Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-26 Thread Fred Morris
n fit to fix it or get back to me in nearly a full business week I suspect they like it this way. However it doesn't comport with the principle of least surprise. The City of Tacoma doesn't seem to care that the licensee operating in a portion of their /16 is impersonating them (although as a conseq

Re: Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-24 Thread Fred Morris
rather than the decision to stuff rabid weasels down your pants in the first place. -- Fred Morris On Wed, 24 Apr 2024, tale wrote: Hmm, I wonder if qname-minimisation is at issue here. -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds

Observation: BIND 9.18 qname-minimization strict vs dig +trace

2024-04-24 Thread Fred Morris
31 dig -x 131.191.85.31 +trace -- Fred Morris -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing

Solved Re: Caching ANSWER:0

2024-04-06 Thread Fred Morris
SOA record. -- Fred Morris On Fri, 5 Apr 2024, Fred Morris wrote: When people think of "negative response caching" I suspect they're thinking of NXDOMAIN, but there is another negative response: ANSWER:0. To some extent this is indistinguishable from a referral, and I'm not sure tha

Caching ANSWER:0

2024-04-05 Thread Fred Morris
r? NS? SOA? Thanks in advance... -- Fred Morris

Re: Problem upgrading to 9.18 - important feature being removed

2024-03-01 Thread Fred Morris
; emphasis is of course on "unused". -- Fred Morris, internet plumber

ANN: Dnstap telemetry agent supports both unicast and multicast

2024-02-19 Thread Fred Morris
love from here on out. If shodohflo/agents/dnstap_agent.py or dnstap2json.py itself don't suit your payload needs, you are of course welcome to subclass dnstap2json.py yourself. I couldn't do it without BIND! Cheers... -- Fred Morris, internet plumber http://consulting.m3047.net/pfs-why

Re: secure statistics page

2024-02-11 Thread Fred Morris
There used to be an example in a directory in the BIND tarball, in contrib/dnspriv/ Here's a link to it from 9.12.3: http://athena.m3047.net/pub/bind/dnspriv/ -- Fred Morris On Sun, 11 Feb 2024, Andrew Latham wrote: I have seen this question a few times so would a note or example in https

Re: version errata Re: Remove PDF-related bits from the build system

2023-12-22 Thread Fred Morris
: > Are you really complaining about the lack of handholding because you > want to build the documentation yourself and just can’t download it? > Because it really seems like the case here. I'm concerned you've lost control of your build. However it does look correct in 9.19.19. -- Fr

Re: version errata Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
README.md 37785 11 m3047@sophia:/opt/downloads/bind-9.18.21> md5sum README.md c4e08add5a135ce2573483eb0e5b1207 README.md m3047@sophia:/opt/downloads/bind-9.18.21> sha256sum README.md 080e914decc2ed554d8887b0f719b82736c45380b987f23b3eba4ef7418f03f3 README.md On 12/21/23 12:24 PM, Fred Morris w

Re: version errata Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
No, I was correct the first time, but I had the wrong version. It is a 9.18.9 tarball, not 9.18.21. Checksums are correct for that README.md. On 12/21/23 12:18 PM, Fred Morris wrote: > > I'm sorry 9.18.9 was the version where I discovered that the build > didn't build the PDF, and al

version errata Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
nce Manual. The checksums correct for that version of README.md. I think I must have mistakenly cut & pasted from the source tree in GitLab for 9.18. On 12/21/23 10:50 AM, Fred Morris wrote: > On 12/21/23 10:08 AM, Ondřej Surý wrote: > >> In the commit you referenced: >> >> htt

Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
On 12/21/23 10:08 AM, Ondřej Surý wrote: > In the commit you referenced: > > https://gitlab.isc.org/isc-projects/bind9/-/commit/561a83a29182b00bda9237ae30343d76a68dcdf4#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d_147_147 >> On 21. 12. 2023, at 18:59, Fred Morris wrote: >> >&

Re: Remove PDF-related bits from the build system

2023-12-21 Thread Fred Morris
u went too far. I looked for this just the other day in the KB. At the least you should have a KB article. At least there's this post to the mailing list. -- Fred Morris

Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-07 Thread Fred Morris
I welcome birds of a feather. Need to define / refine the problem statement first. On 12/7/23 12:30 AM, Petr Špaček wrote: > On 07. 12. 23 1:05, Fred Morris wrote: >> On Wed, 6 Dec 2023, Evan Hunt wrote: >> I say go ahead, if nothing else consider it a "scream test". But

Re: Deprecation notice for BIND 9: "resolver-nonbackoff-tries", "resolver-retry-interval"

2023-12-06 Thread Fred Morris
domain addressed by the DNS where that is more the case than name to address mapping? (Counterexample: PTR records, now more than ever.) I say go ahead, if nothing else consider it a "scream test". But can you take a moment and tell us which stakeholder group(s) you think you're opt

Re: Help about DNS documentation

2023-11-03 Thread Fred Morris
networking with TCP/IP, Volume 1_. -- Fred Morris

Re: Help about DNS documentation

2023-11-03 Thread Fred Morris
zone data, the server, the networking stack and all of intermediating routers to twiddle. You can throw "buffer bloat" in there too. It's interesting that Dig automagically tries TCP first with ANY queries, since that is not the default behavior with e.g. A queries. -- Fred Morr

Re: consolidating in-addr.arpa data

2023-09-15 Thread Fred Morris
st as seen when BIND is queried. Rear View RPZ (https://github.com/m3047/rear_view_rpz/) watches (BIND) Dnstap telemetry for A/ queries and uses it to update PTR records in an RPZ, as an example. -- Fred Morris

Dnstap Re: Deprecation notice for BIND 9.20+: Unix Domain Sockets for control channel (rndc)

2023-09-12 Thread Fred Morris
ce DNS message sizes are already capped at the maximum possible size of a UDP message. Doing nothing is an option. ;-) Thanks for all the work you do... -- Fred Morris

Re: Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Fred Morris
Hi Greg. So somebody referenced this KB article because presumably it was tangentially relevant, but I don't know that the OP is working with standby infrastructure (good question!). All they say is that after an upgrade all servers were masters. The amount of direct relevance of the

Is this KB example backwards? Re: Multiple master servers for the same zones

2023-09-07 Thread Fred Morris
me: if you store the data in a file, simply redefine the zone type and change type primary; to type secondary;. -- Fred Morris

Re: Multiple master servers for the same zones

2023-09-05 Thread Fred Morris
"the usual" applies: set one of them to be a secondary and the master to allow zone transfers from it. Configure Notify if desired. Make sure it works, i.e. a zone transfer (AXFR / IXFR) occurs and the correct serial number is represented in the SOA. Pause for another scream te

Re: Dynamic updates to multiple masters

2023-08-02 Thread Fred Morris
was idempotence: the updaters would continue to attempt to update whatever the master was until it conformed to their ideal image, and their ideal image could change in consideration of what the zone held. -- Fred Morris, internet plumber

Re: Best way to handle multiple retries from BIND?

2023-06-26 Thread Fred Morris
to access the data in the zone, whether directly or via BIND. -- Fred Morris

Best way to handle multiple retries from BIND?

2023-06-25 Thread Fred Morris
option regardless of the recursive server (BIND, Unbound, etc.)? Thanks in advance... -- Fred Morris

Re: replace "SERVFAIL" to "NXDOMAIN" with rpz

2023-06-16 Thread Fred Morris
/ mitigate SERVFAIL utilizing RPZ. I'll try to pay more attention and see if I can isolate a test case if the problem recurs. (I was kind of hoping someone would have a solution!) -- Fred Morris On Fri, 16 Jun 2023, Crist Clark wrote: That should return a NXDOMAIN. Returning SERVFAIL is never

Re: Delegation NS-records when zones share an authority server

2023-04-12 Thread Fred Morris
In terms of NXDOMAIN and SOA queries, both state.ak.us and challenge.state.ak.us seem to do the right thing in terms of pretending to be separate zones, e.g. in the first case returning the correct domain in the AUTHORITY and in the second case returning the relevant SOA records directly in the ANSWE

