Re: glue or authority NS is cached and used at a cache dns server?
You might want to read my blog post: http://www.nsbeta.info/archives/115

HTH

On 2012-3-21 15:07, Felix New wrote:
> when i dumpdb from the cache dns, some domain's ns records are glue DNS, and
> others are authority. The TTLs are different. which type is used in Cache DNS?

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Can I set TTL served to users in bind?
On 2012-3-9 16:11, Drunkard Zhang wrote:
> I got some bind servers doing iteration resolution, and return the results
> to users. But I found that some names got too big TTLs, whose RRs can not be
> replaced correctly by new RRs in time. This leads to user's blame, we have
> to flush the caches by hand, and restart the SOHO router to resolve the dead
> site issue.
>
> So I wonder can bind set a (lower) TTL by force before response to users. If
> I can, which option? I dug through the ARM, but got nothing.

Many ISPs' caching DNS servers do this stuff. AFAIK there is not such an option for that, but you can do it from BIND's source.

HTH.
Re: Can I set TTL served to users in bind?
On 2012-3-9 17:20, Cathy Almond wrote:
>> Many ISPs' caching DNS servers do this stuff. AFAIK there is not such an
>> option for that, but you can do it from BIND's source.
>
> max-cache-ttl ?

Thanks Cathy for pointing that out. From what I googled:
http://www.menandmice.com/knowledgehub/dnsqa/44/
max-cache-ttl does do this, but I never knew that.

Regards.
A question for the reference
Hello,

Please see this case:

$ dig funnygamesite.com @k.gtld-servers.net

; <<>> DiG 9.7.3 <<>> funnygamesite.com @k.gtld-servers.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35540
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;funnygamesite.com.        IN  A

;; AUTHORITY SECTION:
funnygamesite.com.  172800  IN  NS  ns1.dnsbed.com.
funnygamesite.com.  172800  IN  NS  ns2.dnsbed.com.

;; ADDITIONAL SECTION:
ns1.dnsbed.com.     172800  IN  A   174.140.172.238
ns2.dnsbed.com.     172800  IN  A   50.31.252.20

;; Query time: 188 msec
;; SERVER: 192.52.178.30#53(192.52.178.30)
;; WHEN: Tue Mar 6 09:30:42 2012
;; MSG SIZE rcvd: 110

When a resolver queries funnygamesite.com from one of the gtld name servers, will the resolver use the reference (AUTHORITY SECTION and ADDITIONAL SECTION) directly? Or does it make another query for ns1.dnsbed.com and ns2.dnsbed.com and get the authoritative answers for them?

Thanks.
about the MX and NS values
I was thinking why RFC requires the values of MX and NS must be hostname not IP. Any glue?

Thanks.
Re: about the MX and NS values
On 2012-2-9 15:27, Mark Andrews wrote:
> When you serve 10 zones do you want to update 1 address record or 10 NS
> records on an address change?
>
> When you serve 10 mail domains do you want to update 1 address record or 10
> MX records on an address change?

Yup that's clean. thanks.
Re: Defense against a client?
On 2012-1-16 18:19, Tom Schmitt wrote:
> My question: Is there any possibility in Bind to give a quota to a client?
> e.g. that from a given IP no more than hundred queries per second are
> allowed and the rest is to be blackholed. That way only the client causing
> the load would have a problem but not all other clients.
>
> Is there such a possibility? I found nothing in the documentation. Or are
> there other ways to achieve this? How do you guys do this?

I think if the ip is out of the limit you can disable its query by iptables for some time. You can get each ip's query count from the logfile.

HTH.
Re: allow-query for a zone
On 2012-1-17 1:58, Warren Kumari wrote:
> Just out of interest, why wouldn't you just comment out the zone stanza?
> Would cut down on memory usage, load time, etc…
>
> I'm sure you have a use case, just a wondering…

Well, my DNS management system (dnsbed.com) requires a zone pause feature. When a user clicks the pause button, the zone should be stopped for resolving, but the config and records should be kept.

Thanks.
allow-query for a zone
Hi,

If I just want to disable any client to query for a zone, but keep that zone in the config file (maybe later I will enable it to be accessible), can I just set allow-query { none; }; in the zone section?

zone "example.com" {
    type master;
    file "example.com.db";
    allow-query { none; };
};

Thanks.
about the reference
Hello,

Please see this reference:

$ dig mydots.net @j.gtld-servers.net

; <<>> DiG 9.4.2-P2.1 <<>> mydots.net @j.gtld-servers.net
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41902
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;mydots.net.        IN  A

;; AUTHORITY SECTION:
mydots.net.         172800  IN  NS  ns1.dnsbed.com.
mydots.net.         172800  IN  NS  ns2.dnsbed.com.

;; ADDITIONAL SECTION:
ns1.dnsbed.com.     172800  IN  A   74.117.233.4
ns2.dnsbed.com.     172800  IN  A   204.152.196.108

;; Query time: 196 msec
;; SERVER: 192.48.79.30#53(192.48.79.30)
;; WHEN: Fri Jul 1 16:23:05 2011
;; MSG SIZE rcvd: 106

j.gtld-servers.net gives the reference info about the domain mydots.net. It says the dns servers for mydots.net are ns[1-2].dnsbed.com, followed by the two NS's IP addresses.

My question is, when another BIND cache gets this reference, will it use the IP addresses directly? Or will it use the IP addresses it gets from the authoritative server?

I ask this because, when the IP addresses from the reference are different from the ones from the authoritative server, what will happen?

Thanks for your kind help.
Re: tell BIND the nameservers have been changed
I remember there is a rndc option, but not sure.

-Original Message-
From: bortzme...@nic.fr
Sent: Wed, 15 Jun 2011 09:06:54 +0200
To: pen...@inbox.com
Subject: Re: tell BIND the nameservers have been changed

On Tue, Jun 14, 2011 at 08:41:50PM -0800, Jeff Peng pen...@inbox.com wrote a message of 18 lines which said:

> I changed ns[1-2].myzone.com to new IPs in myzone.com's DNS, then how to
> let BIND for example.com to know the NS has been changed?

Wait for the TTL to expire seems the most reasonable course of action.
tell BIND the nameservers have been changed
Hello,

Once I changed the IP address for NS records, for example,

example.com. IN NS ns1.myzone.com.
example.com. IN NS ns2.myzone.com.

I changed ns[1-2].myzone.com to new IPs in myzone.com's DNS, then how to let BIND for example.com to know the NS has been changed?

Thanks.
second nameserver with two IPs
Hello,

My second nameserver has two IPs, for example,

61.144.56.1
61.144.57.1

(They are in different CIDRs.)

and my ns2.example.com was pointed to these two IPs. Will this cause problems, for example, the duplicated notification or zone-transfer?

Thanks in advance.
DNS is tainted
Hello,

From the dig info below:

C:\dig>dig +nocmd www.nsbeta.info +noall +answer @ns1.google.com
www.nsbeta.info.    3497    IN  CNAME   nsbeta.info.
nsbeta.info.        2434    IN  A       74.117.232.204

C:\dig>dig +nocmd www.nsbeta.info +noall +answer @ns1.google.com
www.nsbeta.info.    3492    IN  CNAME   nsbeta.info.
nsbeta.info.        2429    IN  A       74.117.232.204

C:\dig>dig +nocmd www.nsbeta.info +noall +answer @ns1.google.com
www.nsbeta.info.    3486    IN  CNAME   nsbeta.info.
nsbeta.info.        2423    IN  A       74.117.232.204

I think my office network's DNS is tainted, because:

1) ns1.google.com is authoritative nameserver only, which shouldn't answer this query.
2) the TTL is decreased each time, if it's a real authority answer, the TTL should be all the same.

And this is the full output of dig:

C:\dig>dig www.nsbeta.info @ns1.google.com

; <<>> DiG 9.3.2 <<>> www.nsbeta.info @ns1.google.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1183
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nsbeta.info.   IN  A

;; ANSWER SECTION:
www.nsbeta.info.    3111    IN  CNAME   nsbeta.info.
nsbeta.info.        2048    IN  A       74.117.232.204

;; Query time: 15 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Wed Jun 08 11:09:09 2011
;; MSG SIZE rcvd: 74

How to deal with this case? Thanks.

Regards.
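The two checks reasoned through in the message above (header flags without `aa` but with `ra`, and a TTL that counts down between repeated queries), as an added example that is not part of the original post. The function names are hypothetical; the embedded text is the dig output quoted in the post with column spacing normalised, plus one constructed authoritative header for contrast.

```python
import re

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]+);", re.M)
RR_RE = re.compile(r"^([^;\s]\S*)\s+(\d+)\s+IN\s+(\S+)\s+\S+", re.M)

def header_flags(dig_text):
    """Return the set of header flags (qr, aa, rd, ra, ...) dig printed."""
    m = FLAGS_RE.search(dig_text)
    return set(m.group(1).split()) if m else set()

def ttls(dig_text):
    """Map (owner, type) -> TTL for each resource record line."""
    return {(o, t): int(ttl) for o, ttl, t in RR_RE.findall(dig_text)}

def cache_indicators(full_output, repeated_answers):
    """List signs that a reply came from a cache, not the queried authority."""
    found = []
    flags = header_flags(full_output)
    if "aa" not in flags:
        found.append("aa flag missing")
    if "ra" in flags:
        found.append("ra flag set")
    runs = [ttls(a) for a in repeated_answers]
    for key in runs[0] if runs else ():
        series = [r[key] for r in runs if key in r]
        # An authority serves the zone's TTL unchanged; a cache counts it down.
        if len(series) > 1 and all(b < a for a, b in zip(series, series[1:])):
            found.append("TTL counting down for %s %s" % key)
    return found

# Header and answers as quoted in the post (spacing normalised).
FULL = """;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
www.nsbeta.info. 3111 IN CNAME nsbeta.info.
nsbeta.info. 2048 IN A 74.117.232.204
"""
REPEATS = [
    "www.nsbeta.info. 3497 IN CNAME nsbeta.info.\nnsbeta.info. 2434 IN A 74.117.232.204\n",
    "www.nsbeta.info. 3492 IN CNAME nsbeta.info.\nnsbeta.info. 2429 IN A 74.117.232.204\n",
    "www.nsbeta.info. 3486 IN CNAME nsbeta.info.\nnsbeta.info. 2423 IN A 74.117.232.204\n",
]
# Constructed contrast: header flags of a reply that carries the aa bit.
AUTHORITATIVE = ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0\n"

if __name__ == "__main__":
    for line in cache_indicators(FULL, REPEATS):
        print(line)
```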
querylog format
Hello,

The querylog of BIND in my hosts is like:

client 58.240.56.18#16768: query: s18.mhxx.game.yy.com IN A -EDC

For the last part, I know the '-' means non-recursion, 'E' means EDNS. But what are the 'D' and 'C' flags?

thanks.
Re: querylog format
Thanks michael. That's right for me.

-Original Message-
From: mich...@rancid.berkeley.edu
Sent: Mon, 06 Jun 2011 20:41:03 -0700
To: pen...@inbox.com
Subject: Re: querylog format

On 6/6/11 8:09 PM, Jeff Peng wrote:
> Hello,
>
> The querylog of BIND in my hosts is like:
>
> client 58.240.56.18#16768: query: s18.mhxx.game.yy.com IN A -EDC
>
> For the last part, I know the '-' means non-recursion,'E' means EDNS.
> But what are the 'D' and 'C' flags?

D = DO (DNSSEC Okay), client is requesting DNSSEC records and AD bit set if server is doing validation and can validate the zone

C = CD (Checking Disabled), client does not want the server to do validation on the response, but to return it regardless.

Although setting both flags sounds contradictory, it makes some sense where a validating forwarding resolver wants to do its own validation and enforce its own policy for dealing with valid/insecure/bogus zones.

michael
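Decoding the querylog flag suffix explained in this reply, together with the per-client query count suggested in the "Defense against a client?" reply earlier on this page, as an added example that is not code from the thread. The meanings of '+', 'S' and 'T' come from the BIND ARM rather than this page; the function names, the limit and all sample lines except the first are constructed, and the pattern assumes the log line layout quoted in the thread.

```python
import re
from collections import Counter

# Flag characters in the querylog suffix. '-', 'E', 'D', 'C' are the ones
# discussed in the thread; '+', 'S', 'T' are taken from the BIND ARM.
FLAGS = {
    "+": "recursion desired",
    "-": "recursion not desired",
    "S": "signed (TSIG)",
    "E": "EDNS in use",
    "T": "sent over TCP",
    "D": "DO (DNSSEC OK) set",
    "C": "CD (checking disabled) set",
}

# Matches the line layout quoted in the thread (assumption: no extra fields).
LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>[+-][A-Z]*)"
)

def parse_line(line):
    """Return a dict for one querylog line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flag_names"] = [FLAGS.get(c, "unknown flag " + c) for c in rec["flags"]]
    return rec

def heavy_clients(lines, limit):
    """Count queries per client IP and return the clients above `limit`."""
    counts = Counter(r["ip"] for r in map(parse_line, lines) if r)
    return {ip: n for ip, n in counts.items() if n > limit}

# Constructed sample log: the first line is the one quoted in the thread,
# the rest are made up (documentation addresses) for the counting step.
SAMPLE = [
    "client 58.240.56.18#16768: query: s18.mhxx.game.yy.com IN A -EDC",
    "client 192.0.2.7#40001: query: www.example.com IN A +",
    "client 192.0.2.7#40002: query: www.example.com IN AAAA +",
    "client 192.0.2.7#40003: query: mail.example.com IN MX +ET",
    "not a query line",
]

if __name__ == "__main__":
    print(parse_line(SAMPLE[0])["flag_names"])
    print(heavy_clients(SAMPLE, limit=2))
```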