Re: bind918 malfunction?

2024-09-06 Thread Bob Harold
.telekom.net. telekom.de. 3600 IN NS dns1.telekom.de. telekom.de. 3600 IN NS dns2.telekom.de. telekom.de. 3600 IN NS pns.dtag.de. This is the type of NS record 'tree' that I also had, that caused me problems. -- Bob Harold On Fri, Sep 6, 2024 at 3:27 PM Ondřej Surý wrote: > Ok, so

Re: bind918 malfunction?

2024-09-06 Thread Bob Harold
ertificate, LetEncrypt using Unbound was verifying every NS record and sometimes gave up, with an error message "exceeded the maximum nameserver nxdomains" even though there were no 'nxdomains' in the log. I simplified my NS records and the problem went away. -- Bob Harold O

Re: Intent and implementation of dig's +crypto option

2023-09-22 Thread Bob Harold
nk that dig should be adjusted to suppress cryptographic > material from other records such as TLSA, SSHFP, CDNSKEY, CDS, etc, and > the man page updated to reflect this? > > Regards, > Anand Buddhdev > -- > > Just my opinion, but I would like it to apply to all crypto

Re: Forwarders working differently on bind9.8 & bind9.11

2023-09-19 Thread Bob Harold
e or more forwarders, and they are queried in turn until the list is exhausted or an answer is found." So the first one will get all the traffic, the second is just a backup to be used if the first fails. If you expect that to do load balancing, it will not. Try a real load balancer, or

Does DNSSEC increased packet size reach end computers?

2023-04-11 Thread Bob Harold
DNS Authoritative servers? (Granted, the actual answer size to the client could be large enough to cause fall-back to TCP, but that is not because of DNSSEC.) -- Bob Harold -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this

DNS DDoS protection

2023-02-24 Thread Bob Harold
Before answering this question, can you tell me the proper place where I should be asking this question? "We are researching DDoS protection, including DNS. What companies or products or methods should I be looking at?" -- Bob Harold

Re: Proxy requests but filter out IPv4 address

2022-08-19 Thread Bob Harold
RPZ should be able to do that. Read up on RPZ in the BIND manual, and search online for more info. -- Bob Harold On Fri, Aug 19, 2022 at 2:56 AM Matthias Fechner wrote: > Dear all, > > I'm not sure if bind can do this, but let me explain what I would like > to do. > >

Re: RE: DNSSEC adoption

2022-08-03 Thread Bob Harold
will cause an increase in DNS traffic, and I don't know how much of an increase, but the 24-48 hour TTL of the DS record is the real down-side of DNSSEC, and why it is taking me so long to try to develop a bullet-proof process before signing my zones. -- Bob Harold University of Michigan O

Re: BIND9 TSIG from Windows Server 2016 DNS Server Zone

2022-05-27 Thread Bob Harold
e meantime, >> considering the recent >> surge of cyber attacks since the recent war started, and our country >> voted support for the >> defending party. >> >> Frankly, I am not in deep with Microsoft DNS, and I guess there can be >> some tweaking with

Re: Determining Which Authoritative Sever to Use

2022-05-12 Thread Bob Harold
On Wed, May 11, 2022 at 4:34 PM Grant Taylor via bind-users < bind-users@lists.isc.org> wrote: > On 5/11/22 2:19 PM, Bob Harold wrote: > > Not sure who set it up, but my DHCP servers have for some zones: > > > > zone x.y.z.in-addr.arpa > > { > > primar

Re: Determining Which Authoritative Sever to Use

2022-05-11 Thread Bob Harold
sults with an RPZ overriding the > MNAME with the local server's IP address. > > }:-) > > > > -- > Grant. . . . > unix || die > > Not sure who set it up, but my DHCP servers have for some zones: zone x.y.z.in-addr.arpa { primary 10.2.3.4; } Which I believe overrides the MNAME l

Re: Supporting LOC RR's

2022-05-01 Thread Bob Harold
On Wed, Apr 13, 2022 at 9:39 AM Bjørn Mork wrote: > Timothe Litt writes: > > > Anyhow, it's not clear exactly what problem you're asking LOC (or > > anything) to solve. > > Which problems do LOC solve? > > I remember adding LOC records for fun?() in the previous millennium when > RFC 1876 was fr