Re: Response Policy Zone returns servfail for time.in Trigger

2023-04-08 Thread Fred Morris
forward, what is anticipated to be the proper configuration for that scenario? Thanks... -- Fred Morris

Re: BIND 9.16.30 - $INCLUDE file in the rpz zone file not reloading content and dig not working

2023-03-16 Thread Fred Morris
s not picking up the updated include file and *nagesh3.com <http://nagesh3.com>* rpz rule is not working. Are you incrementing the SOA serial number? -- Fred Morris, internet plumber

Re: Correlation between NOTIFY-Source and AXFR-Source

2023-03-11 Thread Fred Morris
I've found myself in situations in the past where NOTIFY has been fetishized as "real time", and nobody ever ever asked which upstream server was being queried as a result. So this has been an eye-opening thread, and if I ever find myself in that situation again it'll give me something else to

Re: Incremental transfers generate complete zone reloading

2023-01-15 Thread Fred Morris
e that the CPU usage correlates, and that it's a problem? What are the vendor's recommendations (for provisioning and operational management), and are you following them? -- Fred Morris

Re: TIL: Restricting DiG to UDP only with +ignore

2022-12-05 Thread Fred Morris
Hello Petr: On 12/5/22 4:35 AM, Petr Špaček wrote: > On 05. 12. 22 3:49, Fred Morris wrote: >> If the UDP query returns TC=1 DiG retries with TCP. I want to see the >> UDP results and am unable to. Specifying +notcp makes no difference. >> The correct option is +ig

TIL: Restricting DiG to UDP only with +ignore

2022-12-04 Thread Fred Morris
G SIZE is also a clue.) Searching the intertubes wasn't much help. When I tried to search the list archives I got a Gateway Timeout. :-( Anyway, it's been a minor personal annoyance for a while; hopefully this helps somebody else with a problem they didn't know they had. -- Fred Morris, internet

Re: forwarder cache

2022-12-01 Thread Fred Morris
Errata.. On Thu, 1 Dec 2022, Fred Morris wrote: "authoritative" zone served by an authoritative server configured to return complete 1024/1025 responses look like? 1034/1035 -- FWM

Re: forwarder cache

2022-12-01 Thread Fred Morris
not a server which is "authoritative" should have an NS record in the zone, once you have something which demonstrably works. I don't have a lot of patience for "experts" who can't demonstrate a working system, so I probably won't be back. -- Fred Morris, intern

copr.fedorainfracloud.org for Fedora 37

2022-11-28 Thread Fred Morris
get ahead of it and bring ShoDoHFlo up to spec. I'll compile from source. (Although it would be nice if somebody from Fedora could speak to support for Dnstap in the available BIND package...) -- Fred Morris, internet plumber

Re: automatic reverse and forwarding zones

2022-11-07 Thread Fred Morris
ested them. From my vantage most PTR records are demonstrably garbage. Caching exists because if you requested it once you might request it again. Who knows, maybe you didn't believe it the first time. In any case, that's why the aphorism "garbage in garbage out" is a thing. -- Fred Mo

Re: Reverse lookups not working when Internet connection failed.

2022-11-07 Thread Fred Morris
e case for resources under in-addr.arpa. There are some things I would avoid as a courtesy to others if I was so inclined: escape, completion and wildcard characters in shells and SQL implementations... -- Fred Morris

Re: Reverse lookups not working when Internet connection failed.

2022-11-07 Thread Fred Morris
; I can also make arguments for outright lying. Hey, choose your own adventure; other people will judge you accordingly. -- Fred Morris, internet plumber

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Fred Morris
a.rearview.m3047.net. 600 IN TXT "depth=1,first=1665810308.1564665,last=1667535958.6280398,count=152,trend=11758.670145495724,update=1667540875.2953703,score=5.3302068902418895" ;; AUTHORITY SECTION: REARVIEW.M3047.NET. 600 IN NS LOCALHOST. ;; SERVER: 10.0.0.220#53(10.

