Re: RPZ and negative answers
On Thu, 4 Apr 2013 23:51:23 GMT, Vernon Schryver v...@rhyolite.com wrote:

> > From: Chris Buxton cli...@buxtonfamily.us
> >
> > A company wants to halt the spread of a piece of malware that uses DNS lookups to find its C&C. ... The company has determined the first N domains of the sequence, but does not know how to calculate the complete set of domains. ... Unfortunately, because RPZ doesn't return a policy-based answer when there is no positive answer to be found out on the Internet, RPZ is not a suitable solution. Therefore, the customer is forced to create the individual zones normally, mixing them with other data in their management solution, rather than using RPZ to trap the malware into contacting the honeypot server.
>
> Why isn't it both sufficient and better to list the NS servers or NS servers for the NS servers of the evil domains? Won't NS servers for the N domains be known, especially after the first of the N domains goes active?

Uhm... maybe I'm doing something wrong, but RPZ answer rewrites on NXDOMAIN hosts do work for me. We do have a customer who wants us to resolve some hosts, which are normally in their inside zone within their platform in our datacenter, while the rest of the zone should be answered by the outside zone. Here's our config:

named.conf:

    options {
        directory "/named/dns01.somecustomer.de/";
        query-source address x.x.x.x port *;
        listen-on port 53 { x.x.x.x; };
        pid-file "log/named.pid";
        allow-query { any; };
        minimal-responses yes;
        version "";
        statistics-file "log/stats";
        max-cache-size 1000M;
        clients-per-query 25;
    };

    view "MESA_live" {
        match-clients { any; };
        response-policy { zone "myrpz-rpz"; };
        empty-zones-enable yes;
        empty-server blackhole.easynet.de;
        empty-contact admin.easynet.com;
        zone "com" { type delegation-only; };
        zone "net" { type delegation-only; };
        zone "myrpz-rpz" {
            type master;
            file "conf/myrpz-rpz";
            allow-query { none; };
        };
    };

    view "MCS_compact" { ... };

myrpz-rpz:

    $TTL 43200
    @                   IN SOA a.prim-ns.de. hostmaster.de.easynet.net. (
                               2012041802  ; serial
                               28800       ; refresh
                               7200        ; retry
                               604800      ; expire
                               1200 )      ; minimum
                        IN NS  localhost.
    subdomain.domain.de 60 A   172.26.30.231

The above setting rewrites NXDOMAIN answers for subdomain.domain.de to the above IP address, while every other host still gets the information from the customer's outside zone. Am I doing something substantially wrong here RPZ-wise?

Ciao
Torsten

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: What can cause excessive amount of _dns-sd queries?
On Thu, 23 Aug 2012 13:43:32 +0200, Eivind Olsen eiv...@aminor.no wrote:

> Hello. I haven't seen this before... I'm currently seeing someone (1 IP address) do about 2.1 million queries / hour, where the majority of the queries seem to be:
>
>     b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>     db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>     r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
>     talk.l.google.com IN A +
>     gmail-pop.l.google.com IN A +
>     gmail-imap.l.google.com IN A +
>
> ...and similar variations of these. Have any of you seen something like this before?

Hi Eivind,

these seem to be DNS Service Discovery requests, and yes, we see loads of them on our servers.
http://files.dns-sd.org/draft-cheshire-dnsext-dns-sd.txt

Ciao
Torsten
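The query lines Eivind quotes are in the shape of BIND's query log, so the natural follow-up is to find which clients are producing them. The script below is an added example, not code from the thread or from ISC: it parses constructed log lines (the addresses and timestamps are made up; the names are the ones quoted above), counts queries per client, and reports clients above a threshold together with how many of their queries are DNS-SD browsing or registration names (the b/db/r/dr/lb._dns-sd._udp prefixes from the DNS-SD specification linked above).

```python
"""Spot clients flooding a resolver with DNS-SD lookups, from BIND query-log lines.

Added example, not part of the thread. SAMPLE_LOG is constructed in the shape of
BIND's query log ("client IP#port: query: NAME CLASS TYPE FLAGS"); the client
addresses and timestamps are invented for the example.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+)"
)

# DNS-SD meta-query prefixes: b (browse), db (default browse), r (register),
# dr (default register), lb (legacy browse), all under _dns-sd._udp.<domain>.
DNS_SD_RE = re.compile(r"^(b|db|r|dr|lb)\._dns-sd\._udp\.", re.IGNORECASE)

# Constructed sample: one noisy client (10.7.7.7) and one ordinary client (192.0.2.9).
SAMPLE_LOG = """\
23-Aug-2012 11:00:01.001 client 10.7.7.7#51000: query: b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:01.002 client 10.7.7.7#51001: query: db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:01.003 client 10.7.7.7#51002: query: r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:01.004 client 10.7.7.7#51003: query: talk.l.google.com IN A +
23-Aug-2012 11:00:01.005 client 10.7.7.7#51004: query: b._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:01.006 client 10.7.7.7#51005: query: db._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:01.007 client 10.7.7.7#51006: query: r._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:01.008 client 10.7.7.7#51007: query: gmail-pop.l.google.com IN A +
23-Aug-2012 11:00:01.009 client 10.7.7.7#51008: query: lb._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:01.010 client 10.7.7.7#51009: query: dr._dns-sd._udp.0.129.16.172.in-addr.arpa IN PTR +
23-Aug-2012 11:00:02.000 client 192.0.2.9#40000: query: www.isc.org IN A +
23-Aug-2012 11:00:02.100 client 192.0.2.9#40001: query: lists.isc.org IN AAAA +
a line that is not a query-log entry and is skipped by the parser
"""


def parse_query_log(text):
    """Yield one dict per well-formed query-log line; ignore anything else."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def is_dns_sd(qname):
    return DNS_SD_RE.match(qname) is not None


def noisy_clients(text, threshold):
    """Return {ip: {"total", "dns_sd", "top"}} for clients with more than threshold queries."""
    totals, dns_sd, names = Counter(), Counter(), defaultdict(Counter)
    for q in parse_query_log(text):
        totals[q["ip"]] += 1
        names[q["ip"]][q["qname"]] += 1
        if is_dns_sd(q["qname"]):
            dns_sd[q["ip"]] += 1
    return {
        ip: {"total": n, "dns_sd": dns_sd[ip], "top": names[ip].most_common(3)}
        for ip, n in totals.items() if n > threshold
    }


if __name__ == "__main__":
    for ip, info in noisy_clients(SAMPLE_LOG, threshold=5).items():
        print(ip, info["total"], "queries,", info["dns_sd"], "DNS-SD, top:", info["top"])
```

With querylog enabled (rndc querylog) the same function can be fed the real log; the threshold is per log window, so scale it to however many lines you pass in.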
Re: how can i start and stops bind service using named command
On Thu, 8 Mar 2012 10:10:04 +0300, mustafa alhussona mustafarajim...@gmail.com wrote:

> Hi, I have bind 9.9.0 installed manually. Now I want to start the service using the command named. I used named -fg to start it and it works; now how can I stop it? The named man page is encrypted and the options of this command are not clear. I don't have a bind9 script. I want to start the named service in the background, stop it and restart the service. Is there any way to do that? Thanks, best regards

rndc stop
Re: dnssec-keygen not responding
On Wed, 30 Nov 2011 09:40:44 +0100, Adam Tkac at...@redhat.com wrote:

> On Wed, Nov 30, 2011 at 12:18:04AM -0500, Alan Clegg wrote:
> > On 11/30/2011 12:15 AM, vishesh kumar wrote:
> > > Hi All, I am trying to generate keys for signing the vishesh.com domain using the following command (for testing purposes):
> > >
> > >     dnssec-keygen -a RSASHA1 -b 768 -n ZONE vishesh.com.
> > >
> > > But it's not responding; I waited around 30 minutes but there is no result. The operating system is RHEL6 on VirtualBox 4.1.
> >
> > You don't have enough entropy in the virtual environment. You can (if you understand the issues surrounding it) use /dev/urandom as your random source, or look at installing something like haveged (http://freecode.com/projects/haveged) to solve the problem.
>
> Another good solution is to pass -r keyboard to dnssec-keygen.
>
> Regards, Adam

In RHEL there is an RPM package called unuran. It's a random number generator daemon using either a piece of hardware or /dev/urandom as source. Running this will provide enough entropy to create lots of keys.
Re: Port number in A record in zone file
On Thu, 17 Nov 2011 14:46:45 +0100, Aleksander Kurczyk aleksanderkurc...@o2.pl wrote:

> Hello, yesterday I asked here how I can run multiple named processes on different ports in one OS. Now I have some trouble with that. How can I specify the port number in a zone file A record?

There is a simple answer: you can't. An A record consists of only an IPv4 address.

Ciao
Torsten

> My config and zone files:
>
> 095160160157:/var/named root# cat srv1/named.conf
> options {
>     directory "/var/named/srv1";
>     version "olo-dns-server-1.0";
>     allow-transfer { 127.0.0.1; };
>     allow-recursion { 127.0.0.1; };
>     listen-on port 2001 { 127.0.0.1; };
> };
> zone "srv1.local" IN { type master; file "srv1.local.master"; };
> zone "srv2.local" IN { type slave; file "srv2.local.slave"; };
> zone "srv3.local" IN { type slave; file "srv3.local.slave"; };
> zone "." IN { type hint; file "named.ca"; };
> zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
> zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
>
> 095160160157:/var/named root# cat srv1/srv1.local.master
> $TTL 1d
> $ORIGIN srv1.local.
> @    IN SOA ns1 hostmaster 201700 12h 5m 3w 2h
>      IN NS  ns1
>      IN NS  ns2
>      IN NS  ns3
> ns1  IN A   127.0.0.1   ; <-- port 2001
> ns2  IN A   127.0.0.1   ; <-- port 2002
> ns3  IN A   127.0.0.1   ; <-- port 2003
> 11   IN A   192.168.1.11
> 12   IN A   192.168.1.12
> 13   IN A   192.168.1.13
>
> 095160160157:/var/named root# cat srv2/named.conf
> options {
>     directory "/var/named/srv2";
>     version "olo-dns-server-1.0";
>     allow-transfer { 127.0.0.1; };
>     allow-recursion { 127.0.0.1; };
>     listen-on port 2002 { 127.0.0.1; };
> };
> zone "srv1.local" IN { type slave; file "srv1.local.slave"; };
> zone "srv2.local" IN { type master; file "srv2.local.master"; };
> zone "srv3.local" IN { type slave; file "srv3.local.slave"; };
> zone "." IN { type hint; file "named.ca"; };
> zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
> zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
>
> 095160160157:/var/named root# cat srv2/srv2.local.master
> $TTL 1d
> $ORIGIN srv2.local.
> @    IN SOA ns1 hostmaster 201700 12h 5m 3w 2h
>      IN NS  ns1
>      IN NS  ns2
>      IN NS  ns3
> ns1  IN A   127.0.0.1   ; <-- port 2001
> ns2  IN A   127.0.0.1   ; <-- port 2002
> ns3  IN A   127.0.0.1   ; <-- port 2003
> 11   IN A   192.168.1.11
> 12   IN A   192.168.1.12
> 13   IN A   192.168.1.13
>
> 095160160157:/var/named root# cat srv3/named.conf
> options {
>     directory "/var/named/srv3";
>     version "olo-dns-server-1.0";
>     allow-transfer { 127.0.0.1; };
>     allow-recursion { 127.0.0.1; };
>     listen-on port 2003 { 127.0.0.1; };
> };
> zone "srv1.local" IN { type slave; file "srv1.local.slave"; };
> zone "srv2.local" IN { type slave; file "srv2.local.slave"; };
> zone "srv3.local" IN { type master; file "srv3.local.master"; };
> zone "." IN { type hint; file "named.ca"; };
> zone "localhost" IN { type master; file "localhost.zone"; allow-update { none; }; };
> zone "0.0.127.in-addr.arpa" IN { type master; file "named.local"; allow-update { none; }; };
>
> 095160160157:/var/named root# cat srv3/srv3.local.master
> $TTL 1d
> $ORIGIN srv3.local.
> @    IN SOA ns1 hostmaster 201700 12h 5m 3w 2h
>      IN NS  ns1
>      IN NS  ns2
>      IN NS  ns3
> ns1  IN A   127.0.0.1   ; <-- port 2001
> ns2  IN A   127.0.0.1   ; <-- port 2002
> ns3  IN A   127.0.0.1   ; <-- port 2003
> 11   IN A   192.168.1.11
> 12   IN A   192.168.1.12
> 13   IN A   192.168.1.13
Re: allow-transfer not covering ixfr requests?
On Tue, 27 Sep 2011 22:03:44 +0200, Tom Schmitt tomschm...@gmx.de wrote:

> > The odd part is that both NS3 and NS4 weren't able to request IXFR transfers. Shouldn't allow-transfer cover these kinds of transfer requests as well?
>
> First: Do you have the statements provide-ixfr and request-ixfr in your config?
>
> Second: To do an IXFR a server first sends a query for the SOA of the zone to determine if an update is necessary. If your servers aren't allowed to do a query, how should they get the SOA? And without the SOA, you don't have the serial number of the zone, so you can't do IXFR.

Silly me... I forgot about the SOA requests triggered by a manual IXFR. :(

Ciao
Torsten
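The exchange Tom describes, as an added example that is not part of the thread: a secondary builds a SOA query in DNS wire format, parses the primary's answer, and compares serials with RFC 1982 serial arithmetic before deciding whether to ask for IXFR. The response is constructed locally rather than captured from a server, and the zone name, addresses and serial values are sample values. The REFUSED branch is what a primary with a restrictive allow-query returns, and it is why the IXFR never starts: the secondary has no remote serial to compare against.

```python
"""The SOA check a secondary performs before requesting IXFR.

Added example, not from the thread. Builds a SOA query in wire format, parses a
(constructed) SOA response, and applies RFC 1982 serial arithmetic. Names and
serials are sample values, not taken from the page.
"""
import struct

TYPE_SOA, CLASS_IN = 6, 1
RCODE_NOERROR, RCODE_REFUSED = 0, 5
SERIAL_BITS = 32


def encode_name(name):
    """Uncompressed wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                         # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def build_soa_query(zone, txid):
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # RD clear, one question
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def build_soa_response(query, serial, rcode=RCODE_NOERROR):
    """Constructed reply a primary might send; no real server is involved."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    flags = 0x8400 | rcode                                # QR=1, AA=1, given RCODE
    if rcode != RCODE_NOERROR:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rdata = (encode_name("ns1.example.net.") + encode_name("hostmaster.example.net.")
             + struct.pack("!IIIII", serial, 600, 3600, 604800, 86400))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 86400, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr


def parse_soa_response(msg, expected_txid):
    """Return (rcode, serial) with serial None if the answer carries no SOA."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                          # QTYPE + QCLASS
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA:
            _, p = read_name(msg, off)                    # MNAME
            _, p = read_name(msg, p)                      # RNAME
            return rcode, struct.unpack("!I", msg[p:p + 4])[0]
        off += rdlen
    return rcode, None


def serial_gt(a, b):
    """RFC 1982: a is newer than b when (a - b) mod 2^32 lies in (0, 2^31)."""
    return 0 < (a - b) % 2**SERIAL_BITS < 2**(SERIAL_BITS - 1)


def refresh_decision(local_serial, response, txid):
    """What the secondary does next: ixfr, up-to-date, refused or no-soa."""
    rcode, remote_serial = parse_soa_response(response, txid)
    if rcode == RCODE_REFUSED:
        return "refused"      # no serial to compare, so no IXFR (and no refresh) is possible
    if remote_serial is None:
        return "no-soa"
    return "ixfr" if serial_gt(remote_serial, local_serial) else "up-to-date"
```

The practical consequence is the one Tom points out: the ACL that must admit the secondary is allow-query (for the SOA probe) as well as allow-transfer (for the transfer itself); a secondary that only passes the second gets REFUSED on the first and never reaches the IXFR.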
allow-transfer not covering ixfr requests?
I recently observed a rather strange phenomenon. By accident I configured a nameserver to allow queries from NS1 and NS2 and allow transfers from NS3 and NS4. So far so good... Naturally NS1 and NS2 could do all kinds of queries but no zone transfers. NS3 and NS4 weren't allowed to ask anything but were able to request AXFR transfers. The odd part is that both NS3 and NS4 weren't able to request IXFR transfers. Shouldn't allow-transfer cover these kinds of transfer requests as well?

Ciao
Torsten

PS: All nameservers are running on a self-compiled 9.8.1
Re: Problems with nic.it
On Tue, 20 Sep 2011 09:20:12 +0200, Lucio Crusca lu...@sulweb.org wrote:

> Hello *, I'm new here, though I've been using bind for about 10 years. I've just transferred a domain under the .it TLD for the first time. Here in Italy we have nic.it, which regulates .it domain name registrations and transfers. The domain transfer went ok, and now I have access to the control panel of the domain where I can set the NS records. I'd like to set those NS records to a Linux box running bind9 (9.7.0.dfsg.P1-1ubuntu0.3). However nic.it is refusing to change the NS records, because the new receiving nameservers are failing some automatic checks nic.it performs before changing the NS records. My hosting provider (the one where I transferred the domain) should tell me exactly which checks are failing, but, this being the first time I have such problems, I don't know how long they will take to give me that information. I've waited for 4 days until now. Hence I wonder if there exists any public DNS checker that could check a DNS server which is not the NS-pointed server yet, so that I could check the new DNS myself before submitting a new NS record change and going through the hassle of waiting for the nic.it automated checks, eventual failure and assistance from my hosting provider.

Hi Lucio,

registry DNS checks can be somewhat tricky at times. These are the tests performed by Registro.it:

3.1.2.6 Checking the functionality of the nameserver

The verification phase of the configuration of the nameservers associated with the domain name takes place after the registration of the domain name itself in the Registry Database. The procedure for the control of nameservers analyzes the hosts associated with domain names registered in the Registry Database that are in inactive/dnsHold and executes the appropriate query (i.e. queries to the nameserver) to verify that it is actually operative.

In particular:
- there must be at least 2 (two) authoritative nameservers for the domain name, and they must correspond exactly to those found in the registration of the domain name;
- the IP addresses of hosts in the registration of the domain name must correspond to those actually associated with them in the DNS;
- the domain name cannot be associated with a CNAME record;
- the name of the nameserver specified in the SOA record for the domain name cannot be a CNAME;
- the names of the authoritative nameservers for the domain name cannot be CNAMEs;
- if there is an MX registration it cannot be associated with a CNAME;
- if, during the checking procedure, at least one nameserver returns the following responses:
  o Not responding
  o Not reachable
  o Not running
  o Non-existent domain
  o Host not found
  o Server failure
  o Query failed
  the procedure returns an error;
- all hosts in the registration must be authoritative for the domain name registered.

Hopefully this will help.

Ciao
Torsten
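Since Lucio's question was how to run these checks himself before resubmitting, here is the list above turned into code. It is an added example, neither the registry's checker nor anything from the thread. The `lookup(server_ip, name, qtype)` function is a hypothetical hook that returns an RRset as a list of strings, an empty list for an empty answer, or None when the server does not respond; the answer tables and the example.it registration are constructed. A real run would point the hook at each candidate server directly (for instance with dnspython), because the delegation being tested does not exist yet, and it should also require the AA flag in the reply, which the constructed hook approximates by "the server answers a SOA for the domain".

```python
"""Pre-delegation checks modelled on the Registro.it list quoted above.

Added example; not the registry's code and not from the thread. The answer
tables below are constructed, and the lookup hook is hypothetical.
"""

REGISTRATION = {  # constructed: what the registrant entered at the registry
    "domain": "example.it.",
    "nameservers": {"ns1.example.it.": "192.0.2.1", "ns2.example.it.": "192.0.2.2"},
}

GOOD = {  # constructed answers of a correctly configured server, keyed by (name, qtype)
    ("example.it.", "NS"): ["ns1.example.it.", "ns2.example.it."],
    ("example.it.", "SOA"): ["ns1.example.it. hostmaster.example.it. 2011092001 3600 600 604800 3600"],
    ("example.it.", "MX"): ["10 mail.example.it."],
    ("ns1.example.it.", "A"): ["192.0.2.1"],
    ("ns2.example.it.", "A"): ["192.0.2.2"],
}
# A misconfigured second server: its NS set disagrees with the registration and ns2 is a CNAME.
BROKEN = dict(GOOD)
BROKEN[("example.it.", "NS")] = ["ns1.example.it.", "ns3.example.it."]
BROKEN[("ns2.example.it.", "CNAME")] = ["host.example.it."]

GOOD_SERVERS = {"192.0.2.1": GOOD, "192.0.2.2": GOOD}
BAD_SERVERS = {"192.0.2.1": GOOD, "192.0.2.2": BROKEN}


def make_lookup(servers):
    """Hypothetical hook: answers from a table instead of the network."""
    def lookup(server_ip, name, qtype):
        table = servers.get(server_ip)
        return None if table is None else list(table.get((name, qtype), []))
    return lookup


def check_delegation(reg, lookup):
    """Return a list of problems; an empty list means every registry check passed."""
    domain, registered = reg["domain"], reg["nameservers"]
    problems = []
    if len(registered) < 2:
        problems.append("fewer than two nameservers registered")
    for host, ip in registered.items():
        ns = lookup(ip, domain, "NS")
        if ns is None:
            problems.append(f"{host} ({ip}): not responding")
            continue
        if set(ns) != set(registered):            # NS set must match the registration exactly
            problems.append(f"{host}: NS set {sorted(ns)} does not match the registration")
        if lookup(ip, domain, "CNAME"):
            problems.append(f"{host}: {domain} is a CNAME")
        soa = lookup(ip, domain, "SOA")
        if not soa:
            problems.append(f"{host}: not authoritative for {domain} (no SOA)")
        elif lookup(ip, soa[0].split()[0], "CNAME"):
            problems.append(f"{host}: SOA MNAME {soa[0].split()[0]} is a CNAME")
        for nsname, want_ip in registered.items():
            if lookup(ip, nsname, "CNAME"):
                problems.append(f"{host}: nameserver {nsname} is a CNAME")
            got = lookup(ip, nsname, "A")
            if want_ip not in got:                 # glue must match what the DNS says
                problems.append(f"{host}: {nsname} has A {got}, registration says {want_ip}")
        for mx in lookup(ip, domain, "MX"):
            target = mx.split()[-1]
            if lookup(ip, target, "CNAME"):
                problems.append(f"{host}: MX target {target} is a CNAME")
    return problems


if __name__ == "__main__":
    for label, servers in (("good", GOOD_SERVERS), ("bad", BAD_SERVERS)):
        print(label, check_delegation(REGISTRATION, make_lookup(servers)) or "all checks passed")
```

Every server in the registration is queried for every item, which is what the registry does; a single CNAME'd nameserver name or one stale glue address is enough to fail the whole submission.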
Re: CVE-2011-1910 vs bind 9.6-ESV-R4-P3
On Wed, 3 Aug 2011 11:25:07 +0200, Issam Harrathi issam...@gmail.com wrote:

> Hi all, when I see this about the versions affected by CVE-2011-1910:
>
>     9.6: 9.6.3, 9.6-ESV-R2, -R3, -R4, -R5b1
>
> does this mean that 9.6-ESV-R4-P1 is affected? Thanks. Issam Harrathi.

No, because 9.6-ESV-R4-P1 is a patch for this bug.

Ciao
Torsten
Re: MX choosing
On Fri, 22 Jul 2011 16:50:35 +0800, Feng He short...@gmail.com wrote:

> Given the MX hosts for the sympatico.ca domain:
>
>     $ dig sympatico.ca mx +short
>     5 mxmta.sympatico.ca.
>     $ dig mxmta.sympatico.ca +short
>     67.69.240.17
>     67.69.240.24
>     67.69.240.22
>     67.69.240.23
>     67.69.240.21
>     67.69.240.20
>     67.69.240.19
>     67.69.240.18
>
> when the peer MTA fails to talk to one of these hosts, will it try the next one? Or does it just give up? Thanks.

Since there's no fallback MX the MTA will try once and then store the mail for a later retry (depends on how your MTA is configured). Since the TTL of mxmta.sympatico.ca is just 1800 seconds there is a good chance that your MTA will try another server, unless the next try is within 1800 seconds (where it will just reuse the already cached one) or your bad luck provides you with the non-working IP address again.

Ciao
Torsten
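What a standards-following SMTP client does with the records quoted above, as an added example that is not part of the thread: RFC 5321 section 5.1 has the client order exchanges by preference, randomise ties, and then try every address of every exchange in turn before deferring, so a single MX with eight A records still yields eight delivery attempts. The records are constructed from the dig output above plus three made-up domains; `try_connect` is a hypothetical hook standing in for the SMTP connection. Beyond the question asked, it also covers the implicit-MX rule (no MX: use the domain's own address) and the null MX of RFC 7505 (preference 0, exchange "."), which means the domain accepts no mail and must be bounced rather than deferred.

```python
"""MX and address walk of an SMTP client (RFC 5321 section 5.1, RFC 7505 null MX).

Added example, not part of the thread. Records are constructed; the multi.example
and nullmx.example domains and the try_connect hook are invented for the example.
"""
import random

MX_RECORDS = {  # constructed: domain -> [(preference, exchange)]
    "sympatico.ca.": [(5, "mxmta.sympatico.ca.")],
    "nomx.example.": [],
    "nullmx.example.": [(0, ".")],
    "multi.example.": [(20, "mx2.multi.example."), (10, "mx1.multi.example."),
                       (10, "mx1b.multi.example.")],
}
ADDRESS_RECORDS = {  # constructed: host -> [IPv4 addresses]
    "mxmta.sympatico.ca.": ["67.69.240.17", "67.69.240.24", "67.69.240.22", "67.69.240.23",
                            "67.69.240.21", "67.69.240.20", "67.69.240.19", "67.69.240.18"],
    "nomx.example.": ["192.0.2.10"],
    "mx1.multi.example.": ["192.0.2.21"],
    "mx1b.multi.example.": ["192.0.2.22"],
    "mx2.multi.example.": ["192.0.2.23"],
}


def candidate_hosts(domain, mx_records, rng=None):
    """Exchanges in delivery order; [domain] for implicit MX; [] for a null MX."""
    rng = rng or random.Random(0)
    mxs = list(mx_records.get(domain, []))
    if not mxs:
        return [domain]                          # RFC 5321: no MX means try the name itself
    if all(exchange == "." for _, exchange in mxs):
        return []                                # RFC 7505 null MX: domain takes no mail
    rng.shuffle(mxs)                             # randomise ties ...
    mxs.sort(key=lambda rec: rec[0])             # ... stable sort keeps that order per preference
    return [exchange for _, exchange in mxs if exchange != "."]


def deliver(domain, try_connect, mx_records=MX_RECORDS, address_records=ADDRESS_RECORDS, seed=0):
    """Return (status, address, attempted); status is delivered, deferred or bounced."""
    hosts = candidate_hosts(domain, mx_records, random.Random(seed))
    if not hosts:
        return "bounced", None, []               # permanent failure, do not queue
    attempted = []
    for host in hosts:
        for addr in address_records.get(host, []):   # every address of every exchange
            attempted.append(addr)
            if try_connect(addr):
                return "delivered", addr, attempted
    return "deferred", None, attempted           # queue; retry interval is MTA policy


if __name__ == "__main__":
    dead = {"67.69.240.17", "67.69.240.24"}
    print(deliver("sympatico.ca.", lambda addr: addr not in dead))
```

The cache behaviour Torsten mentions sits underneath this: which addresses the client sees, and in what order, is whatever its resolver hands back for the TTL, but within that list a conforming client walks all of them before giving up on the attempt.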
Re: Wild cards in zone file
On Tue, 24 May 2011 09:55:19 +0100, John Kennedy skeb...@gmail.com wrote:

> I tried to google this but could not hit the right keywords (been a long week)... I have 3 hosts on a domain (example.com) like so:
>
>     int.project    A 10.10.10.2
>     stage.project  A 10.10.10.3
>     test.project   A 10.10.10.4
>
> Now I want everything else to go to 10.10.10.5:
>
>     *.project      A 10.10.10.5
>
> Is this possible? Thanks, John

Yes, just add the wildcard record to the zone and it will work.

Ciao
Torsten
Re: slave AXFR bind9
My first thoughts on this: Has the slave received a notify from the master server? Does the slave accept the notify? What else is in the logs? Could you please also provide your named configuration (options and the zone statement) of both master and slave?

Ciao
Torsten

On Thu, 21 Apr 2011 06:55:13 +0000, hugo hugoo hugo...@hotmail.com wrote:

> Dear all, I am really lost with the working of my slave zone. Here is the situation/configuration. I use a server called lenny where the zone is identified as slave. I use a server called custmaster where the zone is master. After a stop/start of BIND9 on the Lenny server (slave zone), the slave zone is never synchronised with the master zone. In my test, the serial number on the master is greater than on the slave.
>
> lennydnstest01:~# dig @194.78.73.65 bind9testcarlos.be AXFR    <-- what is in the master zone (dig uses the IP address of the master)
>
> ; <<>> DiG 9.6-ESV-R3 <<>> @194.78.73.65 bind9testcarlos.be AXFR
> ; (1 server found)
> ;; global options: +cmd
> bind9testcarlos.be.             86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
> bind9testcarlos.be.             86400 IN NS  ns.uat.
> bind9testcarlos.be.             86400 IN NS  ns2.uat.
> ns.bind9testcarlos.be.          3600  IN A   1.2.3.4
> ns2.bind9testcarlos.be.         3600  IN A   1.2.3.4
> sgtest1.bind9testcarlos.be.     3600  IN A   1.2.3.30
> cs1.sgtest1.bind9testcarlos.be. 3600  IN A   1.2.3.4
> bind9testcarlos.be.             86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
> ;; Query time: 5 msec
> ;; SERVER: 194.78.73.65#53(194.78.73.65)
> ;; WHEN: Wed Apr 20 14:03:20 2011
> ;; XFR size: 8 records (messages 1, bytes 250)
>
> dnscustmaster901:/etc/bind/zones/master# cat bind9testcarlos.be    <-- master zone file
> $TTL 3600 ; Positive Caching
> bind9testcarlos.be. 86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
>                           1999101725 ; Serial
>                           600        ; Refresh
>                           3600       ; Retry
>                           604800     ; Expire
>                           86400 )    ; Negative Caching
> bind9testcarlos.be.             86400 IN NS ns.uat.
> bind9testcarlos.be.             86400 IN NS ns2.uat.
> cs1.sgtest1.bind9testcarlos.be. 3600  IN A  1.2.3.4
> ns.bind9testcarlos.be.          3600  IN A  1.2.3.4
> ns2.bind9testcarlos.be.         3600  IN A  1.2.3.4
> sgtest1.bind9testcarlos.be.     3600  IN A  1.2.3.30
>
> lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR    <-- what is in the slave zone
>
> ; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
> ; (2 servers found)
> ;; global options: +cmd
> bind9testcarlos.be.             86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
> bind9testcarlos.be.             86400 IN NS  ns.uat.
> bind9testcarlos.be.             86400 IN NS  ns2.uat.
> ns.bind9testcarlos.be.          3600  IN A   1.2.3.4
> ns2.bind9testcarlos.be.         3600  IN A   1.2.3.4
> sgtest1.bind9testcarlos.be.     3600  IN A   1.2.3.20
> cs1.sgtest1.bind9testcarlos.be. 3600  IN A   1.2.3.4
> bind9testcarlos.be.             86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101723 600 3600 604800 86400
> ;; Query time: 3 msec
> ;; SERVER: 127.0.0.1#53(127.0.0.1)
> ;; WHEN: Wed Apr 20 14:03:21 2011
> ;; XFR size: 8 records (messages 1, bytes 250)
>
> lennydnstest01:~# cat /etc/bind/zones/slave/bind9testcarlos.be    <-- slave zone file
> $ORIGIN .
> $TTL 86400 ; 1 day
> bind9testcarlos.be IN SOA ns1.skynet.be. dnsmaster.skynet.be. (
>                           1999101723 ; serial
>                           600        ; refresh (10 minutes)
>                           3600       ; retry (1 hour)
>                           604800     ; expire (1 week)
>                           86400      ; minimum (1 day)
>                           )
>                    NS ns.uat.
>                    NS ns2.uat.
> $ORIGIN bind9testcarlos.be.
> $TTL 3600 ; 1 hour
> ns      A 1.2.3.4
> ns2     A 1.2.3.4
> sgtest1 A 1.2.3.20
> $ORIGIN sgtest1.bind9testcarlos.be.
> cs1     A 1.2.3.4
>
> After a zone file reload (not working with rndc reload)    <-- AXFR is done!
>
> lennydnstest01:~# rndc reload bind9testcarlos.be
> zone refresh queued
> lennydnstest01:~# dig @localhost bind9testcarlos.be AXFR
>
> ; <<>> DiG 9.6-ESV-R3 <<>> @localhost bind9testcarlos.be AXFR
> ; (2 servers found)
> ;; global options: +cmd
> bind9testcarlos.be.             86400 IN SOA ns1.skynet.be. dnsmaster.skynet.be. 1999101725 600 3600 604800 86400
> bind9testcarlos.be.             86400 IN NS  ns.uat.
> bind9testcarlos.be.             86400 IN NS  ns2.uat.
> ns.bind9testcarlos.be.          3600  IN A   1.2.3.4
> ns2.bind9testcarlos.be.         3600  IN
Re: rndc: 'reload' failed: not found
This usually happens when your nameserver isn't configured for the zone to be reloaded.

Ciao
Torsten

On Tue, 8 Mar 2011 14:47:02 +0800, ShanyiWan w...@114.com.cn wrote:

> CentOS + BIND 9.7.3 + DLZ (BDB as backend)
>
>     # rndc reload 2mysite.net
>     rndc: 'reload' failed: not found
>
> rndc reload does not work correctly, why?
>
> --
> ShanyiWan
> 2011-03-08