Re: Merging DNS servers

2022-04-26 Thread Bob Harold
ed to copy the journal files. If there are any other secondary servers (and you almost always want more than just the master), then change those to pull from the new server, and make sure that is working, before starting the steps you listed. -- Bob Harold

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Bob Harold
On Thu, Apr 15, 2021 at 12:44 PM Tony Finch wrote: > Matthijs Mekking wrote: > > On 15-04-2021 16:35, Bob Harold wrote: > > > > > > If BIND holds both the child and parent zone, will it add the DS record > > > at the correct time? Or do I still need to

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Bob Harold
On Thu, Apr 15, 2021 at 8:50 AM Bob Harold wrote: > > On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking wrote: > >> >> >> On 14-04-2021 22:30, Greg Rivers via bind-users wrote: >> > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote: >> >>

Re: Ask for automated KSK roll with DS checking

2021-04-15 Thread Bob Harold
On Thu, Apr 15, 2021 at 2:57 AM Matthijs Mekking wrote: > > > On 14-04-2021 22:30, Greg Rivers via bind-users wrote: > > On Wednesday, 14 April 2021 15:00:38 CDT Bob Harold wrote: > >> Does anyone have an automated KSK roll process, that checks for the DS > >> re

Ask for automated KSK roll with DS checking

2021-04-14 Thread Bob Harold
EC if some other process does not update the DS record at the right time. That's too big a risk for me, the process needs to check the DS record before completing the KSK roll. Surely someone has done this. I would rather not reinvent the wheel. But I have searched and not found anything yet.

Re: Options for named startup docker

2021-02-03 Thread Bob Harold
Pv4 only" Perhaps you want "-6" to use IPv6 only ? -- Bob Harold > > Normally you can do this via the file /etc/default/named (In the options > variable). Unfortunately, this file is ignored. I also tried it with the > "Environment" parameter in docker-comp

Re: How can I launch a private Internet DNS server?

2020-11-05 Thread Bob Harold
/etc/resolv.conf or the "DNS servers" seen in windows client settings, will only be used by the client if the first server does not respond. For that, you can use a public resolver like Google 8.8.8.8 as the second choice for your users. -- Bob Harold

Re: forwarders used in order or based on RTT ?

2020-10-16 Thread Bob Harold
That is certainly not obvious. How do I request improving the manual? "in turn" would seem to imply "in order", and the order would logically be the order I listed them. -- Bob Harold DNS and DHCP Hostmaster - UMNet Information and Technology Services (ITS) rharo...@umic

forwarders used in order or based on RTT ?

2020-10-16 Thread Bob Harold
based algorithm" So which is correct? And did it change at some point? -- Bob Harold DNS and DHCP Hostmaster - UMNet Information and Technology Services (ITS) rharo...@umich.edu 734-512-7038

BIND log format Splunk regex

2020-05-26 Thread Bob Harold
I am told from my Splunk experts that the vendor supplied Splunk app for isc-bind matches the BIND 9.8 version used in RHEL6, but not the BIND 9.11 version used in RHEL7. I have a mix now. Does anyone have a REGEX for 9.11, or better yet, a regex that matches both formats? -- Bob Harold

Re: How to disable recursion on ONE domain? (Bind-9.11.14)

2020-05-15 Thread Bob Harold
ype static-stub; > server-names { >"10.n.n.n"; >"10.n.n.m"; > }; >}; > }; > > This ALWAYS gives a SERVFAIL though regardless of whether the 10.n.n.n > addresses are reachable or not... > "server-names" must

Re: TSIG DDNS and windows clients

2020-05-13 Thread Bob Harold
On Wed, May 13, 2020 at 3:49 PM Grant Taylor via bind-users < bind-users@lists.isc.org> wrote: > On 5/13/20 6:29 AM, Bob Harold wrote: > > Your ACL looks right. I think Ben has the key - Windows uses GSS-TSIG, > > not regular TSIG. Not sure how or if that can be solved.

Re: TSIG DDNS and windows clients

2020-05-13 Thread Bob Harold
the key - Windows uses GSS-TSIG, not regular TSIG. Not sure how or if that can be solved. -- Bob Harold > On Tue, 12 May 2020 at 13:40, Bob Harold wrote: > >> >> On Tue, May 12, 2020 at 5:57 AM Pete Fry via bind-users < >> bind-users@lists.isc.org> wrote:

Re: What is the proper way to delegate to a private / hidden sub-domain?