RE: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Fred Morris
Ok. This is public address space. Delegation for reverse zones is separate from forward zones. Kind of depends on where the connectivity failure is, as to whether or not clients can walk the delegation tree (or need to). Then there's the effect of TTLs expiring. -- Fred Morris, internet

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Fred Morris
. -- Fred Morris, internet plumber

Re: Question About Internal Recursive Resolvers

2022-10-15 Thread Fred Morris
eried as well as the types of allowed queries. Here is my contribution to ensuring employment for DNS subject matter experts: * https://github.com/m3047/rkvdns -- DNS proxy for Redis * https://github.com/m3047/rkvdns_examples -- examples -- Fred Morris, internet plumber

Re: Seeing lots of DNS issues on OpenWRT

2022-09-23 Thread Fred Morris
Why are you forwarding at all? On Fri, 23 Sep 2022, Philip Prindeville wrote: I've changed locations (moved houses) and consequently ISPs (now on Sparklight, used to have CTC) and I'm seeing a slew of DNS issues I didn't have before [...] As you can see, a LOT of noise. [...] // If

Re: BINd9 Server for Public Website

2022-09-23 Thread Fred Morris
Nearly identical to what was posted to the unbound list. -- FWM6 On Fri, 23 Sep 2022, JAHANZAIB SYED wrote: I am trying to get some basic ideas on dns/hosting. [...]

Re: How filter with RPZ only A and AAAA type records ?

2022-08-10 Thread Fred Morris
give a better answer. -- Fred Morris, internet plumber

Specifying EDNS payload size with dig queries

2022-06-22 Thread Fred Morris
Self explanatory? Maybe it's the nomenclature but I can't spot this in the manpage; search engines haven't been much help. I might have to read code! :-o Thanks in advance, whoever you are; I owe you a beer. -- Fred Morris

Re: dnstap to Splunk

2022-05-20 Thread Fred Morris
If you need something for POC / smoke: https://github.com/m3047/shodohflo/blob/master/examples/dnstap2json.py Assuming you can figure out how to get Splunk to consume log oriented json over UDP... -- Fred Morris, internet plumber

Re: Only one DS key comes back in query

2022-05-16 Thread Fred Morris
LE cert for the website and catch flak at least monthly. Honey badger don't care. They're very clear about postconf output. If you pasted postconf output from the manual (or Stack Overflow) I think the response would literally be "you are, most def joking". But you be y

Re: DNS traffic tracking

2022-05-09 Thread Fred Morris
the realm of what's possible (which is seldom actually technical); this includes your means and ability to analyze the DNS traffic. If you want to discuss further feel free to email me. -- Fred Morris, internet plumber

Re: getting answers from DNS queries

2022-04-25 Thread Fred Morris
information you seek to be available via Dnstap. -- Fred Morris, internet plumber

Re: Bind and systemd-resolved

2022-04-18 Thread Fred Morris
should turn it off. -- Fred Morris, internet plumber

Re: Can an RPZ record be used for a non-existed domain?

2022-03-24 Thread Fred Morris
they shouldn't) and I block them (e.g. *.com.com) to prevent information leakage and garbage traffic. HTH... -- Fred Morris, internet plumber

Re: Obsoleting keep-response-order option in BIND 9.19/9.20+

2022-02-11 Thread Fred Morris
/ operators. (I think the RFC has a number of biases towards server implementers / operators, some plain, some more along the lines of moral hazard.) -- Fred Morris

Re: Best practice for forwarding Dnstap (unix socket) traffic to another address

2022-01-09 Thread Fred Morris
I should have included this in the first message, and I apologize. What I'm looking at is trying to build a BIND kernel, like a nanokernel. Socat won't work in this case, because there's no "IPC" layer, because there is only one process in the kernel. One process. No users. I need to

Best practice for forwarding Dnstap (unix socket) traffic to another address

2022-01-09 Thread Fred Morris
s to another address, presumably via TCP... socat? Too bad about the handshake, any best practices for forwarding there? Thanks in advance... (Pure Python implementation of fstrm: https://github.com/m3047/shodohflo/blob/master/shodohflo/fstrm.py) -- Fred Mor

Re: what is wrong with DNS name 'covid19booster.healthservice.ie' ? : Google : what is Google's secret DNS service ?

