Re: How do I debug if the queries are not getting resolved?
Thanks folks, I just disabled DNSSEC validation in the BIND config file (globally) and those domains started resolving fine.

On Tue, Dec 12, 2023, 13:25 Greg Choules <gregchoules+bindus...@googlemail.com> wrote:

> Hello.
> There are well known and documented issues with the zone "gov.in" and there were some recent problems with "gov" as well.
> Please search this mailing list archive for those domains and you may find some useful hints, tips and information that explain and help you with your own problem.
>
> Cheers, Greg
>
> On Tue, 12 Dec 2023 at 00:48, Blason R wrote:
>
>> Oh I forgot to tell you that. This is BIND RPZ and all the queries are recursive.
>>
>> Dig output just dies out and does not spit anything.
>>
>> And this specifically I noticed with .gov and .gov.in domains. This is the reason I think it might be related to DNSSEC.
>>
>> Also wanted to understand overall how do I debug any queries.
>>
>> On Tue, Dec 12, 2023, 00:28 Marco Moock wrote:
>>
>>> On 11.12.2023 at 23:37:36 Blason R wrote:
>>>
>>> > I require assistance in troubleshooting the resolution issue for specific domains that are not being resolved properly. The version of BIND I am currently using is BIND 9.18.20-1.
>>>
>>> First, tell us if those queries are authoritative on that server or not.
>>>
>>> Try using dig and post the output here.

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: How do I debug if the queries are not getting resolved?
Oh I forgot to tell you that. This is BIND RPZ and all the queries are recursive.

Dig output just dies out and does not spit anything.

And this specifically I noticed with .gov and .gov.in domains. This is the reason I think it might be related to DNSSEC.

Also wanted to understand overall how do I debug any queries.

On Tue, Dec 12, 2023, 00:28 Marco Moock wrote:

> On 11.12.2023 at 23:37:36 Blason R wrote:
>
> > I require assistance in troubleshooting the resolution issue for specific domains that are not being resolved properly. The version of BIND I am currently using is BIND 9.18.20-1.
>
> First, tell us if those queries are authoritative on that server or not.
>
> Try using dig and post the output here.
How do I debug if the queries are not getting resolved?
Hi Guys,

I require assistance in troubleshooting the resolution issue for specific domains that are not being resolved properly. The version of BIND I am currently using is BIND 9.18.20-1.

TIA
Blason R
Re: Facing issues while resolving only one record
Yes, bypassing DNSSEC validation seems to be a solution. Thanks for the help.

On Wed, Aug 30, 2023 at 7:30 PM Bhangui, Sandeep - BLS CTR via bind-users <bind-users@lists.isc.org> wrote:

> This seems to be an issue with the domain incometax.gov.in.
>
> DNSSEC looks like it is broken for that domain.
>
> NS servers at our location also cannot resolve that directly, but if I forward that query to any ISP provider NS which are more lax it resolves just fine.
>
> Thanks
> Sandeep
>
> From: bind-users On Behalf Of John W. Blue via bind-users
> Sent: Wednesday, August 30, 2023 9:39 AM
> To: bind-users
> Subject: RE: Facing issues while resolving only one record
>
> Recommend you turn off DNSSEC validation and see if it starts working.
>
> If it does, then you know the issue is with how DNSSEC is configured on your server.
>
> John
>
> From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Blason R
> Sent: Wednesday, August 30, 2023 8:20 AM
> To: bind-users
> Subject: Facing issues while resolving only one record
>
> Hi all,
>
> I have BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support Version) and I am facing this weird issue. Somehow the eportal.incometax.gov.in site is not getting resolved through DNS.
>
> I tried a lot but unfortunately the issue still persists.
>
> Here are packet capture logs.
>
> listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
> 18:47:19.56 ens18 In IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)
> 18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)
> 18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:21.573628 ens18 In IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ ? eportal.incometax.gov.in. (42)
> 18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% [1au] ? eportal.incometax.gov.in. (65)
> 18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: 34205+% [1au] ? eportal.incometax.gov.in. (65)
> 18:47:23.20 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:23.584820 ens18 In IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? eportal.incometax.gov.in. (42)
> 18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: 28883 [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 [1au] DNSKEY? incometax.gov.in. (57)
> 18:47:25.597312 ens18 In IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ ? eportal.incometax.gov.in. (42)
> 18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: 12762 [1au] DNSKEY? incometax.gov.in. (57)
>
> I feel this is something related to DNS RRKEY Record size?
>
> Plus then I ran dumpdb on my server and went through the cache using the command
>
> # rndc dumpdb -all
>
> And here is the output
>
> incometax.gov.in.       3422 NS ns01.incometax.gov.in.
>                         3422 NS ns02.incometax.gov.in.
> ns01.incometax.gov.in.  131 \- ;-$NXRRSET
> ; ns01.incometax.gov.in. RRSIG NSEC ...
> ; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC
> ; incometax.gov.in. SOA ns01.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600
> ; incometax.gov.in. RRSIG SOA ...
> ns02.incometax.gov.in.  120 \- ;-$NXRRSET
> ; ns02.incometax.gov.in. RRSIG NSEC ...
> ; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC
> ; incometax.gov.in. SOA ns02.incometax.gov.in. ns-admin.c
Facing issues while resolving only one record
Hi all,

I have BIND 9.18.17-1+ubuntu22.04.1+isc+1-Ubuntu (Extended Support Version) and I am facing this weird issue. Somehow the eportal.incometax.gov.in site is not getting resolved through DNS.

I tried a lot but unfortunately the issue still persists.

Here are packet capture logs.

listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:47:19.56 ens18 In IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)
18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)
18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:21.573628 ens18 In IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ ? eportal.incometax.gov.in. (42)
18:47:21.576427 ens18 Out IP 192.168.1.133.55356 > 8.8.8.8.53: 57361+% [1au] ? eportal.incometax.gov.in. (65)
18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:22.777934 ens18 Out IP 192.168.1.133.58739 > 208.67.222.222.53: 34205+% [1au] ? eportal.incometax.gov.in. (65)
18:47:23.20 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] DNSKEY? incometax.gov.in. (57)
18:47:23.584820 ens18 In IP 192.168.1.162.53962 > 192.168.1.133.53: 22+ A? eportal.incometax.gov.in. (42)
18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.205136 ens18 Out IP 192.168.1.133.33517 > 192.36.148.17.53: 18768 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.237837 ens18 Out IP 192.168.1.133.43646 > 156.154.100.20.53: 28883 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.259888 ens18 Out IP 192.168.1.133.51762 > 59.160.103.171.53: 46716 [1au] DNSKEY? incometax.gov.in. (57)
18:47:25.597312 ens18 In IP 192.168.1.162.53963 > 192.168.1.133.53: 23+ ? eportal.incometax.gov.in. (42)
18:47:26.498891 ens18 Out IP 192.168.1.133.52631 > 125.16.225.122.53: 12762 [1au] DNSKEY? incometax.gov.in. (57)

I feel this is something related to DNS RRKEY Record size?

Plus then I ran dumpdb on my server and went through the cache using the command

# rndc dumpdb -all

And here is the output

incometax.gov.in.       3422 NS ns01.incometax.gov.in.
                        3422 NS ns02.incometax.gov.in.
ns01.incometax.gov.in.  131 \- ;-$NXRRSET
; ns01.incometax.gov.in. RRSIG NSEC ...
; ns01.incometax.gov.in. NSEC ns02.incometax.gov.in. A RRSIG NSEC
; incometax.gov.in. SOA ns01.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023060970 7200 3600 1209600 3600
; incometax.gov.in. RRSIG SOA ...
ns02.incometax.gov.in.  120 \- ;-$NXRRSET
; ns02.incometax.gov.in. RRSIG NSEC ...
; ns02.incometax.gov.in. NSEC ns03.incometax.gov.in. A RRSIG NSEC
; incometax.gov.in. SOA ns02.incometax.gov.in. ns-admin.cpc.incometax.gov.in. 2023071447 7200 3600 1209600 3600
; incometax.gov.in. RRSIG SOA ...
; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 131] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 120] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 130] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 119] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 128] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 117] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset]
; ns02.incometax.gov.in [v6 TTL 114] [v4 unexpected] [v6 nxrrset]
; ns01.incometax.gov.in [v6 TTL 125] [v4 unexpected] [v6 nxrrset]
;
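The capture above (and the "gov.in" thread earlier on this page) shows the same shape: the client keeps re-asking for the A record while the resolver fans out DNSKEY queries for the parent zone to one upstream after another and nothing comes back. The script below is an added example, not code from the original posts or from ISC: it parses the tcpdump lines as posted, pairs each outgoing query with a reply from the same upstream carrying the same message ID, and reports lookups that were retried at several servers with no reply at all. The one reply line in the sample is constructed (the posted capture contains none) so that a healthy exchange is visible beside the stalled one.

```python
"""Spot DNSSEC lookups that never get a reply in a tcpdump DNS capture.

Added example for this thread; not code from the original posts. It parses
the tcpdump lines that were posted, groups every query the resolver
(192.168.1.133) sent upstream by name and type, and counts the replies that
came back from the same upstream with the same message ID. A DNSKEY lookup
fanned out to many upstreams with no reply at all is the pattern of a
validating resolver stuck building the chain of trust for a zone, which is
the point at which dig "just dies".
"""
import re
from collections import defaultdict

RESOLVER = "192.168.1.133"   # the BIND host in the posted capture

# Prefix shared by query and reply lines: time, interface, direction,
# src.port > dst.port, then the message ID and tcpdump's flag characters.
HEAD_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+(?P<dir>In|Out)\s+IP\s+"
    r"(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):\s+"
    r"(?P<id>\d+)(?P<flags>[+%*$|-]*)\s+(?P<rest>.*)$"
)
# Query tail: optional EDNS marker, then "<TYPE>? <name>. (<len>)". Some of the
# posted lines lost the type, so the type group may be empty.
QUERY_RE = re.compile(r"^(?:\[1au\]\s+)?(?P<qtype>\w*)\?\s+(?P<qname>\S+)\s+\(\d+\)$")
# Reply tail: an optional RCODE word, then answer/authority/additional counts.
REPLY_RE = re.compile(r"^(?:\S+\s+)?\d+/\d+/\d+")

SAMPLE_CAPTURE = [
    # Lines taken from the capture posted in this thread.
    "18:47:19.56 ens18 In IP 192.168.1.162.61110 > 192.168.1.133.53: 20+ A? eportal.incometax.gov.in. (42)",
    "18:47:19.587705 ens18 Out IP 192.168.1.133.40263 > 208.67.222.222.53: 30627+% [1au] A? eportal.incometax.gov.in. (65)",
    "18:47:19.599214 ens18 Out IP 192.168.1.133.44299 > 1.1.1.1.53: 62952+% [1au] DNSKEY? incometax.gov.in. (57)",
    "18:47:20.800736 ens18 Out IP 192.168.1.133.56154 > 8.8.8.8.53: 16152+% [1au] DNSKEY? incometax.gov.in. (57)",
    "18:47:21.573628 ens18 In IP 192.168.1.162.53536 > 192.168.1.133.53: 21+ ? eportal.incometax.gov.in. (42)",
    "18:47:22.002738 ens18 Out IP 192.168.1.133.33064 > 208.67.222.222.53: 16204+% [1au] DNSKEY? incometax.gov.in. (57)",
    "18:47:23.20 ens18 Out IP 192.168.1.133.60920 > 9.9.9.9.53: 46145+% [1au] DNSKEY? incometax.gov.in. (57)",
    "18:47:24.405041 ens18 Out IP 192.168.1.133.56475 > 198.41.0.4.53: 12349 [1au] DNSKEY? incometax.gov.in. (57)",
    # Constructed reply (the posted capture has none): a successful exchange,
    # so the A lookup is not reported as stalled.
    "18:47:19.620511 ens18 In IP 208.67.222.222.53 > 192.168.1.133.40263: 30627 1/0/1 A 203.0.113.10 (81)",
]


def parse_line(line):
    """One tcpdump line -> dict with kind "query" or "reply", or None if neither."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    q = QUERY_RE.match(rec["rest"])
    if q:
        rec["kind"] = "query"
        rec["qtype"] = q.group("qtype") or "?"
        rec["qname"] = q.group("qname").rstrip(".").lower()
    elif REPLY_RE.match(rec["rest"]):
        rec["kind"] = "reply"
    else:
        return None
    return rec


def summarize(lines, resolver=RESOLVER):
    """Per (qtype, qname): queries sent upstream, distinct servers asked, replies matched."""
    pending = {}   # (message id, upstream address) -> (qtype, qname)
    stats = defaultdict(lambda: {"sent": 0, "servers": set(), "replies": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query" and rec["dir"] == "Out" and rec["src"] == resolver:
            key = (rec["qtype"], rec["qname"])
            pending[(rec["id"], rec["dst"])] = key
            stats[key]["sent"] += 1
            stats[key]["servers"].add(rec["dst"])
        elif rec["kind"] == "reply" and rec["dir"] == "In" and rec["dst"] == resolver:
            key = pending.pop((rec["id"], rec["src"]), None)
            if key is not None:
                stats[key]["replies"] += 1
    return stats


def stalled_lookups(lines, min_servers=2):
    """Lookups retried at `min_servers` or more upstreams without a single reply."""
    return sorted(
        (qtype, qname, len(s["servers"]))
        for (qtype, qname), s in summarize(lines).items()
        if s["replies"] == 0 and len(s["servers"]) >= min_servers
    )


if __name__ == "__main__":
    for qtype, qname, n in stalled_lookups(SAMPLE_CAPTURE):
        print(f"no reply for {qtype} {qname} after asking {n} upstream servers")
```

Feed it the output of `tcpdump -l -n -i any port 53` on the resolver. A DNSKEY or DS lookup listed here points at the zone whose chain of trust cannot be built; the next step is `delv` or `dig +cd` against that zone to see whether the upstreams answer at all, which separates a broken zone from an upstream that drops the large DNSKEY responses.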
Can we use rndc addzone to add zone in rpz configuration?
Hi,

Keen to know if the rndc addzone functionality can be used to add zones in BIND serving response-policy? If so, then what would be my view? Do I need to define my view to make it work? I tried this and it's failing, hence wondering if rndc can be used to add a zone or delete a zone on the fly.

Here is my config:

options {
    version "x";
    allow-query { localhost; subnets; };
    directory "/var/cache/bind";
    recursion yes;
    allow-new-zones yes;
    querylog yes;
    forwarders { 9.9.9.9; };
    // dnssec-validation auto;
    request-ixfr yes;
    auth-nxdomain no;    # conform to RFC1035
    // listen-on-v6 { any; };
    listen-on port 53 { any; };
    response-policy {
        zone "whitlist.allow" policy passthru;
        zone "immediate.block";
        zone "malware.trap";
        zone "block.tld";
        zone "cryptojack.block";
        zone "ransomwareips.block";
    };
};

And I wanted to add, let's say, a porn.block zone.
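The trap with `rndc addzone` and RPZ is that it only creates a zone statement; the `response-policy` list is fixed at configuration time and is not extended by it, so a zone added on the fly is loaded but never consulted as a policy zone until named.conf is edited and `rndc reconfig` is run. The linter below is an added example, not BIND code and not the poster's setup: it reads a named.conf (with the zone statements for the RPZ zones constructed for the example, since the posted config omits them) and reports names that appear in `response-policy` without a zone statement and zone statements that are not in the list. Ordinary authoritative zones will show in the second list as well, so treat it as a set of candidates to verify.

```python
"""Cross-check response-policy entries against zone statements in named.conf.

Added example for this thread; not BIND code. A zone created with
`rndc addzone` has a zone statement but is absent from the response-policy
list, which is exactly what the second list below surfaces. The sample config
is constructed around the options block posted in the thread.
"""
import re

COMMENT_RE = re.compile(r"//[^\n]*|#[^\n]*|/\*.*?\*/", re.S)
POLICY_BLOCK_RE = re.compile(r"response-policy\s*\{(.*?)\};", re.S)
POLICY_ZONE_RE = re.compile(r'zone\s+"([^"]+)"')
# A zone *statement* is followed by "{"; entries inside response-policy are not.
ZONE_STMT_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:IN\s+)?\{')

SAMPLE_CONF = r'''
options {
    recursion yes;
    allow-new-zones yes;
    forwarders { 9.9.9.9; };
    response-policy {
        zone "whitlist.allow" policy passthru;
        zone "immediate.block";
        zone "malware.trap";
    };
};
// Zone statements for the policy zones (constructed; the post omits them).
zone "whitlist.allow" { type primary; file "rpz/whitlist.allow"; };
zone "immediate.block" { type primary; file "rpz/immediate.block"; };
// "malware.trap" deliberately has no zone statement: named will refuse to start.
// porn.block as rndc addzone would leave it: a zone statement and nothing else.
zone "porn.block" { type primary; file "rpz/porn.block"; };
'''


def strip_comments(conf_text):
    """Drop //, # and /* */ comments so a commented-out zone is not counted."""
    return COMMENT_RE.sub("", conf_text)


def policy_zones(conf_text):
    """Zone names listed in every response-policy block, normalised."""
    names = set()
    for block in POLICY_BLOCK_RE.findall(strip_comments(conf_text)):
        names.update(n.lower().rstrip(".") for n in POLICY_ZONE_RE.findall(block))
    return names


def zone_statements(conf_text):
    """Zone names that have a zone "name" { ... } statement."""
    return {n.lower().rstrip(".") for n in ZONE_STMT_RE.findall(strip_comments(conf_text))}


def rpz_status(conf_text):
    """The two mismatches that matter for RPZ, each as a sorted list."""
    policy, defined = policy_zones(conf_text), zone_statements(conf_text)
    return {
        "listed_but_no_zone_statement": sorted(policy - defined),
        "zone_statement_not_listed": sorted(defined - policy),
    }


if __name__ == "__main__":
    for problem, names in rpz_status(SAMPLE_CONF).items():
        print(f"{problem}: {', '.join(names) or 'none'}")
```

Zones added with `rndc addzone` live in the new-zone file rather than named.conf, so concatenate the output of `rndc showzone <name>` for each of them before running the check; `named-checkconf` still remains the authority on whether the file parses.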
Re: DNS Queries Using API - BIND9
Hmmm, nice suggestion and I appreciate that. But it would be too much for a normal user looking for a simpler manner. Anyway, if there is no option then we will have to live with the VPN option for now.

On Mon, 11 May 2020, 22:34 Petr Menšík wrote:

> Hi,
>
> AFAIK BIND is supported also on Windows. Would it be possible just to install the BIND service on the local machine and configure it to download a DLZ zone from your servers? It could authenticate using ddns keys. And forward would be also straightforward. As a bonus, they would get a local validating resolver.
>
> I think that would be quite satisfying for their security, but would prevent you from watching them too close. I think that would be an advantage in sort, especially when they are in "private" mode.
>
> Of course some scripts to configure the installation would be required, because an ordinary user does not want to configure BIND. Some smart installer might be enough.
>
> Regards,
> Petr
>
> On 5/11/20 6:14 AM, Blason R wrote:
> > Hi Folks,
> >
> > I am seeking a solution for our problem below and wanted to know if any open source option can help us here.
> > We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home we are not able to route their queries to internal DNS servers. Well, when they are on VPN definitely queries are then passed through the internal DNS server, but they are left open when not connected to VPN.
> >
> > Is there any solution using -
> >
> > - API by which we can route the queries for users who are on the Internet
> > - Or any client utility which can be installed on the user's desktop/laptop where we can embed our BIND RPZ server and then route the queries to the internal one using NAT?
> > - Or any other alternative the community can suggest?
> >
> > This is just like Cisco Umbrella or any other paid DNS firewall solution, but seeking if we can have any open source option?
> >
> > Thanks & Regards
> > Blason R
>
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemen...@redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
Re: DNS Queries Using API - BIND9
Nah, those are regular users. And I am thinking of working on a DoT proxy and forcing that through GPO for browsers.

On Mon, May 11, 2020 at 12:27 PM Vadim Pavlov wrote:

> If your users have admin permissions you probably will not find any open source tool which supports that. For restricted accounts on Windows - create policies.
>
> BR,
> Vadim
>
> On May 10, 2020, at 23:52, Blason R wrote:
>
> That's a nice starting point - https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/
>
> But still looking for any client utility so that users cannot shut down or suspend the service.
>
> On Mon, May 11, 2020 at 12:18 PM Blason R wrote:
>
>> Hmm - any docs on configuring a DoH proxy?
>>
>> On Mon, May 11, 2020 at 11:56 AM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
>>
>>> On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
>>> > The main issue is that BIND doesn't provide an authentication method. So in any case you somehow should manage the access to the DNS server; otherwise it will become an open resolver and will be used for DDoS attacks.
>>>
>>> If you were to use DoH, you could use Basic Authentication. The DoH URL you could configure on your client systems could be something like this:
>>>
>>> https://username:passw...@doh.example.com/dns-query
>>>
>>> Daniel
Re: DNS Queries Using API - BIND9
That's a nice starting point - https://www.nginx.com/blog/using-nginx-as-dot-doh-gateway/

But still looking for any client utility so that users cannot shut down or suspend the service.

On Mon, May 11, 2020 at 12:18 PM Blason R wrote:

> Hmm - any docs on configuring a DoH proxy?
>
> On Mon, May 11, 2020 at 11:56 AM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
>
>> On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
>> > The main issue is that BIND doesn't provide an authentication method. So in any case you somehow should manage the access to the DNS server; otherwise it will become an open resolver and will be used for DDoS attacks.
>>
>> If you were to use DoH, you could use Basic Authentication. The DoH URL you could configure on your client systems could be something like this:
>>
>> https://username:passw...@doh.example.com/dns-query
>>
>> Daniel
Re: DNS Queries Using API - BIND9
Hmm - any docs on configuring a DoH proxy?

On Mon, May 11, 2020 at 11:56 AM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:

> On 11.05.20 08:18, Vadim Pavlov via bind-users wrote:
> > The main issue is that BIND doesn't provide an authentication method. So in any case you somehow should manage the access to the DNS server; otherwise it will become an open resolver and will be used for DDoS attacks.
>
> If you were to use DoH, you could use Basic Authentication. The DoH URL you could configure on your client systems could be something like this:
>
> https://username:passw...@doh.example.com/dns-query
>
> Daniel
Re: DNS Queries Using API - BIND9
I can do that. But:

1. How can I control unauthorized use?
2. Since once it's populated over the Internet it can be used by anyone, right?
3. Plus from the user end they can change the DNS to avoid protection.

On Mon, May 11, 2020 at 11:01 AM Reindl Harald wrote:

> On 11.05.20 at 06:14 Blason R wrote:
> > I am seeking a solution for our problem below and wanted to know if any open source option can help us here.
> > We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home we are not able to route their queries to internal DNS servers. Well, when they are on VPN definitely queries are then passed through the internal DNS server, but they are left open when not connected to VPN.
> >
> > Is there any solution using -
> >
> > * API by which we can route the queries for users who are on the Internet
> > * Or any client utility which can be installed on the user's desktop/laptop where we can embed our BIND RPZ server and then route the queries to the internal one using NAT?
> > * Or any other alternative the community can suggest?
>
> When you are in the position to use something like this you can also tell your users they have to configure their machines for using a public DNS you are hosting, and you are done.
DNS Queries Using API - BIND9
Hi Folks,

I am seeking a solution for our problem below and wanted to know if any open source option can help us here.

We have our internal DNS RPZ firewall built on BIND9. Due to the current situation, since all users are working from home we are not able to route their queries to internal DNS servers. Well, when they are on VPN definitely queries are then passed through the internal DNS server, but they are left open when not connected to VPN.

Is there any solution using -

- API by which we can route the queries for users who are on the Internet
- Or any client utility which can be installed on the user's desktop/laptop where we can embed our BIND RPZ server and then route the queries to the internal one using NAT?
- Or any other alternative the community can suggest?

This is just like Cisco Umbrella or any other paid DNS firewall solution, but seeking if we can have any open source option?

Thanks & Regards
Blason R
Re: DNS RPZ Protection From DoH
Gotcha :)

On Wed, Oct 2, 2019 at 10:41 PM Vadim Pavlov wrote:

> You didn't get the sarcasm in the previous email :)
> The issue is that you cannot 100% block DoH without blocking HTTPS. You may block well-known domains and IPs, but there are many unknown ones, and for targeted attacks new servers can be created even behind legit (but compromised) websites.
>
> Vadim
>
> On Oct 2, 2019, at 10:04, Blason R wrote:
>
> Block 443? Not even possible, since most of the portals/web servers nowadays work on TCP/443.
>
> On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg wrote:
>
>> On 10/2/19 8:00 AM, Blason R wrote:
>> > Hmm, that is a good idea to block the DoH queries, but what I understood is blocking at the perimeter level would be more appropriate.
>>
>> To nullify the abilities of DoH, you can block port TCP/443.
>>
>> That is pretty much guaranteed to keep DoH from working, but you may want to test this solution in the lab before you deploy widely.
>>
>> This method of controlling DoH may have side-effects.
>>
>> AlanC
Re: DNS RPZ Protection From DoH
Block 443? Not even possible, since most of the portals/web servers nowadays work on TCP/443.

On Wed, Oct 2, 2019 at 6:57 PM Alan Clegg wrote:

> On 10/2/19 8:00 AM, Blason R wrote:
> > Hmm, that is a good idea to block the DoH queries, but what I understood is blocking at the perimeter level would be more appropriate.
>
> To nullify the abilities of DoH, you can block port TCP/443.
>
> That is pretty much guaranteed to keep DoH from working, but you may want to test this solution in the lab before you deploy widely.
>
> This method of controlling DoH may have side-effects.
>
> AlanC
Re: DNS RPZ Protection From DoH
Hmm, that is a good idea to block the DoH queries, but what I understood is blocking at the perimeter level would be more appropriate.

On Wed, Oct 2, 2019 at 4:58 PM Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:

> You cannot block DoH with RPZ, but you can block bootstrapping DoH if the web browser is configured to use "normal" DNS to look up the DoH endpoint. See also:
>
> https://github.com/bambenek/block-doh
>
> Daniel
>
> On 02.10.19 13:23, Blason R wrote:
> > Hi Folks,
> >
> > Wondering if anyone has any clue or is defining policies for blocking DoH [DNS over HTTPS] traffic using the BIND RPZ feature?
> >
> > Does anyone have any use case about it?
> >
> > Thanks and Regards,
> > Blason R
DNS RPZ Protection From DoH
Hi Folks,

Wondering if anyone has any clue or is defining policies for blocking DoH [DNS over HTTPS] traffic using the BIND RPZ feature?

Does anyone have any use case about it?

Thanks and Regards,
Blason R
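As Daniel's reply in this thread says, RPZ cannot see DoH traffic; what it can do is answer the ordinary DNS lookup a browser makes for its DoH endpoint hostname before the first HTTPS connection, and an NXDOMAIN there stops that bootstrap on clients that still use the organisation's resolver. The generator below is an added example, not code from the original posts or from the block-doh project: it emits an RPZ zone from a list of hostnames using RPZ's action encodings (`CNAME .` for NXDOMAIN, `CNAME *.` for NODATA, `CNAME rpz-passthru.` to exempt a name). The endpoint names are constructed placeholders; `use-application-dns.net` is the canary name Mozilla documents for Firefox, and an NXDOMAIN answer for it tells the browser to stay on the system resolver.

```python
"""Build an RPZ zone that returns NXDOMAIN for DoH endpoint hostnames.

Added example for this thread; not BIND code and not the block-doh project's
code. The feed below is constructed for the example, apart from the Mozilla
canary name noted in the comment.
"""

# RPZ encodes its actions as special CNAME targets.
RPZ_ACTIONS = {
    "nxdomain": "CNAME .",              # answer NXDOMAIN
    "nodata":   "CNAME *.",             # answer NOERROR with no records
    "passthru": "CNAME rpz-passthru.",  # exempt from later policy zones
    "drop":     "CNAME rpz-drop.",      # send no answer at all
}


def rpz_records(name, action="nxdomain", wildcard=True):
    """Zone-file lines for one hostname and, optionally, everything below it."""
    owner = name.strip().lower().rstrip(".")
    if not owner:
        raise ValueError("empty hostname")
    rdata = RPZ_ACTIONS[action]
    lines = [f"{owner}\t{rdata}"]
    if wildcard:
        lines.append(f"*.{owner}\t{rdata}")
    return lines


def build_rpz_zone(origin, serial, entries, ttl=60):
    """Complete zone text for `origin` from (hostname, action) pairs.

    Duplicate names (usual when feeds are merged) are emitted once; the short
    TTL keeps clients from caching a policy answer for long after it changes.
    """
    zone = origin.rstrip(".")
    header = [
        f"$TTL {ttl}",
        f"$ORIGIN {zone}.",
        f"@\tSOA\tlocalhost. hostmaster.{zone}. {serial} 3600 900 604800 {ttl}",
        "@\tNS\tlocalhost.",
    ]
    seen, body = set(), []
    for name, action in entries:
        for line in rpz_records(name, action):
            owner = line.split("\t", 1)[0]
            if owner not in seen:
                seen.add(owner)
                body.append(line)
    return "\n".join(header + body) + "\n"


# Constructed feed. use-application-dns.net is the canary name Mozilla
# documents for Firefox: NXDOMAIN for it means "do not switch to DoH".
SAMPLE_ENTRIES = [
    ("doh.example.net", "nxdomain"),
    ("dns.provider.example", "nxdomain"),
    ("use-application-dns.net", "nxdomain"),
    ("doh.corp.example", "passthru"),   # the organisation's own gateway stays reachable
    ("doh.example.net", "nxdomain"),    # duplicate on purpose
]

if __name__ == "__main__":
    print(build_rpz_zone("doh.block", 2019100201, SAMPLE_ENTRIES), end="")
```

Write the output to a file, add a `zone "doh.block" { type primary; file "..."; };` statement, list `zone "doh.block";` in `response-policy`, and run `named-checkzone doh.block <file>` before reloading. Clients that already hold a hard-coded DoH endpoint address, or that use a resolver outside the organisation, are untouched by this, which is the limit Vadim points out later in the thread.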
Re: BIND setup for GSLB (Global Service Load Balancing)
Well, there are other cheaper solutions available, like from Array Networks or Peplink; they can offer DNS sub-domain delegation for GSLB. But I really doubt if any such OSS can do a similar job.

On Thu, 12 Sep 2019, 21:10 Roberto Carna wrote:

> Hi people, is it possible to set up BIND in order to implement GSLB (Global Service Load Balancing) between two sites?
>
> I need a near Active-Active scenario between two datacenters in different locations, and I want to do this with an open source solution.
>
> Thanks a lot!
>
> Roberto
Re: Change DNS records automatically when a link is DOWN
I guess you need DNS sub-domain delegation.

On Wed, Jun 5, 2019 at 8:51 PM Kevin Darcy wrote:

> Publish all 3 NSes.
>
> Publish MX records with primary/failover preferencing.
>
> Use a load-balancer (free or commercial, software/hardware/cloud-based) to direct the web traffic.
>
> - Kevin
>
> On Wed, Jun 5, 2019 at 11:16 AM Roberto Carna wrote:
>
>> Dear people, I have two sites:
>>
>> - Main site with an Internet link and two BIND services (DNS1 and DNS2) and a /28 block, and web and mail services supported
>> - Backup site with a second Internet link and a BIND service (DNS3) and another /28 block
>>
>> When the Internet link from the main site is DOWN, the web and mail traffic come through the backup site to the main site crossing a L2L. So I need to change the IPs of the FQDN hosts I have supported in the DNS3 in order to continue offering services (web and mail). How can I do this automatically? Is there any way that "something" monitors the main Internet link and in case it is DOWN automatically orders to modify the FQDN records in DNS3?
>>
>> Thanks a lot and regards!
Re: What is maximum size BIND can accept in A Record?
Yep, that's what I wanted, so I was right: a couple of records are above 254, hence my zone is failing.

On Wed, Jun 5, 2019 at 4:37 PM Tony Finch wrote:

> Blason R wrote:
> >
> > As soon as I find the long URLs with more than 150 words and remove them, it starts perfectly.
> >
> > Though 150 is what I considered, and I even tried with 200 and it worked. So wondering what is the limit?
>
> I infer that you are talking about the length of domain names, specifically owner names.
>
> The maximum length is 254 including the terminating dot. The maximum length of a label (which is what the components between the dots are called) is 63 characters.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Cromarty, Forth, Tyne: Cyclonic 3 to 5, becoming variable 3 or less. Slight or moderate. Thundery showers later. Good, occasionally poor.
What is maximum size BIND can accept in A Record?
Hi Team,

I have BIND RPZ built on BIND version 9.10.3-P4-Ubuntu and am wondering what the maximum size of an A record is that any zone can have, because really big domains are not getting parsed and my reloading is failing consistently.

As soon as I find the long URLs with more than 150 words and remove them, it starts perfectly. Though 150 is what I considered, and I even tried with 200 and it worked. So wondering what is the limit?

Thanks and Regards,
Blason R
Re: DNS Re-binding Attack Prevention with BIND
Hi Tony,

Thanks for the revert; however, in my scenario I have a Windows AD server being used as the authoritative DNS for example.local, which has forwarding set to BIND acting as an RPZ, and I am wanting to see if we can conceal this vulnerability on BIND. I think since BIND is not an NS for the example domain, even if I enable this protection on BIND I am not sure whether that would take effect?

Thanks and Regards,
Blason R

On Mon, Jan 28, 2019 at 4:05 PM Tony Finch wrote:
> Blason R wrote:
> >
> > Can someone guide me on prevention and possible configuration in BIND
> > against DNS Re-bind attack?
>
> Have a look for "rebinding" in
> https://ftp.isc.org/isc/bind9/9.12.0/doc/arm/Bv9ARM.ch06.html
>
> There is evidence that very few people are using `deny-answer-aliases`
> https://kb.isc.org/docs/aa-01639 though it's unclear to me whether that is
> also true for `deny-answer-addresses`.
>
> Tony.
> --
> f.anthony.n.finch  http://dotat.at/
> Thames, Dover: Northwest 6 to gale 8, decreasing 4 or 5, backing southwest
> later. Moderate or rough becoming slight or moderate. Showers. Good.
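An added example (my own code, not from the thread and not BIND's) that models the `deny-answer-addresses ... except-from` rule Tony points to, as the ARM describes it, so the effect of such a configuration can be checked against sample answers; the denied ranges and the test answers are constructed, and `example.local` is the zone named in the message above.

```python
# Added example, not from the list thread and not BIND's own code: a model of the
# deny-answer-addresses / except-from filter Tony points to, so the effect of a
# configuration such as
#
#     deny-answer-addresses { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
#                             127.0.0.0/8; ::1/128; }
#                           except-from { "example.local"; };
#
# can be checked against sample answers. Rule modelled (from the ARM's description):
# if an A/AAAA address in the answer falls inside the denied list and the query
# name is not at or below a name in except-from, the whole response is refused
# (named answers SERVFAIL). The ranges and the test answers are constructed;
# "example.local" is the zone from Blason's message.
import ipaddress

DENIED = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]
EXCEPT_FROM = ("example.local",)


def _norm(name):
    return name.rstrip(".").lower()


def is_subdomain(name, parent):
    """True if name equals parent or lies below it (on a label boundary)."""
    n, p = _norm(name), _norm(parent)
    return n == p or n.endswith("." + p)


def filter_answer(qname, addresses, denied=DENIED, except_from=EXCEPT_FROM):
    """Return ("pass", None) or ("servfail", offending_address)."""
    if any(is_subdomain(qname, e) for e in except_from):
        return ("pass", None)      # internal names may legitimately map to internal IPs
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in denied):
            return ("servfail", a) # external name answered with an internal address
    return ("pass", None)


# Constructed sample answers, as a resolver that forwards for an AD domain would see them.
SAMPLE_ANSWERS = [
    ("www.example.com", ["203.0.113.5"]),                   # public name, public address
    ("evil.example.com", ["203.0.113.5", "192.168.1.42"]),  # public name, internal address: the rebinding pattern
    ("dc01.example.local.", ["192.168.1.42"]),              # internal name, covered by except-from
    ("notexample.local", ["10.1.2.3"]),                     # not below example.local, so not exempt
]


def audit(answers=SAMPLE_ANSWERS):
    """Map each query name to the verdict the filter would give its answer."""
    return {q: filter_answer(q, addrs)[0] for q, addrs in answers}


if __name__ == "__main__":
    for q, verdict in audit().items():
        print(f"{q:25} {verdict}")
```

The filter only inspects answers named obtains from other servers while recursing or forwarding; answers served from authoritative zone data (such as the AD server's own example.local) never pass through it.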
DNS Re-binding Attack Prevention with BIND
Hi Team,

Can someone guide me on prevention and possible configuration in BIND against DNS Re-bind attack?

Thanks and Regards,
Blason R
Re: Need help on RPZ server, bit urgent
It's there!!!

On Mon, Aug 13, 2018 at 6:58 PM Bob Harold wrote:
>
> --
> Bob Harold
> hostmaster, UMnet, ITcom
> Information and Technology Services (ITS)
> 734-647-6524 desk
>
> On Sun, Aug 12, 2018 at 2:38 AM Blason R wrote:
>
>> Hi Bob,
>>
>> I guess my scenario is not exactly understood, I believe. Before that, if I
>> have set a forwarder in the global options then ideally BIND should forward all
>> queries to the forwarder, right?
>>
>> Let's say 192.168.3.15 is the client,
>> 192.168.3.42 is the BIND server,
>> 192.168.3.78 is the RPZ server.
>>
>> I have one zone on 192.168.3.42 by the name test.com and have all the
>> entries on 192.168.3.42, so on the user's desktop 192.168.3.15 I have DNS
>> configured as 192.168.3.42.
>
> Make sure 3.42 has in the global options:
>     forward only;
>     forwarders { 192.168.3.78; };
>
> If you are missing the "forward only;" then bind will try to forward, but
> if it does not get a quick answer it will try to resolve itself.
>
> --
> Bob Harold
>
>> So,
>>
>> When a query goes for ftp.test.com it will be resolved by 192.168.3.42.
>> When a query goes for bad.malware.com it will be forwarded to 192.168.3.78,
>> where it will be wall-gardened.
>>
>> Now what I noticed is certain RPZ entries on 3.78 are not getting
>> resolved from 192.168.3.15. And then I observed that certain .com entries
>> 3.42 is trying to resolve on its own even though it is not the authoritative
>> server, and supposedly ALL those queries should have been forwarded to
>> 192.168.3.78.
>>
>> PS: I guess there are certain folks on the list from commercial RPZ
>> services; are they facing the same issue?
Re: Need help on RPZ server, bit urgent
Hi Bob,

I guess my scenario is not exactly understood, I believe. Before that, if I have set a forwarder in the global options then ideally BIND should forward all queries to the forwarder, right?

Let's say 192.168.3.15 is the client,
192.168.3.42 is the BIND server,
192.168.3.78 is the RPZ server.

I have one zone on 192.168.3.42 by the name test.com and have all the entries on 192.168.3.42, so on the user's desktop 192.168.3.15 I have DNS configured as 192.168.3.42.

So,

When a query goes for ftp.test.com it will be resolved by 192.168.3.42.
When a query goes for bad.malware.com it will be forwarded to 192.168.3.78, where it will be wall-gardened.

Now what I noticed is certain RPZ entries on 3.78 are not getting resolved from 192.168.3.15. And then I observed that certain .com entries 3.42 is trying to resolve on its own even though it is not the authoritative server, and supposedly ALL those queries should have been forwarded to 192.168.3.78.

PS: I guess there are certain folks on the list from commercial RPZ services; are they facing the same issue?

On Sun, Aug 12, 2018 at 10:12 AM Bob Harold wrote:
>
> On Fri, Aug 10, 2018 at 10:53 PM Blason R wrote:
>
>> In fact what I observed is that the intermediate DNS servers are not
>> forwarding the queries for .com and .net servers to my RPZ servers and it
>> tries to resolve directly on its own from the TLD servers
>
> You need to work on the intermediate server to get it to forward. If it
> is running Microsoft DNS, then I don't know enough to help you with that.
>
> I would suggest that you have the RPZ server be a 'slave' for the
> 'test.com' zone (and all the zones that the AUTH server has). Then point
> users directly at the RPZ server.
>
> --
> Bob Harold
Re: Need help on RPZ server, bit urgent
In fact what I observed is that the intermediate DNS servers are not forwarding the queries for .com and .net servers to my RPZ servers and it tries to resolve directly on its own from the TLD servers.

192.168.3.72 End User
192.168.3.15 [AUTH Server for test.com] and has forwarder to 192.168.3.44 [RPZ]

So, 3.15 should only resolve for test.com, else all queries should be forwarded to 192.168.3.44.

*Which is not happening.*

dig 003bbhq9.com

; <<>> DiG 9.9.4-RedHat-9.9.4-51.el7 <<>> 003bbhq9.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 6844
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;003bbhq9.com.                  IN      A

*;; AUTHORITY SECTION:*
*com.    530     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1533954938 1800 900 604800 86400*

;; Query time: 0 msec
;; SERVER: 192.168.3.15#53(192.168.3.15)
;; WHEN: Sat Aug 11 08:12:17 IST 2018
;; MSG SIZE  rcvd: 114
Re: Need help on RPZ server, bit urgent
Ok - Now I added it like this and the error disappeared.

response-policy { zone "whitelist.allow" policy passthru;
                  zone "malware.trap";
                  zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no;
Re: Need help on RPZ server, bit urgent
This is not accepted and gives me a syntax error.

named-checkconf /etc/bind/named.conf
/etc/bind/named.conf.options:29: syntax error near '}'

And here is what I added:

response-policy { zone "whitelist.allow" policy passthru;
                  zone "malware.trap";
                  zone "ransomwareips.block"; } qname-wait-recurse no break-dnssec no; };

On Sat, Aug 11, 2018 at 1:17 AM Carl Byington wrote:
> On Fri, 2018-08-10 at 13:17 +0530, Blason R wrote:
> > Nah I don't think that is the answer since you need a termination after
> > clause.
>
> Did you actually try the answer below?
>
> > On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov wrote:
> > Should be:
> >
> > response-policy {zone "whitelist.allow" policy passthru;
> > zone "malware.trap";
> > zone "ransomwareips.block";
> > } qname-wait-recurse no break-dnssec no;
Re: Need help on RPZ server, bit urgent
Hello,

Well, even though the entry is there in the RPZ zone it is still being returned as NXDOMAIN.

On Fri, Aug 10, 2018, 3:01 PM WILSON Sam wrote:
> I'm sorry, I don't understand the question. Your message shows a query
> and an NXDOMAIN response. That seems to be correct. I don't know whether
> your RPZ configuration is supposed to change that.
>
> Sam
>
> > On 9 Aug 2018, at 18:25, Blason R wrote:
> >
> > Is it a bug?? I mean certain domains from my rpz feeds are properly
> > getting resolved while a few are giving NXDOMAIN though they appear in the zone.
> >
> > On Thu, Aug 9, 2018, 8:57 PM Sam Wilson wrote:
> > On 2018-08-09 14:00:55 +, Blason R said:
> >
> > > For example this one.
> > >
> > > 18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
> > > 18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)
> >
> > $ dig 0351dag.com
> >
> > ; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
> > ;; global options: +cmd
> > ;; Got answer:
> > ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
> > ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> >
> > ;; QUESTION SECTION:
> > ;0351dag.com.                   IN      A
> >
> > ;; AUTHORITY SECTION:
> > com.    900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1533828275 1800 900 604800 86400
> >
> > Sam
> >
> > --
> > The University of Edinburgh is a charitable body, registered in
> > Scotland, with registration number SC005336.
>
> --
> Sam Wilson
> Communications Infrastructure Section, IT Infrastructure
> Information Services, The University of Edinburgh
> Edinburgh, Scotland, UK
Re: Need help on RPZ server, bit urgent
Hello All,

I have been debugging my issue for the last 30+ hrs without luck and dang, it's something related to forwarding. Again, here is my quick scenario.

I have Windows DNS Server 192.168.1.42, which has a forwarder set to 192.168.1.179 [BIND/RPZ].

Now certain domains, when queried from an end user (e.g. 192.168.1.100, which has DNS set to 192.168.1.42), do not get resolved at all. While troubleshooting I observed that maybe 192.168.1.42 has got the root zone "." and is trying to resolve locally instead of forwarding.

I noticed this issue is happening randomly with any domains, but mostly it is observed for .com and .net domain entries. Again, I tried replacing 192.168.1.42 with a Linux BIND server and it's the same behavior, so I don't think it's related to Windows.

I want all other queries to strictly forward to my RPZ forwarding server. How do I do that? Can someone help me in troubleshooting? I can provide the logs and config. Or if someone has a similar setup, can they try simulating at their end and confirm, plz?

On Fri, Aug 10, 2018 at 1:17 PM Blason R wrote:
> Nah I don't think that is the answer since you need a termination after
> clause.
>
> Thanks and Regards,
> Lionel F
>
> On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov wrote:
>
>> Should be:
>>
>> response-policy {zone "whitelist.allow" policy passthru;
>> zone "malware.trap";
>> zone "ransomwareips.block";
>> } qname-wait-recurse no break-dnssec no;
>>
>> Vadim
Re: Need help on RPZ server, bit urgent
Nah I don't think that is the answer since you need a termination after clause.

Thanks and Regards,
Lionel F

On Fri, Aug 10, 2018 at 12:58 PM Vadim Pavlov wrote:
> Should be:
>
> response-policy {zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block";
> } qname-wait-recurse no break-dnssec no;
>
> Vadim
>
> On 09 Aug 2018, at 20:50, Blason R wrote:
>
> This is the error I am getting:
>
> /etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'
Re: Need help on RPZ server, bit urgent
This is the error I am getting:

/etc/bind/named.conf.options:24: expected 'zone' near 'qname-wait-recurse'

On Fri, Aug 10, 2018 at 9:10 AM Blason R wrote:
> Hi there,
>
> Where should it appear? The ARM says it should appear in the global section of
> response-policy, which I tried but am getting an error.
>
> response-policy {zone "whitelist.allow" policy passthru;
> zone "malware.trap";
> zone "ransomwareips.block";
> };
> qname-wait-recurse no;
> break-dnssec no;
Re: Need help on RPZ server, bit urgent
Hi there,

Where should it appear? The ARM says it should appear in the global section of response-policy, which I tried, but I am getting an error:

    response-policy { zone "whitelist.allow" policy passthru;
                      zone "malware.trap";
                      zone "ransomwareips.block"; };
    qname-wait-recurse no;
    break-dnssec no;

On Fri, Aug 10, 2018 at 8:09 AM Blason R wrote:
> On Thu, Aug 9, 2018 at 11:08 PM Bob Harold wrote:
>> If that is not what you want, then you probably want to set the option:
>>     qname-wait-recurse no;
>>
>> --
>> Bob Harold
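The placement question above, worked through as an added example (this is not a configuration from the list post): the modifiers such as qname-wait-recurse belong after the closing brace of the response-policy block and before its single terminating semicolon, not as separate statements. The zone names are the ones from the post; the file paths and the "subnets" ACL are assumptions.

```conf
// Added example, not from the list post. Assumes the three RPZ zones are
// loaded as ordinary master zones from the paths shown; the paths and the
// "subnets" ACL are assumptions.
acl subnets { 192.168.1.0/24; };   // assumed client range

// RPZ zones are consulted internally by named and need not be queryable
// by clients, so they are restricted to localhost.
zone "whitelist.allow" {
    type master;
    file "/var/lib/bind/zones/whitelist.allow.db";
    allow-query { localhost; };
};
zone "malware.trap" {
    type master;
    file "/var/lib/bind/zones/malware.trap.db";
    allow-query { localhost; };
};
zone "ransomwareips.block" {
    type master;
    file "/var/lib/bind/zones/ransomwareips.block.db";
    allow-query { localhost; };
};

options {
    directory "/var/cache/bind";
    recursion yes;
    allow-query { localhost; subnets; };

    // The modifiers are part of the response-policy statement itself: they
    // follow the closing brace and precede the one terminating ';'.
    // Written as "response-policy { ... }; qname-wait-recurse no;" the
    // modifier becomes a stand-alone option that named does not know,
    // which is the kind of error the post describes.
    response-policy {
        zone "whitelist.allow" policy passthru;
        zone "malware.trap";
        zone "ransomwareips.block";
    } qname-wait-recurse no
      break-dnssec no;
};
```

Run named-checkconf over the file before reloading to confirm the statement parses. One caveat from the ARM that matters for the NXDOMAIN symptom discussed in this thread: qname-wait-recurse no only allows QNAME and client-IP triggers to be applied before recursion completes; IP, NSDNAME and NSIP triggers still depend on the recursive answer, so a name that upstream answers with NXDOMAIN is caught only when it matches a QNAME trigger.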
Re: Need help on RPZ server, bit urgent
Well mine is a bit different. I have RPZ and almost 40+ RPZ entries wall-gardened. And in my scenario users are talking to a Windows-based AD/DNS server, and then that server has a forwarder set to RPZ.

1. First issue: I observed certain entries from the BIND/RPZ zone are being resolved by the Windows server directly to their original IPs and not the wall-gardened IP. Where I believe once the forwarder is set, all those queries should have been routed to the RPZ server? [If anyone here has Windows DNS expertise, pls help]
2. And another: certain RPZ queries, if queried through the AD/DNS server, are not at all getting resolved. When I captured packets on the BIND/RPZ server I see that those domains are getting NXDOMAIN from RPZ and I am not sure why.

Thanks and Regards,
Lionel F

On Thu, Aug 9, 2018 at 11:08 PM Bob Harold wrote:
>
> On Thu, Aug 9, 2018 at 9:31 AM Blason R wrote:
>> For example this one.
>>
>>     18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
>>     18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)
>
> With RPZ, the name is looked up normally first, and only if there is an
> answer is RPZ invoked. If it gets NXDOMAIN or some error, it returns that
> and does not use RPZ.
> If that is not what you want, then you probably want to set the option:
>     qname-wait-recurse no;
>
> --
> Bob Harold
Re: Queries regarding forwarders
Well, this is valid when users are directly talking to RPZ servers. What if there is one more resolver in between, like Active Directory, which itself acts as a DNS server? In that case I believe you don't need to do that, right?

On Fri, Aug 10, 2018 at 12:33 AM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 08/09/2018 01:01 AM, Lee wrote:
>> yes, it works just fine
>
> Good.
>
>> it does, so you have to flag your local zones as rpz-passthru. eg:
>>     *.home.net             CNAME rpz-passthru.
>>     localhost              CNAME rpz-passthru.
>>     8.0.0.0.127.rpz-ip     CNAME . ; 127.0.0.0/8
>>     8.0.0.0.10.rpz-ip      CNAME . ; 10.0.0.0/8
>>     12.0.0.16.172.rpz-ip   CNAME . ; 172.16.0.0/12
>>     16.0.0.168.192.rpz-ip  CNAME . ; 192.168.0.0/16
>
> That makes sense. RPZ would filter the private IPs by default, but
> zones with said records can be told to not be blocked by RPZ.
>
> Thank you for the clarification Lee.
>
> --
> Grant. . . .
> unix || die
Re: Need help on RPZ server, bit urgent
Is it a bug?? I mean certain domains from my RPZ feeds are properly getting resolved while a few are giving NXDOMAIN, though they appear in the zone.

On Thu, Aug 9, 2018, 8:57 PM Sam Wilson wrote:
> On 2018-08-09 14:00:55 +0000, Blason R said:
>> For example this one.
>>
>>     18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
>>     18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)
>
>     $ dig 0351dag.com
>
>     ; <<>> DiG 9.8.3-P1 <<>> 0351dag.com
>     ;; global options: +cmd
>     ;; Got answer:
>     ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 44466
>     ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
>     ;; QUESTION SECTION:
>     ;0351dag.com.            IN      A
>
>     ;; AUTHORITY SECTION:
>     com.        900     IN      SOA     a.gtld-servers.net. nstld.verisign-grs.com. 1533828275 1800 900 604800 86400
>
> Sam
Re: Need help on RPZ server, bit urgent
For example this one.

    18:59:26.905177 IP 192.168.1.120.65049 > 192.168.1.42.53: 42074+ A? 0351dag.com. (29)
    18:59:26.905299 IP 192.168.1.42.53 > 192.168.1.120.65049: 42074 NXDomain 0/1/0 (102)
Need help on RPZ server, bit urgent
Hi Bind-Users,

I would really appreciate it if someone could help me understand my issue with the BIND RPZ server.

I have one Windows server, say 192.168.1.42, and then the RPZ server with 192.168.1.179. I noticed that there are certain domains which are not getting resolved from end users.

Ideally, since those end users have 192.168.1.42 set as their DNS server, and it has a forwarder set to 192.168.1.179, it should forward all queries to 1.179, right?

But certain domains from my response-policy, even though wall-gardened, are being returned as NXDOMAIN.

Anything I am missing pertaining to RPZ?

If I query all those domains directly on the RPZ server, then I am getting the proper answer. This issue is noticed when I have a forwarder server in between.

    options {
        version "test";
        allow-query { localhost; subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
            1.1.1.1; 9.9.9.9; 208.67.222.222; 8.8.8.8;
        };
        // dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
        // listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 { any; };
        response-policy { zone "whitelist.allow" policy passthru;
                          zone "wg.block";
                          zone "bad.trap";
                          zone "block.tld";
                          zone "ransomwareips.block"; };
    };
Re: Queries regarding forwarders
Hi there,

Due to the architecture, since I have my internal DNS RPZ built, I wanted my other internal DNS servers to send traffic to the RPZ server, and then RPZ would resolve on behalf of the client.

    Client ---> DNS AUTH Server for xyz.com ===> Forwarder ==> 192.168.3.44 ===> INTERNET

On Wed, Aug 8, 2018 at 10:26 PM Matus UHLAR - fantomas wrote:
> On 08.08.18 19:32, Blason R wrote:
>> I am bit confused about DNS forwarders. I have two BIND Servers one is
>> being used as Authoritative DNS server which has forwarder set
>
> why?
>
>> to other server like this
>>
>> Auth Server for xvyz.com 192.168.3.15
>> Recursive Server 192.168.3.44
>>
>> Now if I am debugging from client side using -debug option I see
>> 192.168.3.15 is directly resolving with ROOT DNS Servers though I have
>> recursive no; option set in my BIND config.
>
> BIND has internal list of root servers.
>
>> Ideally the query should have gone to 192.168.3.44 but in debug I am
>> seeing the below output.
>
> ideally you would not use forwarder on BIND, unless you really must.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Queries regarding forwarders
Hi there,

I am a bit confused about DNS forwarders. I have two BIND servers; one is being used as an authoritative DNS server which has a forwarder set to the other server, like this:

    Auth Server for xvyz.com   192.168.3.15
    Recursive Server           192.168.3.44

Now, if I am debugging from the client side using the -debug option, I see 192.168.3.15 is directly resolving with the ROOT DNS servers, though I have the "recursive no;" option set in my BIND config. Ideally the query should have gone to 192.168.3.44, but in debug I am seeing the below output. Well, how do I trace if forwarding is happening?

    C:\Users\Administrator>nslookup -type=a -debug www.cisco.com

    Got answer:
        HEADER:
            opcode = QUERY, id = 1, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion
            questions = 1,  answers = 1,  authority records = 2,  additional

        QUESTIONS:
            15.3.168.192.in-addr.arpa, type = PTR, class = IN
        ANSWERS:
        ->  15.3.168.192.in-addr.arpa
            name = dns.xyz.com
            ttl = 10800 (3 hours)
        AUTHORITY RECORDS:
        ->  3.168.192.in-addr.arpa
            nameserver = dns02.xyz.com
            ttl = 10800 (3 hours)
        ->  3.168.192.in-addr.arpa
            nameserver = dns.xyz.com
            ttl = 10800 (3 hours)
        ADDITIONAL RECORDS:
        ->  dns.xyz.com
            internet address = 192.168.3.15
            ttl = 10800 (3 hours)
        ->  dns02.xyz.com
            internet address = 192.168.3.14
            ttl = 10800 (3 hours)

    Server:  dns.xyz.com
    Address:  192.168.3.15

    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 5,  authority records = 13,  additiona

        QUESTIONS:
            www.cisco.com, type = A, class = IN
        ANSWERS:
        ->  www.cisco.com
            canonical name = www.cisco.com.akadns.net
            ttl = 838 (13 mins 58 secs)
        ->  www.cisco.com.akadns.net
            canonical name = wwwds.cisco.com.edgekey.net
            ttl = 299 (4 mins 59 secs)
        ->  wwwds.cisco.com.edgekey.net
            canonical name = wwwds.cisco.com.edgekey.net.globalredir.akadns.
            ttl = 14531 (4 hours 2 mins 11 secs)
        ->  wwwds.cisco.com.edgekey.net.globalredir.akadns.net
            canonical name = e2867.dsca.akamaiedge.net
            ttl = 3599 (59 mins 59 secs)
        ->  e2867.dsca.akamaiedge.net
            internet address = 23.57.126.108
            ttl = 19 (19 secs)
        AUTHORITY RECORDS:
        ->  net
            nameserver = a.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = l.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = e.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = i.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = d.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = f.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = b.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = h.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = g.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = c.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = k.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = j.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ->  net
            nameserver = m.gtld-servers.net
            ttl = 4663 (1 hour 17 mins 43 secs)
        ADDITIONAL RECORDS:
        ->  m.gtld-servers.net
            internet address = 192.55.83.30
            ttl = 103500 (1 day 4 hours 45 mins)
        ->  m.gtld-servers.net
            IPv6 address = 2001:501:b1f9::30
            ttl = 163960 (1 day 21 hours 32 mins 40 secs)
        ->  d.gtld-servers.net
            internet address = 192.31.80.30
            ttl = 77579 (21 hours 32 mins 59 secs)

    Non-authoritative answer:
    Name:    e2867.dsca.akamaiedge.net
    Address:  23.57.126.108
    Aliases:  www.cisco.com
              www.cisco.com.akadns.net
              wwwds.cisco.com.edgekey.net
              wwwds.cisco.com.edgekey.net.globalredir.akadns.net

    C:\Users\Administrator>
Re: Question about BIND and RPZ
Well, I was working on the same, but you really need to have good RPZ feeds. I subscribed to third-party feeds and have worked on my RPZ, but later you need to have a good reporting engine. Hence it is better to have a dedicated RPZ server instead, and that's what I would suggest. This is not marketing talk, but I know a vendor that I am working with who is offering a good product instead.

Best Regards,
Lionel F

On Sat, Aug 4, 2018 at 7:23 PM Felipe Arturo Polanco <felipeapola...@gmail.com> wrote:
> Hi,
>
> I have a question regarding BIND and its RPZ functionality.
>
> We are using a DNS provider that blocks malware by returning an NXDOMAIN
> response back whenever a match is found.
>
> The way they differentiate between real non-existent websites vs malware
> sites is by turning off the 'recursion available' bit in the NXDOMAIN
> response; non-existent sites do have this bit turned on.
>
> Is there a way to match this flag in an RPZ policy to redirect malware
> sites' response to a walled garden website while not matching real
> non-existent websites?
>
> Thanks,
Little confusion about BIND/AD [DNS] Setup
Hi there,

I have a little confusion about the BIND and Windows AD/DNS setup and would appreciate it if someone could shed some light on my query.

Well, I have a BIND/RPZ setup in my environment and I have an AD/DNS server; users are configured to talk to the Windows DNS server, and it has a forwarder set to my BIND/RPZ.

Now the issue I faced on my BIND/RPZ is this: I had the forwarder set as 9.9.9.9, which was flagging one site wrongly, while 8.8.8.8 is resolving it perfectly. Hence users accessing the site via AD/DNS -> RPZ -> 9.9.9.9 were initially consistently getting an error.

Later I decided to change the forwarder in my BIND and added 8.8.8.8. I restarted the service, which must have cleared the cache, but users who were using AD/DNS were still getting the wrong pages. I guess that was being served from the DNS cache, since it was showing a TTL value of almost 24 hrs.

Hence I am wondering if the TTL value from my BIND/RPZ can be lowered? Will that really make any difference? And which DNS server is responsible for giving the TTL value to users? How can I eventually set a lower TTL value in my environment so that records at end users may get flushed faster? Windows, BIND RPZ, or the NS of the end portal which is being accessed?

Thanks and Regards,
Lionel F
Re: My IXFR/AXFR stopped suddenly
OK - It seems there is a lot of confusion on the setup as I didn't give the entire config. Here is my entire config.

Master config

    zone "block.now" {
        type master;
        file "/var/lib/bind/zones/block.now.db";
        notify explicit;
        also-notify { 2.2.2.2 port 15455; };
        allow-transfer { 2.2.2.2; };
    };

Slave config

    zone "block.now" {
        type slave;
        file "/var/lib/bind/zones/block.now.db";
        masters { 3.3.3.3; };
        allow-transfer { none; };
        allow-query { localhost; };
        allow-notify { 3.3.3.3; };
    };

/etc/bind/named.conf.options

    options {
        version "custombind";
        allow-query { localhost; subnets; };
        directory "/var/cache/bind";
        recursion yes;
        querylog yes;
        forwarders {
            1.1.1.1; 9.9.9.9; 208.67.222.222; 8.8.8.8;
        };
        // dnssec-validation auto;
        request-ixfr yes;
        auth-nxdomain no;    # conform to RFC1035
        // listen-on-v6 { any; };
        listen-on port 53 { any; };
        listen-on port 15455 { any; };
        response-policy { zone "whitelist.allow" policy passthru;
                          zone "block.now"; };
    };

@ Matus UHLAR - fantomas - Yes, that is the basic stuff. One clue I see here is that whenever I do rndc reload there are no logs generated in xfer-out.log; however, on the slave, notify logs are seen. Even after the zone refresh time it always shows 1 record transferred, in fact sometimes even when I added or deleted more than 1 record. Hence finally I deleted the file from the slave and restarted the daemon, and it did the trick.

On Sat, Jul 7, 2018 at 9:30 PM Matus UHLAR - fantomas wrote:
> On 07.07.18 11:31, Blason R wrote:
>> Well after numerous try I could not succeed hence then I had to delete the
>> block.now.db file and had to restart the service
>> it then done the AXFR and later IXFR started as well.
>
> have you incremented the serial number on master?
>
> if the serial on the slave is bigger or the same as the one on the master
> (or the one in the NOTIFY), slave does not try to xfer the zone.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Re: My IXFR/AXFR stopped suddenly
Well, after numerous tries I could not succeed; hence I had to delete the block.now.db file and restart the service. It then did the AXFR, and later IXFR started as well.
Re: My IXFR/AXFR stopped suddenly
Well, I just tried transferring the zone using dig and it was successful from the slave.

On slave:

    dig AXFR block.now @xx.xx.xx.xx

On master, xfer-out.log:

    07-Jul-2018 09:53:11.520 client xx.xx.xx.xx#16129 (immediate.block): transfer of 'block.now/IN': AXFR started (serial 2018061016)
    07-Jul-2018 09:53:11.521 client xx.xx.xx.xx#16129 (immediate.block): transfer of 'block.now/IN': AXFR ended
Re: My IXFR/AXFR stopped suddenly
Yes, Anand is right; I didn't disclose the full config at the slave, but it has been configured to listen on port 15455, and that UDP port is listening and I can connect to that port using nc.

It was in fact working absolutely fine, but suddenly it stopped.

@Anand - can you confirm what command I should run on the slave to debug? That is what I wanted, which I am not aware of.

On Sat, Jul 7, 2018 at 3:28 AM Anand Buddhdev wrote:
> On 06/07/2018 23:52, Sten Carlsen wrote:
>
> Hello Sten,
>
>>> The slave is configured to listen on port 15455.
>> Where in the slave's configuration is that specified? Rather the master
>> sends notifys on two ports: 53 and 15455.
>
> Blason has not shown his full config, but it must be listening on port
> 15455 to be receiving the NOTIFY message, as shown by the log entry.
>
> The master has:
>
>     notify explicit;
>     also-notify {
>         2.2.2.2 port 15455;
>     };
>
> This tells the master to notify 2.2.2.2 on port 15455. There is no
> notify on port 53. What made you think that port 53 is being used?
>
> Anand
My IXFR/AXFR stopped suddenly
Hi Team,

Any clue how I troubleshoot why master to slave IXFR/AXFR stopped? It was working before; even my logs show notifies. I can connect to my slave on the customised port that NOTIFY messages are sent to, but then the PULL from slave to master is not working.

Master:

    zone "block.now" {
        type master;
        file "/var/lib/bind/zones/block.now.db";
        notify explicit;
        also-notify { 2.2.2.2 port 15455; };
        allow-transfer { 2.2.2.2; };
    };

On slave:

    zone "block.now" {
        type slave;
        file "/var/lib/bind/zones/block.now.db";
        masters { x.x.x.x; };
        allow-transfer { none; };
        allow-query { localhost; };
        allow-notify { x.x.x.x; };
    };

Logs on the slave:

    06-Jul-2018 14:10:28.341 client x.x.x.x#10090: received notify for zone 'block.now'
    06-Jul-2018 14:14:54.988 client x.x.x.x#10093: received notify for zone 'block.now'
Re: Logrotate for bind9
Correct, I needed settings like this; I was trying multiple options but it wasn't working. Let me try this!! Thanks for providing the same.

On Thu, Jul 5, 2018 at 1:23 PM Browne, Stuart wrote:
> How about a clear, direct example of using external service 'logrotate'
> (this is from one of my redhat systems, but the same concept applies to
> Ubuntu/Debian):
>
>     [be...@dns-nomnom1.den ~]$ cat /etc/logrotate.d/named
>     /var/log/named/*.log {
>         compress
>         create 0644 named named
>         daily
>         dateext
>         missingok
>         notifempty
>         rotate 30
>         sharedscripts
>         postrotate
>             /usr/sbin/rndc reconfig > /dev/null 2>/dev/null || true
>         endscript
>     }
>
> We put our logs in the custom location of '/var/log/named/'; if you put
> them somewhere else, you'll need to change that. The other settings are
> direct references to Anand's email. Finally, you'll want to change the 30
> to 180 to keep 180 different days' worth of logs.
>
> BIND internally doesn't have the concept of date-based rotation, only
> size-based rotation. In order to achieve per-day logs, you'll need to use
> the external tool 'logrotate' (or similar) for your rotation. If you do
> that, you'll want to disable BIND's rotation in the logs configuration
> (if you're using that currently), so not this:
>
>     logging {
>         channel ns_log {
>             file "/var/log/named/named.log" versions 3 size 256M;
>             severity dynamic;
>             print-time yes;
>             print-severity yes;
>             print-category yes;
>         };
>         ...
>         category default { ns_log; };
>         category general { ns_log; };
>         category config { ns_log; };
>     };
>
> But this:
>
>     logging {
>         channel ns_log {
>             file "/var/log/named/named.log";
>             severity dynamic;
>             print-time yes;
>             print-severity yes;
>             print-category yes;
>         };
>         ...
>         category default { ns_log; };
>         category general { ns_log; };
>         category config { ns_log; };
>     };
>
> Hope this clarifies the idea a little for you.
>
> Stuart
Re: Logrotate for bind9
What exactly are those? Well what I wanted to achieve here is to rotate the logs daily and start a new file; then compress.

On Thu, Jul 5, 2018 at 6:21 AM Rohan Henry wrote:
> Why not use Bind logging option?
>
> On Jul 4, 2018 8:51 AM, "Blason R" wrote:
>> Hi There,
>>
>> I am not getting appropriate results for my custom daily logrotate for bind9 logs on Ubuntu.
>>
>> Can someone please help me with the settings which would include the below stuff:
>> 1. Should rotate daily
>> 2. Compress
>> 3. Create new file
>> 4. Keep last 180 entries
>>
>> Do I need to stop bind9 while logs are being rotated? What is the correct procedure to start logs in a new file?
Logrotate for bind9
Hi There,

I am not getting appropriate results for my custom daily logrotate for bind9 logs on Ubuntu.

Can someone please help me with the settings which would include the below stuff:
1. Should rotate daily
2. Compress
3. Create new file
4. Keep last 180 entries

Do I need to stop bind9 while logs are being rotated? What is the correct procedure to start logs in a new file?
Re: What if the link is failed between master/slave
Excellent..Thanks!

On Fri, Jun 29, 2018 at 10:52 PM wrote:
> From: "Blason R"
>
>> OK - Got it, so is there any setting available at master by which it will keep on probing slave and as soon as it is contacted a NOTIFY message is sent?
>
> No. The slave will try every REFRESH interval to see if it can contact the master.
Re: What if the link is failed between master/slave
OK - Got it, so is there any setting available at master by which it will keep on probing slave and as soon as it is contacted a NOTIFY message is sent?

On Fri, Jun 29, 2018 at 10:30 PM wrote:
> --
> William Brown
> Messaging Team
> Technology Services, WNYRIC, Erie 1 BOCES
> (716) 821-7285
>
> "bind-users" wrote on 06/29/2018 12:53:07 PM:
>
>> From: "Blason R"
>>
>> I have bind Master server with me and slave is at other remote location. My query is since I have opted for PUSH update from master to slave over random port.
>>
>> What if the link at slave is down and NOTIFY message is not reached? When will slave then pull the update?
>
> Yes, according to the refresh interval in the SOA record. The pertinent values are REFRESH, RETRY and EXPIRE. See section 3.3.13 of RFC1035 https://tools.ietf.org/html/rfc1035#page-19
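To make the REFRESH/RETRY/EXPIRE behaviour described in this reply concrete, here is an added model (not from the thread and not BIND's code) that applies those timers to the 12:05 / 12:06 / 12:20 timeline from the original question. The 08:00 last-successful-check time is an assumption, and the SOA values are taken from the RPZ zone file posted in the "Unable to resolve the A records" thread on this page.

```python
"""Added model (not BIND's code) of how a secondary catches up after a lost
NOTIFY, using the SOA timers named in the reply above (REFRESH, RETRY,
EXPIRE; RFC 1035 section 3.3.13)."""
from datetime import datetime, timedelta
from typing import NamedTuple, Optional, Tuple


class SoaTimers(NamedTuple):
    refresh: int   # seconds between routine SOA checks after a success
    retry: int     # seconds between attempts after a failed check
    expire: int    # seconds after the last success before the zone is dropped


def at(hour: int, minute: int, days_later: int = 0) -> datetime:
    """Clock time on an arbitrary example day (constructed for the demo)."""
    return datetime(2018, 6, 29, hour, minute) + timedelta(days=days_later)


def next_update_pickup(last_ok: datetime, update_time: datetime,
                       notify_time: datetime,
                       outage: Tuple[datetime, datetime],
                       soa: SoaTimers) -> Tuple[Optional[datetime], bool]:
    """When does the secondary first fetch the new zone?

    last_ok     : the secondary's last successful SOA check / transfer
    update_time : when the primary's serial was bumped
    notify_time : when the primary sent NOTIFY (lost if the link is down then)
    outage      : (link_down, link_up) half-open interval during which the
                  secondary cannot reach the primary
    Returns (pickup_time, expired); pickup_time is None when EXPIRE elapses
    before any check succeeds, in which case expired is True.
    """
    down, up = outage
    refresh = timedelta(seconds=soa.refresh)
    retry = timedelta(seconds=soa.retry)
    expire = timedelta(seconds=soa.expire)

    def link_ok(t: datetime) -> bool:
        return not (down <= t < up)

    # A delivered NOTIFY makes the secondary check the SOA immediately.
    if link_ok(notify_time):
        return notify_time, False

    # Otherwise the REFRESH timer is the only fallback.
    t = last_ok + refresh
    while True:
        if t - last_ok >= expire:
            return None, True          # zone data discarded; answers SERVFAIL
        if not link_ok(t):
            t += retry                 # failed check: wait RETRY and try again
            continue
        if t >= update_time:
            return t, False            # serial differs: AXFR/IXFR happens now
        last_ok = t                    # serial unchanged: restart REFRESH timer
        t = last_ok + refresh


# SOA values from the zone file posted elsewhere on this page:
# refresh 21600, retry 3600, expire 604800.
THREAD_SOA = SoaTimers(refresh=21600, retry=3600, expire=604800)


def thread_scenario() -> Tuple[Optional[datetime], bool]:
    """The questioner's timeline: update 12:05, NOTIFY 12:06, link down
    12:06-12:20. The 08:00 last successful check is an assumption."""
    return next_update_pickup(
        last_ok=at(8, 0), update_time=at(12, 5), notify_time=at(12, 6),
        outage=(at(12, 6), at(12, 20)), soa=THREAD_SOA)


if __name__ == "__main__":
    when, expired = thread_scenario()
    print("secondary picks up the change at", when, "expired:", expired)
```

With a six-hour REFRESH the secondary only notices the lost NOTIFY at its next scheduled check, 14:00, even though the link was back at 12:20; shortening REFRESH (or re-sending NOTIFY once the link is up) is what closes that gap.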
What if the link is failed between master/slave
Hi There,

I have bind Master server with me and slave is at other remote location. My query is since I have opted for PUSH update from master to slave over random port.

What if the link at slave is down and NOTIFY message is not reached? When will slave then pull the update?

Let's take an example:
12.05 I updated the zone and reloaded it
12.06 xfer.out shows the update is sent but the Internet link at slave is down.
Link is back at 12.20. When will the slave then receive the update?
Re: Data exfiltration using DNS RPZ
Excellent inputs guys and thanks a ton for your feedback. RPS is quite interesting; which one is the commercial offering for the same?

On Sun, Jun 17, 2018 at 10:56 PM Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 06/17/2018 11:18 AM, Vadim Pavlov via bind-users wrote:
>> Just to be more clear. DNSSEC records can contain any content and can be used for infiltration/tunneling.
>
> Ah. I think I see.
>
>> E.g. If you request DNSKEY record (you can encode your request in fqdn) you will get it exactly "as is". Intermediate DNS servers do not validate the records.
>
> You aren't talking about using the DNSSEC mechanisms to {in,ex}filtrate data as much as you are talking about {ab}using the resource records that DNSSEC uses as a vector to hide data.
>
>> So instead of "standard/usual" TXT records you can use DNSKEY to pass data from a DNS remote server.
>
> ACK
>
> Thank you for the explanation.
>
> --
> Grant. . . .
> unix || die
Data exfiltration using DNS RPZ
Hi Team,

Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? Or do I need to install any other third-party tool like an IDS to identify the DNS beacon channels? Has anyone used DNS RPZ to block/detect data exfiltration?
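Since RPZ only acts on names and addresses it has already been told about, spotting a covert channel means looking at query patterns rather than at a blocklist. As an added example (not from the thread), the heuristics below run over constructed query records and flag domains whose lookups look like tunneling: many never-repeated, high-entropy subdomains combined with data-carrying record types such as TXT or the DNSKEY type Vadim mentions. All domain names, client addresses and thresholds are constructed placeholders.

```python
"""Added example: query-pattern heuristics for DNS tunneling/exfiltration.
Sample traffic, names ('tunnel.example', 'corp.example', 'cdn.example')
and thresholds are constructed for the demo."""
import hashlib
import math
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Record types that carry free-form data and are therefore favoured for
# smuggling payloads; DNSKEY is the type the thread points at.
DATA_CARRYING_TYPES = {"TXT", "NULL", "DNSKEY"}

Query = Tuple[str, str, str]   # (client_ip, qname, qtype)


def shannon_entropy(s: str) -> float:
    """Bits per character of the empirical symbol distribution of s."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude owner bucket: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def profile_domains(queries: Iterable[Query]) -> Dict[str, dict]:
    """Aggregate per registered domain the signals the scorer needs."""
    buckets: Dict[str, dict] = defaultdict(lambda: {
        "total": 0, "subdomains": set(), "entropy_sum": 0.0, "data_types": 0})
    for _client, qname, qtype in queries:
        dom = registered_domain(qname)
        name = qname.rstrip(".").lower()
        sub = name[:-len(dom)].rstrip(".")   # labels left of the bucket
        b = buckets[dom]
        b["total"] += 1
        b["subdomains"].add(sub)
        b["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
        if qtype.upper() in DATA_CARRYING_TYPES:
            b["data_types"] += 1
    return buckets


def flag_tunneling(queries: Iterable[Query], min_queries: int = 20,
                   max_unique_ratio: float = 0.8, min_entropy: float = 3.0,
                   min_data_ratio: float = 0.5) -> Dict[str, List[str]]:
    """Return {domain: reasons} for domains that trip at least two signals.
    Requiring two signals keeps ordinary CDN-style name churn off the list;
    the thresholds are starting points, not tuned values."""
    findings: Dict[str, List[str]] = {}
    for dom, b in profile_domains(queries).items():
        if b["total"] < min_queries:
            continue
        unique_ratio = len(b["subdomains"]) / b["total"]
        mean_entropy = b["entropy_sum"] / b["total"]
        data_ratio = b["data_types"] / b["total"]
        reasons = []
        if unique_ratio >= max_unique_ratio:
            reasons.append(f"{unique_ratio:.0%} of queries use a never-repeated subdomain")
        if mean_entropy >= min_entropy:
            reasons.append(f"mean subdomain entropy {mean_entropy:.2f} bits/char")
        if data_ratio >= min_data_ratio:
            reasons.append(f"{data_ratio:.0%} of queries ask for TXT/NULL/DNSKEY")
        if len(reasons) >= 2:
            findings[dom] = reasons
    return findings


def build_sample_queries() -> List[Query]:
    """Constructed traffic: one host pushing hex-encoded chunks out via
    TXT/DNSKEY lookups, plus ordinary lookups from the rest of the network."""
    queries: List[Query] = []
    for i in range(24):
        h = hashlib.sha256(f"chunk{i}".encode()).hexdigest()
        qname = f"{h[:16]}.{h[16:32]}.tunnel.example"
        queries.append(("192.168.5.103", qname, "TXT" if i % 2 else "DNSKEY"))
    for _ in range(30):
        queries.append(("192.168.5.10", "www.corp.example", "A"))
        queries.append(("192.168.5.11", "mail.corp.example", "MX"))
    queries.append(("192.168.5.12", "_dmarc.corp.example", "TXT"))
    for i in range(25):   # lots of distinct but low-entropy names, A only
        queries.append(("192.168.5.20", f"img{i}.cdn.example", "A"))
    return queries


SAMPLE_QUERIES = build_sample_queries()

if __name__ == "__main__":
    for dom, reasons in flag_tunneling(SAMPLE_QUERIES).items():
        print(dom, "->", "; ".join(reasons))
```

Feeding this the qname and qtype fields of a BIND query log (rather than the constructed list) is the practical use; a hit is a candidate for an RPZ entry and for a look at the client, not proof of exfiltration on its own.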
Re: Building Geo Map using Queries
Thanks! Any particular use case or configuration you would like to suggest?

On Sun, Jun 10, 2018 at 10:25 AM Vadim Pavlov wrote:
> Hi Blason,
>
> You can use MaxMind GeoIP DB and enrich logs with data you need.
>
> Vadim
>
>> On 09 Jun 2018, at 17:33, Blason R wrote:
>>
>> Hi There,
>>
>> I have DNS RPZ server running and have configured logstash on the same to parse the DNS RPZ logs.
>>
>> My requirement is I need to build a Geo Map based on the DNS responses; any idea how that can be achieved? Or I need to know the requests made from which country, and any other idea the community can suggest?
Building Geo Map using Queries
Hi There,

I have DNS RPZ server running and have configured logstash on the same to parse the DNS RPZ logs.

My requirement is I need to build a Geo Map based on the DNS responses; any idea how that can be achieved? Or I need to know the requests made from which country, and any other idea the community can suggest?
Re: Unable to resolve the A records, not sure what is wrong
Yes that was the issue :) and got resolved.

On Fri, Jun 1, 2018 at 11:29 PM, Blason R wrote:
> I guess this could be the issue
>
> zone "malware.trap" {
>     type master;
>     file "/var/lib/bind/zones/malware.trap.db";
>     allow-query { localhost; };
>
> On Fri, Jun 1, 2018 at 11:28 PM, Blason R wrote:
>> Well this is what I am getting in network.log; what could be the issue?
>>
>> 01-Jun-2018 23:27:42.274 client 192.168.5.103#58425 (wg.block.tld): query 'wg.block.tld/A/IN' denied
>>
>> On Fri, Jun 1, 2018 at 11:27 PM, Bob Harold wrote:
>>> On Fri, Jun 1, 2018 at 1:36 PM Blason R wrote:
>>>> Hi there,
>>>>
>>>> I am writing a RPZ zone and here is my zone file. RPZ is working fine but somehow A records are not getting resolved, hence I am unable to do the wall-gardening.
>>>>
>>>> Can someone please help
>>>>
>>>> $TTL 3h
>>>> @ IN SOA ns1.malware.trap. admin.malware.trap. (
>>>>         2006060301 ; Serial
>>>>         21600      ; Refresh
>>>>         3600       ; Retry
>>>>         604800     ; Expire
>>>>         3600 )     ; Minimum TTL
>>>>
>>>>                    IN NS    ns1.malware.trap.
>>>> ns1.malware.trap.     A     172.16.3.48
>>>> wg.malware.trap.      A     172.16.3.48
>>>> baddomain.co          CNAME wg.malware.trap.
>>>> block.this            CNAME wg.malware.trap.
>>>>
>>>> ###
>>>>
>>>> ;; ANSWER SECTION:
>>>> block.this.   5   IN   CNAME   wg.malware.trap.
>>>>
>>>> ***
>>>> ;; QUESTION SECTION:
>>>> ;wg.malware.trap.   IN   A
>>>>
>>>> Not getting an answer; what could be wrong??
>>>
>>> Not sure what is a normal configuration, but on my servers users cannot query the RPZ domain, it is only used for RPZ.
>>> Try putting the A record in a normal zone, and CNAME to that, rather than having the A record in the RPZ zone.
>>> Or try doing a direct query for the A record and see if it resolves.
>>>
>>> --
>>> Bob Harold
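The exchange above (a CNAME answer with no A record, the 'query denied' line in network.log, and Bob Harold's fix) can be reproduced with a small model of how a policy CNAME target is looked up. This is an added, simplified model and not BIND's code; 'walledgarden.example' is a constructed zone name, not one from the thread.

```python
"""Added, simplified model (not BIND's code) of why the walled-garden A
record never reaches the client in this thread. The policy zone rewrites the
query into a CNAME; the CNAME target is then looked up like any other name,
and that lookup is gated by the owning zone's allow-query ACL. With the A
record inside the RPZ zone and allow-query { localhost; }, non-local clients
get the CNAME plus a 'query denied' log line instead of an address."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOCALHOST = [ipaddress.ip_network("127.0.0.0/8")]
Record = Tuple[str, str, str]   # (owner, rtype, rdata)


@dataclass
class Zone:
    name: str                   # origin, no trailing dot
    allow_query: object         # "any" or a list of ip_network
    is_rpz: bool = False
    records: Dict[Tuple[str, str], str] = field(default_factory=dict)


def acl_allows(acl, client_ip: str) -> bool:
    if acl == "any":
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in acl)


def owning_zone(zones: List[Zone], name: str) -> Optional[Zone]:
    """Longest-suffix match, the way a server picks the zone for a name."""
    best = None
    for z in zones:
        if name == z.name or name.endswith("." + z.name):
            if best is None or len(z.name) > len(best.name):
                best = z
    return best


def resolve(zones: List[Zone], client_ip: str, qname: str, qtype: str,
            log: List[str], max_hops: int = 8) -> List[Record]:
    """Return the answer chain; denied lookups are appended to `log` in the
    shape of the network.log line quoted in the thread (port omitted)."""
    chain: List[Record] = []
    name = qname
    policy = next((z for z in zones if z.is_rpz), None)
    # The policy applies to the query itself; the policy zone's allow-query
    # does not restrict this rewrite step.
    if policy is not None:
        target = policy.records.get((f"{qname}.{policy.name}", "CNAME"))
        if target is not None:
            chain.append((qname, "CNAME", target))
            name = target
    # Every further name is an ordinary lookup gated by allow-query.
    for _ in range(max_hops):
        zone = owning_zone(zones, name)
        if zone is None:
            break    # a real resolver would recurse upstream here
        if not acl_allows(zone.allow_query, client_ip):
            log.append(f"client {client_ip} ({name}): query '{name}/{qtype}/IN' denied")
            break
        cname = zone.records.get((name, "CNAME"))
        if cname is not None and qtype != "CNAME":
            chain.append((name, "CNAME", cname))
            name = cname
            continue
        rdata = zone.records.get((name, qtype))
        if rdata is not None:
            chain.append((name, qtype, rdata))
        break
    return chain


def broken_setup() -> List[Zone]:
    """The thread's layout: triggers and the walled-garden A record together
    in one localhost-only RPZ zone."""
    rpz = Zone("malware.trap", allow_query=LOCALHOST, is_rpz=True, records={
        ("block.this.malware.trap", "CNAME"): "wg.malware.trap",
        ("baddomain.co.malware.trap", "CNAME"): "wg.malware.trap",
        ("wg.malware.trap", "A"): "172.16.3.48",
    })
    return [rpz]


def fixed_setup() -> List[Zone]:
    """Bob Harold's suggestion: the A record in an ordinary, queryable zone
    and only the CNAME triggers in the RPZ zone. 'walledgarden.example' is a
    constructed name."""
    rpz = Zone("malware.trap", allow_query=LOCALHOST, is_rpz=True, records={
        ("block.this.malware.trap", "CNAME"): "wg.walledgarden.example",
    })
    garden = Zone("walledgarden.example", allow_query="any", records={
        ("wg.walledgarden.example", "A"): "172.16.3.48",
    })
    return [rpz, garden]


if __name__ == "__main__":
    for label, zones in (("broken", broken_setup()), ("fixed", fixed_setup())):
        log: List[str] = []
        chain = resolve(zones, "192.168.5.103", "block.this", "A", log)
        print(label, chain, log)
```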
Re: Unable to resolve the A records, not sure what is wrong
I guess this could be the issue

zone "malware.trap" {
    type master;
    file "/var/lib/bind/zones/malware.trap.db";
    allow-query { localhost; };

On Fri, Jun 1, 2018 at 11:28 PM, Blason R wrote:
> Well this is what I am getting in network.log; what could be the issue?
>
> 01-Jun-2018 23:27:42.274 client 192.168.5.103#58425 (wg.block.tld): query 'wg.block.tld/A/IN' denied
>
> On Fri, Jun 1, 2018 at 11:27 PM, Bob Harold wrote:
>> On Fri, Jun 1, 2018 at 1:36 PM Blason R wrote:
>>> Hi there,
>>>
>>> I am writing a RPZ zone and here is my zone file. RPZ is working fine but somehow A records are not getting resolved, hence I am unable to do the wall-gardening.
>>>
>>> Can someone please help
>>>
>>> $TTL 3h
>>> @ IN SOA ns1.malware.trap. admin.malware.trap. (
>>>         2006060301 ; Serial
>>>         21600      ; Refresh
>>>         3600       ; Retry
>>>         604800     ; Expire
>>>         3600 )     ; Minimum TTL
>>>
>>>                    IN NS    ns1.malware.trap.
>>> ns1.malware.trap.     A     172.16.3.48
>>> wg.malware.trap.      A     172.16.3.48
>>> baddomain.co          CNAME wg.malware.trap.
>>> block.this            CNAME wg.malware.trap.
>>>
>>> ###
>>>
>>> ;; ANSWER SECTION:
>>> block.this.   5   IN   CNAME   wg.malware.trap.
>>>
>>> ***
>>> ;; QUESTION SECTION:
>>> ;wg.malware.trap.   IN   A
>>>
>>> Not getting an answer; what could be wrong??
>>
>> Not sure what is a normal configuration, but on my servers users cannot query the RPZ domain, it is only used for RPZ.
>> Try putting the A record in a normal zone, and CNAME to that, rather than having the A record in the RPZ zone.
>> Or try doing a direct query for the A record and see if it resolves.
>>
>> --
>> Bob Harold
Re: Unable to resolve the A records, not sure what is wrong
Well this is what I am getting in network.log; what could be the issue?

01-Jun-2018 23:27:42.274 client 192.168.5.103#58425 (wg.block.tld): query 'wg.block.tld/A/IN' denied

On Fri, Jun 1, 2018 at 11:27 PM, Bob Harold wrote:
> On Fri, Jun 1, 2018 at 1:36 PM Blason R wrote:
>> Hi there,
>>
>> I am writing a RPZ zone and here is my zone file. RPZ is working fine but somehow A records are not getting resolved, hence I am unable to do the wall-gardening.
>>
>> Can someone please help
>>
>> $TTL 3h
>> @ IN SOA ns1.malware.trap. admin.malware.trap. (
>>         2006060301 ; Serial
>>         21600      ; Refresh
>>         3600       ; Retry
>>         604800     ; Expire
>>         3600 )     ; Minimum TTL
>>
>>                    IN NS    ns1.malware.trap.
>> ns1.malware.trap.     A     172.16.3.48
>> wg.malware.trap.      A     172.16.3.48
>> baddomain.co          CNAME wg.malware.trap.
>> block.this            CNAME wg.malware.trap.
>>
>> ###
>>
>> ;; ANSWER SECTION:
>> block.this.   5   IN   CNAME   wg.malware.trap.
>>
>> ***
>> ;; QUESTION SECTION:
>> ;wg.malware.trap.   IN   A
>>
>> Not getting an answer; what could be wrong??
>
> Not sure what is a normal configuration, but on my servers users cannot query the RPZ domain, it is only used for RPZ.
> Try putting the A record in a normal zone, and CNAME to that, rather than having the A record in the RPZ zone.
> Or try doing a direct query for the A record and see if it resolves.
>
> --
> Bob Harold
Unable to resolve the A records, not sure what is wrong
Hi there,

I am writing a RPZ zone and here is my zone file. RPZ is working fine but somehow A records are not getting resolved, hence I am unable to do the wall-gardening.

Can someone please help

$TTL 3h
@ IN SOA ns1.malware.trap. admin.malware.trap. (
        2006060301 ; Serial
        21600      ; Refresh
        3600       ; Retry
        604800     ; Expire
        3600 )     ; Minimum TTL

                   IN NS    ns1.malware.trap.
ns1.malware.trap.     A     172.16.3.48
wg.malware.trap.      A     172.16.3.48
baddomain.co          CNAME wg.malware.trap.
block.this            CNAME wg.malware.trap.

###

;; ANSWER SECTION:
block.this.   5   IN   CNAME   wg.malware.trap.

***
;; QUESTION SECTION:
;wg.malware.trap.   IN   A

Not getting an answer; what could be wrong??
Re: nsupdate with RPZ
Well, thanks for the update. Later I managed to resolve it, but the issue is: since this is an RPZ zone and the RRs are different, I don't think nsupdate would solve my purpose here? Like zone test.update while the RR is block.this.domain CNAME wg.test.update. Please correct me if I am wrong.

On Wed, May 23, 2018 at 8:43 PM, Chris Buxton <cli...@buxtonfamily.us> wrote:
>> On May 22, 2018, at 7:35 PM, Blason R <blaso...@gmail.com> wrote:
>>
>> Wondering if anyone has a working How-To guide for implementing nsupdate with RPZ? I mean do we need to configure any specific settings in zone or options?
>
> A response policy zone is a zone like any other. You would normally restrict access to query it, but if you want to allow some system to manage the content of that zone dynamically, go ahead and set up an allow-update (or update-policy, if that's what you need) on that zone. Just make sure the updater is also allowed to query the zone.
>
> If that's not your use case, tell us what your use case is in more detail and perhaps the list can help.
>
> Chris Buxton
Re: Can we define masters as hostsname?
Hey, thanks a lot for your crisp and short answer!!

On Wed, May 23, 2018 at 6:31 PM, Matthew Pounsett <m...@conundrum.com> wrote:
> On 23 May 2018 at 07:37, Blason R <blaso...@gmail.com> wrote:
>> Hi Guys,
>>
>> Can we define masters as hostname instead of IP address? I guess it's not possible but wondering if the community can shed some light on this?
>
> The short answer.. no, you can't do that. The definition for the slave zone statement's 'masters' option (BIND 9.11 ARM pp 139) is pretty clear that you can only use IP addresses and named masters lists. You could fake it by defining a named master list (pp. 70) but I suspect that isn't going to do what you want.
>
> I think the rationale for not allowing hostnames there is that you can easily put yourself in an unresolvable (pardon the pun) situation where your slave can't reach the master until your slave reaches the master and gets a copy of a key zone. I can also see the potential for complication even if there weren't a catch-22 in the configuration, such as what to do if the hostname referenced has multiple addresses associated with it; that would have implications for things like how complex it is to track whether a master is available or not. I'm sure there are other complexities I haven't thought of.
Can we define masters as hostsname?
Hi Guys,

Can we define masters as hostname instead of IP address? I guess it's not possible but wondering if the community can shed some light on this?

zone "test.update" {
    type slave;
    masters { cloud.dns.net; };
    file "/var/lib/bind/test.update.db";
    allow-notify { cloud.dns.net; };
    allow-query { localhost; };
    allow-transfer { none; };
};
nsupdate with RPZ
Hi Team,

Wondering if anyone has a working How-To guide for implementing nsupdate with RPZ? I mean do we need to configure any specific settings in zone or options?

Please advise
TIA
Re: also-notify and allow-notify
Okies, so zone xfer would happen on TCP/53, correct, and notify would be sent on udp/53?

On Fri, May 18, 2018, 7:31 PM Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>> On 17.05.18 23:00, Blason R wrote:
>>>> So here I am sending notification to 192.168.5.49 on port 4545; my queries are
>>>>
>>>> 1. How do I configure port on slave 4545 so that slave server can start listening on that port.
>>
>> On Fri, May 18, 2018 at 3:02 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
>>> why do you need to listen on port 4545 instead of default 53?
>
> On 18.05.18 19:20, Blason R wrote:
>> Nah that is not my query; instead I wanted updates to be sent on another port and not TCP/53. Queries, let them happen on UDP 53.
>
> notify is also a query.
> try it on port 53, maybe your problem won't appear there.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: RPZ zone update how to sync
> why? is there any logic in this?

Yeah, management does not want to allow direct syncing with master as they don't want to expose any info to them.

On Fri, May 18, 2018 at 7:32 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 18.05.18 19:29, Blason R wrote:
>> I have this other query on RPZ; I have one master server [let's say masterns.test.com.] on cloud. One slave [slavens.test.com] in my organization, and our partner would also want to sync with slave but not with master server.
>
> why? is there any logic in this?
>
>> How can one slave sync with another slave? Can someone please enlighten me?
>>
>> masterns.test.com <=> slavens.test.com <> partnerns.partner.com
>
> it is possible without problems - just allow xfers from partner on your slave.
> you can also configure your slave to notify your partner.
>
> However I would recommend your partner trying master - this way they can fetch the zone even if your slave fails.
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Linux is like a teepee: no Windows, no Gates and an apache inside...
RPZ zone update how to sync
Hi Guys,

I have this other query on RPZ; I have one master server [let's say masterns.test.com.] on cloud. One slave [slavens.test.com] in my organization, and our partner would also want to sync with slave but not with master server.

How can one slave sync with another slave? Can someone please enlighten me?

masterns.test.com <=> slavens.test.com <> partnerns.partner.com
Re: also-notify and allow-notify
Nah that is not my query; instead I wanted updates to be sent on another port and not TCP/53. Queries, let them happen on UDP 53.

On Fri, May 18, 2018 at 3:02 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 17.05.18 23:00, Blason R wrote:
>> I have RPZ installed on server and it's acting as a master server but somehow port setting is not working on master
>>
>> # Slave configuration
>>
>> response-policy { zone "malware.trap"; };
>>
>> zone "malware.trap" {
>>     type slave;
>>     masters { 192.168.5.48; };
>>     file "/var/lib/bind/malware.trap.db";
>>     allow-notify { 192.168.5.48; };
>
> this is superfluous. The default is to accept notifies from master.
>
>>     allow-query { localhost; };
>> };
>>
>> So here I am sending notification to 192.168.5.49 on port 4545; my queries are
>>
>> 1. How do I configure port on slave 4545 so that slave server can start listening on that port.
>
> why do you need to listen on port 4545 instead of default 53?
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> We are but packets in the Internet of life (userfriendly.org)
Re: also-notify and allow-notify
That's correct, that worked for me and I am checking further now.

On Fri, May 18, 2018 at 1:23 PM, Warren Kumari <war...@kumari.net> wrote:
> On Fri, May 18, 2018 at 9:41 AM Blason R <blaso...@gmail.com> wrote:
>> Hi there,
>>
>> Thanks for the update and here is my config and the error I am getting. Can you please suggest the correct method that should be implemented?
>
> I believe (but don't have a machine to confirm on) that the syntax should be:
>
> also-notify { 192.168.5.49 port ;};
>
> (note the lack of semicolon between the IP and "port ")
>
> W
>
>> **
>> zone "malware.trap" {
>>     type master;
>>     file "/var/lib/bind/zones/malware.trap.db";
>>     notify explicit;
>>     also-notify { 192.168.5.49; port ;};
>>     allow-transfer { 192.168.5.49; };
>>     allow-query { localhost; };
>> };
>>
>> zone "whitelist.allow" {
>>     type master;
>>     file "/var/lib/bind/zones/whitelist.allow";
>>     notify explicit;
>>     also-notify { 192.168.5.49; port ;};
>>     allow-transfer { 192.168.5.49; };
>>     allow-query { localhost; };
>> };
>>
>> zone "block.tld" {
>>     type master;
>>     file "/var/lib/bind/zones/block.tld.db";
>>     notify explicit;
>>     also-notify { 192.168.5.49; port ;};
>>     allow-transfer { 192.168.5.49; };
>>     allow-query { localhost; };
>> };
>> **
>>
>> May 18 13:04:42 dnsfw named[1134]: using up to 4096 sockets
>> May 18 13:04:45 dnsfw named[1134]: loading configuration from '/etc/bind/named.conf'
>> May 18 13:04:46 dnsfw named[1134]: /etc/bind/named.conf.default-zones:34: missing ';' before ''
>> May 18 13:04:46 dnsfw named[1134]: /etc/bind/named.conf.default-zones:43: missing ';' before ''
>> May 18 13:04:46 dnsfw named[1134]: /etc/bind/named.conf.default-zones:52: missing ';' before ''
>> May 18 13:04:46 dnsfw systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
>> May 18 13:04:46 dnsfw rndc[1313]: rndc: connect failed: 127.0.0.1#953: connection refused
>> May 18 13:04:46 dnsfw systemd[1]: bind9.service: Control process exited, code=exited status=1
>>
>> On Fri, May 18, 2018 at 12:08 AM, Matthew Pounsett <m...@conundrum.com> wrote:
>>> On 17 May 2018 at 13:30, Blason R <blaso...@gmail.com> wrote:
>>>> Hi,
>>>>
>>>> I have RPZ installed on server and it's acting as a master server but somehow port setting is not working on master
>>>>
>>>> [...]
>>>>
>>>> So here I am sending notification to 192.168.5.49 on port 4545; my queries are
>>>>
>>>> How do I configure port on slave 4545 so that slave server can start listening on that port.
>>>
>>> Your slave needs to be listening on the correct IP/port to receive the NOTIFY. In the current BIND Administrator's Reference Manual[0], the discussion on Interfaces starts at page 98.
>>>
>>>> And my master is failing after restarting the services due to notify-them statement.
>>>
>>> You don't indicate what the error is, but I'm willing to bet it's the fact that you're trying to specify a masters list by name as well as a port. If you look at the 'also-notify' statement definition, you can see that you're able to use a 'masters' list OR an IP address and port combination, but not both (ARM pp. 71). You should specify the port number as part of the definition of the masters list, not where you use the masters list.
>>>
>>> [0]: <https://www.isc.org/bind-9-11-arm/>
>
> --
> I don't think the execution is relevant when it was obviously a bad idea in the first place.
> This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants.
> ---maf
Re: also-notify and allow-notify
Hi there,

Thanks for the update and here is my config and the error I am getting. Can you please suggest the correct method that should be implemented?

**
zone "malware.trap" {
    type master;
    file "/var/lib/bind/zones/malware.trap.db";
    notify explicit;
    also-notify { 192.168.5.49; port ;};
    allow-transfer { 192.168.5.49; };
    allow-query { localhost; };
};

zone "whitelist.allow" {
    type master;
    file "/var/lib/bind/zones/whitelist.allow";
    notify explicit;
    also-notify { 192.168.5.49; port ;};
    allow-transfer { 192.168.5.49; };
    allow-query { localhost; };
};

zone "block.tld" {
    type master;
    file "/var/lib/bind/zones/block.tld.db";
    notify explicit;
    also-notify { 192.168.5.49; port ;};
    allow-transfer { 192.168.5.49; };
    allow-query { localhost; };
};
**

May 18 13:04:42 dnsfw named[1134]: using up to 4096 sockets
May 18 13:04:45 dnsfw named[1134]: loading configuration from '/etc/bind/named.conf'
May 18 13:04:46 dnsfw named[1134]: /etc/bind/named.conf.default-zones:34: missing ';' before ''
May 18 13:04:46 dnsfw named[1134]: /etc/bind/named.conf.default-zones:43: missing ';' before ''
May 18 13:04:46 dnsfw named[1134]: /etc/bind/named.conf.default-zones:52: missing ';' before ''
May 18 13:04:46 dnsfw systemd[1]: bind9.service: Main process exited, code=exited, status=1/FAILURE
May 18 13:04:46 dnsfw rndc[1313]: rndc: connect failed: 127.0.0.1#953: connection refused
May 18 13:04:46 dnsfw systemd[1]: bind9.service: Control process exited, code=exited status=1

On Fri, May 18, 2018 at 12:08 AM, Matthew Pounsett <m...@conundrum.com> wrote:
> On 17 May 2018 at 13:30, Blason R <blaso...@gmail.com> wrote:
>> Hi,
>>
>> I have RPZ installed on server and it's acting as a master server but somehow port setting is not working on master
>>
>> [...]
>>
>> So here I am sending notification to 192.168.5.49 on port 4545; my queries are
>>
>> How do I configure port on slave 4545 so that slave server can start listening on that port.
>
> Your slave needs to be listening on the correct IP/port to receive the NOTIFY. In the current BIND Administrator's Reference Manual[0], the discussion on Interfaces starts at page 98.
>
>> And my master is failing after restarting the services due to notify-them statement.
>
> You don't indicate what the error is, but I'm willing to bet it's the fact that you're trying to specify a masters list by name as well as a port. If you look at the 'also-notify' statement definition, you can see that you're able to use a 'masters' list OR an IP address and port combination, but not both (ARM pp. 71). You should specify the port number as part of the definition of the masters list, not where you use the masters list.
>
> [0]: <https://www.isc.org/bind-9-11-arm/>
also-notify and allow-notify
Hi,

I have RPZ installed on server and it's acting as a master server but somehow port setting is not working on master

## Master Server configuration

response-policy { zone "malware.trap"; };

zone "malware.trap" {
    type master;
    file "/var/lib/bind/malware.trap.db";
    notify explicit;
    also-notify { 192.168.5.49; "notify-them" port 4545; };
    allow-transfer { 192.168.5.49; };
    allow-query { localhost; };
};

# Slave configuration

response-policy { zone "malware.trap"; };

zone "malware.trap" {
    type slave;
    masters { 192.168.5.48; };
    file "/var/lib/bind/malware.trap.db";
    allow-notify { 192.168.5.48; };
    allow-query { localhost; };
};

So here I am sending notification to 192.168.5.49 on port 4545; my queries are

1. How do I configure port on slave 4545 so that slave server can start listening on that port.
2. And my master is failing after restarting the services due to the notify-them statement.
Re: Queries regarding Master/Slave
Sure, thanks for the help.

On Sun, May 6, 2018 at 10:34 PM, Anand Buddhdev <ana...@ripe.net> wrote:
> I could answer this, but I think you need to read the documentation first, and *then* ask questions if you don't understand, so here's a link to the relevant documentation:
>
> https://ftp.isc.org/isc/bind9/9.12.1/doc/arm/Bv9ARM.ch05.html
>
> Regards,
> Anand
>
> On 06/05/2018 18:15, Blason R wrote:
>> This needs to be configured on Master or slave or both?
>>
>> On Sun, May 6, 2018 at 2:29 AM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
>>> On 05/05/2018 11:35 AM, Blason R wrote:
>>>> BTW on the slave dumped zones are not in a readable format I believe those are kind of mapping?
>>>
>>> There is a config option for the zone file format. I believe you want what's below. Try it and / or check the man page to confirm / refine to your preferences.
>>>
>>> masterfile-format text;
Re: Queries regarding Master/Slave
This needs to be configured on Master or slave or both?

On Sun, May 6, 2018 at 2:29 AM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 05/05/2018 11:35 AM, Blason R wrote:
>> BTW on the slave dumped zones are not in a readable format I believe those are kind of mapping?
>
> There is a config option for the zone file format. I believe you want what's below. Try it and / or check the man page to confirm / refine to your preferences.
>
> masterfile-format text;
>
> --
> Grant. . . .
> unix || die
Re: Queries regarding Master/Slave
Oh I am sorry, will give you the ixfr statement soon since I do not have access to that server right now.

BTW on the slave dumped zones are not in a readable format I believe those are kind of mapping? This is Ubuntu machine; never have tried with any other flavor.

On Sat, May 5, 2018 at 9:13 PM, /dev/rob0 <r...@gmx.co.uk> wrote:
> On Sat, May 05, 2018 at 03:52:16PM +0530, Blason R wrote:
>> Since I am building Master/slave RPZ for my organization I do have a couple of queries.
>>
>> 1. My ixfr is not working as soon as I remove the statement it works fine
>
> Remove WHAT statement? No data, no useful answer.
>
>> 2. Do I need to create files at secondary server? or will those be created automatically?
>
> Assuming the EUID/EGID running named (see if you're using -u) has write privilege in the specified file location, they will be created. Offer void where taxed or prohibited, or where you have shot yourself in the foot using SELinux or similar.
>
>> 3. I guess I always need to change the serial number whenever I am performing changes; is there any automated way to do that?
>
> You can use dynamic updates with nsupdate(8) or other RFC 2136 updating client. See "Dynamic updates" section of ARM chapter 4; also look for articles at the ISC KB: https://kb.isc.org/
>
>> 4. And is there any authentication method between master/slave?
>
> TSIG signatures can be used. This is also covered in ARM chapter 4, and I recommend using the HTML version, because it hyperlinks to relevant syntax documentation in chapter 6. And again, see the KB.
>
> TSIG can be used for any form of query, including the notify sent from master to slave[s]. See the section in ARM chapter 6, on "server Statement Grammar".
>
> --
> http://rob0.nodns4.us/
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Re: notify explicit and also-notify
Absolutely, that is TCP/53 required for Zone Xfer, right?

On Sat, May 5, 2018 at 10:34 PM, Matus UHLAR - fantomas <uh...@fantomas.sk> wrote:
> On 05.05.18 09:52, Blason R wrote:
>> OK So wondering if I have master in cloud wanted to know which port should I open for slave which is behind corporate firewall and if I set as below then my slaves will start listening on port 2034? I am bit confused on port numbers for NOTIFY messages and NOTIFY-UPDATED [i.e. AXFR/IXFR]
>
> source port: random.
> destination port: 53 (standard DNS port).
>
> you don't need to enable different ports unless you can't do stateful firewall
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Honk if you love peace and quiet.
Queries regarding Master/Slave
Hi Team,

Since I am building Master/slave RPZ for my organization I do have a couple of queries.

1. My ixfr is not working as soon as I remove the statement it works fine
2. Do I need to create files at secondary server? or will those be created automatically?
3. I guess I always need to change the serial number whenever I am performing changes; is there any automated way to do that?
4. And is there any authentication method between master/slave?
Re: notify explicit and also-notify
OK. So wondering if I have master in cloud, wanted to know which port should I open for slave which is behind corporate firewall, and if I set as below then my slaves will start listening on port 2034? I am bit confused on port numbers for NOTIFY messages and NOTIFY-UPDATED [i.e. AXFR/IXFR]

also-notify {10.0.1.2; "notify-them" port 2034;};

On Fri, May 4, 2018 at 5:00 PM, Bob McDonald wrote:
> This gets much more involved the further downstream you go.
>
> For example, when a downstream slave (true or stealth) provides transfers to a further downstream slave (true or stealth), the notify options can get a bit messy.
>
> Bottom line is it requires some detailed analysis and probably some pictures.
>
> Regards,
>
> Bob
>
> On Fri, May 4, 2018 at 6:21 AM, Bob McDonald wrote:
>> This is my understanding of how Current (ver. 9.8 and above) ISC Bind works. It may or may not apply to older versions of ISC Bind and/or DNS resolver programs from other sources. This is only MY understanding. You are welcome to disagree and point out the folly of my understanding.
>>
>> There are several types of zones:
>>
>> 1) True Master - Defined in the zone block in the named.conf as a master AND appearing in the MNAME field in the SOA record of the zone.
>>
>> 2) Stealth Master - Defined in the zone block in the named.conf as a master AND NOT appearing in the MNAME field in the SOA record of the zone. NOT visible to clients. Requires update forwarding for DDNS updates.
>>
>> 3) Apparent Master - defined in the zone block in the named.conf as a slave AND appearing in the MNAME field in the SOA record of the zone. Although visible to clients, not really the master. Think of it as masquerading as the True Master in place of a Stealth Master.
>>
>> 4) True Slaves - Defined in the zone block in the named.conf as a slave AND appearing in the zone as part of the NS RRset.
>>
>> 5) Stealth Slaves - Defined in the zone block in named.conf as a slave AND NOT appearing in the zone as part of the NS RRset. (e.g. authoritative for the zone yet not in the NS RRset)
>>
>> notify=no - Notifies are not sent. Updating is done via the zone refresh timers. (now there's something to explain to management...)
>>
>> notify=yes - notifies are sent to all servers appearing in the NS RRset (except the server identified in the MNAME field of the SOA record) and to the also-notify list
>>
>> notify=master-only - notifies are only sent to master servers. (still getting my head wrapped around this one)
>>
>> notify=explicit - notifies are ONLY sent to servers listed in the also-notify list.
>>
>> To complicate things further... The notify option may also be specified in the zone statement, in which case it overrides the options notify statement. It would only be necessary to turn off this option if it caused slaves to crash.
>>
>> There is also an option:
>>
>> notify-to-soa - If yes do not check the nameservers in the NS RRset against the SOA MNAME. Normally a NOTIFY message is not sent to the SOA MNAME (SOA ORIGIN) as it is supposed to contain the name of the ultimate master. Sometimes, however, a slave is listed as the SOA MNAME in hidden master configurations and in that case you would want the ultimate master to still send NOTIFY messages to all the nameservers listed in the NS RRset.
>>
>> So, the bottom line is that there are SEVERAL ways to make notifies (and therefore updates) flow through the environment.
>>
>> Once you get this figured out, add in allow-notify, allow-updates, and update-forwarding (just say no...). There are also other use cases for dial-up. etc.
>>
>> Also, authoritative means serving a valid copy of a specific zone. (e.g. the server has a copy of the zone file and has a valid definition in its named.conf that matches one of the above defined types)
>>
>> Hope that helps.
>>
>> Regards,
>>
>> Bob
Re: notify explicit and also-notify
Ok - My question was about port number: if not explicitly defined, then it sends update on port TCP/53.

On Fri, May 4, 2018, 12:15 PM Dns Admin <dnsadm...@gmail.com> wrote:
> Hi Blason,
>
> My understanding is that if there is no "notify no;" statement, then bind will send notifies to all name servers for a given zone.
>
> Also notify pertains to the notification of name servers not included in zone data.
>
> Kind Regards Peter
>
> On 04/05/2018 05:51, Blason R wrote:
>> Hi,
>>
>> So I was playing with these two statements and wanted to know something on also-notify.
>>
>> also-notify by default will update slaves about delta changes on port TCP/53 if not explicitly set, right?
>>
>> e.g.
>>
>> also-notify {10.0.1.2; "notify-them" port 2034;};
notify explicit and also-notify
Hi,

So I was playing with these two statements and wanted to know something on also-notify.

also-notify by default will update slaves about delta changes on port TCP/53 if not explicitly set, right?

e.g.

also-notify {10.0.1.2; "notify-them" port 2034;};
Re: DNS RPZ Master/Slave configuration
Again, unicast could be any IP address or normal IP address given on server? There is no such specification like multicast.

On Thu, May 3, 2018 at 7:46 PM, Blason R <blaso...@gmail.com> wrote:
> Thanks I got it, below link helped me understand.
>
> https://deepthought.isc.org/article/AA-00518/0/How-can-I-synchronize-DNS-RPZ-firewall-policies-across-multiple-DNS-servers.html
>
> The one thing I didn't understand is how to assign unicast address from DNS perspective?
>
> On Thu, May 3, 2018 at 7:36 PM, Blason R <blaso...@gmail.com> wrote:
>> Hi there,
>>
>> Can someone please guide me on working configuration of Master/Slave zone in DNS RPZ for reference?
>>
>> Is that available with someone? And does it work exactly as master/slave like any other zone?
Re: DNS RPZ Master/Slave configuration
Thanks I got it, below link helped me understand.

https://deepthought.isc.org/article/AA-00518/0/How-can-I-synchronize-DNS-RPZ-firewall-policies-across-multiple-DNS-servers.html

The one thing I didn't understand is how to assign unicast address from DNS perspective?

On Thu, May 3, 2018 at 7:36 PM, Blason R <blaso...@gmail.com> wrote:
> Hi there,
>
> Can someone please guide me on working configuration of Master/Slave zone in DNS RPZ for reference?
>
> Is that available with someone? And does it work exactly as master/slave like any other zone?
DNS RPZ Master/Slave configuration
Hi there,

Can someone please guide me on working configuration of Master/Slave zone in DNS RPZ for reference?

Is that available with someone? And does it work exactly as master/slave like any other zone?
Re: Can we block/detect DNS beacon channels?
Well, challenge is not implementing RPZ, that part is done, but now wondering as an advanced part if such attacks can be detected as well as blocked by using RPZ?

I guess one option I see is to deploy HIDS on BIND server like suricata which will detect such attacks. But that will consume lot of resources, hence wondering if natively can we configure anything like that?

On Thu, May 3, 2018 at 12:20 AM, Grant Taylor via bind-users <bind-users@lists.isc.org> wrote:
> On 05/02/2018 12:23 PM, Blason R wrote:
>> I would really appreciate if someone can shed light; if DNS based advanced attacks can be stopped using DNS RPZ? Like DNS beacon channels or Data Exfiltration through DNS queries.
>
> If you know fixed aspects of the queries / responses, you can very likely filter them with Response Policy Zone.
>
> However I think you will need Response Policy Service to be able to do more instrumentation / trending / tracking and filtering of unknown ahead of time aspects.
>
> I think of RPS for DNS much like I think of milters for Sendmail.
>
> It's my understanding that RPS support is in BIND. However I'm not aware of any free RPS filters. I think there is at least one commercial implementation.
>
> --
> Grant. . . .
> unix || die
Can we block/detect DNS beacon channels?
Hi,

I would really appreciate if someone can shed light; if DNS based advanced attacks can be stopped using DNS RPZ? Like DNS beacon channels or Data Exfiltration through DNS queries.
Re: policy-ip-trigger
Oh, I overlooked the statement. Yep, we need to use prefix:

IPv4 IP Trigger Name Format
The keyword label of rpz-ip invokes this trigger type. The IPv4 address is written in the form prefix.a4.a3.a2.a1.rpz-ip

Does anyone have any better idea to reverse it?

On Wed, May 2, 2018 at 5:00 PM, Blason R <blaso...@gmail.com> wrote:
> Hi,
>
> I am trying to write a zone for policy-ip-trigger and trying to reverse the IP which I have done with below command
>
> cat test | awk -F. '{print $4"."$3"."$2"."$1".rpz-ip"}'
>
> Does anyone have any other idea?
>
> Also with policy-ip-trigger is it mandatory to provide subnet mask in reverse manner?
> As single IP address will be blocked with
> 123.226.68.21
>
> 21.68.226.123.rpz-ip OR
> 32.21.68.226.123.rpz-ip
>
> Can someone please confirm?
policy-ip-trigger
Hi,

I am trying to write a zone for policy-ip-trigger and trying to reverse the IP which I have done with below command

cat test | awk -F. '{print $4"."$3"."$2"."$1".rpz-ip"}'

Does anyone have any other idea?

Also with policy-ip-trigger is it mandatory to provide subnet mask in reverse manner?
As single IP address will be blocked with
123.226.68.21

21.68.226.123.rpz-ip OR
32.21.68.226.123.rpz-ip

Can someone please confirm?
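The two messages of this thread ask how to turn a list of addresses into rpz-ip owner names and whether the prefix length is required (the follow-up confirms it is: 32.21.68.226.123.rpz-ip). As an added example, not from the thread or from ISC, this POSIX shell script does the conversion with input validation, accepts CIDR prefixes as well as single hosts, and emits the policy records; the function names, the ACTION argument and the sample address list are my own choices.

```shell
#!/bin/sh
# Build RPZ IP-trigger owner names from IPv4 addresses or CIDR prefixes.
# Owner-name format (RPZ spec): prefix.a4.a3.a2.a1.rpz-ip, relative to the
# policy zone. The prefix-length label is mandatory, so a single host is
# 32.21.68.226.123.rpz-ip, never 21.68.226.123.rpz-ip.
# Hypothetical helper written for this thread; not part of BIND or ISC tooling.

# in_range VALUE LOW HIGH: succeed only if VALUE is a decimal integer in [LOW, HIGH]
in_range() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# cidr_to_rpz_ip ADDR[/PREFIX]
# Prints the rpz-ip owner name; a bare address is treated as /32.
# Prints nothing and returns 1 for anything that is not a valid IPv4
# address with an optional 0-32 prefix length.
cidr_to_rpz_ip() {
    case "$1" in
        */*) addr=${1%%/*}; prefix=${1#*/} ;;
        *)   addr=$1;        prefix=32 ;;
    esac
    in_range "$prefix" 0 32 || return 1
    # only digits and dots, no leading/trailing dot; this also keeps
    # the "set --" below from glob-expanding hostile input
    case "$addr" in
        ''|*[!0-9.]*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $addr          # split the dotted quad into $1..$4
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        in_range "$octet" 0 255 || return 1
    done
    # octets are emitted least-significant first, after the prefix length
    printf '%s.%s.%s.%s.%s.rpz-ip\n' "$prefix" "$4" "$3" "$2" "$1"
}

# rpz_ip_zone_records [ACTION]
# Reads one address or CIDR per line on stdin (the job of the author's
# "cat test | awk ..." pipeline) and prints one RPZ record per valid line.
# ACTION is the CNAME target that selects the policy: "." (default) means
# NXDOMAIN, "*." means NODATA, "rpz-passthru." exempts the address range.
# Blank lines and "#" comments are skipped; malformed entries are reported
# on stderr instead of being silently turned into a bogus record.
rpz_ip_zone_records() {
    action=${1:-.}
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if name=$(cidr_to_rpz_ip "$line"); then
            printf '%s IN CNAME %s\n' "$name" "$action"
        else
            printf 'skipping malformed entry: %s\n' "$line" >&2
        fi
    done
}

# Demo on a constructed list (the kind of file the author pipes through awk)
printf '%s\n' 123.226.68.21 10.0.0.0/8 '# internal test range' 192.168.5.0/24 not-an-ip \
    | rpz_ip_zone_records
```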
what is mapping and how to achieve it?
Hi Team,

Just been looking around about using mapping in my DNS RPZ server but didn't find any relevant documentation.

Can someone please help me understanding mapping in RPZ and how that can be beneficial? performance wise/storage wise/faster loading of zones?
Re: RPZ logging
Yep; thanks, that worked!!

On Sun, Apr 29, 2018 at 10:38 AM, Blason R <blaso...@gmail.com> wrote:
> hmm..ok let me try. Since I am also writing parsers in logstash wondering what exactly would be the log setting I need to pick up.
>
> On Sun, Apr 29, 2018 at 9:12 AM, Bob Harold <rharo...@umich.edu> wrote:
>> On Sat, Apr 28, 2018 at 11:29 PM, Blason R <blaso...@gmail.com> wrote:
>>> Hi Folks,
>>>
>>> I have been struggling with exact RPZ/Bind option/statement which enables the logging for RPZ and shows if the query matches RPZ zone.
>>>
>>> Can someone please help me?
>>
>> I think the required rpz logging related lines in my named.conf are:
>>
>> logging {
>>     channel "rpz_file" {
>>         file "/var/log/named/rpz.log" versions 10 size 104857600;
>>         severity dynamic;
>>         print-time yes;
>>         print-severity yes;
>>         print-category yes;
>>     };
>>
>>     category "rpz" {
>>         "rpz_file";
>>     };
>> };
>>
>> You might want less versions and/or a smaller size - my values allow rpz logs to fill 1gb of disk.
>>
>> --
>> Bob Harold
Re: RPZ logging
hmm..ok let me try. Since I am also writing parsers in logstash wondering what exactly would be the log setting I need to pick up.

On Sun, Apr 29, 2018 at 9:12 AM, Bob Harold <rharo...@umich.edu> wrote:
> On Sat, Apr 28, 2018 at 11:29 PM, Blason R <blaso...@gmail.com> wrote:
>> Hi Folks,
>>
>> I have been struggling with exact RPZ/Bind option/statement which enables the logging for RPZ and shows if the query matches RPZ zone.
>>
>> Can someone please help me?
>
> I think the required rpz logging related lines in my named.conf are:
>
> logging {
>     channel "rpz_file" {
>         file "/var/log/named/rpz.log" versions 10 size 104857600;
>         severity dynamic;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>
>     category "rpz" {
>         "rpz_file";
>     };
> };
>
> You might want less versions and/or a smaller size - my values allow rpz logs to fill 1gb of disk.
>
> --
> Bob Harold
RPZ logging
Hi Folks,

I have been struggling with exact RPZ/Bind option/statement which enables the logging for RPZ and shows if the query matches RPZ zone.

Can someone please help me?
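Bob Harold's logging stanza in this thread sends the "rpz" category to its own file, and Blason mentions wanting to parse those lines in logstash. As an added example, not from the thread or from ISC, here is a shell/awk summariser run over constructed sample lines whose shape follows what named writes with print-time, print-category and print-severity enabled; the function names, client addresses, query names and zone names are all made up.

```shell
#!/bin/sh
# Summarise hits from BIND's "rpz" logging category (the channel set up in
# the named.conf quoted above). Hypothetical helper written for this thread,
# not part of BIND. Only POSIX sh, awk and sort are used.
#
# With print-time, print-category and print-severity enabled, a rewrite is
# logged roughly as (shape only; every line below is constructed):
#   <time> rpz: info: client @0x... <client-ip>#<port> (<qname>): rpz <TRIGGER> <ACTION> rewrite <qname> via <record>.<policy-zone>

SAMPLE_RPZ_LOG='28-Apr-2018 23:10:01.123 rpz: info: client @0x7f0c1c0b4d60 192.168.5.20#51234 (bad.example.test): rpz QNAME CNAME rewrite bad.example.test via bad.example.test.malware.trap
28-Apr-2018 23:10:02.456 rpz: info: client @0x7f0c1c0b4d60 192.168.5.21#40011 (good.example.test): rpz QNAME PASSTHRU rewrite good.example.test via good.example.test.whitelist.allow
28-Apr-2018 23:10:03.789 rpz: info: client @0x7f0c1c0b4d60 192.168.5.20#51240 (other.example.test): rpz QNAME NXDOMAIN rewrite other.example.test via other.example.test.malware.trap
28-Apr-2018 23:10:04.000 rpz: info: client @0x7f0c1c0b4d60 192.168.5.22#53000 (c.example.test): rpz IP NXDOMAIN rewrite c.example.test via 32.21.68.226.123.rpz-ip.malware.trap
28-Apr-2018 23:10:05.000 rpz: info: client @0x7f0c1c0b4d60 192.168.5.20#51301 (bad.example.test): rpz QNAME CNAME rewrite bad.example.test via bad.example.test.malware.trap
28-Apr-2018 23:10:06.000 general: info: zone malware.trap/IN: loaded serial 2018042801'

# _rpz_parse MODE: shared parser; MODE is "clients" or "names"
_rpz_parse() {
    awk -v mode="$1" '
    # only rewrite lines carry "rpz <TRIGGER> <ACTION> rewrite"; everything else is skipped
    / rpz [A-Za-z-]+ [A-Za-z-]+ rewrite / {
        # client address is the "<ip>#<port>" token; drop the port
        client = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^[0-9a-fA-F.:]+#[0-9]+$/) { split($i, a, "#"); client = a[1]; break }
        }
        # queried name is the parenthesised token after the client
        if (match($0, /\([^)]*\)/) == 0) { next }
        qname = substr($0, RSTART + 1, RLENGTH - 2)
        # trigger type (QNAME, IP, NSDNAME, ...) and the policy that was applied
        match($0, / rpz [A-Za-z-]+ [A-Za-z-]+ rewrite /)
        split(substr($0, RSTART + 1, RLENGTH - 1), t, " ")
        trigger = t[2]; action = t[3]
        if (mode == "clients" && client != "") {
            hits[client " " action]++
        } else if (mode == "names" && action != "PASSTHRU") {
            hits[qname " " trigger " " action] = 1
        }
    }
    END {
        for (k in hits) {
            if (mode == "clients") { print k, hits[k] } else { print k }
        }
    }' | LC_ALL=C sort
}

# rpz_hits_by_client: stdin -> "client action count", one line each, sorted.
# A client that keeps hitting the same policy stands out here.
rpz_hits_by_client() { _rpz_parse clients; }

# rpz_rewritten_names: stdin -> distinct "qname trigger action" for every
# rewrite that actually changed an answer (passthru exemptions excluded).
rpz_rewritten_names() { _rpz_parse names; }

# Demo on the constructed sample
printf '%s\n' "$SAMPLE_RPZ_LOG" | rpz_hits_by_client
printf '%s\n' "$SAMPLE_RPZ_LOG" | rpz_rewritten_names
```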
Re: How to implement DNS RPZ with Domain Based Reputation Data
Oh I see.. I thought this was a kind of feature of BIND. I got it now.

On Sun, Apr 29, 2018 at 8:38 AM, Mukund Sivaraman <m...@isc.org> wrote:
> On Sun, Apr 29, 2018 at 08:27:34AM +0530, Blason R wrote:
>> Hi Team,
>> Can someone please confirm if below stuff I found pertaining to BIND can be implemented with DNS RPZ? If yes can someone please point me to the appropriate document?
>> Domain Based Reputational Data
>>
>> With the release of BIND 9.8.1 a *new* reputational mechanism is available, this time for use by DNS resolvers. An organisation is able to receive a reputational data feed describing internet domains that have a 'poor' reputation. A poor reputation is usually based on the delivery of malware, or other forms of nefarious internet activity.
>>
>> The ISC have provided an efficient standardised mechanism for the use of reputational data by recursive DNS resolvers and have left the provision of the reputational data itself to professional organisations that specialize in this type of information. Additionally, the response that shall be given to a client attempting to resolve a domain which is listed amongst those with a 'poor' reputation is left to the local organisation to decide.
>
> This is basically RPZ. "reputational data feed" is basically a response policy zone. There are feed providers such as Spamhaus, Farsight Security, etc. E.g., see this:
>
> https://www.spamhaus.org/news/article/669
>
> Mukund
How to implement DNS RPZ with Domain Based Reputation Data
Hi Team,

Can someone please confirm if below stuff I found pertaining to BIND can be implemented with DNS RPZ? If yes can someone please point me to the appropriate document?

Domain Based Reputational Data

With the release of BIND 9.8.1 a *new* reputational mechanism is available, this time for use by DNS resolvers. An organisation is able to receive a reputational data feed describing internet domains that have a 'poor' reputation. A poor reputation is usually based on the delivery of malware, or other forms of nefarious internet activity.

The ISC have provided an efficient standardised mechanism for the use of reputational data by recursive DNS resolvers and have left the provision of the reputational data itself to professional organisations that specialize in this type of information. Additionally, the response that shall be given to a client attempting to resolve a domain which is listed amongst those with a 'poor' reputation is left to the local organisation to decide.
Re: Whitelisting sites using RPZ
9.12 is not yet stable; I believe?

On Thu, Apr 26, 2018 at 1:23 PM, Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
> On 26.04.18 09:46, Blason R wrote:
>> Oh that's great...in that case general practice would be always whitelist the zones first then blacklist?
>
> I'm using:
>
> whitelist with "policy passthru log no"
> test zones with "policy passthru"
> blacklists with "policy cname LANDINGPAGE"
>
> Note, "[ log yes_or_no ]" has been added in BIND 9.12.
>
> Daniel
Re: Whitelisting sites using RPZ
Oh that's great...in that case general practice would be always whitelist the zones first then blacklist?

On Thu, Apr 26, 2018 at 11:53 AM, Daniel Stirnimann <daniel.stirnim...@switch.ch> wrote:
>> response-policy { zone "malware.trap"; zone "whitelist.allow" policy passthru; };
>> ...
>> So which one will take precedence in this case?
>
> Policy processing will search the zone files in the order in which they appear in the response-policy statement.
>
> So, you need to change the order in your example to achieve the desired result.
>
> Daniel
Whitelisting sites using RPZ
Hi team,

In RPZ since we can build up to 32 zones, can I create blacklist and whitelist policies like this?

response-policy { zone "malware.trap"; zone "whitelist.allow" policy passthru; };

zone "malware.trap" {
    type master;
    file "/etc/bind/malware.trap.db";
};

zone "whitelist.allow" {
    type master;
    file "/etc/bind/whitelist.allow.db";
};

So which one will take precedence in this case? Let's say www.google.com mistakenly entered in malware.trap zone and *.google.com is allowed in whitelist.allow as rpz-passthru?

BTW first not sure if such configuration can be possible?
Re: Fwd: Facing weird issue with DNS-RPZ
I do not have IPv6 disabled; it's just a plain CentOS where I am compiling. Thanks for the info though.

On Thu, Apr 26, 2018 at 2:32 AM, Carl Byington <c...@byington.org> wrote:
> On Wed, 2018-04-25 at 19:30 +0530, Blason R wrote:
>> I tried that couple of times on CentOS and it fails :(.
>
> http://www.five-ten-sg.com/mapper/bind
>
> I just updated the instructions. It looks like the built-in tests (that are normally run as part of the build) require some IPv6. If you disabled IPv6, you should be able to build with "--define 'test 0'"
>
> Was there any other failure?
Re: Fwd: Facing weird issue with DNS-RPZ
Hey,

I tried that couple of times on CentOS and it fails :(. I would really appreciate if someone has already compiled RPM and can share it?

On Wed, Apr 25, 2018 at 11:52 AM, G.W. Haywood via bind-users <bind-users@lists.isc.org> wrote:
> Hi there,
>
> On Wed, 25 Apr 2018, Blason R wrote:
>> Unfortunately neither RHEL nor CentOS gives RPM for 9.10+ and really compiling and building is really pain and time consuming.
>> Hence I decided to give a try with Ubuntu 16.04 and any ways within few days 18.04 is coming out with 9.11.
>
> Date: Wed, 17 Jan 2018 08:52:30 -0800
> From: Carl Byington <c...@byington.org>
> To: bind-users@lists.isc.org
> Subject: RHEL, Centos, Fedora rpm 9.11.2-P1
> Message-ID: <1516207950.16446.8.ca...@ns.five-ten-sg.com>
>
> http://www.five-ten-sg.com/mapper/bind contains links to the source rpms, and build instructions.
>
> --
>
> 73,
> Ged.
Re: Fwd: Facing weird issue with DNS-RPZ
Ok, got the issue and fixed it; it was a long zone which was causing the issue.

On Wed, Apr 25, 2018 at 10:28 AM, Blason R <blaso...@gmail.com> wrote:
> Whoo..what is this all about guys? Is there any limit for zones?
>
>     Active: active (running) since Wed 2018-04-25 10:25:27 IST; 2s ago
>       Docs: man:named(8)
>    Process: 4085 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
>   Main PID: 4091 (named)
>      Tasks: 7
>     Memory: 146.1M
>        CPU: 1.527s
>     CGroup: /system.slice/bind9.service
>             └─4091 /usr/sbin/named -f -u bind
>
> Apr 25 10:25:27 dnsfw named[4091]: managed-keys-zone: loaded serial 13
> Apr 25 10:25:27 dnsfw named[4091]: zone 0.in-addr.arpa/IN: loaded serial 1
> Apr 25 10:25:27 dnsfw named[4091]: zone localhost/IN: loaded serial 2
> Apr 25 10:25:27 dnsfw named[4091]: zone 255.in-addr.arpa/IN: loaded serial 1
> Apr 25 10:25:27 dnsfw named[4091]: zone 127.in-addr.arpa/IN: loaded serial 1
> Apr 25 10:25:28 dnsfw named[4091]: dns_master_load: /etc/bind/isnlab.in.db:345703: ran out of space
> Apr 25 10:25:28 dnsfw named[4091]: zone isnlab.in/IN: loading from master file /etc/bind/isnlab.in.db failed: ran out of space
> Apr 25 10:25:28 dnsfw named[4091]: zone isnlab.in/IN: not loaded due to errors.
>
> I have around 300+ zones
>
> root@dnsfw:/etc/bind# named -v
> BIND 9.10.3-P4-Ubuntu
>
> On Wed, Apr 25, 2018 at 8:52 AM, Blason R <blaso...@gmail.com> wrote:
>> Unfortunately neither RHEL nor CentOS gives RPM for 9.10+ and really compiling and building is really pain and time consuming.
>> Hence I decided to give a try with Ubuntu 16.04 and any ways within few days 18.04 is coming out with 9.11.
>>
>> BTW is 9.11 branch stable?
>>
>> On Wed, Apr 25, 2018 at 8:03 AM, Mukund Sivaraman <m...@isc.org> wrote:
>>> On Tue, Apr 24, 2018 at 07:25:45PM -0700, Ray Van Dolson wrote:
>>>> On Tue, Apr 24, 2018 at 07:21:34PM -0700, Mukund Sivaraman wrote:
>>>>> On Tue, Apr 24, 2018 at 06:03:43PM +0530, Blason R wrote:
>>>>>> I am building DNS RPZ on named BIND 9.9.4-RedHat-9.9.4-51.el7_4.2 (Extended Support Version).
>>>>>
>>>>> RPZ in BIND 9.9 is experimental and unsupported (except for the subscription branch). Please use at least BIND 9.10 for RPZ.
>>>>
>>>> We've been using RPZ in RHEL6-provided BIND (based on BIND 9.8.2).
>>>>
>>>> No issues. Unsure if Red Hat backports the "more stable" code?
>>>
>>> I doubt it. But speaking for ISC BIND, 9.10+ is the only RPZ code we bugfix and there have been a lot of bugs fixed.
>>>
>>> Mukund
Re: Fwd: Facing weird issue with DNS-RPZ
Whoo.. what is this all about, guys? Is there any limit for zones?

   Active: active (running) since Wed 2018-04-25 10:25:27 IST; 2s ago
     Docs: man:named(8)
  Process: 4085 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 4091 (named)
    Tasks: 7
   Memory: 146.1M
      CPU: 1.527s
   CGroup: /system.slice/bind9.service
           └─4091 /usr/sbin/named -f -u bind

Apr 25 10:25:27 dnsfw named[4091]: managed-keys-zone: loaded serial 13
Apr 25 10:25:27 dnsfw named[4091]: zone 0.in-addr.arpa/IN: loaded serial 1
Apr 25 10:25:27 dnsfw named[4091]: zone localhost/IN: loaded serial 2
Apr 25 10:25:27 dnsfw named[4091]: zone 255.in-addr.arpa/IN: loaded serial 1
Apr 25 10:25:27 dnsfw named[4091]: zone 127.in-addr.arpa/IN: loaded serial 1
Apr 25 10:25:28 dnsfw named[4091]: dns_master_load: /etc/bind/isnlab.in.db:345703: ran out of space
Apr 25 10:25:28 dnsfw named[4091]: zone isnlab.in/IN: loading from master file /etc/bind/isnlab.in.db failed: ran out of space
Apr 25 10:25:28 dnsfw named[4091]: zone isnlab.in/IN: not loaded due to errors.

I have around 300+ zones.

root@dnsfw:/etc/bind# named -v
BIND 9.10.3-P4-Ubuntu

On Wed, Apr 25, 2018 at 8:52 AM, Blason R <blaso...@gmail.com> wrote:
> Unfortunately neither RHEL nor CentOS gives an RPM for 9.10+, and
> compiling and building is really a pain and time consuming.
> Hence I decided to give it a try with Ubuntu 16.04, and anyway within a few
> days 18.04 is coming out with 9.11.
>
> BTW, is the 9.11 branch stable?
>
> On Wed, Apr 25, 2018 at 8:03 AM, Mukund Sivaraman <m...@isc.org> wrote:
>
>> On Tue, Apr 24, 2018 at 07:25:45PM -0700, Ray Van Dolson wrote:
>> > On Tue, Apr 24, 2018 at 07:21:34PM -0700, Mukund Sivaraman wrote:
>> > > On Tue, Apr 24, 2018 at 06:03:43PM +0530, Blason R wrote:
>> > > > I am building DNS RPZ on named BIND 9.9.4-RedHat-9.9.4-51.el7_4.2
>> > > > (Extended Support Version).
>> > >
>> > > RPZ in BIND 9.9 is experimental and unsupported (except for the
>> > > subscription branch). Please use at least BIND 9.10 for RPZ.
>> >
>> > We've been using RPZ in RHEL6-provided BIND (based on BIND 9.8.2).
>> >
>> > No issues. Unsure if Red Hat backports the "more stable" code?
>>
>> I doubt it. But speaking for ISC BIND, 9.10+ is the only RPZ code we
>> bugfix, and there have been a lot of bugs fixed.
>>
>> Mukund
Re: Fwd: Facing weird issue with DNS-RPZ
Unfortunately neither RHEL nor CentOS gives an RPM for 9.10+, and compiling and building is really a pain and time consuming. Hence I decided to give it a try with Ubuntu 16.04, and anyway within a few days 18.04 is coming out with 9.11.

BTW, is the 9.11 branch stable?

On Wed, Apr 25, 2018 at 8:03 AM, Mukund Sivaraman <m...@isc.org> wrote:
> On Tue, Apr 24, 2018 at 07:25:45PM -0700, Ray Van Dolson wrote:
> > On Tue, Apr 24, 2018 at 07:21:34PM -0700, Mukund Sivaraman wrote:
> > > On Tue, Apr 24, 2018 at 06:03:43PM +0530, Blason R wrote:
> > > > I am building DNS RPZ on named BIND 9.9.4-RedHat-9.9.4-51.el7_4.2
> > > > (Extended Support Version).
> > >
> > > RPZ in BIND 9.9 is experimental and unsupported (except for the
> > > subscription branch). Please use at least BIND 9.10 for RPZ.
> >
> > We've been using RPZ in RHEL6-provided BIND (based on BIND 9.8.2).
> >
> > No issues. Unsure if Red Hat backports the "more stable" code?
>
> I doubt it. But speaking for ISC BIND, 9.10+ is the only RPZ code we
> bugfix, and there have been a lot of bugs fixed.
>
> Mukund