2020-05-06 Thread Bob Harold
and the other > anycast instance being internal private accessible. > > I don't see another way to delegate the same zone to different (sets of) > name servers without using anycast. Hence my email to the list asking > if anyone had any suggestions. > > > > --

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 12:45 PM Tim Daneliuk wrote: > On 4/17/20 10:17 AM, julien soula wrote: > > On Fri, Apr 17, 2020 at 09:56:21AM -0500, Tim Daneliuk wrote: > >> On 4/17/20 9:50 AM, Bob Harold wrote: > >>> > >>> Agree, that's odd, and not what

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 11:03 AM Konstantin Stefanov wrote: > On 17.04.2020 17:56, Tim Daneliuk wrote: > > On 4/17/20 9:50 AM, Bob Harold wrote: > >> > >> Agree, that's odd, and not what the man page says. Any chance that > there is some other DNS helper ru

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
On Fri, Apr 17, 2020 at 10:34 AM Tim Daneliuk wrote: > On 4/17/20 7:26 AM, Bob Harold wrote: > > > > On Thu, Apr 16, 2020 at 7:17 PM Tim Daneliuk <mailto:tun...@tundraware.com>> wrote: > > > > We have split horizon setup and enable our internal and t

Re: Question About Recursion In A Split Horizon Setup

2020-04-17 Thread Bob Harold
http://www.tundraware.com/PGP/ Is 127.0.0.1 in the 'trustedhosts' list? Are you telling 'dig' what server to use - dig @127.0.0.1 What servers are listed in /etc/resolv.conf? Do they resolve the reverse zones? Are local queries hitting the right 'view'

Re: DHCPD - BIND DDNS: dnssec-keygen hmac-md5 removed

2020-04-13 Thread Bob Harold
I would suggest: tsig-keygen your-key-name It does not need any options, the defaults are fine. -- Bob Harold On Fri, Apr 10, 2020 at 7:52 PM moo can via bind-users < bind-users@lists.isc.org> wrote: > Hello, > > For educational purpose I need to setup a DDNS be

Re: Machine friendly alternative to nsupdate

2020-04-01 Thread Bob Harold
don't see where that handles updates. -- Bob Harold On Wed, Apr 1, 2020 at 9:39 AM Ondřej Surý wrote: > I would recommend dnspython as a start. The API is very non-Python, > but once you get the hang of it, it’s not that bad. > > Ondrej > -- > Ondřej Surý > ond...@is

Re: Localhost view is not working for me

2020-03-30 Thread Bob Harold
ique names just to be sure which queries you are looking at. That's the best that I can suggest. -- Bob Harold On Mon, Mar 30, 2020 at 1:07 PM Marc Chamberlin via bind-users < bind-users@lists.isc.org> wrote: > Hello - I am running the Bind server > > > named -v > BIND

Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-20 Thread Bob Harold
nfo/bind-users > > > > -- > I don't think the execution is relevant when it was obviously a bad > idea in the first place. > This is like putting rabid weasels in your pants, and later expressing > regret at having chosen thos

Re: bind9 memory leak with TreeMemTotal, and TotalUse stat seems fictional

2020-02-28 Thread Bob Harold
ary. -- Bob Harold On Thu, Feb 27, 2020 at 3:23 PM Alistair Bayley < alistair.bay...@kordia.co.nz> wrote: > Hello, > > I didn't get any response to this. Is there some documentation that I > haven't yet found that explains what these measurements mean? Has anyone >

Re: NS failover as opposed to A record failover

2020-02-26 Thread Bob Harold
> > Scott, To directly give an opinion on your last question - client applications can often be slow to recover from failed connections, so updating the A records in the zone is a good idea - best to use nsupdate, do not edit zone file and reload. DNS Recursive resolvers should failover in secon

Re: Weird behaviour in wildcard CNAME - is this feature or bug? Can it be changed?