2022-01-08 Thread Fred Morris
's configuration and behavior, probably to convert it from forwarding to caching... although grizzled veterans may tell you horror stories about hotels and other public wifi. -- Fred Morris ___ Please visit https://lists.isc.org/mailman/listinfo/b

Re: Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Fred Morris
I posted just such a thing a few weeks ago on the dnsrpz list at redbarn. Hrm, seems to be down at the moment. On 12/2/21 11:00 AM, Grant Taylor via bind-users wrote: > On 12/2/21 9:59 AM, Fred Morris wrote: >> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now >

Rear View RPZ: PTR records from local knowledge

2021-12-02 Thread Fred Morris
ships BIND compiled with Dnstap support, please let me know! Cheers... -- Fred Morris This is being posted to the Dnstap, RPZ and BIND Users mailing lists.

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-22 Thread Fred Morris
er to live on a different machine. https://github.com/m3047/rear_view_rpz/blob/main/install/Optional_DNS_Service.md -- Fred Morris

Re: Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
the second view. and the "lie" is that the "unused" RPZ is dynamically updated in the first view (that's where update requests are sent); I suppose I could jigger that so that the updates happen in the second view. But the stopper is that error message, and that RPZ is common t

Possible to condition a view based on the interface the query comes in on?

2021-11-18 Thread Fred Morris
way to do this or should I bite the bullet and run two copies of BIND? Thanks in advance... -- Fred Morris

Re: named service suddenly fails to start

2021-11-04 Thread Fred Morris
Grant Taylor's reply is good, but you might also look at the check-names option. As he says, underscores are frowned on in hostnames but that's about it in theory if not in practice. You could also contemplate changing the logging destination and level... or not. -- Fred Morris On Thu, 4

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Fred Morris
c. Doesn't bother the media devices, but 1980s stub resolver logic isn't up to competing with 100,000:1 packet contention and doesn't provide any way to do traffic shaping. -- Fred On Fri, 1 Oct 2021, Fred Morris wrote: On Thu, 30 Sep 2021, Carl Byington wrote: On Thu, 2021-09-30 at 16:30 -

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-10-01 Thread Fred Morris
Exactly! On Thu, 30 Sep 2021, Carl Byington wrote: On Thu, 2021-09-30 at 16:30 -0700, Fred Morris wrote: https://github.com/m3047/tcp_only_forwarder So what exactly are the media devices doing to screw up dns resolution between the osx laptop and the local dns server? Dropping UDP replies

Re: force nameserver(bind) information exchanges with clients via tcp only

2021-09-30 Thread Fred Morris
the (UDP) response, they'll never try TCP. (1980s logic) What you can do is force the clients to use TCP... or TLS. https://github.com/m3047/tcp_only_forwarder Good luck... -- Fred Morris

Re: Minor change req for named.iner shirt

2021-08-26 Thread Fred Morris
I suggest changing it to "953". Correction: 853. -- FWM

Minor change req for named.iner shirt

2021-08-26 Thread Fred Morris
story. I suggest changing it to "953". -- Fred Morris

Re: REST API for recursive queries

2021-05-04 Thread Fred Morris
. -- Fred Morris -- #!/usr/bin/python3 # Copyright (c) 2021 by Fred Morris Tacoma WA # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # #http://www.apache.or

Re: Authority and forwarding, but not recursion/iteration

2021-03-16 Thread Fred Morris
ps better handled in the mail filtering pipeline, which is where it really seems to matter. -- Fred Morris

Re: dnstap shows little logging at debug 10

2021-03-02 Thread Fred Morris
problem with the pipe). But my grepping the strace didn't catch anything opening the "dnstap.sock" pipe. The way they did framestream initialization it requires the "optional" handshake. I documented it (pydoc) here: https://github.com/m30

Re: Servfail on Bind -9.16.1

2020-11-21 Thread Fred Morris
Check your clock. Have you got NTP turned on? Is it working? If it's not, flush cache/restart before you test again. -- Fred Morris

Re: How can I launch a private Internet DNS server?

