > So which is correct?
>
> both are. The ARM does not say they are queried in defined order.
> The order is defined by RTT

To be fair, the ARM strongly implies in its context that it's the order you put them in the list. The ARM discrepancy has already been noted by ISC, but the first bug report in the long long ago on it was never really fixed. They raised the issue again internally a few months ago and so I would anticipate that the ARM will be fixed in a not too distant release.

https://gitlab.isc.org/isc-projects/bind9/-/issues/2030
Re: forwarders used in order or based on RTT ?
That is certainly not obvious. How do I request improving the manual? "in turn" would seem to imply "in order", and the order would logically be the order I listed them.

--
Bob Harold
DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
rharo...@umich.edu 734-512-7038

On Fri, Oct 16, 2020 at 10:21 AM Matus UHLAR - fantomas wrote:
> On 16.10.20 09:56, Bob Harold wrote:
> > The BIND ARM (9.16.2) says:
> > "There may be one or more forwarders, and they are queried in turn until
> > the list is exhausted
> > or an answer is found."
> >
> > But
> > https://lists.isc.org/pipermail/bind-users/2015-August/095544.html
> > says:
> > "Forwarders are selected based on an RTT(round-trip-time)-based algorithm"
> >
> > So which is correct?
>
> both are. The ARM does not say they are queried in defined order.
> The order is defined by RTT
>
> > And did it change at some point?
Re: forwarders used in order or based on RTT ?
On 16.10.20 09:56, Bob Harold wrote:
> The BIND ARM (9.16.2) says:
> "There may be one or more forwarders, and they are queried in turn until
> the list is exhausted or an answer is found."
>
> But https://lists.isc.org/pipermail/bind-users/2015-August/095544.html
> says:
> "Forwarders are selected based on an RTT(round-trip-time)-based algorithm"
>
> So which is correct?

both are. The ARM does not say they are queried in defined order.
The order is defined by RTT

> And did it change at some point?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Fucking windows! Bring Bill Gates! (Southpark the movie)
forwarders used in order or based on RTT ?
The BIND ARM (9.16.2) says:
"There may be one or more forwarders, and they are queried in turn until the list is exhausted or an answer is found."

But https://lists.isc.org/pipermail/bind-users/2015-August/095544.html says:
"Forwarders are selected based on an RTT(round-trip-time)-based algorithm"

So which is correct? And did it change at some point?

--
Bob Harold
DNS and DHCP Hostmaster - UMNet
Information and Technology Services (ITS)
rharo...@umich.edu 734-512-7038
Re: How can I launch a private Internet DNS server?
I've been looking for a way to implement this on nft or through firewalld, but couldn't find anything comprehensive. So if it does get updated, please let us know :)

On 10/16/20 10:34 AM, Michael De Roover wrote:
> Interesting article, thanks for sharing this! I'm slightly confused
> about some things in it though. Does this mean that any traffic will be
> put on the connection tracker and be treated as stateful unless we use
> CT --notrack, or can the kernel make a heuristic based on what's in the
> iptables rule (i.e. if it only covers a port or a network range, it
> must be stateless)?
>
> What constitutes a busy server? For a recursor it'd be easy to achieve
> high throughput, but does an authoritative name server for a single
> website need it?
>
> On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:
> > Absolutely right; I wrote this Linux-centric article about it:
> >
> > https://kb.isc.org/docs/aa-01183
> >
> > It has not been updated to cover nftables.
> >
> > Note also that this is a good reason NOT to use the NAT that
> > other posters have encouraged.
Re: How can I launch a private Internet DNS server?
Interesting article, thanks for sharing this! I'm slightly confused about some things in it though. Does this mean that any traffic will be put on the connection tracker and be treated as stateful unless we use CT --notrack, or can the kernel make a heuristic based on what's in the iptables rule (i.e. if it only covers a port or a network range, it must be stateless)?

What constitutes a busy server? For a recursor it'd be easy to achieve high throughput, but does an authoritative name server for a single website need it?

On Thu, 2020-10-15 at 20:42 -0500, Chuck Aurora wrote:
> Absolutely right; I wrote this Linux-centric article about it:
>
> https://kb.isc.org/docs/aa-01183
>
> It has not been updated to cover nftables.
>
> Note also that this is a good reason NOT to use the NAT that
> other posters have encouraged.

--
Michael De Roover
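The conntrack-overflow problem Chuck describes earlier in this thread, and the nftables port Sami asked for, as an added example: this script is not from the ISC article at https://kb.isc.org/docs/aa-01183 and not from any poster. It packages the iptables-legacy "raw table, CT --notrack on port 53" approach the article takes, an assumed nftables equivalent (the article does not cover nft, so that ruleset is my own), and two checks an operator can run: conntrack table utilisation from /proc, and a count of the kernel's "table full, dropping packet" messages. The dmesg excerpt is constructed.

```shell
#!/bin/sh
# Added example (not from the ISC KB article or any poster in this thread):
# keep DNS traffic out of the conntrack table, and check whether the table
# is already under pressure. Sample log data below is constructed.

# Conntrack utilisation as an integer percentage, from the values of
# nf_conntrack_count and nf_conntrack_max.
conntrack_pct() {
    echo $(( $1 * 100 / $2 ))
}

# Same, read live from /proc. Returns 1 where nf_conntrack is not loaded,
# which on a server that really runs untracked is a fine state to be in.
live_conntrack_pct() {
    d=/proc/sys/net/netfilter
    [ -r "$d/nf_conntrack_count" ] && [ -r "$d/nf_conntrack_max" ] || return 1
    conntrack_pct "$(cat "$d/nf_conntrack_count")" "$(cat "$d/nf_conntrack_max")"
}

# Count kernel-log lines (stdin) reporting an overflowing table. This is the
# text nf_conntrack emits; the message quoted in the thread paraphrases it.
count_table_full() {
    grep -c 'nf_conntrack: table full, dropping packet' || true
}

# iptables-legacy remedy, as in the ISC article: rules in the raw table run
# before conntrack, so marking DNS packets untracked in both directions means
# they never consume a table entry. Needs root; not run by this script.
apply_iptables_notrack() {
    for ipt in iptables ip6tables; do
        "$ipt" -t raw -A PREROUTING -p udp --dport 53 -j CT --notrack
        "$ipt" -t raw -A PREROUTING -p tcp --dport 53 -j CT --notrack
        "$ipt" -t raw -A OUTPUT     -p udp --sport 53 -j CT --notrack
        "$ipt" -t raw -A OUTPUT     -p tcp --sport 53 -j CT --notrack
    done
}

# nftables equivalent (assumption: current nft syntax; the article does not
# cover it). Priority -300 is the raw-table slot, ahead of conntrack.
# Load with:  nft_notrack_ruleset | nft -f -
nft_notrack_ruleset() {
    cat <<'EOF'
table inet dns_notrack {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        udp dport 53 notrack
        tcp dport 53 notrack
    }
    chain output {
        type filter hook output priority -300; policy accept;
        udp sport 53 notrack
        tcp sport 53 notrack
    }
}
EOF
}

# Constructed dmesg excerpt standing in for the real thing.
SAMPLE_DMESG='[ 1203.114] nf_conntrack: table full, dropping packet
[ 1203.118] nf_conntrack: table full, dropping packet
[ 1204.001] named[1234]: unrelated line'

# Print current utilisation (if readable) and overflow messages in the sample.
report() {
    pct=$(live_conntrack_pct) || pct="n/a (nf_conntrack not loaded)"
    echo "conntrack table utilisation: $pct"
    drops=$(printf '%s\n' "$SAMPLE_DMESG" | count_table_full)
    echo "sample log: $drops 'table full' messages"
}

report
```

In practice you would pipe a real `dmesg` into `count_table_full` and watch `live_conntrack_pct` over time; a steadily climbing percentage on a resolver is the early warning, the "table full" messages are the point at which queries are already being dropped. The two rule sets mark the same traffic untracked; the iptables one is what the article describes and the nft one is the assumed translation.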
Why are no notifies sent?
Hi all,

related parts from my named.conf:

- - -
include "/usr/local/etc/namedb/dns-keys/Kns4-he.net.conf";

// slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
server 216.218.133.2 { keys { ns4-he.net. ; }; };
server 2001:470:600::2 { keys { ns4-he.net. ; }; };
server 2001:470:100::2 { keys { ns4-he.net. ; }; };

// From slave.dns.he.net pulls zones from us, ns1.he.net receives notify from us
acl not-he { !216.218.133.2; !2001:470:600::2; !2001:470:100::2; any; };
acl ns4-he { !not-he; key ns4-he.net.; };

also-notify { 2001:470:100::2 key "ns4-he.net" ; 144.91.89.26 key "ns5-ping" ; };
- - -

I can't see any notifies to 2001:470:100::2 in the logs. What am I doing wrong?

Axel

---
PGP-Key: CDE74120 ☀ computing @ chaos claudius
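A way to establish which NOTIFYs named actually sends, as an added example that is not part of Axel's configuration or of BIND's own documentation: it switches on the "notify" logging category at debug level 3 (where named records each "sending notify to <address>" individually), forces a NOTIFY round with `rndc notify`, and extracts the target addresses from the resulting log. The zone name and log path are assumptions; the log excerpt is constructed in the shape named writes, using the two also-notify addresses from the posted config.

```shell
#!/bin/sh
# Added example (not from Axel's named.conf or from BIND's documentation):
# account for every NOTIFY named sends, so a missing notify to a particular
# also-notify target is confirmed from the log rather than guessed at.
# ZONE and NOTIFY_LOG are hypothetical values for illustration.

ZONE="${ZONE:-example.net}"
NOTIFY_LOG="${NOTIFY_LOG:-/var/log/named/notify.log}"

# Logging fragment to add to named.conf. The "notify" category covers the
# NOTIFY protocol; the per-target "sending notify to" lines need debug 3.
notify_logging_fragment() {
    cat <<EOF
logging {
    channel notify_log {
        file "$NOTIFY_LOG" versions 3 size 5m;
        severity debug 3;
        print-time yes;
    };
    category notify { notify_log; };
};
EOF
}

# Ask the running named to resend NOTIFYs for a zone (needs rndc access;
# not run by this script).
force_notify() {
    rndc notify "$1"
}

# From notify-category log lines on stdin, print the addresses named logged
# a NOTIFY to for the given zone, one per line (dots in the zone name are
# matched loosely by sed; good enough for a log you control).
notify_targets() {
    zone="$1"
    sed -n "s/.*zone ${zone}\/IN: sending notify to \([^ ]*\)#[0-9]*.*/\1/p"
}

# Exit 0 if the log on stdin shows a NOTIFY for the zone to the wanted target.
notified() {
    notify_targets "$1" | grep -qx "$2"
}

# Constructed log excerpt in the shape named writes at notify debug level 3.
SAMPLE_LOG='16-Oct-2020 14:02:11.201 zone example.net/IN: sending notifies (serial 2020101601)
16-Oct-2020 14:02:11.202 zone example.net/IN: sending notify to 144.91.89.26#53
16-Oct-2020 14:02:11.202 zone example.net/IN: sending notify to 2001:470:100::2#53
16-Oct-2020 14:02:11.250 zone other.example/IN: sending notify to 192.0.2.10#53'

# Prints 144.91.89.26 and 2001:470:100::2 for the sample.
printf '%s\n' "$SAMPLE_LOG" | notify_targets "$ZONE"
```

On a live server the sequence is: append `notify_logging_fragment` output to named.conf, `rndc reconfig`, `force_notify <zone>`, then `notified <zone> 2001:470:100::2 < "$NOTIFY_LOG"`. If the address never appears even at debug 3, named is not attempting the NOTIFY at all, which narrows the question to the zone's notify settings rather than to the network or the TSIG key.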