2020-02-11 Thread Bob Harold
. A 141.211.7.25 itd.umich.edu. A 141.211.7.25 *.itd.umich.edu. A 141.211.7.25 dns1.itd.umich.edu. A 192.12.80.214 -- Bob Harold On Tue, Feb 11, 2020 at 11:16 AM Petr Bena wrote: > Oh, that explains it, I did

Re: "overlay" views

2020-01-20 Thread Bob Harold
s different in each view: This zone is same in all views: zone example.com host1.example.com IN A 10.0.0.4 host2.example.com IN A 10.1.1.7 router.example.com CNAME router.splitview.example.com Then in one view: zone splitview.example.com router.splitview.example.com IN A 10.0.0.1 And the other view: zone splitvie

Re: What is wrong in the view matching below

2019-12-05 Thread Bob Harold
> > > Looks like the file lan.master.nixcraft.com has no data. > > > >> > >> Dec 05 17:51:54 sataradnsVM1 named[4038]: zone > >> internal.nixcraft.com\032/IN/internal: > has 0 SOA records > >> Dec 05 17:51:54 sataradnsVM1 named[4038]: zone > >

Re: Internal CNAME in RPZ

2019-10-24 Thread Bob Harold
th "A" records. Or both CNAME. But one RPZ entry cannot point to another. Use scripts to automate the process, if you don't want to enter 10.10.10.10 twice. p.s. The decision not to re-lookup the results of RPZ lookups is probably for speed and to avoid loops. Trying to patch aro

Re: Internal CNAME in RPZ

2019-10-24 Thread Bob Harold
arate. Do you want cname.domain.com to point to 10.10.10.10? Then use an A record to 10.10.10.10. Do you want cname.domain.com to point to some real domain name (probably a name you control, like a walled garden, or error page)? Then CNAME to that real name. -- Bob Harold > > In this

Re: dns latency

2019-04-12 Thread Bob Harold
418174157 > 20190411143657 26550 comcast.net. > YegwZlzjBoJ+b9nWTHwRZQbce619UcOVdo6FUPG056Sod4MEchv/GCHu > 7BpREAUm0CBoE4qbipTiS47wIk7QJYzz10B78wRgMGNwMTUXQ571YRyq > P0I3I0Dzag28j607walJOZms3lAXDzSnyvv9wocaH2MJ7Z3j68Qf5pKh YpM= > > ;; Received 227 bytes from 69.252.250.103#53(dns101.comc

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-04-04 Thread Bob Harold
y to everything included in that scope, unless overridden." Why have exceptions to this? This seems like expected behavior, and will allow for simpler configurations in some cases. No one is forced to use this, it is optional, but often convenient. -- Bob Harold

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-22 Thread Bob Harold
- > Grant. . . . > unix || die > I use: named-checkconf -p > named.conf.out which I think is close enough, except for the comments. You just need to know that view-level settings are at the end of the view, not where you might expect. It makes for a very lot of text to read through, but

Re: allow-update in global options (was Re: bind and certbot with dns-challenge)

2019-03-18 Thread Bob Harold
on as simple as possible. And it should be possible to override any setting at a lower level, for the exceptions. It would be even better if I could 'group' zones and set configurations on the group. Repeating the same configuration thousands of times seems like a waste. I

Re: Advice for DNS reverse zones

2019-02-06 Thread Bob Harold
of records can be split off into its own 2.10.in-addr.arpa. And if a /24 gets really busy, you can split it out 5.1.10.in-addr.arpa There is no need to create all 256 /16's or all the /24's, just create them as needed. If having different sizes is too confusing, I suggest all /16'

Re: Selective forwarding?

2019-01-29 Thread Bob Harold
+ 2~3 days depending on the situation. > > A "week" is a minimum of 10 days, because 5 work days plus two weekends > in 9 days. > I also assume that either the Friday before their vacation week, or the Monday after, might be a holiday, so I use 11 days. :) -- Bob

Re: RPZ question autoritative/recursive servers

2019-01-22 Thread Bob Harold
on > these forward only servers ? > > Any thoughts on this ? > > Thank you > The RPZ function only runs on the Recursive DNS servers. The RPZ zone could be mastered on an Authoritative server, but it should not be visible to the publ

Re: Questions about delegation

2018-12-19 Thread Bob Harold
t a "null" forwarder statement is, but your F5's are acting as Authoritative DNS servers. Forwarding only applies to DNS Resolvers, and is only used if you don't want the resolver to follow the NS records (like when firewalls are in the way). -- Bob Harold