2020-10-15 Thread Fred Morris
and I want to create a DNS record so that the world can find my web server. How do I do that? (answer #1) * Hi I'm Jason and I want to run my own nameservers for a bunch of irrelevant reasons such as CentOS, web servers and stuff. How do I do that? (answer #2) -- Fred Morris

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-14 Thread Fred Morris
On Mon, 14 Sep 2020, Mark Andrews wrote: [...] All the queries to the recursive server with this configuration not answered by the server will leak. The configuration needs “forward only;” to be added to prevent the leak. We see this all the time. zone “non-existant-tld” { type

Re: rbldnsd and DNSSEC compatibility issues - any suggestions?

2020-09-12 Thread Fred Morris
way to make it happen, I just can't imagine it making it sanely into production even by accident. (This applies to DLV.ISC.ORG too, which returns an SOA, but they could make it NX if it suited their purposes.) Quizzically... -- Fred Morris On 9/10/20 10:57 PM, Rob McEwen wrote: > Mark, >

Re: Response Policy Zone: disabling "leaking" of lookups

2020-09-03 Thread Fred Morris
Carl Byington wrote: > On Wed, 2020-09-02 at 17:47 -0700, Fred Morris wrote: > > how do I disable the (useless) resolution directed at upstream > > servers? > > Isn't that just "qname-wait-recurse no;" > You are correct! I got confused and the doc didn't help.

Response Policy Zone: disabling "leaking" of lookups

2020-09-02 Thread Fred Morris
thouse-example.com" is NXDOMAIN. In this case: * "my-outhouse-example.com.example.com" will return NXDOMAIN (it does!) * There should be /no/ upstream (pointless) query for my-outhouse-example.com.example.com. (oops!) Let's stop the leaks. -- Fred Morris

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Fred Morris
a large installed base is exactly what they're aiming to prevent. Disclosure: I've heckled their CTO in a friendly fashion for making better idiots, but I paid for my own Old Fashioned. -- Fred Morris

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Fred Morris
Perhaps slightly OT, but here's a company which has a whole business model based on one nonobvious (?) reason to compile from source: https://polyverse.com/ -- Fred Morris

Re: Debian/Ubuntu: Why was the service renamed from bind9 to named?

2020-07-23 Thread Fred Morris
now running on Alpine (because super lightweight), that blurs the lines a bit. -- Fred Morris

Another DoT client (python)

2020-06-12 Thread Fred Morris
-TCP (DoPT) forwarder (see the README for why), but it was trivial to add TLS support. -- Fred Morris

Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Fred Morris
for gateways, things like that. This is not a DNS problem, it's a problem in what commonly used programs aid and abet in the name of "freedom of commerce" or something. -- Fred Morris -- [0] https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-rem

Best way to force a TC=1 response?

2020-05-26 Thread Fred Morris
it reports "Temporary failure in name resolution" in the ping example. -- Fred Morris

Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-20 Thread Fred Morris
It's incredibly hacky, but what about setting different nameservers with different sets of addresses for the FQDN in question? -- Fred

Re: Fwd: Re: recursive resolver

2020-03-12 Thread Fred Morris
rios such as someone intentionally interfering in path with port 53 traffic. -- Fred Morris

Re: Peculiar DNS queries

2019-12-22 Thread Fred Morris
is something to do with NSCD. There is a tension between the protocol ("any octet") vs what you can register ("valid hostnames") vs what's sent to the public DNS ("case insensitive"). -- Fred Morris

Re: Debugging Information Lacking?

2019-11-27 Thread Fred Morris
Look in the BIND ARM for dump-file: dump-file The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb. If not specified, the default is named_dump.db. Regards... -- Fred Morris On Wed, 27 Nov 2019, isc-bind-us...@ics-il.net wrote

Pure Python Dnstap

2019-06-05 Thread Fred Morris
by the modules above (dnspython). If the output of the sample program and the protobuf implementation itself look a bit Scapy-like, that's because I originally implemented it as a Scapy dissector several years ago. Unlike Scapy, this software is released under an Apache license. -- Fred Morris