DNSTAP overload condition logging

2021-11-18 Thread Carsten Strotmann

Hi,

how can a BIND 9 operator detect a DNSTAP overload condition?

My understanding is that BIND 9 worker threads write DNSTAP information
into a circular buffer in memory, which is then read by a different
thread to write out the data (to file or socket).

Is there any indication to the user (log message, marker in DNSTAP data)
in the situation where BIND 9 receives more DNSTAP events than it could
write out, so that older events get overwritten in the buffer?

I've read dnstap.c and I could not find a hint, but I could have missed
it.

Greetings

Carsten
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: How to measure use of forwarders?

2021-11-18 Thread Carsten Strotmann

Hello Richard,

"Parkin, Richard (R.)"  writes:

Hello!

We recently re-addressed some of our external-facing cache servers into
a new network and discovered that our IPs appear to be blackholed going
to certain third-party auth servers, either intentionally or
unintentionally. Our workaround while we sort through these issues is
implementing forwarders.

I'd like to understand how much traffic is flowing to each forwarder
(QPS, etc) and monitor that for any issues. Is there a way to do that
effectively in Bind without putting some kind of network device on the
outbound path to measure it? If not, does anyone have any suggestions?



I've done a webinar this week for ISC on the topic of "Instrumenting
BIND 9 on Linux with BCC/eBPF". In this webinar, I've used logging of
forwarding decisions as one example to instrument BIND 9 with eBPF. The
bpftrace script I've presented might work as a starting point to create
custom BIND 9 logging for forwarding operations, which does not slow
down the operation of the BIND 9 server itself.

A recording of the webinar is available at


Greetings

Carsten
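As an added example, not Carsten's bpftrace script and not from any message in the two threads above, the following named.conf fragment uses BIND 9's own dnstap support to record the forwarder leg of recursion (the traffic Richard wants to measure) and sets the fstrm queue parameters that size the in-memory buffer Carsten asks about. It assumes named was built with --enable-dnstap; the output path, rotation sizes and queue sizes are illustrative choices, not recommendations from the list.

```conf
options {
    // Record only queries named sends to a configured forwarder and the
    // responses that come back (dnstap types FQ/FR). Client-facing
    // traffic is left out so the stream stays small.
    dnstap { forwarder; };

    // Output file is an illustrative path: rotate at 256 MB, keep 10 files.
    dnstap-output file "/var/log/named/dnstap.fstrm" size 256m versions 10;
    dnstap-identity hostname;

    // fstrm queue tuning. Worker threads place frames into an input queue;
    // one I/O thread drains it to the output. Larger values give the I/O
    // thread more headroom under bursts. Values are illustrative;
    // fstrm-set-input-queue-size must be a power of two (default 512),
    // fstrm-set-output-queue-size defaults to 64, the buffer hint to 8192.
    fstrm-set-input-queue-size 2048;
    fstrm-set-output-queue-size 256;
    fstrm-set-buffer-hint 65536;
};
```

Read the file with dnstap-read: each line carries a two-letter message type (FQ for a query sent to a forwarder, FR for its response) and the source and destination addresses, so counting the destination of FQ lines per time window gives QPS per forwarder without touching the network path. `rndc dnstap -roll` rotates the file on demand. The fstrm-set-* options only bound how much can be queued before the I/O thread falls behind; they do not by themselves answer Carsten's question of whether named reports it when that bound is exceeded.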


Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Evan Hunt
On Thu, Nov 18, 2021 at 04:06:01PM -0800, Fred Morris wrote:
> Thanks for the encouragement folks, I forged ahead and I've got a
> different error now:
> 
> "response-policy zone 'rpz1.m3047.net' for view standard is not a
> master or slave zone"
> 
> That's the final denouement. There are several intermediate steps, such
> as moving all zone definitions into the views and converting all zone
> references in the second view to "in-view standard;" (where "standard"
> is the name of the first view).
> 
>   * There are a total of three RPZs.
>   * Two are utilized in the first view. (actually this is a lie)
>   * All three are utilized in the second view.
> 
> and the "lie" is that the "unused" RPZ is dynamically updated in the
> first view (that's where update requests are sent); I suppose I could
> jigger that so that the updates happen in the second view. But the
> stopper is that error message, and that RPZ is common to both views.
> 
> This is 9.12 FWIW.

(That's pretty outdated, BTW. End of life was 2.5 years ago.)

You can set things up so that one view will transfer a copy of a zone
from another, by using a TSIG key so that transfer requests from localhost
to localhost will be routed to the correct view:

key them-key { ... };
acl our-clients { ... };

view us {
    match-clients { !key them-key; our-clients; };

    zone example.com {
        type secondary;
        file "example-secondary.db";
        primaries { 127.0.0.1 key them-key; };
    };
};

view them {
    match-clients { any; };

    zone example.com {
        type primary;
        file "example-primary.db";
        allow-transfer { localhost; };
    };
};

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.


Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
Thanks for the encouragement folks, I forged ahead and I've got a
different error now:

"response-policy zone 'rpz1.m3047.net' for view standard is not a
master or slave zone"

That's the final denouement. There are several intermediate steps, such
as moving all zone definitions into the views and converting all zone
references in the second view to "in-view standard;" (where "standard"
is the name of the first view).

  * There are a total of three RPZs.
  * Two are utilized in the first view. (actually this is a lie)
  * All three are utilized in the second view.

and the "lie" is that the "unused" RPZ is dynamically updated in the
first view (that's where update requests are sent); I suppose I could
jigger that so that the updates happen in the second view. But the
stopper is that error message, and that RPZ is common to both views.

This is 9.12 FWIW.

--

Fred Morris




Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread stuart@registry.godaddy
Look in to "match-destination" in a view, i.e.

acl abcd.anycast {
    10.10.10.1;
};
view "abcd" {
    match-clients {
        any;
    };
    match-destinations {
        abcd.anycast;
    };
    ...
};

The response-policy definition (and associated zone) can go into a view, 
instead of global options.

Stuart

On 19/11/21, 7:40 am, "bind-users on behalf of Fred Morris" 
 wrote:




I wanted to provide enhanced recursive DNS to (internal) clients on an
"opt in" basis, which is to say that clients could choose whether or not
to receive enhanced replies based on what they configured as their local
caching resolver. The enhanced services come in the form of a Response
Policy Zone (RPZ).

Didn't see any reason that it had to be separate instances of BIND,
thought maybe I could do it with views, but I've run into a couple of
roadblocks:

1. listen-on isn't supported in views.
2. internet wisdom augurs that response-policy isn't supported either.

Is there a way to do this or should I bite the bullet and run two copies
of BIND?

Thanks in advance...

--

Fred Morris




Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Tony Finch
Fred Morris  wrote:
>
> Didn't see any reason that it had to be separate instances of BIND,
> thought maybe I could do it with views, but I've run into a couple of
> roadblocks:
>
> 1. listen-on isn't supported in views.

Right, listen-on is for the server as a whole.

To control which view is used to answer a query based on the server
address, use the `match-destinations` option. For details see
https://bind9.readthedocs.io/en/v9_16_23/reference.html#view-statement-grammar

> 2. internet wisdom augurs that response-policy isn't supported either.

Don't believe everything you read on the internet :-)

Yes, you can have different RPZ configurations in different views.

Another trick that's useful for the kind of setup you are planning is to
use the `attach-cache` option so that your views can share the same cache.
This improves performance and reduces memory usage. It still works with
differing RPZ policies because RPZ only affects the responses sent to
clients; RPZ doesn't change how recursion works or what records are saved
in the cache.

Tony.
-- 
f.anthony.n.finch    https://dotat.at/
Fair Isle, Faeroes: Westerly or southwesterly 7 to severe gale 9,
occasionally storm 10 for a time in Faeroes, decreasing 5 to 7 later.
Rough or very rough, becoming high for a time. Occasional rain.
Moderate, occasionally poor.
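Putting Stuart's match-destinations selector, Evan's TSIG-routed local transfer and Tony's attach-cache tip together, here is a complete configuration for the setup Fred describes: two views chosen by the address the query arrived on, and one RPZ hosted as a dynamically updated primary in the default view and fed to the opt-in view as a local secondary, so that each view holds the zone as a primary or secondary and the "is not a master or slave zone" error does not arise. This is an added example, not from any message in the thread; the addresses, zone name, file names and key names are assumptions, and the key secrets are placeholders.

```conf
// Assumed: opt-in clients point their resolver at 192.0.2.53; everyone
// else uses the server's other addresses. Secrets are placeholders;
// generate real ones with tsig-keygen.
key "rpz-xfer"   { algorithm hmac-sha256; secret "<base64 secret>"; };
key "rpz-update" { algorithm hmac-sha256; secret "<base64 secret>"; };

acl "enhanced-service" { 192.0.2.53; };

options {
    directory "/var/named";
    recursion yes;
    // listen-on must include 192.0.2.53 and 127.0.0.1; other options as before.
};

// Opt-in view. Evaluated first, selected by the address the query was
// sent to, and skipped for requests signed with rpz-xfer so that the
// local zone transfer below can never land in this view by mistake.
view "enhanced" {
    match-destinations { enhanced-service; };
    match-clients { !key rpz-xfer; any; };
    attach-cache "shared";   // one cache for both views; RPZ only rewrites answers

    zone "rpz1.example" {
        type secondary;
        file "rpz1-enhanced.db";
        primaries { 127.0.0.1 key rpz-xfer; };  // pulled from the "standard" view's copy
        allow-notify { localhost; };            // NOTIFY arrives from one of our own addresses
    };

    response-policy { zone "rpz1.example"; };
};

// Default view. Hosts the RPZ as a primary, accepts the dynamic updates,
// and hands the zone to the opt-in view over a TSIG-signed local transfer.
// It does not list rpz1.example in a response-policy of its own.
view "standard" {
    match-clients { any; };
    attach-cache "shared";

    zone "rpz1.example" {
        type primary;
        file "rpz1.db";
        allow-update   { key rpz-update; };
        allow-transfer { key rpz-xfer; };
        notify explicit;
        also-notify { 192.0.2.53; };  // reaches the "enhanced" view by destination address
    };
};
```

The transfer request from the "enhanced" secondary goes to 127.0.0.1, which is not in enhanced-service and is signed with rpz-xfer, so it is answered by "standard"; the NOTIFY goes to 192.0.2.53 unsigned, so it is answered by "enhanced". `rndc retransfer rpz1.example in enhanced` forces the copy to catch up. Two caveats: attach-cache requires the options that govern cache contents (dnssec-validation, max-cache-ttl and the like) to be the same in both views, and the views should use the same forwarders, since a shared cache hands one view's answers to the other; and on Fred's 9.12 the zone keywords are master, slave and masters rather than primary, secondary and primaries.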



Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Niall O'Reilly
match-destinations ?

---
From an Android device, using BlueMail, which forces top-posting.

On 18 Nov 2021, 20:40, at 20:40, Fred Morris  wrote:
>I wanted to provide enhanced recursive DNS to (internal) clients on an
>"opt in" basis, which is to say that clients could choose whether or not
>to receive enhanced replies based on what they configured as their local
>caching resolver. The enhanced services come in the form of a Response
>Policy Zone (RPZ).
>
>Didn't see any reason that it had to be separate instances of BIND,
>thought maybe I could do it with views, but I've run into a couple of
>roadblocks:
>
>1. listen-on isn't supported in views.
>2. internet wisdom augurs that response-policy isn't supported either.
>
>Is there a way to do this or should I bite the bullet and run two copies
>of BIND?
>
>Thanks in advance...
>
>--
>
>Fred Morris


Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
I wanted to provide enhanced recursive DNS to (internal) clients on an
"opt in" basis, which is to say that clients could choose whether or not
to receive enhanced replies based on what they configured as their local
caching resolver. The enhanced services come in the form of a Response
Policy Zone (RPZ).

Didn't see any reason that it had to be separate instances of BIND,
thought maybe I could do it with views, but I've run into a couple of
roadblocks:

1. listen-on isn't supported in views.
2. internet wisdom augurs that response-policy isn't supported either.

Is there a way to do this or should I bite the bullet and run two copies
of BIND?

Thanks in advance...

--

Fred Morris




Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Grant Taylor via bind-users

On 11/18/21 3:14 AM, Mark Elkins wrote:
With IPv6 - you might want to use NSEC3 - as there can be huge holes in 
the reverse zone. Make the bad guy work at guessing what is in the zone.


Be mindful of current efforts for minimizing NSEC3 rounds / iterations 
which purportedly have a diminishing RoI for higher counts.




--
Grant. . . .
unix || die





Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Blažej Krajňák
Hello

Thu 18 Nov 2021 at 10:28, Divya wrote:

> Dear Admin,
>
> Has anybody implemented  DNSSEC on IPv6 reverse  zones?
> Kindly help us to configure DNSSEC on reverse zones of IPV6 segment with
> BIND 9.17.16+CentOS  7.9.
>
> With Thanks & Regards
> Divya
>

I can confirm working DNSSEC for IPv6 reverse zone with BIND 9.16 on Debian
11.
https://dnsviz.net/d/6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.0.0.3.a.c.6.2.0.a.2.ip6.arpa/dnssec/


Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Mark Elkins

And I can testify that this works. I have 2001:42a0::/32 signed via AFRINIC.

One suggestion though. When one signs an IPv4 reverse - use NSEC - as 
everyone can guess what is there anyway.
With IPv6 - you might want to use NSEC3 - as there can be huge holes in 
the reverse zone. Make the bad guy work at guessing what is in the zone.
Also - if signing a brand new zone - try using Algo 13 (Elliptical 
curve) as it will generate shorter keys - so less chance of your zone 
being used in a DNS DDOS amplification attack - it doesn't amplify as much.



On 11/18/21 12:07 PM, Mark Andrews wrote:
You do it exactly the same as any other zone.  You create DNSKEYs. You 
sign the zone. You add DS records to the parent zone.


--
Mark Andrews


On 18 Nov 2021, at 20:28, Divya  wrote:


Dear Admin,

Has anybody implemented  DNSSEC on IPv6 reverse  zones?
Kindly help us to configure DNSSEC on reverse zones of IPV6 segment 
with BIND 9.17.16+CentOS  7.9.


With Thanks & Regards
Divya







--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za   Tel: +27.826010496 
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za 






Re: DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Mark Andrews
You do it exactly the same as any other zone.  You create DNSKEYs. You sign the 
zone. You add DS records to the parent zone. 

-- 
Mark Andrews

> On 18 Nov 2021, at 20:28, Divya  wrote:
> 
> 
> Dear Admin,
> 
> Has anybody implemented  DNSSEC on IPv6 reverse  zones?
> Kindly help us to configure DNSSEC on reverse zones of IPV6 segment with BIND 
> 9.17.16+CentOS  7.9.
> 
> With Thanks & Regards 
> Divya 
> 
> 
> 
> 
> 
> 

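The three steps Mark Andrews lists (create DNSKEYs, sign the zone, add DS records at the parent), Mark Elkins' suggestions of algorithm 13 and NSEC3 for a sparse IPv6 reverse tree, and Grant's caution about NSEC3 iteration counts can all be expressed as one dnssec-policy in BIND 9.16 or later. This is an added example, not from any message in the thread; the zone name (the reverse tree of the 2001:db8::/32 documentation prefix), file path and key lifetime are assumptions.

```conf
dnssec-policy "reverse-v6" {
    keys {
        // Algorithm 13 (ECDSAP256SHA256) gives 64-byte signatures, so signed
        // answers stay small and amplify far less than RSA would. A single
        // CSK keeps the zone simple; "unlimited" means no automatic rollover.
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
    // NSEC3 hides the gaps in a sparse reverse zone. Zero extra hash
    // iterations and an empty salt follow current guidance: additional
    // iterations cost validating resolvers CPU while adding little to
    // the work of guessing names. Opt-out is not needed for a zone that
    // is signed throughout.
    nsec3param iterations 0 optout no salt-length 0;
};

zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type primary;
    file "/var/named/8.b.d.0.1.0.0.2.ip6.arpa.db";
    dnssec-policy "reverse-v6";
    inline-signing yes;   // required in 9.16 when the zone is not dynamically updated
};
```

named generates the key, signs the zone and publishes CDS/CDNSKEY records on its own; the DS still has to be lodged with whoever delegates the reverse zone (the RIR, as Mark Elkins notes for AFRINIC). Once it is visible in the parent, `rndc dnssec -checkds published 8.b.d.0.1.0.0.2.ip6.arpa` tells named that the chain of trust is complete.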

DNSSEC implementation on IPv6 PTR Zones

2021-11-18 Thread Divya
Dear Admin, 

Has anybody implemented DNSSEC on IPv6 reverse zones? 
Kindly help us to configure DNSSEC on reverse zones of IPV6 segment with BIND 
9.17.16+CentOS 7.9. 

With Thanks & Regards 
Divya 