Re: 2 Questions - forward zone and DNS firewalling

2018-10-26 Thread Bob Harold
to want it. Otherwise, newname.newzone.domain.com will be a faster and more reliable choice. Definitely avoid forwarding when possible. It causes slower lookups and more points of failure. (There will occasionally be times when it has some advantage, or requirement.) -- Bob Harold > >

Re: Modifying data files while named is reloading

2018-10-18 Thread Bob Harold
l command 'reload' 18-Oct-2018 12:55:29.975 general: info: loading configuration from '/etc/named.conf' And ends with: 18-Oct-2018 12:55:30.358 general: notice: all zones loaded -- Bob Harold > > Below is the event timeline, I hope it is clear enough for everyone: >

Re: Zone transfer failure

2018-10-17 Thread Bob Harold
': TSIG > 'ns1ns3_key' > Notice the "view external" in the line above, compared to ns5, which got the notify on the internal view. That appears to be the issue. Try adding the IP of NS1 to the "match" list for the internal view on NS3. -- Bob Harold >

Re: Zone transfer failure

2018-10-17 Thread Bob Harold
internal view on 3, so the notify packet hits the wrong view. Check the notify messages in the logs on 3, compared to 5. Here is a typical notify log message: 30-Sep-2018 23:12:37.135 general: info: zone psych.lsa.umich.edu/IN/oncampus: notify from 141.211.147.150#38695: z

Re: Issues configuring delegated subdomain zone

2018-09-12 Thread Bob Harold
hosting.com and the > sb2.principal.hosting.com > > Having said that, in my vps I have defined the following: > > ; BIND reverse data file for empty rfc1918 zone ; ; D

Re: SRV record not working

2018-08-17 Thread Bob Harold
skyblock.mc-game.us. IN SRV ;; ANSWER SECTION: _minecraft._tcp.skyblock.mc-game.us. 299 IN SRV 0 5 25567 skyblock.mc-game.us. ;; Query time: 56 msec ;; SERVER: 8.8.8.8#53(8.8.8.8) ;; WHEN: Fri Aug 17 13:38:35 EDT 2018 ;; MSG SIZE rcvd: 103 -- Bob Harold __

Re: Need help on RPZ sever, bit urgent

2018-08-13 Thread Bob Harold
I don't know what else to check. If possible, I would avoid forwarding by putting both functions on the same server. You could turn on BIND debugging - Cricket's "DNS and BIND" book has a chapter on debugging - but that could be a lot of work. -- Bob Harold On Mon, Aug

Re: Need help on RPZ sever, bit urgent

2018-08-13 Thread Bob Harold
-- Bob Harold hostmaster, UMnet, ITcom Information and Technology Services (ITS) rharo...@umich.edu 734-647-6524 desk On Sun, Aug 12, 2018 at 2:38 AM Blason R wrote: > Hi Bob, > > I guess my scenario is not exactly understood I believe. Before that if I > have set forwarder in G

Re: Need help on RPZ sever, bit urgent

2018-08-11 Thread Bob Harold
te server to get it to forward. If it is running Microsoft DNS, then I don't know enough to help you with that. I would suggest that you have the RPZ server be a 'slave' for the 'test.com' zone (and all the zones that the AUTH server has). Then point users direct

Re: Need help on RPZ sever, bit urgent

2018-08-09 Thread Bob Harold
name is looked up normally first, and only if there is an answer, is RPZ invoked. If it gets NXDOMAIN or some error, it returns that and does not use RPZ. If that is not what you want, then you probably want to set the option: qname-wait-recurse no; -- Bob Harold > > On Thu, Aug 9

Re: Removing an NS server

2018-08-08 Thread Bob Harold
ord expires. So I think the TTL on NS records needs to match the parent zone, whether I like that ttl or not. In your case, removing the NS records from both your zone and the parent zone, two days (or whatever the ttl) before you turn off the server, should be fine. -- Bob Harold

Re: socket.c:2135: unexpected error:

2018-06-05 Thread Bob Harold
advice would be greatly appreciated. > > > Regards, > Hotta > Just guessing, but it sounds like " [global IPv6 address]" is either malformed, or it is expecting an IPv4 address. -- Bob Harold

Re: Unable to resolve the A records, not sure what is wrong

2018-06-01 Thread Bob Harold
On Fri, Jun 1, 2018 at 2:01 PM Blason R wrote: > Yes that was the issue :) and got resolved. > Glad it was an easy fix. -- Bob Harold > On Fri, Jun 1, 2018 at 11:29 PM, Blason R wrote: > >> I guess this could be the issue >> >> zone "malware.trap" {

