How to influence forwarder selection BIND 9.7.3

2012-04-24 Thread Bob McDonald
ANYCAST (in one cloud). ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users

Delegation and Forwarding

2013-12-11 Thread Bob McDonald
I'm a bit confused on the need for a blank forwarders statement inside of a zone statement in the named.conf file. Given an internal zone on a recursive server with global forwarders, what are the situations which would require me to code a blank forwarders statement inside of a zone statement in

Re: Slowing down bind answers

2014-01-06 Thread Bob McDonald
Of course, anycast would have solved this issue by allowing one to add/remove a server from a properly configured environment without affecting the clients... On 03/01/2014 18:00, wbr...@e1b.org wrote: From: Mark Andrews ma...@isc.org After that specify a final date for them to fix their

Re: Slowing down bind answers

2014-01-07 Thread Bob McDonald
Unless the goal is to move all DNS services off that subnet. Our network staff would love to reclaim the /24 our DNS servers are tying up with very little else on it wasting 250 addresses. I'm not sure I'm describing a properly configured anycast environment well. Since in anycast the client

Update Security

2014-03-14 Thread Bob McDonald
I want to confirm my understanding of security of DDNS updates. I have a stealth master A feeding slave B and C. I have allow-update-forwarding { any; } specified on B and C. If a client D presents an update to B or C it will automatically be forwarded to A. If B or C are in the allow-updates

Re: Update Security

2014-03-14 Thread Bob McDonald
In message CAM-YptcevrqfJN0371Zk43gyDt5TiEKusf4EW6=XPvzpwP= h...@mail.gmail.com, Bob McDonald writes: I want to confirm my understanding of security of DDNS updates. I have a stealth master A feeding slave B and C. I have allow-update-forwarding { any; } specified on B and C. If a client

Re: Update Security

2014-03-16 Thread Bob McDonald
AM, Bob McDonald bmcdonal...@gmail.com wrote: I agree that TSIG or SIG(0) signed updates are certainly a more desirable approach than allowing updates via address. My DHCP server is setup to sign all of its updates this way. However, I have AD domain controllers in the environment that don't

Re: Update Security

2014-03-17 Thread Bob McDonald
Signed updates, that is... On Sun, Mar 16, 2014 at 5:32 AM, Bob McDonald bmcdonal...@gmail.com wrote: Ok so it's not painless. Do the updates still get forwarded to the master by the slaves or do I need to have all Windows devices needing update capability to point at the master? TIA

Re: bind-users Digest, Vol 1798, Issue 1

2014-03-24 Thread Bob McDonald
This sounds like a Microsoft IP stack where it can be configured to search the parent domain after a domain failure. (as opposed to domain suffix search order). An attempt to resolve everything for the client no matter what the client types in. This generates unnecessary traffic, IMHO. Bob

re: Cannot get allow-query-on to work.

2014-07-02 Thread Bob McDonald
Did you specify 127.0.0.1 in the listen-on options statement? I am using Ubuntu 12.04.4, BIND 9.8.1-P1, and just added: allow-query-on { 127.0.0.1; }; To the default /etc/bind/named.conf.options file. That should make it only answer queries sent to 127.0.0.1, and not answer queries sent to

Re: RPZ Question

2015-04-29 Thread Bob McDonald
(normal FQDN). If the target name is in RPZ it should not be terminated with a period. Apparently when doing the recursion required to resolve the target names, bind doesn't use RPZ. Is this the correct behaviour? Details are in my previous posts. Regards, Bob On Thu, Apr 16, 2015 at 2:07 PM, Bob

RPZ Question

2015-04-16 Thread Bob McDonald
I'm using RPZ to return fake addresses for hosts. Although it seems to work well for A records, I'm questioning the way it processes CNAME records. Shown below is the output from DIG. Both records are in RPZ. However, you'll notice that the first DIG returns a NXDOMAIN response. The CNAME target

Re: RPZ Question

2015-04-16 Thread Bob McDonald
Requested information: options { directory "/opt/incontrol/dns/db"; allow-query { 127.0.0.1; rfc1918-nets; }; also-notify { 172.26.100.10 port 5053; 172.26.100.11; }; listen-on { 127.0.0.1; }; listen-on { 172.26.99.160; }; listen-on-v6 { none; }; masterfile-format

Re: bind-web-based control panel (Ejaz)

2015-07-07 Thread Bob McDonald
There are several companies that sell IPAM (IP address management) solutions around the world. One of the side benefits, along with IP address management, is the configuration and management of DNS and DHCP (as well as in some cases, NTP). They also can provide hardware platforms for running DNS

Re: Reciving Timeout from DNS Server for a zone file Not present in named.conf.

2015-07-08 Thread Bob McDonald
1) status REFUSED - server with recursion turned off. with or without +norecurse on the dig command. 2) status NXDOMAIN - server with recursion turned on with or without +norecurse on the dig command (and access to the internet in my case) 3) status may be NOERROR depending on if a forwarder can

Re: 9.10.2-P2 not receiving/logging inbound queries.

2015-07-10 Thread Bob McDonald
Is SELINUX enabled on the server? (several of the red hat centric distros have it enabled by default.) That would cause the server to act as if it were running normally while not accepting queries. Regards, Bob Message: 2 Date: Fri, 10 Jul 2015 08:42:32 +1000 From: Neil nei...@iprimus.com.au

Re: Troubleshooting Information

2015-08-27 Thread Bob McDonald
devices in that view of class chaos. I think I understand this last one. Setting recursion off does not seem to affect the warning message generated by omitting the root hints zone for class chaos. Bob On Wed, Aug 26, 2015 at 5:50 AM, Bob McDonald bmcdonal...@gmail.com wrote: The warning is issued

Re: Troubleshooting Information

2015-08-28 Thread Bob McDonald
It appears that receiving an NSID response depends on having server-id set in the options block. However, I'm seeing no way to restrict such queries. regards, Bob On Fri, Aug 28, 2015 at 7:48 AM, Bob McDonald bmcdonal...@gmail.com wrote: No, and there seems to be sparse documentation

Re: Troubleshooting Information

2015-08-28 Thread Bob McDonald
No, and there seems to be sparse documentation of the use of NSID in troubleshooting. I'm all ears. I would. however, like to restrict queries to inside networks/users and negate access to that data from the outside altogether. TIA, Bob Alan Clegg wrote: Has anyone recommended doing debugging

Re: Troubleshooting Information

2015-08-26 Thread Bob McDonald
more template friendly, I know. However, your suggestion changes my response for excluded addresses from SERVFAIL to REFUSED. Much better. Cheers! On Wed, Aug 26, 2015 at 5:02 AM, Tony Finch d...@dotat.at wrote: Bob McDonald bmcdonal...@gmail.com wrote: To further lock this information down

Troubleshooting Information

2015-08-26 Thread Bob McDonald
Bind 9 provides configurable hosts within the chaos class which can be queried to provide troubleshooting information. They are: version.bind hostname.bind These are all configurable within the options block of the DNS configuration file. In the past, the suggestion was to specify something

Re: Troubleshooting Information

2015-08-26 Thread Bob McDonald
The warning is issued either way (with or without recursion specified). But I see the logic in not needing it if recursion is set to no. Thanks again, Bob On Wed, Aug 26, 2015 at 5:45 AM, Tony Finch d...@dotat.at wrote: Bob McDonald bmcdonal...@gmail.com wrote: I'd still include the hint

Options for non-recursive servers

2015-09-22 Thread Bob McDonald
for non-recursive (authoritative only) servers I have: options { directory "/var/cache/bind"; allow-query { any; }; allow-query-cache { none; }; allow-recursion { none; }; listen-on { 127.0.0.1; }; listen-on { 172.26.99.117; }; listen-on-v6

RE: Query on ignoring additional section returned in replies

2015-11-18 Thread Bob McDonald
Is this hosted on some sort of load-balancer? Add a +norecurse to your dig and see how that changes things. Regards, Bob

Questions about .ro domain

2016-02-15 Thread Bob McDonald
I'm having issues with resolution of a domain in the .ro TLD. See below: ; <<>> DiG 9.9.5-P1 <<>> @127.0.0.1 ns01.ebsromania.ro. +trace ; (1 server found) ;; global options: +cmd . 263965 IN NS a.root-servers.net. . 263965 IN NS

Delegation questions

2016-08-11 Thread Bob McDonald
I have a child domain that is delegated to a second site. Pretty straightforward situation. In the parent zone I have NS records that point to the DNS servers at the second site. The issue comes up when a slaved copy of the parent domain is running at a third site and that third site doesn't have

Re: Delegation questions

2016-08-11 Thread Bob McDonald
me to server B?) Hope that's clearer. Bob On Thu, Aug 11, 2016 at 11:52 AM, Matthew Pounsett <m...@conundrum.com> wrote: > > > On 11 August 2016 at 09:13, Bob McDonald <bmcdonal...@gmail.com> wrote: > >> I have a child domain that is delegated to a second s

Re: Delegation questions

2016-08-11 Thread Bob McDonald
o whether or not this might work. I'm ok either way. Just curious. Thanks for the replies. Bob On Thu, Aug 11, 2016 at 12:21 PM, Matthew Pounsett <m...@conundrum.com> wrote: > > > On 11 August 2016 at 10:14, Bob McDonald <bmcdonal...@gmail.com> wrote: > >> >>

Re: ACL

2016-10-09 Thread Bob McDonald
I think what you are looking for is: acl test0 { !192.168.1.50/32; 192.168.1.0/24; }; http://jodies.de/ipcalc is a good resource for checking. (As was mentioned by Reindl...) Learning basic sub-netting of IP addresses (Both IPv4 and IPv6) takes time but it's necessary for DNS configuration.
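The ordering rule behind that ACL is easy to get backwards, so here is an added example (not part of Bob's reply and not BIND code): a small Python evaluator for BIND-style address_match_list semantics, where the list is scanned top to bottom, the first element that matches decides, and a leading "!" turns that element into a deny. The ACL name test0 and the two addresses come from the reply; everything else in the block (the module layout, the test addresses 192.168.1.51 and 10.0.0.1) is constructed for the demonstration.

```python
"""First-match evaluation of a BIND-style address_match_list.

Added example, not code from the original post or from BIND.  It models the
rule behind `acl test0 { !192.168.1.50/32; 192.168.1.0/24; };`: elements are
tried in order, the first one containing the address decides, and a leading
"!" makes that decision a deny.  Addresses other than the two in the reply
are constructed for the demonstration.
"""
import ipaddress


def parse_acl(text):
    """Parse 'elem; elem; ...' into a list of (negated, network) pairs."""
    entries = []
    for raw in text.split(";"):
        elem = raw.strip()
        if not elem:
            continue
        negated = elem.startswith("!")
        if negated:
            elem = elem[1:].strip()
        if elem == "any":
            nets = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        elif elem == "none":
            nets = []          # matches nothing, so it never ends the scan
        else:
            nets = [ipaddress.ip_network(elem, strict=False)]
        for net in nets:
            entries.append((negated, net))
    return entries


def matches(acl, address):
    """True if the address is allowed, False if denied or matched by nothing.

    Mirrors BIND: the first element whose network contains the address
    decides; a negated element denies; falling off the end denies.
    """
    addr = ipaddress.ip_address(address)
    for negated, net in acl:
        if addr.version != net.version:
            continue
        if addr in net:
            return not negated
    return False


# The ACL as written in the reply: the exclusion comes first, so it wins for .50.
CORRECT = parse_acl("!192.168.1.50/32; 192.168.1.0/24;")
# Same two elements the other way round: the /24 matches .50 first and the
# negated entry is never reached, so .50 is silently allowed.
WRONG_ORDER = parse_acl("192.168.1.0/24; !192.168.1.50/32;")


def demo():
    """Return the four cases a reader would want to compare."""
    return {
        "correct order, 192.168.1.50": matches(CORRECT, "192.168.1.50"),
        "correct order, 192.168.1.51": matches(CORRECT, "192.168.1.51"),
        "wrong order, 192.168.1.50": matches(WRONG_ORDER, "192.168.1.50"),
        "correct order, 10.0.0.1": matches(CORRECT, "10.0.0.1"),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Run it as a script to see the four cases. The point is the third one: swapping the two elements re-admits 192.168.1.50 without any error, because the /24 matches first and the negated entry is never consulted. The same first-match rule applies wherever named.conf takes an address_match_list (allow-query, allow-transfer, allow-update, listen-on, match-clients in views), so the most specific negations go first.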

RE: problem domains host in ns1/ns2.planetdomain.com (Eric Yiu)

2016-12-29 Thread Bob McDonald
On first glance it looks like although the domain registration points to the DNS servers at planetdomain.com., the actual domain has NS records (and an MNAME entry in the SOA) which point to DNS servers at netregistry.net. Anyone else have different results? Regards, Bob

Re: Max slaves limit?

2017-12-18 Thread Bob McDonald
Barry has a good point. I've seen cases where folks have added all of the Domain Controller addresses for an AD forest to the NS list for a domain. This results in huge TCP response packets for ALL requests to that domain. Folks don't seem to get the concept of stealth slaves and the associated

Re: Max slaves limit?

2017-12-19 Thread Bob McDonald
Mea culpa of the Windows process. I should have indicated that as well. Also I was remiss on not mentioning the MINIMAL-RESPONSES option in the discussion. It sounds like there are some newer options available under bind 9.11 and up (Thanks Mr. Andrews!) That's why I read this list. It's a great

Re: notify explicit and also-notify

2018-05-04 Thread Bob McDonald
This is my understanding of how Current (ver. 9.8 and above) ISC Bind works. It may or may not apply to older versions of ISC Bind and/or DNS resolver programs from other sources. This is only MY understanding. You are welcome to disagree and point out the folly of my understanding. There are

Re: notify explicit and also-notify

2018-05-04 Thread Bob McDonald
pictures. Regards, Bob On Fri, May 4, 2018 at 6:21 AM, Bob McDonald <bmcdonal...@gmail.com> wrote: > This is my understanding of how Current (ver. 9.8 and above) ISC Bind > works. It may or may not apply to older versions of ISC Bind and/or DNS > resolver programs from other sources.

request-nsid seems to not be working (Bind 9.11.3)

2018-05-16 Thread Bob McDonald
I have a server that has request-nsid yes; specified in the options block within named.conf. However, I don't see the NSID responses in the resolver channel log file. Anyone else see this behaviour? dig +nsid seems to work. Regards, Bob

Re: request-nsid seems to not be working (Bind 9.11.3)

2018-05-16 Thread Bob McDonald
Is that a functionality change from previous versions? I seem to remember it working at the info level. I could be wrong... On Wed, May 16, 2018 at 3:09 PM, Tony Finch <d...@dotat.at> wrote: > Bob McDonald <bmcdonal...@gmail.com> wrote: > > > I have a server that has req

Re: request-nsid seems to not be working (Bind 9.11.3)

2018-05-16 Thread Bob McDonald
in the resolver category at level info. The default is no. Seems to suggest that they get logged at the info level. Regards, Bob On Wed, May 16, 2018 at 3:18 PM, Bob McDonald <bmcdonal...@gmail.com> wrote: > Is that a functionality change from previous versions? I seem to remember >

Re: DNS can be a subdomain

2018-06-27 Thread Bob McDonald
Hmmm... My understanding was that the only requirement was that the DNS server pointed to by the AD DC (in this case the AD is managed by SAMBA) had to be authoritative for the domain in DNS which represented the matching AD domain. This was a common holy war between MCSE folks and Bind groupies.

Local Slave copy of root zone

2018-08-15 Thread Bob McDonald
I've recently been investigating having a local slave copy of the root zone on a caching/forwarder type server. I've even put the local slave copy of the root zone into a separate view accessed via a different loopback address. (An limited example of this exists on the ISC site) My question is

Re: Local Slave copy of root zone

2018-08-15 Thread Bob McDonald
Thank you sir! I'll investigate the newer bind implementations. Regards. Bob On Wed, Aug 15, 2018 at 12:41 PM Tony Finch wrote: > Bob McDonald wrote: > > > I've recently been investigating having a local slave copy of the root > zone > > on a caching/forwarder

re: SRV record not working

2018-08-18 Thread Bob McDonald
> I know that most of you hate nslookup but I have been using it since the > 90's and it's my go-to utility. I get the same responses whether I use > Dig or nslookup. If nslookup doesn't return what I am looking for, I do > use Dig also. I don't think anyone hates nslookup (well, maybe a few do)

Re: how two dns bind master sync?

2018-08-23 Thread Bob McDonald
> This may be an unpopular opinion, especially on the BIND-Users mailing > list (sometimes BIND is not the best answer). > > It sounds like you might want something like multi-master DNS servers > that Active Directory (with AD integrated zones) provides. Here's the Microsoft AD DNS explanation:

DNSSEC Question

2018-04-11 Thread Bob McDonald
Consider the following example: Server A DNSSEC=yes DNSSEC-validation=yes Valid trust anchor for the root zone DNSSEC validation seems to work correctly Zone one.com. is setup as a forward zone to server B Server B DNSSEC=no DNSSEC-validation=N/A authoritative and the master for one.com. When

Re: DNSSEC Question

2018-04-11 Thread Bob McDonald
). I suspect it's the issue of having the DNSSEC-enable set to off on server B even though it's not validating. (But that's just a guess...) Thanks, Bob On Wed, Apr 11, 2018 at 9:48 AM, Tony Finch <d...@dotat.at> wrote: > Bob McDonald <bmcdonal...@gmail.com> wrote: > > > &

RE: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-03-03 Thread Bob McDonald
Personally, I leave the version statement alone. I like having my "internal" servers return the current running version when queried. I disable chaos queries on my internet facing servers via views thus effectively not answering any queries for the version or hostname from folks I don't know. I

Re: NTP through DNS?

2018-09-27 Thread Bob McDonald
Having multiple CNAME records for the same hostname is a violation of rfc1034. (that and bind9 won't allow it...) Surely there must be some creative solution which doesn't a) violate the DNS specs or b) suggest the use of deprecated software (bind8). Regards, Bob

Questions about delegation

2018-12-19 Thread Bob McDonald
I have a DNS server that serves a zone for domain example.org. That DNS server lives at 192.0.2.53 As part of hosting that domain, a child domain is delegated. ( gtm-int.example.org.) There are two NS records as follows: gtm-int.example.org. IN NS gtm-int-east.example.org. gtm-int.example.org. IN

RE: nsupdate reject

2019-05-20 Thread Bob McDonald
The most obvious thing is to look at the zone and see if that key is included in an allow-update statement for the zone. Bob

RE: Intermittent ServFail for FreeBSD.org names? (Havard Eidnes)

2019-09-16 Thread Bob McDonald
What does your request show when you include a +nodnssec switch on the dig? -Bob

re: Delegation not working from slave.

2019-10-02 Thread Bob McDonald
If I'm reading this correctly, it looks like delegation DOES work from the slave. Looking at the zone file for sub.example.org. from the main DNS server, is the delegation present for dyn.sub.example.org.? (e.g. is there a dyn.sub.example.org. IN NS dynsub.example.org. in the zone file for
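Two of the problems raised in these threads (several CNAMEs at one name, and a delegation that only works from some copies of the parent zone) can be caught by a static pass over the zone before it is loaded. The block below is an added example, not code from the original posts and not part of BIND: a Python check over a simple "owner [IN] TYPE rdata" listing that reports (1) more than one CNAME at an owner, or a CNAME with other data beside it, which RFC 1034 section 3.6.2 and RFC 2181 section 10.1 forbid, and (2) NS records below the apex whose target sits inside the delegated child but has no glue A/AAAA in the parent, or sits elsewhere in the parent zone without any address record. The zone text, the apex sub.example.org. and every hostname in it are constructed for the demonstration; they echo the names in the threads but are placeholders.

```python
"""Static checks for a zone listing: CNAME rules and delegation glue.

Added example, not code from the original posts or from BIND.  Input is a
simple 'owner [IN] TYPE rdata' listing (one RR per line, TTLs omitted);
the zone below and all of its names are constructed for the demonstration.
"""
from collections import defaultdict


def fqdn(name):
    """Lower-case and make absolute so name comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_zone(text):
    """Return {owner: {TYPE: [rdata, ...]}} for the listing."""
    rrs = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()        # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) > 2 and fields[1].upper() == "IN":
            del fields[1]
        owner, rtype = fqdn(fields[0]), fields[1].upper()
        rdata = " ".join(fields[2:])
        if rtype in ("CNAME", "NS"):
            rdata = fqdn(rdata)
        rrs[owner][rtype].append(rdata)
    return rrs


def is_under(name, ancestor):
    """True if name equals ancestor or lies below it."""
    return name == ancestor or name.endswith("." + ancestor)


def check_cnames(rrs):
    """RFC 2181 s10.1: one CNAME per owner; RFC 1034 s3.6.2: nothing else beside it."""
    problems = []
    for owner, types in rrs.items():
        cnames = types.get("CNAME", [])
        if len(cnames) > 1:
            problems.append(f"{owner}: {len(cnames)} CNAME records at one name")
        # DNSSEC record types may legally sit next to a CNAME
        others = sorted(t for t in types if t not in ("CNAME", "RRSIG", "NSEC", "NSEC3"))
        if cnames and others:
            problems.append(f"{owner}: CNAME coexists with {', '.join(others)}")
    return problems


def check_delegations(rrs, apex):
    """NS below the apex is a zone cut; its targets must be reachable from this zone."""
    apex = fqdn(apex)
    problems = []
    for owner, types in rrs.items():
        if owner == apex or "NS" not in types:
            continue
        for target in types["NS"]:
            addrs = rrs.get(target, {})
            has_addr = bool(addrs.get("A") or addrs.get("AAAA"))
            if is_under(target, owner) and not has_addr:
                problems.append(f"{owner}: NS {target} is inside the child but has no glue A/AAAA")
            elif is_under(target, apex) and not is_under(target, owner) and not has_addr:
                problems.append(f"{owner}: NS {target} is in this zone but has no address record")
            # a target outside this zone is resolved elsewhere; nothing to check here
    return problems


ZONE = """
; constructed parent zone sub.example.org. (placeholder names)
sub.example.org.          IN NS    ns1.sub.example.org.
ns1.sub.example.org.      IN A     192.0.2.1
; child server lives outside this zone: nothing to check locally
dyn.sub.example.org.      IN NS    dynsub.example.org.
; child server lives in this zone but outside the child: needs an A here (present)
gtm.sub.example.org.      IN NS    gtm-east.sub.example.org.
gtm-east.sub.example.org. IN A     192.0.2.2
; child server lives inside the child: needs glue here (missing)
lab.sub.example.org.      IN NS    ns.lab.sub.example.org.
; child server in this zone with no address record at all (missing)
test.sub.example.org.     IN NS    ns2.sub.example.org.
; illegal: two CNAMEs at one owner, and a CNAME beside an A
ntp.sub.example.org.      IN CNAME ntp1.sub.example.org.
ntp.sub.example.org.      IN CNAME ntp2.sub.example.org.
www.sub.example.org.      IN CNAME web.sub.example.org.
www.sub.example.org.      IN A     192.0.2.3
"""

RRS = parse_zone(ZONE)


def run_checks(rrs=RRS, apex="sub.example.org."):
    """Run both checks and return the findings by kind."""
    return {"cname": check_cnames(rrs), "delegation": check_delegations(rrs, apex)}


if __name__ == "__main__":
    for kind, found in run_checks().items():
        for problem in found:
            print(f"[{kind}] {problem}")
```

named-checkzone refuses the two CNAME cases at load time, which is the "bind9 won't allow it" from the NTP thread. The missing-glue case loads fine and is the one that bites in the delegation threads: any copy of the parent zone can hand out the NS name ns.lab.sub.example.org., but without the glue record nothing can learn that server's address from that copy.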

re: How to disable recursion on ONE domain? (Bind-9.11.14)

2020-05-15 Thread Bob McDonald
Would adding the following to the zone config work? forwarders {}; Regards, Bob

RE: "minimal-any" configuration query

2020-09-08 Thread Bob McDonald
Without seeing your configuration, I can only suggest trying the minimal-responses option. Regards, Bob

Re: bind 9.16.7 Odd query error (Borja Marcos)

2020-09-30 Thread Bob McDonald
Same thing here. Here's what I found. 1) there's an old version of the root hints file. Nov 2017. Current is Sept 2020. New one didn't change things. I'll look at my other setup which slaves the root. Caveat: I'm running FreeBSD 12.1 2) Upon executing the dig a second time, it resolves.

Re: bind 9.16.7 Odd query error (Borja Marcos)

2020-10-01 Thread Bob McDonald
My config took the following combination before it would work: max-recursion-depth 20; max-recursion-queries 275; I'm running both IPv4 and IPv6. Regards, Bob On Thu, Oct 1, 2020 at 2:37 AM Borja Marcos wrote: > > > > On 30 Sep 2020, at 22:34, Mark Andrews wrote: > > > >

Re: A And Cname-record

2020-06-18 Thread Bob McDonald
May I suggest the following?: If you are an individual that is so pedantic that seeing a spelling error causes you to lose sleep or have other soul searing consternation, send an email (gently worded) to the poster only. Please also be encouraging to that individual pointing out that these types

Re: Local resolution first and then public resolution for "google.com" domain (Roberto Carna)

2021-03-31 Thread Bob McDonald
You could use RPZ for the entry "www.google.com" and then the rest of the domain would resolve from the internet. Regards, Bob

RE: replication time for dynamic records from primary to secondary servers

2021-04-02 Thread Bob McDonald
Is there an entry in your server options similar to this? notify-delay nn; Regards, Bob

Re: AA flag

2022-02-27 Thread Bob McDonald
I'm guessing that the zone files hosted on the new DNS servers still contain NS records pointing to the old DNS servers. Based on your post, that's my guess. Bob

Re: Facing issues while resolving only one record

2023-08-30 Thread Bob McDonald
Turning off validation for that domain fixes the issue. When using dig to diagnose this issue, one might be tempted to use the DNSSEC switch. However, the following command: dig eportal.incometax.gov.in. +NODNSSEC will NOT turn off DNSSEC validation. The DNSSEC switch in dig is used to display

Re: Facing issues while resolving only one record

2023-08-30 Thread Bob McDonald
This is why I try to read this list every day... Thanks Mark. I need to go back to RTFM (or read the man page)

Re: Determining Which Authoritative Server to Use

2022-05-16 Thread Bob McDonald
Coding a zone statement within the dhcp config file tells dhcp where to send DDNS updates to. This has traditionally been a method used to update a truly stealth (hidden) DNS master/primary zone. However, in the case of using bind DNS servers to provide DNS for Windows Active Directory, this can

Re: bugs for cname can not be working properly with bind 9.11.4

2022-05-25 Thread Bob McDonald
I also get the same value for the serial number from a dig soa . A couple of questions. 1) I assume you are updating the serial number on the master (primary) zone file. Correct? Is this a stealth (hidden) master? 2) On that same server, what are your values for NOTIFY and if specified,

Determining Which Authoritative Server to Use

2022-05-07 Thread Bob McDonald
Forgive my ignorance if this is a trivial question. Supposing I have an internal IP network (rfc1918) where there are local caching servers (recursive) which clients connect to and scattered around are several authoritative servers which provide answers for internal only zones. Those internal

Re: Determining Which Authoritative Server to Use (Bob McDonald)

2022-05-08 Thread Bob McDonald
Thanks for the answers. A couple more questions and then I'll stand down. First, it's Ben Croswell. Just pointing that out. Second, my reading of the definition of a static-stub zone in the Bvarm indicates that its use is to allow a local copy of the NS list which may differ from the primary

Determining Which Authoritative Server to Use

2022-05-11 Thread Bob McDonald
It's always an architectural choice to use anycast with your authoritative zones. I'm speaking from purely a private network (inside) viewpoint. I typically only use anycast for recursive DNS servers on my private (internal) network. That said, here are some thoughts. (This is my understanding

Re: Question About Internal Recursive Resolvers

2022-10-18 Thread Bob McDonald
Let's not overthink this. I fear that I've activated a lot of creative circuitry in individuals and provided flimsy details around my example. There are no outside clients. In this example, I'm only discussing inside clients on inside DNS. The recursive resolvers that ALL inside clients connect

RE: dig +norecurse behaviour changed with 9.16.33

2022-10-26 Thread Bob McDonald
For both versions of bind, please submit the actual dig command and the complete results received. That will make diagnosing this issue MUCH easier. Regards, Bob

Re: dig +norecurse behaviour changed with 9.16.33

2022-10-27 Thread Bob McDonald
Are the zones cern.ch and spectrum-lb.cern.ch on the same authoritative DNS server?

Question About Internal Recursive Resolvers

2022-10-14 Thread Bob McDonald
I'm thinking about redesigning an internal DNS environment. To begin with, all internal DNS zones would reside on non-recursive servers only. That said, all clients would connect to recursive resolvers. The question is this; do I use an internal root with pointers to the internal zones (as well

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Bob McDonald
>>I'm thinking about redesigning an internal DNS environment. To begin >>with, all internal DNS zones would reside on non-recursive servers >>only. >why? My understanding has always been that the recommendation is/was to separate recursive and non-recursive servers. Now I understand I'm talking

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Bob McDonald
OK, if a known client accesses DNS on the internal network, that client is pointed at a recursive resolver (e.g by DHCP). That resolver either provides access to the internal DNS zones (e.g. via stub zones) or sends the client query to the root servers on the internet. An unknown client (e.g.

Re: managed-keys vs trust-anchors

2023-01-04 Thread Bob McDonald
Thanks Evan and Ondrej. I'll let the folks at FreeBSD know also. Their bind packages still include that file. Bob On Wed, Jan 4, 2023, 14:59 Evan Hunt wrote: > On Mon, Jan 02, 2023 at 07:33:46AM -0500, Bob McDonald wrote: > > I've upgraded to bind 9.16.36. > > > > I

managed-keys vs trust-anchors

2023-01-02 Thread Bob McDonald
I've upgraded to bind 9.16.36. I went to the ISC site and picked up the bind.keys file. However, it is intended for use in bind 9.11 and contains the managed-keys clause. This throws an error in the syslog messages during startup. It appears to still function correctly. In the ARM for bind 9.16

Re: PowerDNS secondary servers receive empty SOA response for particular zone.

2022-11-18 Thread Bob McDonald
Under certain circumstances, DNS zones representing Windows Active Directory domains can have rather large numbers of NS records if there are/were DCs running DNS. This can happen in any DNS zone with a large number of secondary DNS servers. The size of the TCP packets is a problem. You might
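The size problem described here (and in the "Max slaves limit?" thread above) is easy to quantify. The block below is an added example, not code from the posts and not part of BIND: it encodes an authoritative answer to an A query on the wire with RFC 1035 name compression, once in the form named uses by default for authoritative answers (answer, plus the zone's NS RRset in the authority section and each server's A record in the additional section) and once as minimal-responses yes; would trim it (answer section only), and finds the NS count at which the default form no longer fits in 512 bytes, or in a 1232-byte EDNS buffer. The zone name ad.example., the dcNN server names and all addresses are constructed for the demonstration; EDNS OPT records, DNSSEC signatures and real TTLs are left out, so real responses from named are somewhat larger than the figures here.

```python
"""Wire size of an authoritative answer with and without minimal-responses.

Added example, not code from the original posts or from BIND.  It encodes a
response to 'host.ad.example. A' by hand (RFC 1035 section 4.1, with label
compression from section 4.1.4) to show how many bytes each extra NS record
costs in every answer for the zone.  Zone name, server names (dc00..dcNN)
and addresses are constructed; EDNS, DNSSEC records and real TTLs are
omitted, so real responses from named are somewhat larger.
"""

A, NS = 1, 2          # RR type codes
IN = 1                # class code


def encode_name(name, offset, table):
    """Encode a name that will sit at message offset `offset`.

    `table` maps each suffix already written (e.g. 'ad.example.') to its
    offset; a suffix seen before is replaced by a 2-byte compression pointer.
    """
    if name == ".":
        return b"\x00"
    out = bytearray()
    labels = name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if suffix in table:
            out += (0xC000 | table[suffix]).to_bytes(2, "big")
            return bytes(out)
        if offset + len(out) < 0x4000:            # pointer offsets are 14-bit
            table[suffix] = offset + len(out)
        raw = label.encode()
        out += bytes([len(raw)]) + raw
    out += b"\x00"
    return bytes(out)


def append_rr(msg, table, owner, rtype, rdata, ttl=3600):
    """Append one IN-class RR; for NS the rdata is a name and is compressed too."""
    msg.extend(encode_name(owner, len(msg), table))
    if rtype == NS:
        # rdata begins after TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)
        rdata = encode_name(rdata, len(msg) + 10, table)
    msg.extend(rtype.to_bytes(2, "big") + IN.to_bytes(2, "big") + ttl.to_bytes(4, "big"))
    msg.extend(len(rdata).to_bytes(2, "big") + rdata)


def build_response(zone, qname, ns_count, minimal):
    """Authoritative reply to 'qname A'.

    minimal=False mirrors named's default for authoritative answers: the
    zone's NS RRset in the authority section and each server's A record in
    the additional section.  minimal=True mirrors 'minimal-responses yes;':
    the answer section only.
    """
    table = {}
    msg = bytearray(12)                                        # header, filled in below
    msg.extend(encode_name(qname, 12, table))
    msg.extend(A.to_bytes(2, "big") + IN.to_bytes(2, "big"))  # QTYPE, QCLASS
    append_rr(msg, table, qname, A, bytes([192, 0, 2, 10]))
    ancount, nscount, arcount = 1, 0, 0
    if not minimal:
        servers = [f"dc{i:02d}.{zone}" for i in range(ns_count)]
        for s in servers:
            append_rr(msg, table, zone, NS, s)
            nscount += 1
        for i, s in enumerate(servers):
            append_rr(msg, table, s, A, bytes([10, 0, i // 256, i % 256]))
            arcount += 1
    msg[2:4] = (0x8400).to_bytes(2, "big")                     # QR=1, AA=1
    msg[4:6] = (1).to_bytes(2, "big")                          # QDCOUNT
    msg[6:8] = ancount.to_bytes(2, "big")
    msg[8:10] = nscount.to_bytes(2, "big")
    msg[10:12] = arcount.to_bytes(2, "big")
    return bytes(msg)


def smallest_ns_count_over(limit, zone="ad.example.", qname="host.ad.example."):
    """NS record count at which the default-form answer first exceeds `limit` bytes."""
    n = 1
    while len(build_response(zone, qname, n, minimal=False)) <= limit:
        n += 1
    return n


if __name__ == "__main__":
    for n in (2, 14, 34):
        full = len(build_response("ad.example.", "host.ad.example.", n, False))
        small = len(build_response("ad.example.", "host.ad.example.", n, True))
        print(f"{n:3d} NS: default {full} bytes, minimal-responses {small} bytes")
    print("exceeds 512 bytes (plain UDP) at", smallest_ns_count_over(512), "NS")
    print("exceeds 1232 bytes (common EDNS buffer) at", smallest_ns_count_over(1232), "NS")
```

With compression each extra server costs 35 bytes in every answer for the zone (19 for the NS record, 16 for its A record), so the default form passes 512 bytes at 14 NS records and 1232 bytes at 34; the answer-only form stays at 49 bytes no matter how many DCs are listed. Without EDNS a response over 512 bytes comes back truncated and the client retries over TCP, which is the TCP load both threads describe, and that is what minimal-responses removes for ordinary queries while leaving delegations and negative answers intact.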

Re: Incremental transfers generate complete zone reloading

2023-01-16 Thread Bob McDonald
Mea Culpa. Apparently RPZ IS the issue here. I learn something new every time I read this list. My apologies for the waste of bandwidth. Bob On Mon, Jan 16, 2023 at 9:02 AM Bob McDonald wrote: > This is just conjecture but I'll take a stab at this problem. > > First, the fact that

RE: Incremental transfers generate complete zone reloading

2023-01-16 Thread Bob McDonald
This is just conjecture but I'll take a stab at this problem. First, the fact that the zone is RPZ really doesn't have any bearing on this problem. Do you control both the primary and secondary zones? Please provide the SOA for the zone. This will allow the list to see some key timer values.

RE: PPA for Raspbian distros

2023-03-25 Thread Bob McDonald
My RaspberryPI has two micro SD cards with different OS setups. One is Debian Bullseye running Bind 9.16.37. (I upgraded from Buster 6+ months ago) The other is FreeBSD 13.1 running Bind 9.18.13. I've found that the BSD distros tend to be more generous with their offerings on DNS software

Sanity Check

2023-02-17 Thread Bob McDonald
I'm implementing a caching resolver under FreeBSD 13.1 running on a RaspberryPI. Bind 9.18.11 My named.conf is below. My question is do these look like workable options? I include logging and a statistics channel in my preliminary implementations for more detail on what's going on. That will go

Re: Answers for www.dnssec-failed.org with dnssec-validation auto; (John Thurston)

2024-04-17 Thread Bob McDonald
My bind 9.18.24 server runs under Debian. When I query with dig it appears to take long enough to resolve that it goes to the next DNS server in the client's IP stack. The secondary server in my list is quad9. It seems to resolve correctly. If I point to the address of my Debian server, it works

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

2024-04-18 Thread Bob McDonald
Thanks Mark. It's right there in the log. Bob

Re: Answers for www.dnssec-failed.org with dnssec-validation auto;

2024-04-17 Thread Bob McDonald
Would this be true for FreeBSD as well? I also have a bind 9.18.24 instance running on freeBSD and it seems to be ok. Bob > The crypto policy stuff ultimately creates and maintains files in /etc/crypto-policy/backends, which has a list of acceptable or not-acceptable crypto settings. > Whilst