Re: forums.iobit.com

2020-12-12 Thread Barry S. Finkel

Please ignore the message I mistakenly sent to bind-users.
Thanks.

--Barry Finkel.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: how two dns bind master sync?

2018-08-23 Thread Barry S. Finkel

On 8/23/2018 9:21 AM, Bob McDonald  wrote:


This may be an unpopular opinion, especially on the BIND-Users mailing
list (sometimes BIND is not the best answer).

It sounds like you might want something like multi-master DNS servers
that Active Directory (with AD integrated zones) provides.

Here's the Microsoft AD DNS explanation:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/active-directory-integrated-dns-zones

This may be the time to start some dialogue around the way Bind processes
updates. While AD integrated DNS does process updates for multiple masters,
it does it outside the Bind-centric communications path. (I believe it uses
AD to forward updates from one master to the others). Bind needs some sort
of multi-master framework but there are a few issues if things stay the way
they are. There are obvious issues with serial number accounting and slave
notification. There are also issues with update processing (and
forwarding). Right now the only server that can accept updates is the
master. Forwarded updates are stamped as coming from the forwarding node.
That makes tracking updates almost impossible. (And that seems to be the
case for both signed and un-signed updates) I may be not seeing something
but from my point of view, that, above all else, must change if a
meaningful multi-master framework is to emerge.

Regards,

Bob



As I wrote many years ago when I had MS AD DNS Servers as slaves to my
BIND servers - See KB28286.  With multi-master servers, it is not clear
what an updated zone serial number should be.  Take this example:

A zone ad.example.com is mastered on two AD DNS Servers.  Each one has
the same contents and serial number, say 100.  Then, at the same time
one update comes in to each server.  Each server performs the update
and updates the serial number to 101.  But each server now has a
different version of the 101-serial zone.  Somehow, under the covers,
AD synchronizes the zones so that they have the same content.  What
should the serial number be for this combined zone?  It can't be 102,
because during the synchronization process another update may have come
into one of those servers, causing the serial number there to have been
increased to 102.  I have no idea what the new serial number should be.

That is why I chose ONE of the several MS AD DNS Servers as the "master"
to my BIND slave servers.  And NO MS machine used the MS AD DNS Servers
as its DNS Servers; all were configured to use my BIND servers as their
DNS servers. That way I did not care what the serial number was on the
other AD DNS servers that were not the master for my BIND slaves.

And, as another related issue, there were times when the serial number
of an AD zone decreased during times when that Domain Controller was
being patched.

--Barry Finkel




Re: Max slaves limit?

2017-12-18 Thread Barry S. Finkel

On Sun, 17 Dec 2017 22:06:58 +0530, vijay bommareddy wrote:

Hello folks,

I'm trying to find more information on the practical limitations of adding
more slaves.
Can someone tell me, how many number of slaves does BIND technically
support? Is there a maximum limit per master server?

Thank you
Vijay


A minor point - if there are too many slaves, then the NS list might
not fit into a UDP packet, causing TCP to be used.  I do not know
how many NS records would be needed to exceed the UDP packet size;
it would depend upon the length of the nodenames of the DNS servers.

--Barry Finkel
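Barry's point above is that the answer depends on the length of the nameserver names. The following is an added example (mine, not code from the thread or from ISC's BIND) that builds a minimal `zone NS` response in RFC 1035 wire format, including label compression, and counts how many nameservers fit under the classic 512-byte UDP payload, with and without A glue. The zone and nameserver names are constructed; the 4096-byte figure is the EDNS buffer size advertised in the dig output elsewhere on this page.

```python
"""Estimate how large a `zone NS` response is on the wire and how many
nameservers fit before the classic 512-byte UDP payload is exceeded.
Added example for the list thread, standard library only; the names used
below are constructed and are not real servers."""
import struct

CLASSIC_UDP_LIMIT = 512    # RFC 1035 payload limit without EDNS
EDNS_LIMIT_SEEN = 4096     # "udp: 4096" as advertised by the dig output on this page


def encode_name(name, message, offsets):
    """Append `name` (dotted, trailing dot optional) to `message` in wire
    format using RFC 1035 label compression. `offsets` maps every suffix
    already written to its position so later names can point back at it."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    out = bytearray(message)
    while labels:
        suffix = ".".join(labels).lower()
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])  # compression pointer
            return bytes(out)
        if len(out) < 0x4000:            # pointers only address 14 bits
            offsets[suffix] = len(out)
        label = labels.pop(0).encode("ascii")
        if len(label) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out += bytes([len(label)]) + label
    out += b"\x00"                       # root label terminates the name
    return bytes(out)


def ns_response_size(zone, nameservers, with_glue=False, ttl=86400):
    """Bytes in a NOERROR answer to `zone NS` holding one NS RR per name
    and, optionally, one IPv4 glue A record per nameserver."""
    offsets = {}
    arcount = len(nameservers) if with_glue else 0
    msg = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(nameservers), 0, arcount)
    msg = encode_name(zone, msg, offsets)
    msg += struct.pack("!HH", 2, 1)          # QTYPE=NS, QCLASS=IN
    for ns in nameservers:                   # answer section
        msg = encode_name(zone, msg, offsets)  # owner name, compressed to a pointer
        msg += struct.pack("!HHI", 2, 1, ttl)
        rdstart = len(msg) + 2
        msg += b"\x00\x00"                   # RDLENGTH placeholder, patched below
        msg = encode_name(ns, msg, offsets)  # NSDNAME may compress against the zone
        msg = msg[:rdstart - 2] + struct.pack("!H", len(msg) - rdstart) + msg[rdstart:]
    if with_glue:                            # additional section, constructed 10.0.0.1
        for ns in nameservers:
            msg = encode_name(ns, msg, offsets)
            msg += struct.pack("!HHIH4s", 1, 1, ttl, 4, b"\x0a\x00\x00\x01")
    return len(msg)


def max_nameservers_in_udp(zone, make_name, with_glue=False, limit=CLASSIC_UDP_LIMIT):
    """Largest n such that the response for nameservers make_name(1..n)
    still fits in `limit` bytes (capped at 200 to stay finite)."""
    fitting = 0
    for n in range(1, 201):
        names = [make_name(i) for i in range(1, n + 1)]
        if ns_response_size(zone, names, with_glue) > limit:
            break
        fitting = n
    return fitting


if __name__ == "__main__":
    zone = "example.com."
    make = lambda i: "ns%d.example.com." % i
    print("two NS, no glue :", ns_response_size(zone, [make(1), make(2)]))
    print("fit in 512, no glue :", max_nameservers_in_udp(zone, make))
    print("fit in 512, with glue:", max_nameservers_in_udp(zone, make, with_glue=True))
    print("fit in 4096, with glue:", max_nameservers_in_udp(zone, make, True, EDNS_LIMIT_SEEN))
```

Short in-bailiwick names compress well, so a couple of dozen nameservers fit without glue; with glue the count roughly halves, and names under a different, longer domain shrink it further. Once a resolver without EDNS gets a truncated answer it retries over TCP, which is the fallback Barry describes.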


Re: Issue with AT&T IPs?

2017-12-05 Thread Barry S. Finkel

On 12/5/2017 "Lightner, Jeffrey" wrote:


We're having issues send email to a user @SIDDHAFLOWERS.COM

Investigation here shows that the issue we have is querying your name servers 
(both by name and by IP) are refusing to respond to our name servers.

Their name servers:
NS1.QUICKFIX8.COM
NS2.QUICKFIX8.COM

Our name servers:
DSWADNS1.WATER.COM
DSWADNS2.WATER.COM

We find other name servers such as those as Google are able to query their name 
servers.   Based on that I determined their name server IP (for both) is 
74.124.202.236.   However, if I attempt to reach port 53 (DNS) on that IP from 
our name servers it simply fails to connect.   Our Network Security engineer 
did a capture and shows we send packets but never get a response.

Interestingly further testing shows this is an issue from any of our AT&T 
provided IPs:
12.44.84.194
12.44.84.213
12.44.84.214
12.44.84.216
But not from separate QTS Datacenter provided IPs:
209.10.103.136
209.10.103.148

I've reached out to the folks at QuickFix and am waiting to hear back but we've 
seen a similar issue on another domain using separate name servers. Is it 
possible there is some sort of blacklist for DNS (not email) that people might be 
subscribing to that would cause them to block AT&T IPs?  We can do queries from 
our DNS to most domains but have identified these 2 as problems so suspect there 
might be others.

By the way, I can reach their mail server via command line connection to port 
25 on its IP.   The issue here is purely in querying the DNS servers which of 
course means mail programs can't determine the MX records themselves.

Last night I did see some posts suggesting commenting out query-source but 
testing that didn't do anything.   We do have our query-source setup for random 
outbound ports and I verified last night that it still works based on the test 
site for that.

Most of what I find about blacklisting is about spam blacklisting of mail 
servers not blacklisting of DNS server queries and it is the latter we are 
experiencing.





Here is a query I just did:

D:\>dig SIDDHAFLOWERS.COM mx @ns1.quickfix8.COM.

; <<>> DiG 9.9.3-P1 <<>> SIDDHAFLOWERS.COM mx @ns1.quickfix8.COM.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63456
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;SIDDHAFLOWERS.COM. IN  MX

;; ANSWER SECTION:
SIDDHAFLOWERS.COM.  14400   IN  MX  1 aspmx.l.google.COM.
SIDDHAFLOWERS.COM.  14400   IN  MX  10 aspmx2.googlemail.COM.
SIDDHAFLOWERS.COM.  14400   IN  MX  5 alt2.aspmx.l.google.COM.
SIDDHAFLOWERS.COM.  14400   IN  MX  5 alt1.aspmx.l.google.COM.
SIDDHAFLOWERS.COM.  14400   IN  MX  10 aspmx3.googlemail.COM.
SIDDHAFLOWERS.COM.  14400   IN  MX  10 alt3.aspmx.l.google.COM.
SIDDHAFLOWERS.COM.  14400   IN  MX  10 alt4.aspmx.l.google.COM.

;; AUTHORITY SECTION:
SIDDHAFLOWERS.COM.  86400   IN  NS  ns2.quickfix8.COM.
SIDDHAFLOWERS.COM.  86400   IN  NS  ns1.quickfix8.COM.

;; ADDITIONAL SECTION:
ns1.quickfix8.COM.  14400   IN  A   74.124.202.236
ns2.quickfix8.COM.  14400   IN  A   74.124.202.236

;; Query time: 128 msec
;; SERVER: 74.124.202.236#53(74.124.202.236)
;; WHEN: Tue Dec 05 13:08:20 Central Standard Time 2017
;; MSG SIZE  rcvd: 296


D:\>

The problem is not with the "two" name servers for the domain
you are trying to reach.  Note the quotation marks.
I was able to contact the ONE IP address and get a DNS
response.  If, for some reason, you do not have a path
to that IP address, you will not get a response.  And, there
is no fall-back, as both name servers are on the same IP
address.

--Barry Finkel


Re: BIND and Windows DNS logging and archiving

2017-07-22 Thread Barry S. Finkel

On 7/22/2017, 7:33 AM, Mick Lee wrote:


Hi Guys,

Can anyone offer any advice based on their experience?

Thanks

Mick

On 19 Jul 2017 2:16 p.m., "Mick Lee"  wrote:

Hi All,

I wonder if I could get some advice and guidance based on everyone's
experience.

I have a mix of pre-compiled versions of BIND on Linux (can't change or
re-compiled I'm afraid) and Windows DNS, and I have a need to log DNS
queries from about 100 or so of these types of servers, to identify queries
to specific domains, and to be able to go back through and search for
queries to domains which we now know to be bad.

I am currently using query logging on Linux, and Syslog to move the data
around, and simple regex matching to look for domains, but I need to get
the data from Windows servers and the current tooling is not
performant/scalable.

I could just enable Windows DNS logging and try to get the files from the
servers somehow, but from what I remember there are issues around log file
rotation and the potential for data loss there.  One of my colleagues
suggested sending the DNS queries to the Windows event log, but I am not
sure I can even do that, and I am worried about the impact too - there are
approx. 10,000 DNS qps across all servers in total.

Should I be looking at some off the shelf software (although I don't have
a lot of budget), what would even do this, or is there some open source
tool that would do the job (I have some scripting ability) - I'm quite open
to any ideas?

Any advice or guidance anyone can offer would be greatly appreciated.

(I know each environment is different, so apologies if I have left any
important detail out, please point this out if so and I will try to fill in
the gaps)

Many Thanks

Mick


The last time I looked at MS Windows DNS logging (6 years ago),
it was not useful.  I could specify the max size of the log,
and when that max size was reached, the log file was cleared,
and a new log file started.  I was logging everything, and the
50Mb log file filled up about every 1.5 days.  So, frequently
the log file was cleared in the middle of the night, erasing
what evidence I wanted to preserve.  I remember asking MS
to implement a real syslog facility where old log files
would be saved.  I have no idea if MS ever implemented better
DNS logging.

--Barry Finkel
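Mick's current tooling is query logging plus "simple regex matching". The following is an added example (mine, not Mick's scripts or ISC code) that parses BIND query-log lines and matches the query name against a list of known-bad domains by label-wise suffix, so `notbad.example` does not match `bad.example` the way a substring regex would, and case and trailing dots do not matter. The log lines are constructed in the format BIND's `queries` category writes as I know it; the parenthesised name after the client address only appears in newer 9.x releases, so it is optional.

```python
"""Match BIND query-log lines against known-bad domains by exact name or
subdomain. Added example for the list thread; SAMPLE_LOG is constructed."""
import re

QUERY_LINE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: info: )?"                      # present when print-category is on
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?: (?:view \S+: )?query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and drop the trailing dot so names compare consistently."""
    return name.rstrip(".").lower()


def parse_query_line(line):
    """Return the fields of one query-log line, or None for any other line."""
    m = QUERY_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = normalize(rec["qname"])
    return rec


def build_blocklist(domains):
    return {normalize(d) for d in domains}


def matching_domain(qname, blocklist):
    """Return the blocklist entry that qname equals or sits under, else None.
    Walks the label suffixes, so the cost is the number of labels, not the
    size of the list, and no substring over-match is possible."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan(lines, blocklist):
    """(timestamp, client ip, qname, qtype, matched domain) for each hit."""
    hits = []
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            continue
        hit = matching_domain(rec["qname"], blocklist)
        if hit:
            hits.append((rec["ts"], rec["ip"], rec["qname"], rec["qtype"], hit))
    return hits


# Constructed sample: RFC 5737 client addresses, reserved example/test names.
SAMPLE_LOG = [
    "20-Jul-2017 09:15:02.118 client 192.0.2.10#51234 (www.bad.example): query: www.bad.example IN A +E(0)K (192.0.2.53)",
    "20-Jul-2017 09:15:03.420 client 192.0.2.11#40001: query: notbad.example IN AAAA + (192.0.2.53)",
    "20-Jul-2017 09:15:04.001 client 192.0.2.12#55555 (C2.EVIL.TEST.): query: C2.EVIL.TEST. IN TXT -ED (192.0.2.53)",
    "20-Jul-2017 09:15:05.777 client 192.0.2.13#33333 (mail.example.org): query: mail.example.org IN MX + (192.0.2.53)",
    "20-Jul-2017 09:15:06.000 general: info: received control channel command 'stats'",
]
BAD = ["bad.example", "c2.evil.test"]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, build_blocklist(BAD)):
        print("%s %s asked %s/%s -> matches %s" % hit)
```

Feeding the same function the syslog stream instead of a list of lines is a one-line change; the part that usually needs care is the suffix match, because the list of bad domains grows and a substring regex over it gets both slower and noisier.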



Re: DNS forwarding

2017-05-29 Thread Barry S. Finkel

On 5/22/2017 10:48 AM, bind-users-requ...@lists.isc.org wrote:

On 05/22/2017 07:16 AM, Barry S. Finkel wrote:

Maybe I am misinterpreting the problem.  When I was managing a mixed
AD-BIND DNS scenario, ALL of the computers used the BIND servers for
their DNS resolution; none used the AD servers.  But I had all of the
AD zones slaved on my BIND servers, so there was no need for any machine
to use the AD servers for DNS resolution.  The AD servers had only
the AD zones, so if any machine queried the AD server for a non-AD zone,
the request would have been forwarded to the BIND servers anyway.


On Mon, 22 May 2017 08:46:59 -0600  Grant Taylor replied:


Could your AD clients still reach the AD DNS servers?  (It sounds like
they could.)

It's been my experience that AD clients still want to reach the master
name server (in the SOA record) to do Dynamic DNS updates.

(I've also successfully forced those through a BIND secondary configured
to forward the dynamic updates to the AD master.)



-- Grant. . . . unix || die



The only dynamic updates were to the AD "_" zones.  Windows desktops and
servers had static IP addresses, so they did not use DHCP.  One forward
zone and five /24 reverse zones were completely dynamic, and those zones
were mastered on a Windows DNS Server and slaved on my BIND servers.

As I have written before, there were lots of serial number updates
in these zones (forward, reverse, and "_") where the zone contents did
not change.  This caused a lot of unnecessary zone transfers between
the Windows DNS masters and my BIND slaves.

--Barry Finkel


Re: DNS forwarding

2017-05-22 Thread Barry S. Finkel

On Wed, 17 May 2017 17:44:12,  Elias Pereira  wrote:


Hello,

Our scenario today consists of one:

- DNS Server (Authoritative to our subdomains. Ex: www.mydomain.com*,
moodle.mydomain.com, etc)
- samba3 PDC server
- Openldap server (user base for samba)

All our IPs are public.

This scenario above works like a charm!! :D

Now, I'm implementing a new samba4 AD server.

In order for me to be able to put users in the AD domain, I need to
configure the samba4 AD IP as primary dns on the computers. In the bind
installed on samba4 AD I configured the "forwarder" variable with the IP of
our DNS server.

The problem is that from this computer, if I need to access an internal
subdomain, for example our webserver*, I can not access. Gives resolution
error. For any other site, for example, google.com, I can access.

I'm not finding the problem. Any idea?

-- Elias Pereira


Maybe I am misinterpreting the problem.  When I was managing a mixed
AD-BIND DNS scenario, ALL of the computers used the BIND servers for
their DNS resolution; none used the AD servers.  But I had all of the
AD zones slaved on my BIND servers, so there was no need for any machine
to use the AD servers for DNS resolution.  The AD servers had only
the AD zones, so if any machine queried the AD server for a non-AD zone,
the request would have been forwarded to the BIND servers anyway.

--Barry Finkel



Re: Enterprise DNS Architecture - AD and BIND

2016-12-15 Thread Barry S. Finkel

On 12/15/2016 8:16 AM, Bob Harold wrote:


On Wed, Dec 14, 2016 at 1:41 PM, Veaceslav Revutchi
<slavarevut...@gmail.com <mailto:slavarevut...@gmail.com>> wrote:

On Wed, Dec 14, 2016 at 10:35 AM, Barry S. Finkel <bsfin...@att.net
<mailto:bsfin...@att.net>> wrote:
> On 12/14/2016 Veaceslav Revutchi <slavarevut...@gmail.com
<mailto:slavarevut...@gmail.com>> wrote:
>
>> Since this thread is still fresh, what is the current best practice
>> when slaving from AD? Do you pick one DC and list it as master or is
>> it safe to list multiple? We are looking to do the same and just
>> started the conversation with our AD team. The serial numbers among
>> DCs authoritative for the same zone are quite spread out and it takes
>> a few minutes for the DC with the lowest number to catch up. I'm not
>> sure if I can assume that two DCs with the same serial number have the
>> same zone contents. Haven't done a zone transfer comparison yet.
>>
>> Curious to know what your experience is when slaving from AD.
>>
>> Thank you,
>> Slava
>
>
> I have not included the previous text in this reply.
>
> When I was managing a BIND/AD DNS infrastructure, I chose
> ONLY ONE of the AD DNS Servers as a master.  There is a problem
> with serial numbers (KB282826 - I have that number memorized).
> If a MS DNS Server is not a master for a slave, then the zone
> serial number does not matter, as the zone is internal only to
> the Windows infrastructure.  If the DNS Server is a master for
> the zone, then the zone serial number does matter.
>
> Assume, for example, that you have two MS DNS Servers for a zone,
> one on each of two Domain Controllers - DCA, and DCB.  Assume
> that for a given zone both DCs have the same zone contents and
> zone serial number, say 100.  Now, a machine sends a dynamic update for
> the zone to DCA at the same time that another machine sends another
> update to that zone to DCB.  Each DC DNS now has a copy of the zone
> with an increased serial number (101) BUT with different contents.
> Sometime, under the covers of AD, the MS code will synchronize the
> zone contents between DCA and DCB, but what serial number should be
> assigned to the combined zone?  It can't be 101, as that has already
> been used.  Can it be 102?  What happens if another dynamic update
> is sent to DCA or DCB while the synchronization is occurring?
> This is the problem, and why I chose only one DC to be the master
> for all of the DC zones.
>
> Also note that with the MS "_" zones, there are dynamic updates that
> do not change the contents of a zone but do increase the zone serial
> number.  Thus there are lots of unnecessary zone transfers from the
> AD DNS Server to the BIND slave server(s).  (This was true when I was
> the DNS manager, and I never got permission to ask MS why the serial
> number was incremented when the zone had not changed.  Things might
> have changed in the past five years.)

Barry,

Appreciate you sharing this. This is good info.

Thank you!


My experience slaving AD zones with BIND servers:
Ignore "failed while receiving responses: not exact " errors.  I think
that just means that the serial number changed during the transfer.
I had them turn off 'notify' and we use the 'refresh' timer (15 minutes)
to pull updates.
I also ignore these errors for those servers:
failed to connect: timed out
failed while receiving responses: REFUSED

I list more than one, for redundancy, and ignore serial number
mismatches.  Since it is constantly increasing, updates missed on one
transfer should be in the next transfer.

That 'works'.  Whether that means "works fine" or "users have gotten
used to it" is hard to say.

--
Bob Harold




Other things I did not mention.

1) There were problems when the AD DC I chose as the master was
undergoing patching.  Sometimes the zone serial number for
one or more of the AD zones DECREASED.  Sometimes the
decrease was just during the patching and intermediate
reboots of the DC, but sometimes the decrease was
permanent.  I was not allowed to
open a trouble ticket with Microsoft, as my management did
not think that this was a real problem.  No one complained
about having received and used old AD data from DNS.

2) There were times when the zone transfer from the AD DC to
   a BIND slave failed, and I had no idea why.  I did talk to one
   of the MS DNS Developers (because at the time we were having some
   major problems - since fixed), and I requested that all failed
   zo

Re: Enterprise DNS Architecture - AD and BIND

2016-12-14 Thread Barry S. Finkel

On 12/14/2016 Veaceslav Revutchi  wrote:


Since this thread is still fresh, what is the current best practice
when slaving from AD? Do you pick one DC and list it as master or is
it safe to list multiple? We are looking to do the same and just
started the conversation with our AD team. The serial numbers among
DCs authoritative for the same zone are quite spread out and it takes
a few minutes for the DC with the lowest number to catch up. I'm not
sure if I can assume that two DCs with the same serial number have the
same zone contents. Haven't done a zone transfer comparison yet.

Curious to know what your experience is when slaving from AD.

Thank you,
Slava


I have not included the previous text in this reply.

When I was managing a BIND/AD DNS infrastructure, I chose
ONLY ONE of the AD DNS Servers as a master.  There is a problem
with serial numbers (KB282826 - I have that number memorized).
If a MS DNS Server is not a master for a slave, then the zone
serial number does not matter, as the zone is internal only to
the Windows infrastructure.  If the DNS Server is a master for
the zone, then the zone serial number does matter.

Assume, for example, that you have two MS DNS Servers for a zone,
one on each of two Domain Controllers - DCA, and DCB.  Assume
that for a given zone both DCs have the same zone contents and
zone serial number, say 100.  Now, a machine sends a dynamic update for
the zone to DCA at the same time that another machine sends another
update to that zone to DCB.  Each DC DNS now has a copy of the zone
with an increased serial number (101) BUT with different contents.
Sometime, under the covers of AD, the MS code will synchronize the
zone contents between DCA and DCB, but what serial number should be
assigned to the combined zone?  It can't be 101, as that has already
been used.  Can it be 102?  What happens if another dynamic update
is sent to DCA or DCB while the synchronization is occurring?
This is the problem, and why I chose only one DC to be the master
for all of the DC zones.

Also note that with the MS "_" zones, there are dynamic updates that
do not change the contents of a zone but do increase the zone serial
number.  Thus there are lots of unnecessary zone transfers from the
AD DNS Server to the BIND slave server(s).  (This was true when I was
the DNS manager, and I never got permission to ask MS why the serial
number was incremented when the zone had not changed.  Things might
have changed in the past five years.)

--Barry Finkel
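Barry's DCA/DCB example here, his reply of 2018-08-23 earlier on this page, and his note that an AD zone's serial sometimes went backwards during patching all come down to one mechanism: a BIND secondary decides whether to transfer by comparing serials with RFC 1982 arithmetic, so a master whose serial drops below the secondary's is simply ignored until it catches up. The following is an added example (mine, not code from the thread or from BIND) that implements that comparison and runs a small audit over serials observed on several masters of one zone; the observations are constructed, not real Domain Controllers.

```python
"""RFC 1982 serial arithmetic plus an audit over SOA serials seen on several
masters of one zone. Added example for the list thread; SAMPLE is constructed."""
from collections import defaultdict

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)


def serial_gt(a, b):
    """True if serial a is 'greater than' b under RFC 1982, the comparison a
    secondary applies to the master's SOA serial. Wrap-around is handled:
    1 is greater than 4294967295. A difference of exactly 2**31 is undefined
    and compares neither greater nor less."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def slave_would_transfer(slave_serial, master_serial):
    """A secondary refreshes only when the master's serial compares greater."""
    return serial_gt(master_serial, slave_serial)


def audit_serials(observations):
    """observations: iterable of (time, server, serial), in time order.
    Findings returned:
      ('regression', server, time, old, new)  serial went backwards on one server,
                                             as seen on a DC during patching
      ('divergence', time, {server: serial}) masters disagree at the same time,
                                             the multi-master case in the thread"""
    findings = []
    last = {}
    by_time = defaultdict(dict)
    for t, server, serial in observations:
        prev = last.get(server)
        if prev is not None and serial != prev and not serial_gt(serial, prev):
            findings.append(("regression", server, t, prev, serial))
        last[server] = serial
        by_time[t][server] = serial
    for t, seen in by_time.items():
        if len(set(seen.values())) > 1:
            findings.append(("divergence", t, dict(seen)))
    return findings


# Constructed: two DCs mastering one zone, sampled at four times.
SAMPLE = [
    ("t1", "dca", 100), ("t1", "dcb", 100),
    ("t2", "dca", 101), ("t2", "dcb", 101),
    ("t3", "dca", 102), ("t3", "dcb", 99),    # dcb rolled back during patching
    ("t4", "dca", 102), ("t4", "dcb", 103),
]

if __name__ == "__main__":
    for finding in audit_serials(SAMPLE):
        print(finding)
    # A BIND secondary already at 102 ignores a master that reports 99 ...
    print("transfer from dcb at t3:", slave_would_transfer(102, 99))
    # ... and picks up again once that master's serial passes 102.
    print("transfer from dcb at t4:", slave_would_transfer(102, 103))
```

Note that two masters showing the same serial is not evidence of identical contents, which is exactly the doubt Slava raised; a serial audit catches regressions and disagreement, and only a content comparison of the transferred zones settles the rest.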


Re: Enterprise DNS Architecture - AD and BIND

2016-11-18 Thread Barry S. Finkel


On Tue, 8 Nov 2016 16:09:36 -0800 Ray Van Dolson wrote:



Greetings;

Am reviewing our DNS setup which has organically evolved over the years
and most certainly is due for an update:

- We have AD servers responsible for our primary domain (internally).

- We have other sets of AD servers responsible for other domains in
  DMZ's and such.

- We have a BIND Master/Slave pair acting as a hidden master for
  external zones as well as doing split view for some of those same
  zones where we want to return "non-public" IP's for queries that
  would otherwise be answered with an external address.

- We have multiple BIND caching servers.  Some at remote sites that
  handle split duty for Internet resolution (enabling accurate
  geolocation for Internet based services -- our own included) and
  internal lookups.

  In some cases, these "remote" caching servers need to forward lookups
  to other "super" caching servers which have more privileged access to
  the authoritative servers listed above... there are about a dozen of
  these zones.

  They do static-stub zones for the AD managed zones.

  Another challenge is when clients point to them directly, Dynamic DNS
  (RFC2136) doesn't work.  Theoretically we could make BIND handle this
  and forward on to AD, but adds complexity.

  The caching servers also do RPZ.

We're now wanting to add some additional logic to respond differently
to VPN clients for some of our VoIP technologies to send RTP over the
Internet vs. over a VPN tunnel...

I'd like to make this all much simpler, avoid mixing roles of servers
and help guide us as we decide what servers to deploy where.  KISS
principle I guess.

In an ideal world, I could completely pitch the whole split view thing
(where rr.domain.com resolves differently for Internet clients than for
"internal" clients).  I can't think of a good way to avoid this
complexity, however.

What I'm thinking:

- Have an AD server at every location we have a BIND server.  This way
  client machines talk DNS *only* to AD servers so Dynamic DNS &
  friends work reliably.  AD servers would then forward to BIND servers
  as needed.

+ Alternative: Configure clients to do DNS updates via DHCP Option
  81, etc. instead of via Dynamic DNS.  This would allow clients to
  point at BIND and take advantage of Anycast for resiliency and I
  avoid needing to figure out how to make BIND pass RFC 2136
  requests on from clients to AD reliably...

- Caching Servers will be the same configuration no matter where they
  are, and do the same things:

+ "." will forward out to OpenDNS or Google, etc. for Internet
  lookups.

+ Will be a "slave" for all AD owned domains.  Thought here is
  better client response times and fewer issues w/ TTL and cache
  and better resiliency...

- Alternative: Leave these as static-stub, but now I may need
  logic in Ansible or wherever to point to "nearby" AD servers
  depending on where the BIND server lives to keep response
  times low when things aren't cached.  That or not care about
  latency...

+ Will be a "slave" for all of the split-view zones (only for the
  "internal" view).  Could do static-stub here as well, but think
  slave may serve us better for similar reasons as w/ AD.

+ I can introduce my split view zones for VPN here as well.  I
  haven't thought this one through fully yet, but am hopeful I
  don't need to fully duplicate the zones above and could instead
  forward queries from one view to another

- Authoritative BIND Servers mostly stay as-is aside from needing to be
  configured to send notify's out to caching servers and proper FW
  access maintained for AXFR.

Please pick this apart and let me know where I'm going astray. :)

Thanks,
Ray


When I was managing a mixed AD/BIND DNS complex, I had AD DNS only for
one forward zone and five /24 reverse zones.  NO user machine used any
AD DNS server as its DNS server; ALL machines queried the BIND
servers, which were slaves for the AD zones.  The rest of the AD domains
that were slaved were around eleven sets of AD "_" zones.

--Barry Finkel


Re: Delegation questions

2016-08-11 Thread Barry S. Finkel

On 8/11/2016 12:22 PM, bind-users-requ...@lists.isc.org wrote:

I have a child domain that is delegated to a second site. Pretty
straightforward situation. In the parent zone I have NS records that point
to the DNS servers at the second site.

The issue comes up when a slaved copy of the parent domain is running at a
third site and that third site doesn't have a rule in their firewall
allowing DNS access to the second site (where the child domain is
delegated).

The question is this; can I use stub zones to reference the child domain on
the master server (instead of delegation) and the use forwarding at the
third site to direct queries for the child domain through the master
server?

I hope the picture I've tried to describe is somewhat clear.

Regards,

Bob


I think that this has been proposed, but I am not sure.
Take the child zone from the third server and slave the
zone on your servers.  That way you have a copy of the
zone, and your customers can access the contents of that zone.

--Barry Finkel


Re: Maintain task frequency

2016-05-09 Thread Barry S. Finkel
On Mon, 9 May 2016 17:54:22 -0500, Jorge Alberto Martínez Melo wrote:

Hello bind users,

I am preparing some scripts to maintain some cache dns servers and I am
thinking about the most appropriate frequency of these tasks:
- to generate the root hints file (root cache).
- to clear the cache with rndc flush
- to generate the stats file with rndc stat

Thank you in advance for your comments

-- jamm


If I interpret your question correctly - here are my answers:

1) root hints - There is nothing you need to do, as BIND will get
the information when it starts, based on the hints
that are built into the code.  And the hints information
rarely changes.

2) Clear cache - There is no need to clear the cache, as BIND will
 remove automatically any entry whose TTL has
 expired.

3) Generating stats - I have no answer for this.  You can generate
  stats at any interval you want.  The interval
  might depend upon  how busy the DNS server is.

--Barry Finkel



Re: Can bind be configured to not drop RR's from the cache when the upstream DNS server is unresponsive

2016-03-19 Thread Barry S. Finkel

On 3/17/2016  12:36:31 +0100 Ron wrote:


Can bind be configured to not drop RR's from the cache when
the upstream DNS server is unresponsive?



Hi,

subject says all. Read manpages, could not find this in the FAQ's.
Hope this is possible. If not does anyone know of other name servers
that offer this option?

Thanks,
Ron Arts


It seems to me that one task of the BIND process is periodically
to scan the cache to find entries whose TTL has expired.  That
process, per the DNS RFCs, will remove all entries whose TTL has
expired.  The process should not check to ensure that at least
one of the upstream DNS servers is responsive, as by definition
the record has expired and should not remain in DNS.  It is the
owner of the record who sets the TTL, and if the TTL is too short
AND all of the DNS servers that serve that record are inaccessible,
then the owner of the record has a problem.

--Barry Finkel


Re: About query response on a view

2015-12-09 Thread Barry S. Finkel

 Okan Bostan  wrote:

Hello List,

We are planning to migrate to Bind dns, I'm a bit newbie.

In our design we have two views; int and ext.
As internal view, recursion is on and we have our internal zones & forwarders. 
I have no problem with internal view.

In external view, recursion in no. Also have some zones. In testing external 
view, I can query the records in zones, thats not a problem also.

But when I try to query, for example www.google.com, it
returns the root servers records by dig.

;; QUESTION SECTION:
;ww.IN  A

;; AUTHORITY SECTION:
.   518400  IN  NS  D.ROOT-SERVERS.NET.
.   518400  IN  NS  M.ROOT-SERVERS.NET.
.   518400  IN  NS  C.ROOT-SERVERS.NET.
.   518400  IN  NS  J.ROOT-SERVERS.NET.
.   518400  IN  NS  G.ROOT-SERVERS.NET.
.   518400  IN  NS  H.ROOT-SERVERS.NET.
.   518400  IN  NS  I.ROOT-SERVERS.NET.
.   518400  IN  NS  L.ROOT-SERVERS.NET.
.   518400  IN  NS  F.ROOT-SERVERS.NET.
.   518400  IN  NS  K.ROOT-SERVERS.NET.
.   518400  IN  NS  A.ROOT-SERVERS.NET.
.   518400  IN  NS  B.ROOT-SERVERS.NET.
.   518400  IN  NS  E.ROOT-SERVERS.NET.

And status: NOERROR

also in nslookup:

Name:www.google.com
Served by:
- E.ROOT-SERVERS.NET

- F.ROOT-SERVERS.NET

- J.ROOT-SERVERS.NET

- G.ROOT-SERVERS.NET

- D.ROOT-SERVERS.NET

- C.ROOT-SERVERS.NET

- A.ROOT-SERVERS.NET


But in our existing DNS environment, I get status: SERVFAIL to same query.

Is this a normal behaviour ? How can I disable this Authority section with root 
server NS records?

My external view:

view "EXTERNAL" {

 match-clients {"any";};
 allow-query-on {ext_ip; };

 recursion  no;
 allow-recursion { none;};


 #Include SLAVE zones
 include "slave.zones";

 #Include REVERSE zones
 include "reverse.zones";



};// view EXTERNAL

Regards,

Okan.


Something got lost in "translation".

> But when I try to query, for example
> www.google.com

Did you really type "dig www.google.com"?

> ;; QUESTION SECTION:
> ;ww.IN  A

According to dig, you queried "ww.".
And the output of dig is correct - there is no DNS entry
with that name, and the authority section contains the
root servers, as it is those servers which would have
contained the zone, had it existed.

You did not give us the unedited output of "dig".

--Barry Finkel


Re: subdomain with domain

2015-04-01 Thread Barry S. Finkel

On 4/1/2015, Jeff Sadowski jeff.sadow...@gmail.com wrote:

The other day I found that my secondary name servers running bind
were not dishing out

_msdcs.domain SRV records

This was causing join issues. It turned out that the Domain controller
had 2 different scopes one for

_msdcs.domain
and one for
domain

so I shared the second _msdcs.domain scope with all my bind secondary servers.


It would be a good idea to also have the other Active Directory
underscore zones:

 _sites.domain
 _tcp.domain
 _udp.domain

on your slave server.

--Barry Finkel


Re: Different answer when querying @server from different clients

2015-03-08 Thread Barry S. Finkel

On 3/6/2015 4:52 PM, bind-users-requ...@lists.isc.org wrote:

I don't think it is views.  The same thing happens against Google's
public DNS.  The two hosts route to the Internet differently and that
seems to be at the root of the issue somehow.

[root@dc01 ~]# dig +short ns1.mediture.com
74.113.249.135
[root@dc01 ~]# dig +short ns2.mediture.com
107.23.33.118

[root@dc01 ~]# dig @8.8.8.8 +trace great.truchart.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.1 <<>> @8.8.8.8 +trace great.truchart.com
; (1 server found)
;; global options: +cmd
.   18851   IN  NS  h.root-servers.net.
.   18851   IN  NS  c.root-servers.net.
.   18851   IN  NS  f.root-servers.net.
.   18851   IN  NS  k.root-servers.net.
.   18851   IN  NS  j.root-servers.net.
.   18851   IN  NS  m.root-servers.net.
.   18851   IN  NS  l.root-servers.net.
.   18851   IN  NS  a.root-servers.net.
.   18851   IN  NS  g.root-servers.net.
.   18851   IN  NS  e.root-servers.net.
.   18851   IN  NS  b.root-servers.net.
.   18851   IN  NS  i.root-servers.net.
.   18851   IN  NS  d.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 144 ms

com.    172800  IN  NS  j.gtld-servers.net.
com.    172800  IN  NS  d.gtld-servers.net.
com.    172800  IN  NS  k.gtld-servers.net.
com.    172800  IN  NS  m.gtld-servers.net.
com.    172800  IN  NS  f.gtld-servers.net.
com.    172800  IN  NS  c.gtld-servers.net.
com.    172800  IN  NS  e.gtld-servers.net.
com.    172800  IN  NS  g.gtld-servers.net.
com.    172800  IN  NS  a.gtld-servers.net.
com.    172800  IN  NS  l.gtld-servers.net.
com.    172800  IN  NS  h.gtld-servers.net.
com.    172800  IN  NS  i.gtld-servers.net.
com.    172800  IN  NS  b.gtld-servers.net.
;; Received 496 bytes from 192.228.79.201#53(192.228.79.201) in 146 ms

truchart.com.   172800  IN  NS  ns1.mediture.com.
truchart.com.   172800  IN  NS  ns2.mediture.com.
;; Received 113 bytes from 192.52.178.30#53(192.52.178.30) in 129 ms

great.truchart.com. 3600IN  A   192.168.168.225
truchart.com.   86400   IN  NS  ns1.mediture.com.
truchart.com.   86400   IN  NS  ns2.mediture.com.
;; Received 129 bytes from 107.23.33.118#53(107.23.33.118) in 31 ms

[root@www02 ~]# dig @8.8.8.8 +trace great.truchart.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.23.rc1.el6_5.1 <<>> @8.8.8.8 +trace great.truchart.com
; (1 server found)
;; global options: +cmd
.   18813   IN  NS  h.root-servers.net.
.   18813   IN  NS  c.root-servers.net.
.   18813   IN  NS  f.root-servers.net.
.   18813   IN  NS  k.root-servers.net.
.   18813   IN  NS  j.root-servers.net.
.   18813   IN  NS  m.root-servers.net.
.   18813   IN  NS  l.root-servers.net.
.   18813   IN  NS  a.root-servers.net.
.   18813   IN  NS  g.root-servers.net.
.   18813   IN  NS  e.root-servers.net.
.   18813   IN  NS  b.root-servers.net.
.   18813   IN  NS  i.root-servers.net.
.   18813   IN  NS  d.root-servers.net.
;; Received 228 bytes from 8.8.8.8#53(8.8.8.8) in 94 ms

com.    172800  IN  NS  f.gtld-servers.net.
com.    172800  IN  NS  b.gtld-servers.net.
com.    172800  IN  NS  c.gtld-servers.net.
com.    172800  IN  NS  l.gtld-servers.net.
com.    172800  IN  NS  m.gtld-servers.net.
com.    172800  IN  NS  k.gtld-servers.net.
com.    172800  IN  NS  e.gtld-servers.net.
com.    172800  IN  NS  j.gtld-servers.net.
com.    172800  IN  NS  d.gtld-servers.net.
com.    172800  IN  NS  g.gtld-servers.net.
com.    172800  IN  NS  a.gtld-servers.net.
com.    172800  IN  NS  i.gtld-servers.net.
com.    172800  IN  NS  h.gtld-servers.net.
;; Received 508 bytes from 192.58.128.30#53(192.58.128.30) in 220 ms

truchart.com.  

Re: In BIND 8.2 running on Solaris 8, how to start logging

2014-06-27 Thread Barry S. Finkel

On 6/27/2014, Samad Agha samad.agha2...@gmail.com wrote:

Hi All,
I have two Solaris 8 servers running BIND 8.2. I'd like to retire them both
and transfer everything to a couple of RHEL 7 boxes. The City (I work for a
mid-size California city) has outsourced different aspects of our DNS that
I even lost track and have no idea what these two DNS servers serve. I'd
like to start logging all queries on these two boxes to know who queries
them. How do I start a comprehensive logging to capture all transactions
going through these two servers?

Please advise; please be thorough and don't assume anything. Many thanks in
advance.
Regards,
Samad


I may be missing something here.  The servers are running BIND.
What zones do the servers serve?  They serve the zones listed in the
BIND configuration file(s), and they may be recursive servers
for your clients.  Look at the config files to see what zones
are mastered or slaved on the servers.

--Barry Finkel


Re: Multi-master (HA)

2014-05-08 Thread Barry S. Finkel

On 2014-05-07 15:06, Lawrence K. Chen, P.Eng. wrote:

OTOH, the idea of multi-master is intriguing...the only down side I see is
that I have one really powerful server for my current master (Sun Fire
X4170) and my other servers are weak leftovers...just passed EOL last year.
And, having all the servers doing full DNSSEC signing could be
interesting.


It also raises the question of how does the outside world cope with all the
servers having identical zones...signed at slightly different times, etc.
(especially since I'm using unix timestamp for zone serial...avoids
issues of multiple admins incrementing serial without
noticing others and/or collisions with DNSSEC's
incrementing of serials.)

Dave Warren replied:


I wouldn't expect any real issues here, Windows DNS has done multimaster
DNS since Windows 2000. In the case of Windows, dynamic updates (via
client or GUI) can be done at any location, the serial numbers are
incremented automatically, but the zones and servers may vary from each
other for a brief period of time.

So for example, DC1 and DC2 may start with serial 100, DC1 will receive
2 changes and be up to 102, DC2 will give 5 different changes and be up
to 105. When Active Directory synchronization happens outside of DNS,
the two sides merge changes together, and set the serial to the higher
of the two plus one, so the serial would be 106. To the outside world,
records can appear/disappear for a brief period while the servers drift
out of sync, similar to what could happen in a BIND configuration
without notifies as resolvers hit the two DNS servers round-robin.

The only thing that causes issues is if you use DNS to create a
non-Active Directory slave. BIND will throw errors because it will see
serial 100, 101, 102, then get a notify from the second server about
101. However, the slave will still sync up once the AD servers sync to
106. The fix here is to configure BIND to only slave off of one master
or the other, not both.

While there might be other factors involved in turning BIND into a true
multi-master solution, I wouldn't expect zones drifting out of sync or
having minor differences to be a big factor since it happens in the wild
already.



As I have written before, see MS article 282826.  If one is going
to slave an MS AD DNS server, one has to choose ONLY ONE AD DNS
Server as a master.  As I see it, there is no way that AD can
choose a zone serial number from among all of the AD DNS Servers.
Assume that a zone has the same contents and same serial number,
say n, on all Domain Controllers.  Then, one Windows machine sends
a DDNS update for the zone to DC1 at the same time that another Windows
machine sends a different DDNS update for that zone to DC2.  Now,
each DC has serial number n+1 and different contents.  When AD
synchronizes the zone contents and serial number under the covers,
what serial number can it choose?  It can't choose n+1, as that
serial number has already been used.  It can't choose n+2, as it
does not know if another DDNS for the same zone has arrived before
the synchronization has taken place.  IIRC, 282826 says that if a
DC is not used as a master for a BIND slave, then its zone serial
number is not important.

Another problem that I saw when I had BIND servers slaving AD
zones was this - during patching of the DCs, the zone serial number
might decrease.  In most cases, after the DC patching was complete,
the serial number reverted to the proper value.  I was not allowed to
open a trouble ticket with MS to determine why the zone serial on the
DC was decreasing.  The Windows support group did not see this as a
problem.  It might not have been a problem, as I saw many times where
the zone serial number changed in an AD zone when the zone contents had
not changed.  This just meant more unnecessary zone transfers from the
master to the slave.

--Barry Finkel



Re: Help with DKIM record

2014-04-14 Thread Barry S. Finkel

Felix Rubio Dalmau felixrubiodal...@gmail.com wrote:

Hi everybody,

   I have set up a bind9 server, and everything works fine except when I try to 
request some fields (e.g., TXT) for any server. If I do
host -t txt host
   I get
host has no TXT record

   whereas if I do
host -t txt host ns server
   I got the correct answer from that other server.

   Does anybody have any idea on how to fix this?

   Thank you,
   Felix


Do you know what default NS server you are querying when you do not
specify the server on your command line?  Does that server have the TXT
record?

--Barry Finkel


Re: bind-users Digest, Vol 1773, Issue 1

2014-02-26 Thread Barry S. Finkel

Lawrence K. Chen, P.Eng. lkc...@ksu.edu wrote:


Hmmm, so that explains what I'm seeing in my logs of my nameservers
getting hammered by AD.

Should I be worried?  Is there anything that could be done on my end to
help reduce the impact?



On our campus, we have always allowed delegation of subdomains to
department nameservers, with the requirement that we be secondary to
them.  Some departments also have other domains on their nameservers,
again have us as their secondary (and often we're the only published
nameservers for these domains.)

But, AD was different...they did their own thing.

Except there's this problem now with their authoritative servers also
being open recursive query resolvers ... exposed to the whole world.

Since they won't turn off recursion (and there's no way to limit its scope)

So, we've started pushing that they need to use us as secondaries.

Right now it has only been tested with Central AD, where I'm seeing one
DC sending updates ranging from a few minutes to a few hours.  While the
other DC is trying at intervals of 2-9 minutes, but it's N-1

Though when they were first trying to get it going...they had some
trouble, which turned out that it thought the IP space of my nameservers
belonged to it and that my nameservers were not part that space.

Namely, one of my DNS vlans is 129.130.254.0/28 (ns-1.ksu.edu lives
here, ns-2.ksu.edu/ns-3.ksu.edu live in the other one)...where some
other portion of the /24 is a vlan that they have servers in.

Hmmm, I noticed in the dump of ads.ksu.edu, it has A records for my
nameservers...is that a problem?



Where I used to work, there was NO computer that had an AD DNS
Server address in its TCP/IP configuration.  ALL computers
used the two BIND internal servers for their DNS resolution.
The Domain Controllers were NOT accessible from the Internet,
so we were not worried about Internet access to those DC DNS
Servers.  Only one sub-domain was completely DHCP-dynamic and mastered
on a Windows DC DNS, so with the exception of this forward zone and its
five /24 reverse zones, the only zones on the Windows DCs were the
AD zones - _msdcs, _sites, _tcp, and _udp.  The forward and reverse
zones were on the BIND servers only, and all these _ zones were
slaved on the BIND servers.

--Barry Finkel



Re: bind-users Digest, Vol 1766, Issue 2

2014-02-19 Thread Barry S. Finkel

markus weber bumpemacve...@googlemail.com wrote:


Hey Guys,

I am new to administering a Bind server and after a few problems I ran into I
need to monitor the zonefile transfers of my slave server.
I have searched on google and nagios plugin sites but could not find
anything that fits my needs entirely.

Here is the Setup:
- MS ActiveDirectory as primary Nameservers (not under my control)
- 2 Bind server as slave for various zones (behind a loadbalancer)

The problem i ran into, was that the zone transfer didn't work for some
reason and the zone we hold expired causing our mailgateway to stop
relaying mails :/

As I said, I googled around and as I could not find anything I hacked a
nagios plugin myself ( you can find the code here
https://github.com/seppovic/Nagios-plugins/blob/master/libexec/check_dns_zonetransfer.pl).
But I am curious if I took the right route. These are my assumptions and
a first approach:

- read named.conf and get master servers
- query soa of slave and get serial
- query first master and get serial
- if serial match:
 get zonefile modification time (not sure if this is significant)
and compare it with localtime and soa-expiretime
 + warn or crit on threshold
 (stat($zoneFile)[9] + $SOA_S-expire) - time
- if master serial > slave serial
 create tempfile and check for how long it stays lower then masters
serial
 + warn or crit on threshold
- else
 test next master
 on last master exit with error ( this should not become true ever,
right?)


A few problems I discovered:
- sometimes have a higher serial than all masters have, is this normal on
an AD DNS? or am I doing something wrong? I thought this could not happen.
- Some Zones nearly always reach expiration time, and I get a lot of
critical messages and a few hours/minutes before expiration it does the
update.

i hope you can guide me a bit and tell me if this is what i want xD

many thanks in advance
seppovic


When I had BIND slaves of zones mastered on Windows Domain Controller
DNS Servers, the problem I had was that Microsoft in the EventLog only
logged successful zone transfers.  I told MS (in a conversation with one
of the DNS developers) that I needed failed zone transfers to be logged
along with the reason for the refused transfer.  The response from the
developer was that MS did not want all of the failed zone transfers
filling up the EventLog.  In my case, there were lots of unnecessary
successful zone transfers, but if one failed, I had no way of knowing
why.  There might have been information in the Windows dns.log file
(where I had complete logging), but when that file got to its max size,
MS would clear the file and start again, losing all of the information.

--Barry Finkel



Re: Re: Monitoring Zonefiletransfer

2014-02-19 Thread Barry S. Finkel



A few problems I discovered:
- sometimes have a higher serial than all masters have, is this normal on
an AD DNS? or am I doing something wrong? I thought this could not happen.



Only transfer from one AD master.  Microsoft AD doesn't maintain
consistent serials across the servers.  The serials should be
monotonically increasing from an individual server.



And when I had BIND slaves for AD masters, when patches were being
applied to the Domain Controllers (i.e., the ONE DC that I had
selected as a master), a zone serial number would decrease.  In most
(but not all) cases, after the DC patching was finished, the zone
serial number would go back to normal.  I was not allowed to open a
trouble ticket with Microsoft.  Every morning at 7AM I ran a cron to
capture the zone serial numbers on all of the 44+ AD zones on all my
BIND DNS servers.

(I just realized that in my post about a half-hour ago on this
subject, I had forgotten to change the Subject: line from the
digest).

--Barry Finkel


Re: Monitoring Zonefiletransfer

2014-02-19 Thread Barry S. Finkel

Only transfer from one AD master.  Microsoft AD doesn't maintain
consistent serials across the servers.  The serials should be
monotonically increasing from an individual server.



Oh, I didn't know that. That's weird behavior, isn't it? I will give it
definitely a try. I just added 3 of those servers to the Masters option
because I thought it would increase the reliability in case of an error.



See MS KB article 282826, where MS documents the handling of zone
serial numbers in an AD environment.

--Barry Finkel



Re: Monitoring Zonefiletransfer

2014-02-19 Thread Barry S. Finkel

On 2014-02-19 16:06, Barry S. Finkel wrote:


See MS KB article 282826, where MS documents the handling of zone
serial numbers in an AD environment.


And Dave Warren replied:


My experience is that it tends to work pretty well if BIND only points
to one particular MS DNS server at a time, with a failover script that
detects when that DNS server goes down and flips to another master (if
you're worried about such things)

That being said, even without that script and with multiple MS DNS
masters configured in BIND at once, any issues generally work themselves
out within 15 minutes or so, once the Active Directory serial number
update propagates through the MS DNS infrastructure. As described in the
article, the servers self-increment properly when a slave is detected,
and occasionally sync up the serial numbers between MS DNS servers
(again, only moving update).

The only inconsistencies are in those recently added/modified records,
so if you just plan for 15 minute update times for non-MS secondaries to
sync up and ignore the periodic "serial is lower than expected"
warnings, multi-mastering works fine in practice.

-- Dave Warren



That MS KB article states that if a Domain Controller DNS Server is
not used as a master for a slave server, then the zone serial number
is irrelevant.  But if the Server is used as a master, then the serial
number is relevant.  Assume one zone that is mastered on two DCs, and
the two serial numbers match (and the serial is N).  A dynamic update
for the zone is sent to DC1, and the serial number there is increased to
N+1.  At the same time a different dynamic update for the zone is sent
to DC2, and DC2 then has serial number N+1.  The two copies of the zone
are different, but they both have the same serial number.  When Active
Directory synchronizes the zone, what serial number can it use for the
synched zone?  It can't use N+1, because that serial has been used, and
the zone might have already been transferred to the slave server.
It can't be N+2, because, in the meantime, another dynamic update may
have come to DC1 or DC2, so serial N+2 might have already been used.

Another thing that I hinted in an earlier reply - With AD zones, the
serial number can increase unnecessarily.   In the past, when a
dynamic DNS update was sent to a DC, and that update was already in DNS
(e.g., a re-lease of a DHCP address), the Windows DNS Server code
treated the update as a no-op, except for updating an internal timestamp
in the zone.  But sometime later, MS changed the code, so that the
dynamic DNS update is no longer treated as a no-op.  This causes

1) the DNS update to be initially refused because it does not have
   TSIG authorization, and the client (or DHCP Server) has to re-send
   the update.

2) the zone serial number is updated, even when there is no update to
   the zone; this causes unnecessary zone transfers.

--Barry Finkel
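The serial-number concerns raised in this thread, in the "Multi-master (HA)" thread above (two DCs both reaching N+1 with different contents) and in the "Monitoring Zonefiletransfer" thread (a slave ahead of all its masters, a DC's serial decreasing during patching) can be turned into a check. The script below is an added example, not code from any of the posts or from the plugin linked earlier: it compares a slave's SOA serial with each configured master using RFC 1982 serial arithmetic (so a wrap at 2^32 is not mistaken for a regression), flags masters that disagree with each other, and scans a series of daily samples from one DC for a serial that went backwards. The server names, the SOA answers and the daily samples are constructed for illustration; in production they would come from `dig +short SOA <zone> @<server>` and from the kind of 7AM cron described above.

```python
"""Compare SOA serials between a BIND slave and its configured masters.

Added example.  RFC 1982 serial arithmetic is used so that wrap-around at
2^32 is handled.  The SOA answers and history below are constructed, not
captured from a real server; hostnames are placeholders.
"""
from __future__ import annotations

SERIAL_BITS = 32
HALF = 1 << (SERIAL_BITS - 1)
MOD = 1 << SERIAL_BITS


def serial_cmp(a: int, b: int) -> int | None:
    """RFC 1982 comparison: -1 if a < b, 1 if a > b, 0 if equal, None if undefined."""
    a %= MOD
    b %= MOD
    if a == b:
        return 0
    diff = (b - a) % MOD
    if diff == HALF:
        return None  # RFC 1982: ordering is undefined when the distance is exactly 2^31
    return -1 if diff < HALF else 1


def parse_soa_serial(rdata: str) -> int:
    """Extract the serial from SOA rdata as printed by `dig +short SOA <zone>`:
    MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected SOA rdata: {rdata!r}")
    return int(fields[2])


def classify_slave(slave_serial: int, master_serials: dict[str, int]) -> dict[str, str]:
    """For each master, say whether the slave is in sync, behind (a transfer is
    still pending), ahead (that master's serial went backwards, or the slave
    last transferred from a different master) or undefined."""
    labels = {0: "in-sync", -1: "behind", 1: "ahead", None: "undefined"}
    return {m: labels[serial_cmp(slave_serial, s)] for m, s in master_serials.items()}


def masters_consistent(master_serials: dict[str, int]) -> bool:
    """True when every configured master reports the same serial.  AD DNS does
    not keep serials consistent across Domain Controllers, so False here is
    the signal to list exactly one DC in the zone's masters clause."""
    return len(set(master_serials.values())) <= 1


def serial_regressions(history: list[tuple[str, int]]) -> list[tuple[str, str, int, int]]:
    """Given (timestamp, serial) samples from ONE master in time order, return
    the steps at which the serial went backwards in RFC 1982 terms."""
    regressions = []
    for (t0, s0), (t1, s1) in zip(history, history[1:]):
        if serial_cmp(s0, s1) == 1:
            regressions.append((t0, t1, s0, s1))
    return regressions


# Constructed samples, in the form `dig +short SOA ad.example.com` prints.
SLAVE_SOA = "dc1.ad.example.com. hostmaster.ad.example.com. 2014021905 900 600 86400 3600"
MASTER_SOAS = {
    "dc1.ad.example.com": "dc1.ad.example.com. hostmaster.ad.example.com. 2014021905 900 600 86400 3600",
    "dc2.ad.example.com": "dc2.ad.example.com. hostmaster.ad.example.com. 2014021903 900 600 86400 3600",
    "dc3.ad.example.com": "dc3.ad.example.com. hostmaster.ad.example.com. 2014021907 900 600 86400 3600",
}
# Constructed daily 07:00 samples from one DC; the dip on 02-20 mimics the
# patch-day regression described in the thread.
DC1_HISTORY = [
    ("2014-02-18", 2014021801),
    ("2014-02-19", 2014021905),
    ("2014-02-20", 2014021701),
    ("2014-02-21", 2014022102),
]


def report() -> dict:
    """Run all three checks over the constructed samples."""
    slave = parse_soa_serial(SLAVE_SOA)
    masters = {m: parse_soa_serial(r) for m, r in MASTER_SOAS.items()}
    return {
        "slave_serial": slave,
        "per_master": classify_slave(slave, masters),
        "masters_consistent": masters_consistent(masters),
        "dc1_regressions": serial_regressions(DC1_HISTORY),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

With the constructed data the slave is in sync with dc1, ahead of dc2 and behind dc3, the masters are inconsistent, and the dc1 history shows one regression between 02-19 and 02-20. A monitor built on this would alert on `masters_consistent` being False (fix the configuration, not the DC) and on any regression from the single chosen master, rather than on "serial lower than expected" noise from masters the slave should not be transferring from in the first place.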


Re: DNS with several ip adessess

2014-01-02 Thread Barry S. Finkel

With today's hardware (virtualization, etc) it's not very expensive to build 
out new servers.


One caveat with using virtual servers.   Make sure that the DNS server
on which the host machine relies is NOT the DNS server that is
virtualized on that host.  The host machine needs to be up before
the VMs residing on that host come up.

--Barry Finkel



Re: Internernal view is answering to external ping

2013-08-01 Thread Barry S. Finkel

Post your *full* config, not half of it.  How the hell do you expect
people to identify problems unless you give them the necessary
details.

Do you give your car mechanic only access to the boot when you have
an engine problem?

You said you created views yet you didn't send anything that described
how the views were configured.

Mark


Also, be sure to change any secret authentication string
so that it is not archived for the world to see.
--Barry Finkel


Re: New warning message...

2013-07-22 Thread Barry S. Finkel



This was discussed here already, and imho this is anti-spf bullshit like
all those "spf breaks forwarding" FUD. The SPF RR is already here and is
preferred over TXT, which is a generic RR type, unlike SPF.



It is not Fear, Uncertainty, and Doubt that SPF breaks forwarding.
SPF *DOES* break forwarding.  I have a case I am researching right now
where forwarded mail is undeliverable due to SPF checking at the
new destination.

--Barry Finkel


Re: NAMED LOGS

2013-07-22 Thread Barry S. Finkel

 Date: Mon, 22 Jul 2013 14:21:51 +0200

From: Grace Ingabire grac...@ricta.org.rw

Dear Team,



Does anyone know what is going on here? As I can't understand why we do
receive a lot of these messages in our logs.



Jul 22 14:18:21 ns1 named[13045]: client 200.222.123.108#43576: query
(cache) 'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 201.228.140.4#25482: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 201.228.139.161#63987: query
(cache) 'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 46.39.192.1#39972: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 201.228.139.162#48785: query
(cache) 'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 200.148.23.5#37623: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 177.19.209.110#64974: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 200.45.48.238#30572: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:21 ns1 named[13045]: client 200.45.191.41#24254: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 46.39.192.1#6612: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 200.222.123.108#23817: query
(cache) 'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 82.209.195.12#61851: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 41.74.171.185#11223: update
forwarding 'org.rw/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 78.136.107.50#58919: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 46.140.67.168#37418: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 200.40.220.201#4560: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 118.69.241.180#23006: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:22 ns1 named[13045]: client 84.232.1.100#52278: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 195.229.242.133#46507: query
(cache) 'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 200.40.220.194#23686: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 46.39.192.1#28150: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 84.232.1.100#61843: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 202.248.197.77#37917: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 61.220.10.137#1475: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 46.39.192.1#57197: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 46.39.192.1#35102: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 189.1.87.5#42806: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 196.3.132.118#21462: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:23 ns1 named[13045]: client 74.125.178.21#56160: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:24 ns1 named[13045]: client 201.228.140.7#64057: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:24 ns1 named[13045]: client 200.168.137.39#41361: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:24 ns1 named[13045]: client 189.1.84.126#63800: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:24 ns1 named[13045]: client 201.228.140.7#40111: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:24 ns1 named[13045]: client 200.168.137.39#28376: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:25 ns1 named[13045]: client 46.39.192.1#36140: query (cache)
'www.minghui.org.s210.ip4.verteiltesysteme.net/A/IN' denied

Jul 22 14:18:25 ns1 

Re: New warning message...

2013-07-22 Thread Barry S. Finkel

On 7/22/2013 11:17 AM, bind-users-requ...@lists.isc.org wrote:

This was discussed here already, and imho this is anti-spf bullshit like
all those "spf breaks forwarding" FUD. The SPF RR is already here and is
preferred over TXT, which is a generic RR type, unlike SPF.

On 22.07.13 08:50, Barry S. Finkel wrote:

It is not Fear, Uncertainty, and Doubt that SPF breaks forwarding.
SPF*DOES*  break forwarding.



No, it does not. If a mail gets delivered to an address which is sending it
further (forwarding it), the envelope sender has to be changed, because
it's not the original sender who sends the other mail.  Forwarding without
changing the envelope address is already broken, it's just that people don't care
without SPF.



  I have a case I am researching right now
where forwarded mail is undeliverable due to SPF checking at the
new destination.

Rewrite the sender's address. You have more choices, SRS is one of them.

-- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


I have no control over what my Mail User Agent does. And a quick reading
of section 3.6.6 of RFC 5322 does not tell me what is the correct action
on a forwarded message:

 1) Change the From: address, or

 2) Keep the From: address.

My MUA, Thunderbird, does 1).  And I do not see any configuration
option.  I am not sure which action is correct.

I do not know what implications SMTP (RFC 5321) has for forwarding.
--Barry Finkel



Re: Troubleshooting DNSSEC issue w/ ic.fbi.gov

2013-07-18 Thread Barry S. Finkel

The SOA RNAME should work:


fbi.gov.    600 IN  SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013071601 7200 3600 2592000 43200


In my years as a DNS administrator, about 50% of the time I tried to
send e-mail to the SOA RNAME, that mail was returned as undeliverable.
I never have trusted that field.
--Barry Finkel



Re: BIND 9.4.x and check-names

2013-04-17 Thread Barry S. Finkel

Ben-Eliezer, Tal (ITS) tal.ben-elie...@its.ny.gov wrote:


Good Morning,

I recently implemented a change in our DNS environment with the intention of 
suppressing the log events related to AD-integrated zones, and their Non-RFC 
compliant nature.

In the global configuration I added the following statements:

check-names slave ignore;
check-names master ignore;

Flushed and reloaded.

However, I still see these entries appear in the logs. Could someone please 
chime in and let me know if my expectation or implementation was incorrect? 
Many thanks!!

default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
/IN: gc._msdcs./A: bad owner name (check-names)
default.log:12-Apr-2013 00:45:37.447 general: warning: zone 
/IN: gc._msdcs./A: bad owner name (check-names)

Best Regards,

Tal Ben-Eliezer


I would place those in each zone definition, rather than a global
config.  You want to be alerted if a non-AD zone has a name
issue.  Without more information, I cannot tell right now why those
directives did not work.
--Barry Finkel
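The per-zone placement Barry suggests, as an added example (not a configuration from the thread); zone names, file paths and the master address are assumptions. In a zone statement `check-names` takes only the action (the `master`/`slave` keyword belongs to the options/view form), and `named-checkconf` will confirm the syntax before a reload.

```conf
// named.conf fragment: keep the default check-names in force globally
// (master zones fail to load, slave zones warn) and relax it only on the
// AD-integrated zones, whose underscore labels (gc._msdcs, _ldap._tcp, ...)
// are what trip the check.

zone "example.com" {
    type master;
    file "/etc/namedb/example.com.zone";
    // no check-names here: a bad owner name in a normal zone is still reported
};

zone "ad.example.com" {
    type slave;
    masters { 192.0.2.10; };        // assumed: the one domain controller chosen as master
    file "/var/named/slave/ad.example.com";
    check-names ignore;             // zone form: action only, no master/slave keyword
};

zone "_msdcs.ad.example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "/var/named/slave/_msdcs.ad.example.com";
    check-names ignore;
};
```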


Re: Simple question about zone and CNAME

2013-04-08 Thread Barry S. Finkel

On 4/8/2013 9:10 AM, bind-users-requ...@lists.isc.org wrote:

In article mailman.59.1365230565.20661.bind-us...@lists.isc.org, Phil
Mayers p.may...@imperial.ac.uk wrote:

Sam Wilson sam.wil...@ed.ac.uk wrote:


 [adding an A record for ed.ac.uk.]
 


If your AD realm is also called ed.ac.uk then adding an A record will
definitely affect things.

Which is exactly the opposite of what our AD guys said, but not with
such great conviction. :-)

Sam


AD clients, if they do not know about SRV records for finding the
LDAP servers, will use the A records for the AD domain to locate
the Domain Controllers.  Where I used to work we did not segregate
AD, so internally,

 example.com

pointed to the Domain Controllers.  Externally,

 example.com

had no IP address because the DCs were not accessible from the
external Internet.  When we had the DC addresses externally, then
AD clients would see the addresses, try to authenticate to the AD,
experience timeouts, and get frustrated.  Without an external
address, AD clients do not try to access the DCs.  The drawback
is that we cannot have

 example.com

externally have the same address as

 www.example.com

to aid browser users.
--Barry Finkel



Re: Overriding Included Zone File Entries

2013-03-05 Thread Barry S. Finkel

On 3/5/2013 1:08 PM, Pat Suwalski p...@suwalski.net wrote:


Hello everyone,

I have a question about using the $INCLUDE directive in my zone files.

We run DNS for a moderately large number of domains, largely pointing at
the same servers. So, I'd really like to have the following setup:

db.common.inc:

  mail IN A n.n.n.n
  mail2 IN A n.n.n.n
  www IN A n.n.n.n
  @ IN TXT v=spf1...

And then have individual zone files be able to override the various values:

db.special.domain.com:

  $INCLUDE db.common.inc
  www IN A x.x.x.x

Of course, this just round-robins the A record for the www entry.

Does anyone know if it is possible to make the new entry override the
previously included one rather than add to it?

If not, is there a typical config structure that has worked for someone
trying to do a similar setup?

Many thanks,
--Pat


What you need to do is have the common piece in an $INCLUDE file
and put changed items (such as www in your example) in each view.
If www changes in each view, then do not include it in the common
file.  If, for example, you have three views, and www is the same
in two views and different in the third, then you still have to
have www in each view and not in the common file.
--Barry Finkel
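The round-robin Pat ran into is the zone parser working as designed: `$INCLUDE` splices records in, and a later record with the same owner and type joins the RRset rather than replacing it. As an added example (not code from the thread), here is a small checker that expands `$INCLUDE` the same way and reports every RRset assembled from more than one file, so an intended override that became a second record is caught before the zone is loaded. The file contents are constructed to mirror Pat's example and stand in for files read from disk.

```python
"""Expand $INCLUDE and flag 'overrides' that are really extra RRset members.

Added example, not from the thread.  A record in the including file does
not replace a record with the same owner and type from the $INCLUDE
file: the parser appends it, the RRset gets two members, and the answer
round-robins.  This checker expands includes the way the parser does and
reports every owner/type built from more than one file.  It understands
the one-record-per-line form used in the post (owner, optional TTL and
class, type, rdata; leading whitespace repeats the previous owner) and
skips other $-directives; it does not handle multi-line parenthesised
records or a ';' inside quoted TXT data.  FILES is constructed sample
input standing in for files on disk.
"""
from collections import defaultdict

FILES = {
    "db.common.inc": """\
mail  IN A   192.0.2.25
mail2 IN A   192.0.2.26
www   IN A   192.0.2.80
@     IN TXT "v=spf1 mx -all"
""",
    "db.special.example": """\
$TTL 3600
@     IN SOA ns1.example.net. hostmaster.example.net. 2013030501 7200 3600 1209600 3600
      IN NS  ns1.example.net.
$INCLUDE db.common.inc
www   IN A   198.51.100.80   ; meant as an override, parsed as a second A record
""",
}

CLASSES = {"IN", "CH", "HS"}


def expand(name, files=FILES, depth=0):
    """Yield (source_file, owner, type, rdata) for every record, following $INCLUDE."""
    if depth > 8:
        raise RecursionError(f"$INCLUDE nesting too deep at {name}")
    last_owner = "@"
    for raw in files[name].splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$INCLUDE"):
            yield from expand(line.split()[1], files, depth + 1)
            continue
        if line.startswith("$"):                      # $TTL, $ORIGIN: no records
            continue
        fields = line.split()
        if line[0] in " \t":                          # blank owner: reuse previous
            owner = last_owner
        else:
            owner = fields.pop(0)
            last_owner = owner
        if fields and fields[0].isdigit():            # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in CLASSES:   # optional class
            fields.pop(0)
        yield name, owner, fields[0].upper(), " ".join(fields[1:])


def rrsets(name, files=FILES):
    """Group records into RRsets keyed by (owner, type); values are (file, rdata)."""
    sets = defaultdict(list)
    for src, owner, rtype, rdata in expand(name, files):
        sets[(owner, rtype)].append((src, rdata))
    return dict(sets)


def multi_source_rrsets(name, files=FILES):
    """Return {(owner, type): [files]} for RRsets built from more than one file."""
    found = {}
    for key, members in rrsets(name, files).items():
        sources = sorted({src for src, _ in members})
        if len(sources) > 1:
            found[key] = sources
    return found


if __name__ == "__main__":
    for (owner, rtype), sources in multi_source_rrsets("db.special.example").items():
        print(f"{owner} {rtype}: records from {', '.join(sources)} -> round-robin, not override")
```

Run against the sample it reports `www A` as coming from both files; the fix is the one Barry gives, which is to take `www` out of `db.common.inc` and define it per zone.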


Re: question about dns query distribution

2013-02-08 Thread Barry S. Finkel

HI Lawrence,

We have recursive / caching name server for our Broadband internet
services. And we have 60-40 traffic ratio. I mean 60 % queries comes
on primary and 40% on secondary.

Why is the primary not getting 100%?

Is there any way to do it?  Or what is the reason that both
servers are getting queries?

BR
Ben


In DNS there is no concept of a primary and secondary name server.
All of the name servers listed in the NS records for a zone are equal,
and any can be used to handle a DNS query (assuming, of course, that
each server has the zone properly configured).  BIND will use the server
that has the shortest response time, but I do not know what other DNS
implementations do.
--Barry Finkel


Re: DNS Blackholing

2012-12-04 Thread Barry S. Finkel

On 12/4/2012 6:00 AM, John Hascall j...@iastate.edu wrote:

We have found that RPZ works quite well for us.
We have 366825 names in our RPZ zone at present
and scaling thus far has been a non-issue.

A question from the OP that has not yet been answered -
Make the zones masters on all servers.  What I did was to
have a file in common storage accessible to each DNS server,
and every 10 minutes a cron job would run to see if the
file in common storage had been updated.  If so, then
the file was copied to the local disk, and an rndc reconfig
command was issued to re-read the config file.  Note that the
10-minute cron ran at a different minute on each server to ensure that
only one server was reloading at any given time.
--Barry Finkel


Re: BIND and DNSSEC

2012-11-01 Thread Barry S. Finkel

On 11/1/2012 3:31 PM, Sten Carlsen st...@s-carlsen.dk wrote:

The typical server setup (for own servers) is that one name is used for
setting up e.g. the mail server, the ideal situation for everybody is
that whether I am in house or visiting you, if I have any internet
access, I can read and send mail.

Now if there is an internal zone with a different name, how will you set
up the mail client? internal name is not accessible from outside and
external name is not present in internal name space. - two mail
clients? changing setups when moving between networks?

In this case, either 1) you have one mail server at the external border
and one mail server internal, or 2) the same MX record in the external
and internal view. You can have a common records file that you
$INCLUDE in both views.
--Barry Finkel
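One layout that does what Barry describes here and in the earlier ed.ac.uk reply (a common include for records that are identical in both views, with the apex A record pointing at the domain controllers present only in the internal view), as an added example that is not a configuration from the thread; names, addresses and paths are assumptions. Each view has its own zone file and therefore its own SOA serial, so a change to the shared include needs the serial bumped in both.

```conf
// named.conf fragment: the same zone served differently inside and outside.
acl internal-nets { 10.0.0.0/8; 127.0.0.1; };

view "internal" {
    match-clients { internal-nets; };
    zone "example.com" {
        type master;
        file "/etc/namedb/internal/example.com";
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        file "/etc/namedb/external/example.com";
    };
};

; /etc/namedb/common/example.com.inc: records that are identical in both views
@       IN  MX   10 mail.example.com.
mail    IN  A    203.0.113.25
www     IN  A    203.0.113.80

; /etc/namedb/internal/example.com
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. 2012110101 7200 3600 1209600 3600
        IN  NS   ns1.example.com.
$INCLUDE /etc/namedb/common/example.com.inc
@       IN  A    10.1.1.10       ; the domain controllers: AD clients that do not
@       IN  A    10.1.1.11       ; use the SRV records find the DCs through these

; /etc/namedb/external/example.com
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. 2012110101 7200 3600 1209600 3600
        IN  NS   ns1.example.com.
$INCLUDE /etc/namedb/common/example.com.inc
; no apex A record: the DCs are not reachable from outside, so roaming AD
; clients do not try them; the cost is that "example.com" does not resolve
; for browsers, only www.example.com does
```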


Re: ISC Bind in Active Directory

2012-10-19 Thread Barry S. Finkel

On 10/18/2012 3:17 PM, bind-users-requ...@lists.isc.org wrote:

Hi All,

I'm hoping to get some feedback from people who use ISC Bind and DHCPD in 
Active Directory environments.

Currently we use Bind/DHCPD for dynamic DNS and DHCP.  It's been a pretty 
stable service, redundant and we are polling statistics with Cacti.  There is 
concern by Management of using a somewhat non standard approach for Active 
Directory SRV records being handled by ISC services and not AD.

The options we are looking at is migrating to AD for DNS and DHCP services or 
to have Bind/DHCPD handle SRV records for AD.

Some technical info on our BIND environment.

Some Client Identifiers
300 DHCP Pools
Dynamic DNS
Cacti Graphs - Reporting
Syslog via Splunk

Overall it's been a very stable design for the last 5+ years.

If you have any relevant feedback I would appreciate it.  I'm looking for 
information on experience with Active Directory integration with ISC or if 
anyone has had problems/stability issues with AD doing DNS/DHCP or AD working 
with ISC.

Thanks in advance.

Here's a brief survey for Schools that have ISC running in an AD environment.

http://www.surveymonkey.com/s/2VYNKWR

-
Aaron Thompson
Network Architect for IT Operations

Berklee College of Music
1140 Boylston Street, MS-186-NETT
Boston, MA 02215-3693

www.berklee.edu
617.747.8656


What I did was to have the AD zones mastered on Windows Domain Controllers.
I chose ONE of the DCs to be the master for slaving all of these AD zones
on my BIND servers.  There were NO CLIENT MACHINES (to my knowledge) that
were configured to use the Windows DNS Servers as their resolvers.  All
machines pointed to the BIND slaves.

This let Windows AD register any SRV records it wanted; the updated zones
were then transferred (via DNS protocols) to my BIND slaves.  The
only problem was this - when AD first appeared, the Microsoft DNS code
would update the zone serial number, even if the DNS update made no change
to the zone (except to update an internal timestamp in the AD-integrated
zone).  After I opened a support call (in the Windows Server 2000
timeframe), the MS code was changed to not increase the zone serial
number if the zone
contents were not really changing.  As of a year
ago, the code had been modified so zone serial numbers were increasing.
Even with MS DHCP - if a lease was renewed, the DNS update was refused, and
the DHCP server had to re-send the update with TKEY/TSIG authentication
before the update was accepted.  But the zone serial number was incremented,
causing unnecessary zone transfers from the DC to the BIND servers.
I was not allowed to open a support call with MS to see why the code was
changed and to get the code changed.
--Barry Finkel


Re: ho to filter hundeds of domains ?

2012-08-30 Thread Barry S. Finkel

Rick Coloccia coloc...@geneseo.edu wrote:


add this line to /etc/named.conf

include "locallyblockeddomains.zones";


contents of locallyblockeddomains.zones:

// This bind zone is intended to be included in a running dns server for
// a local net
//
// It will return a 127.0.0.1 for the domains listed as malware
//
//  This is for locally determined domains we want blocked
//
//
zone "r.im" {type master; file "/etc/namedb/blockeddomain.hosts";};
snipped many more out
zone "emailupgrader.clan.su" {type master; file "/etc/namedb/blockeddomain.hosts";};




this is the /etc/namedb/blockeddomain.hosts file:

$TTL 86400  ; one day

; MNAME and RNAME carry trailing dots: without them they would be read as
; relative to whichever blocked domain this file is loaded for.
@   IN  SOA ns1.geneseo.edu. coloccia.geneseo.edu. (
            2007112601  ; serial
            28800       ; refresh  8 hours
            7200        ; retry    2 hours
            864000      ; expire  10 days
            86400 )     ; min ttl  1 day

    IN  NS  ns1.geneseo.edu.
    IN  A   127.0.0.1
*   IN  A   127.0.0.1
*   IN  AAAA ::1
; This zone will kill all traffic to a listed domain




Done.

Add domains you want blocked to the locallyblockeddomains.zones file.


In my previous job, the cyber-security team created a list of domains
from various sources.  They tested the file on a test BIND server
before loading the file into the AFS shared file system.  I had a cron
on my DNS servers that ran every 10 minutes that checked for a new file,
and if it saw one, it copied the file to the local disk and ran rndc
to reload the new config file.
--Barry Finkel
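The cron-driven copy Barry describes here and in the earlier DNS Blackholing reply, as an added example (not the script from either post): compare the shared copy with the local one, install it only when it changed, and then ask named to re-read its configuration. Two safeguards the posts do not mention are added: the candidate is parsed with `named-checkconf` before named sees it, so a bad upload to the shared filesystem is rolled back instead of taking the resolver down, and the swap is an atomic rename. All paths are assumptions.

```python
"""Install a vetted blocklist config from shared storage and reload BIND.

Added example, not the cron job from the thread.  Run from cron on each
resolver; it compares the shared copy (an AFS path in the post, any
shared filesystem will do) with the local copy, and only when they
differ installs the new file, checks the full configuration with
named-checkconf, and runs "rndc reconfig".  A file that fails the check
is rolled back so named never loads it.  SHARED, LOCAL and NAMED_CONF
are assumptions.
"""
import hashlib
import os
import shutil
import subprocess
import sys

SHARED = "/afs/example.org/dns/locallyblockeddomains.zones"   # assumed shared copy
LOCAL = "/etc/namedb/locallyblockeddomains.zones"             # assumed live include
NAMED_CONF = "/etc/namedb/named.conf"                         # assumed; includes LOCAL


def digest(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def needs_update(shared, local):
    """True when a shared copy exists and the local copy is missing or differs."""
    if not os.path.exists(shared):
        return False
    if not os.path.exists(local):
        return True
    return digest(shared) != digest(local)


def install(shared, local):
    """Copy shared over local atomically: stage as local.new, then rename."""
    staged = local + ".new"
    shutil.copyfile(shared, staged)
    os.chmod(staged, 0o644)
    os.replace(staged, local)


def config_ok(named_conf, runner=subprocess.run):
    """Parse named.conf and everything it includes with named-checkconf."""
    result = runner(["named-checkconf", named_conf], capture_output=True, text=True)
    return result.returncode == 0


def sync(shared=SHARED, local=LOCAL, named_conf=NAMED_CONF, runner=subprocess.run):
    """Return 0 if nothing changed or the new list was loaded, 1 if it was rejected."""
    if not needs_update(shared, local):
        return 0
    backup = local + ".prev"
    had_local = os.path.exists(local)
    if had_local:
        shutil.copyfile(local, backup)
    install(shared, local)
    if not config_ok(named_conf, runner):
        if had_local:
            os.replace(backup, local)          # roll back; named never saw the bad file
        else:
            os.remove(local)
        print("new blocklist failed named-checkconf; not loaded", file=sys.stderr)
        return 1
    runner(["rndc", "reconfig"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(sync())
```

Crontab entries such as `5,15,25,35,45,55 * * * *` on one resolver and `0,10,20,30,40,50 * * * *` on the other give the stagger Barry describes, so only one server is reconfiguring at a time. A rejected file will be retried on every run until the shared copy is fixed; if that is noisy, record the rejected digest and skip it.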



Re: VMware Bind

2012-06-06 Thread Barry S. Finkel

On Jun 5, 2012, at 9:58 AM, Manson, John wrote:



Will bind run on VMware?

There may be two problems:

1) Will there be problems when the server is rebooted?  If the server relies
   on the DNS server running in a VM, there could be problems.

2) When I tried a test master BIND in a VM, there was not enough entropy
   to generate DNSSEC keys.

--Barry Finkel