Re: Unable to resolve the A records, not sure what is wrong

2018-06-01 Thread Bob Harold
could be wrong?? > Not sure what is a normal configuration, but on my servers users cannot query the RPZ domain, it is only used for RPZ. Try putting the A record in a normal zone, and CNAME to that, rather than having the A record in the RPZ zone. Or try doing a direct query for the A record a

Re: RPZ logging

2018-04-28 Thread Bob Harold
; }; }; You might want fewer versions and/or a smaller size - my values allow rpz logs to fill 1gb of disk. -- Bob Harold

Re: Facing weird issue with DNS-RPZ

2018-04-24 Thread Bob Harold
NS e.root-servers.net. > . 2972IN NS k.root-servers.net. > . 2972IN NS f.root-servers.net. > . 2972IN NS d.root-servers.net. > . 2972

Re: "Hiding" version.bind in /etc/bind/named.conf.options doesn't work

2018-02-28 Thread Bob Harold
If there was a "-c" option, it would tell you the name of the config file. If not, like this example, the default is "/etc/named.conf". Note the "-t" option, which says we are doing chroot to /replicated/jail/named So my config file is at: /replicated/jail/named/etc/named

Re: questions on allow-query

2018-02-21 Thread Bob Harold
net to make effective > use of my secondaries. > > Tony. > -- Likewise. My resolvers are stealth slaves for all my zones. Mainly because they get updates faster - users do not have to wait for the old data to expire its ttl before the resolver gets the new data. Also, there is no

Re: Minimum TTL?

2018-02-08 Thread Bob Harold
ssion is really two issues: 1) Does the capability > to override published values and 2) should I use said capability. They > really are two different questions. I personally would like to see BIND > have the option to do #1, even if I never use it. > > +1 > > -- > Grant. .

Re: response-rate-limiting - "window" explained?

2018-01-09 Thread Bob Harold
r8h > punycode > Irish Sea: Southeast 5 to 7, becoming cyclonic 4 or 5 later. Moderate or > rough, becoming slight or moderate. Occasional rain. Good, occasionally > poor. > Tony, That's a good test, with the default window of 15 seconds, but could you please repeat it wi

Re: Recommended values for a zone

2018-01-04 Thread Bob Harold
On Wed, Jan 3, 2018 at 5:58 PM, Mik J wrote: > Thank you Bob for your answer. > I continued to search and saw rfc1912 page 4 > It's much higher than I first thought > > > > On Wednesday, 3 January 2018 at 20:05:57 UTC+1, Bob Harold < > rharo...@umich.edu> wrote

Re: Recommended values for a zone

2018-01-03 Thread Bob Harold
et notified that zone transfers are failing. The refresh and retry are ok, but personally I would set them lower because they don't generate a lot of traffic, and a notify could get lost. It depends on how sensitive you are to extra traffic. Negative TTL depends partly on how fast

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Bob Harold
guessing here, but I see a TXT record beside each A record, and am told that Windows clients check the TXT record to see if they "own" the A record. The TXT record is hex encoded data, maybe the client identifier. So if you created a TXT record for each A record

Re: Forwarding from delegated zone not working

2017-10-10 Thread Bob Harold
> allow-query { ip addresses; }; > ----- You might also need to add: allow-recursion { ip addresses; }; -- Bob Harold > listen-on-v6 { any; }; > dnssec-enable no; > dnssec-validation no; > dnssec-lookaside

Re: DNS traffic accounting

2017-07-19 Thread Bob Harold
: query: > graph.instagram.com IN A + (192.168.200.1) > > I could count the queries by parsing the logs though this seems to be > somehow inefficient. > Is there any way that bind9 could be queries otherwise to provide such > info? > > Read up on the statistics channel in the BI

Re: delegation NS records

2017-07-17 Thread Bob Harold
On Thu, Jul 13, 2017 at 8:39 PM, wrote: > Hi Bob: > > These examples help! Thank you. > > On Thu 7/13/17 15:53 -0400 Bob Harold wrote: > > Let's illustrate one NS record, for each of the cases: > > (I think your case is #2) > > > >

Re: delegation NS records

2017-07-13 Thread Bob Harold
.x.x.x otherdomain.com zone: otherdomain.com IN NS ns.example.com ns.otherdomain.com IN A x.x.x.x TLD com zone: example.com IN NS ns.otherdomain.com ns.example.com IN A x.x.x.x (glue record?) ns.otherdomain.com IN A x.x.x.x (glue record?) -- Bob Harold

Re: Experiences with RPZ in multiple views

2017-07-11 Thread Bob Harold
? > > Cheers, > Matthias > We use RPZ in two views. In one view the RPZ zones are active (policy given), and in the other view they are logging-only (policy disabled). Departments opt-in to RPZ and we add their subnets to the first view. The second view gives us logs and we can tell depart

Re: strange problem with query being dropped/ignored by the BIND process

2017-06-29 Thread Bob Harold
s > Marc > I tend to distrust "CPU(30%)" if it is averaged over more than one cpu. Could you run "top" and hit the number "1" so that it shows each cpu separately? With 8 cpu's, "30%" could be one cpu at 100% and others lower, where the one cpu at 1

Re: RPZ zone load failure ran out of space

2017-06-28 Thread Bob Harold
ctual DNS name is the combination of the ORIGIN and the entry: bad.domain.com.rpz.example.com. which exceeds 255 characters including the trailing dot, most likely. -- Bob Harold

Re: inline-signing a zone that exists in two views

2017-05-19 Thread Bob Harold
17 at 5:56 AM, Tony Finch wrote: >> >>> Mine don't :-) >>> >> > On 18.05.17 16:38, Bob Harold wrote: > >> My authoritative servers are non-recursive. They use the same DNS >> resolvers that any other server uses, and not themselves. >>

Re: inline-signing a zone that exists in two views

2017-05-18 Thread Bob Harold
; My authoritative servers are non-recursive. They use the same DNS resolvers that any other server uses, and not themselves. -- Bob Harold

Re: Clean up dynamic names

2017-02-08 Thread Bob Harold
r named.conf. So the records if listed in full would be something like: hr16038.somedomain.tld. IN A 10.57.48.209 hr16038.somedomain.tld. IN TXT " 00f8e5793e94da14990f27763448c54a00" nsupdate is probably the best tool for removing the old records.

Re: Reverse IPv6

2017-02-03 Thread Bob Harold
v6 > hosts that actually need them for some reason, or to use dynamic DNS to > add/replace/delete them as addresses are used/discarded by dynamic clients. > Note that there is future work being done to solve the 'too many entries' is

Re: rDNS

2017-01-20 Thread Bob Harold
3600IN PTR alpha.archaxis.net. > 82 3600IN PTR bravo.archaxis.net. > 87 3600IN PTR broadcast.archaxis.net. > > What is wrong? Is this my problem, or with AT&T? > -- Bob Harold

Re: Graphing BIND 9.11/9.10 Queries

2017-01-18 Thread Bob Harold
On Wed, Jan 18, 2017 at 9:16 AM, Welisson Tomé wrote: > Hi All, > > I'd like to know what kind of tools you are using to graph queries on > Bind as a Recursion Server? > > Best Regards, > > -- > > Welisson Tomé br.linkedin.com/in/welissontome/

Re: How to get the CNAME for a domain?

2017-01-12 Thread Bob Harold
VSERVER { print $1 }' > > -- > Mark Andrews, ISC > > I think this is a very interesting solution because: - named-checkconf and dig format in a standard way, so it is easy to parse - since DNS holds the data in ram, this avoids reading the files from disk, so it could be much fast

Re: Enterprise DNS Architecture - AD and BIND

2016-12-15 Thread Bob Harold
nce slaving AD zones with BIND servers: Ignore "failed while receiving responses: not exact " errors. I think that just means that the serial number changed during the transfer. I had them turn off 'notify' and we use the 'refresh' timer (15 minutes) to

Re: delegation broken after migrating to new BIND config

2016-12-09 Thread Bob Harold
t; Looks to me like "othername1.example.com" is not in the zone " zone1.example.com" and is not below that zone, so it is not proper glue, and should not be in that zone at all. The name server should ignore it. It is in zone "example.com <http://othername1.exampl

Re: What to report for "refresh: failure trying master ... operation canceled" bug?

2016-11-23 Thread Bob Harold
> Anand >> > > I don't have a solution, but some debugging options: I would suggest running packet traces with the same steps, with and without the firewall, and compare the traces. Also, if possible, turn on logging in the firewall and see what is being blocked. You could also turn

Re: BIND statistics?

2016-11-16 Thread Bob Harold
and > resolver here. That's too much work... > > Is there another way to get this measure? > > -- > Regards > > Thomas > > I suspect that "DSC" collects the data you want, but you might need to configure a graph to show it. https://www.dns-oarc.net/

Re: ECS prefix and EDNS Client subnet question

2016-10-28 Thread Bob Harold
ed, enabling authoritative servers > to give different answers to the same resolver for different resolver > clients. > An ACL containing an element of the form ecs prefix will match > if a request arrives in containing an ECS option encoding an address > within that prefix. > If the request has no ECS option, then "ecs" elements are simply ignored. > Addresses in ACLs that are not prefixed with "ecs" are matched only > against the source address. > > The above section was from ARM page 176; when I carefully check my config file > I don't know where I was wrong. > > Client subnet information will be stored in which log? > > The first three dig commands look correct. 1. No ecs, so it does not match. 2. No ecs, matches "no-ecs-area01" 3. ecs matches 4. and 5. use "@dns2.example.com." instead of "@dns2.sub.example.com." - is that a different server? -- Bob Harold

Re: Bind 9.11 question (ACL ecs )

2016-10-25 Thread Bob Harold
View > > view "deafult" { // Default > match-clients { any; }; > zone "sub.mydomain.idv" in { > type slave; > allow-query { any; }; > file "sub/default.mydomain.idv.ca"; > masters { a.b.c.d key default.mydo

Re: BIND 9.11.0 RPZ performance issue

2016-10-18 Thread Bob Harold
on branch is OK. > > Is RPZ in BIND 9.8 ok to use? (Using RedHat 9.8.2 plus they backport security patches.) -- Bob Harold

Re: Master/Slave communication not working if I use HMAC-SHA* algorithms when views are implemented

2016-10-14 Thread Bob Harold
versions. See "dnssec-keygen" in the appendix. -- Bob Harold

Re: Multiple $TTL values

2016-09-22 Thread Bob Harold
o reset them at the end of the file since they cease to exist at that point. They apply "from this line down until changed" and are merely a convenience to shorten the size of the file. -- Bob Harold

Re: DNS views and zone transfers, cont

2016-09-13 Thread Bob Harold
actual link local IP so I am not sure where/how that is > being generated. My actual link local is > fe80::f21f:afff:fedd:6a26/64 > > I have the "server ... bogus ..." statement in each view, so try it there. > Any help is greatly appreciated. > > On Thu, Sep 8,

Re: DNS views and zone transfers, cont

2016-09-08 Thread Bob Harold
automatically got the "empty zones" created, so any queries in those zones did not get forwarded. I am fixing it by adding to that view the line: empty-zones-enable no; -- Bob Harold On Thu, Sep 8, 2016 at 9:41 AM, Bob Harold wrote: > > On Thu, Sep 8, 2016 at 9:13 AM, project722

Re: DNS views and zone transfers

2016-09-07 Thread Bob Harold
"any', then you would want to include the external key and 127.0.0.1. > On Wed, Sep 7, 2016 at 10:48 AM, Bob Harold wrote: > >> >> On Wed, Sep 7, 2016 at 11:37 AM, project722 wrote: >> >>> Thanks Bob, I will look into this. Do you know if the forwarders fea

Re: DNS views and zone transfers

2016-09-07 Thread Bob Harold
On Wed, Sep 7, 2016 at 12:34 PM, /dev/rob0 wrote: > On Wed, Sep 07, 2016 at 11:48:54AM -0400, Bob Harold wrote: > > On Wed, Sep 7, 2016 at 11:37 AM, project722 > wrote: > > > > > Thanks Bob, I will look into this. Do you know if the forwarders > > >

Re: DNS views and zone transfers

2016-09-07 Thread Bob Harold
On Wed, Sep 7, 2016 at 11:37 AM, project722 wrote: > Thanks Bob, I will look into this. Do you know if the forwarders feature > is supported in Bind 9.8.2? > > Yes, forwarders is an old and stable feature. ("in-view" is new and experimental) -- Bob Harold > On We