Re: [External] strange queries incrementing letter by letter
Weird. Thoughts are: Bad software? What we call ratware. UDP/TCP Firewall issues?

Regards,
KAM

On 5/7/2021 1:32 PM, Kevin Kretz wrote:
> I see occasional series of queries like this, from within my network and among disparate types of host (linux, windows):
>
> If there's a host called hostname.mynet.com I'll see a sequence of queries like
>
> hostname.m
> hostname.my
> hostname.myn
> hostname.myne
> hostname.mynet
> hostname.mynet.c
> hostname.mynet.co
> hostname.mynet.com
>
> Can anyone tell me what this is?
>
> thanks
> Kevin

--
*Kevin A. McGrail*
/CEO Emeritus/
*Peregrine Computer Consultants Corporation*
+1.703.798.0171
kmcgr...@pccc.com
https://pccc.com/
https://raptoremailsecurity.com
10311 Cascade Lane, Fairfax, Virginia 22032-2357 USA

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: [External] Re: Per server instance vs central / shared / redundant instances of BIND
For me, I run one locally per data center with forwarders, etc. defined but for a "How to spin up your own mail server", I would likely just keep it to one per mail server. For someone more advanced, DNS is lightweight and anti-spam is very heavy. So anything you can save on anti-spam processing will likely save more resources.

On 4/27/2021 12:46 PM, Grant Taylor via bind-users wrote:
> E.g. if you had 29 mail servers, would you run BIND on each of their lo's? Or would you use a small number of central / shared / redundant servers?
Re: [External] OT: How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
On 4/27/2021 12:14 PM, Grant Taylor via bind-users wrote:
>> and change resolve.conf to 127.0.0.1 for the best RBL performance.
>
> How much effective performance difference does the loopback interface (lo) vs the local LAN interface (eth0) make?
>
> Similarly, how much effective performance difference does an on-host instance of BIND vs across the LAN to another host in the same site make?
>
> I absolutely agree that a /local/ /to/ /the/ /network/ caching DNS server is a boon for email. -- Definitely avoid simply relying on big 3rd party resolvers across the Internet.

Agreed on the OT and good subject change. For me, I wouldn't bind DNS to the eth0, just another attack surface hence I would use local loopback. Having a DNS on the lan is good too but caching on any mail server is good. There are a lot of DNS queries for email and anti-spam. But the key takeaway is don't use something like quad-8.

Regards,
KAM
Re: [External] [UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
Very nice. This was also posted on Postfix's list but nice to hear firsthand reports as I just read it.

Two minor notes to continue the project that you might consider:

#1 bind for a local caching DNS query server and change resolve.conf to 127.0.0.1 for the best RBL performance.

#2 add the KAM ruleset: https://mcgrail.com/template/projects#KAM1

Regards,
KAM

On 4/27/2021 9:47 AM, Turritopsis Dohrnii Teo En Ming wrote:
> Subject: [UPDATE 1] How to Easily Set Up a Full-Featured Linux Mail Server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0
>
> Good day from Singapore,
>
> I followed linuxbabe.com's Xiao Guoan's guide and successfully set up a full-featured Linux mail server on Ubuntu 18.04.5 LTS with iRedMail 1.4.0.
>
> Author: Mr. Turritopsis Dohrnii Teo En Ming (TARGETED INDIVIDUAL)
> Country: Singapore
> Date: 25 April 2021 Sunday
> Type of Publication: PDF Manual
> Document Version: 20210425.01 (1st release)
>
> ***IMPORTANT NOTICE***
>
> Please note that Turritopsis Dohrnii Teo En Ming's guide is based on Xiao Guoan's guide at linuxbabe.com.
>
> Reference Guide Used by Teo En Ming:
> How to Easily Set Up a Full-Featured Mail Server on Ubuntu 18.04 with iRedMail
> Link: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server
> Original Author: Xiao Guoan
>
> The following is a list of open-source software that will be automatically installed and configured by iRedMail.
>
> • Postfix SMTP server
> • Dovecot IMAP server
> • Nginx web server to serve the admin panel and webmail
> • OpenLDAP, MySQL/MariaDB, or PostgreSQL for storing user information
> • Amavisd-new for DKIM signing and verification
> • SpamAssassin for anti-spam
> • ClamAV for anti-virus
> • Roundcube webmail
> • SOGo groupware, providing webmail, calendar (CalDAV), contacts (CardDAV), tasks and ActiveSync services.
> • Fail2ban for protecting SSH
> • mlmmj mailing list manager
> • Netdata server monitoring
> • iRedAPD Postfix policy server for greylisting
>
> In addition, you need to add MX, A and TXT records to your ISC BIND DNS domain name server.
>
> Redundant Download Links for Teo En Ming's PDF Manual:
>
> [1] https://drive.google.com/file/d/1un8sLLmNSMIt7V6blWCvJEgwGvxMbd4B/view?usp=sharing
> [2] https://drive.google.com/file/d/1i0vY7kfYkobu563qoI3_qCZg7G7BFoYR/view?usp=sharing
> [3] https://drive.google.com/file/d/1U9MFN1EklLbA8TMweLV5ntiSJuBBVkpQ/view?usp=sharing
> [4] https://www.docdroid.net/dW70KtS/iredmail-setup-1st-release-pdf
> [5] https://www.mediafire.com/file/evar7j28knqyoj6/IRedMail+Setup+1st+Release.pdf/file
> [6] https://www.scribd.com/document/504932780/IRedMail-Setup-1st-Release
>
> Mr. Turritopsis Dohrnii Teo En Ming, 43 years old as of 27 April 2021, is a TARGETED INDIVIDUAL living in Singapore. He is an IT Consultant with a System Integrator (SI)/computer firm in Singapore. He is an IT enthusiast.
>
> -BEGIN EMAIL SIGNATURE-
>
> The Gospel for all Targeted Individuals (TIs):
>
> [The New York Times] Microwave Weapons Are Prime Suspect in Ills of U.S. Embassy Workers
> Link: https://www.nytimes.com/2018/09/01/science/sonic-attack-cuba-microwave.html
>
> Singaporean Targeted Individual Mr. Turritopsis Dohrnii Teo En Ming's Academic Qualifications as at 14 Feb 2019 and refugee seeking attempts at the United Nations Refugee Agency Bangkok (21 Mar 2017), in Taiwan (5 Aug 2019) and Australia (25 Dec 2019 to 9 Jan 2020):
>
> [1] https://tdtemcerts.wordpress.com/
> [2] https://tdtemcerts.blogspot.sg/
> [3] https://www.scribd.com/user/270125049/Teo-En-Ming
>
> -END EMAIL SIGNATURE-
Re: [External] Re: How can I launch a private Internet DNS server?
On 11/7/2020 10:15 AM, Reindl Harald wrote:
> https://tools.ietf.org/html/rfc1537
> Common DNS Data File Configuration Errors
>
> 6. Missing secondary servers
>
>> It is required that there be a least 2 nameservers
>> for a domain.
>
> that above is common knowledge virtually forever and the difference of "must" and "should" in IETF wordings is also very clear

While I agree this is common knowledge as a best practice, this rfc is a memo NOT a standard from my reading:

    This memo provides information for the Internet community. It does not specify an Internet standard. Distribution of this memo is unlimited.

Regards,
KAM
Re: [External] Re: How can I launch a private Internet DNS server?
On 11/7/2020 9:04 AM, Reindl Harald wrote:
> first: there *is* a requirement of a secondary nameserver
> https://www.iana.org/help/nameserver-requirements

Does that requirement apply to the use-case? Based on the first sentence, "These are the technicals tests we perform for delegation changes in the zones we manage (root zone, .INT, .ARPA).", I would guess it's not applicable.

Regards,
KAM
Re: How can I launch a private Internet DNS server?
> Do a web search for "secondary dns provider" and "backup dns provider"

I just wanted to comment that there is no "requirement" to run a secondary DNS server. It's certainly best practice and should be considered. However, the goal of having two DNS servers is to promote redundancy if DNS fails but other services you need have not. That may or may not be the case here and merits consideration of the question, "what will redundant DNS gain this organization?"

$0.02,
KAM
Re: [External] Re: How can I launch a private Internet DNS server?
On 10/15/2020 2:50 PM, Jason Long via bind-users wrote:
> Yes.
> In the panel of domain name registrar I can enter something like "NS1.example.net" and an IP address.
> I want to host the DNS server myself.

Oh yes, you will also need a domain name registrar that lets you register the nameserver glue record. For example, ns.pccc.com is authoritative for pccc.com which creates a catch-22. The solution is a nameserver glue record which your registrar has to handle.

Regards,
KAM
Re: [External] Re: How can I launch a private Internet DNS server?
On 10/15/2020 1:00 PM, Stephane Bortzmeyer wrote:
> He said that the DNS server has a public IP address so port forwarding is probably not necessary.

Firewalls are cheap and the level of effort to run a bastion host is significant. I'd recommend port forwarding as a necessary task.
Re: [External] Re: How can I launch a private Internet DNS server?
On 10/15/2020 12:57 PM, Jason Long via bind-users wrote:
> Yes, I have two static IP addresses. One is for DNS server and one is for my website.
> Excuse me, I just have one server for DNS and that tutorial is about secondary DNS server too. Can you show me another tutorial with one server and same goal?
> The Internet DNS server for my goal is "Authoritative DNS" ?

Recommend you set up a linux box with BIND or something installed behind a firewall.

Port forward port 53 for protocols TCP AND UDP to your internal IP address.

Set up bind to respond to queries for the internal IP address (it likely only responds to localhost by default).

Limit it so it doesn't do recursion for the internet queries.

Set up a zone on the box for a domain.

Point your domain registrar to the IP address of your DNS box.

Voila, you now have an authoritative name server.

Regards,
KAM
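Added example (not from the thread) for the "limit it so it doesn't do recursion" step: a stdlib-only probe that sends a recursive query for a name outside your own zones to your authoritative server and classifies the reply from its header flags, so you can confirm the finished box is not an open resolver. The out-of-zone name www.example.org, the server address and the constructed reply packets are assumptions for illustration.

```python
import socket
import struct

def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Build a minimal RFC 1035 DNS query; RD=1 asks the server to recurse."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + question + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Decode the 12-byte DNS header into the fields a recursion check needs."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "ancount": ancount}

def classify_response(packet):
    """'refused'       : REFUSED (rcode 5), what BIND returns for an
                         out-of-zone name when recursion is not allowed
       'open-resolver' : RA set, i.e. the server offers recursion to us
       'closed'        : anything else (e.g. an authoritative answer)"""
    h = parse_header(packet)
    if h["rcode"] == 5:
        return "refused"
    if h["ra"]:
        return "open-resolver"
    return "closed"

def probe(server, qname="www.example.org", timeout=3.0):
    """Send the recursive query to server:53 over UDP and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(4096)
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch, ignoring reply")
    return classify_response(reply)

# Constructed reply headers (not captured traffic) for the three outcomes:
# QR|RD|rcode=5, QR|RD|RA with one answer, and QR|AA|RD with one answer.
REPLY_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0)
REPLY_OPEN = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
REPLY_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, 0x8500, 1, 1, 0, 0)

if __name__ == "__main__":
    import sys
    # Usage: python3 check_recursion.py <address of your own name server>
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

Run it once from inside the LAN and once from outside through the port forward; the outside run should report "refused" for a server that only serves its own zones.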
Re: [External] How can I launch a private Internet DNS server?
On 10/15/2020 12:36 PM, Jason Long via bind-users wrote:
> I have a question about launching a DNS server with CentOS for hosting a web server. Excuse me, if my question is so basic and funny. I need expert advice about it.
> I registered a domain name for my web site and in the panel of it, I can enter my DNS server IP addresses. I want to launch a CentOS DNS server that my Web site using it and users can visit my website from the Internet. These two servers (DNS and Web server) are in a local network and connected to the Internet with a Gateway. Each server has an internal and a public IP address.
> I want to enter my DNS server IP address in my website panel and after it, users can visit my website from the Internet. I'm thankful if anyone show me a tutorial to launch my DNS server for this goal.
> All tutorials that I found on the internet are about internal DNS servers, but I want to launch a DNS server for hosting my website.
> Is Internet DNS server just possible for providers?

Do you have a hosting service with a static IP that doesn't block port 53 for TCP and UDP? That's a hard and fast requirement to even consider this route.

Regards,
KAM
Re: [External] Block-domain
Mohammed, I think you might be unaware that .link is a TLD itself.

Some thoughts: You can just create dummy unresolvable domains for these domains if you have centralized DNS. If you don't you'll have to block at a proxy. If you don't have that, perhaps you have a firewall with blocking capabilities.

Regards,
KAM

On 9/28/2020 11:28 AM, MEjaz wrote:
> Dear all,
>
> We have received the request by our National cyber Security Center to block below malicious domains from our resolvers. We are using latest version of bind for resolver.
>
> Little Confusion is that these are the links not the static domains? So is there any way we can do something for it at dns level
>
> Domains
>
> Hxxp://aramex.com.app-ar[.]link
>
> Hxxps://manage-app-le-com.session-validate-account-myapp.le-cloudid.com
>
> Thanks in advance for your usual support.
>
> Thanks,
>
> Mohammed Ejaz
> Asst. Operation Director of Systems.
> Cyberia SAUDI ARABIA
> P.O.Box: 301079, Riyadh 11372
> Phone: (+966) 11 464 7114 Ext. 140
> Mobile: (+966) 562311787
> Fax: (+966) 11 465 4735
> Website: http://www.cyberia.net.sa
Re: [External] AW: Debian/Ubuntu: Why was the service renamed from bind9 to named?
On 4/15/2020 3:09 AM, Klaus Darilion wrote:
> I do not complain about the version number, but of the name.
>
> And in my opinion it is not sane to call a service/package httpd if the name of the software is Apache.

For me, adding the version number can make sense if there is an intention to have both X and Y running on machines simultaneously. Or if there is a need / ability to choose one version with more than one being provided by the distro. Apache httpd 1 versus 2, was a real choice not many years ago. MySQL 5 versus 8 has a similar situation now. I'm sure I can point out others where the version number in the service is a pathway to upgrades.

And with Apache HTTPD, you've picked a special naming case. It is the granddaddy of the entire Apache Software Foundation and has morphed from being called just "Apache" to "Apache httpd". Calling the service apachehttpd might be good and differentiate it from the ~383 Apache projects (https://projects.apache.org/) and other httpd daemons. But it's been just httpd in a lot of distros for over 20 years so a LOT of historical convention here.

Unfortunately, the exact name is up to the distribution, not really the project. So this is really a discussion for an Ubuntu/Debian mailing list, not this one.

Regards,
KAM
IPv6 Nameserver Question with dig +trace
Hi All,

On an older Bind server such as 9.3.6-p1, I can run dig +trace www.pccc.com. However, when I'm using 9.8.1-p1, I'm seeing a problem that stops the trace when it reaches our IPv6 nameserver, ns3.pccc.com. Examples follow. Am I doing something wrong with the newer dig?

Regards,
KAM

dig +trace www.pccc.com @ns.pccc.com

; DiG 9.8.1-P1 +trace www.pccc.com @ns.pccc.com
;; global options: +cmd
. 175250 IN NS g.root-servers.net.
. 175250 IN NS h.root-servers.net.
. 175250 IN NS i.root-servers.net.
. 175250 IN NS j.root-servers.net.
. 175250 IN NS k.root-servers.net.
. 175250 IN NS l.root-servers.net.
. 175250 IN NS m.root-servers.net.
. 175250 IN NS a.root-servers.net.
. 175250 IN NS b.root-servers.net.
. 175250 IN NS c.root-servers.net.
. 175250 IN NS d.root-servers.net.
. 175250 IN NS e.root-servers.net.
. 175250 IN NS f.root-servers.net.
;; Received 512 bytes from 38.100.17.53#53(38.100.17.53) in 155 ms

com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
;; Received 502 bytes from 192.36.148.17#53(192.36.148.17) in 201 ms

pccc.com. 172800 IN NS ns.2rad.net.
pccc.com. 172800 IN NS ns.pccc.com.
pccc.com. 172800 IN NS ns2.pccc.com.
pccc.com. 172800 IN NS ns3.pccc.com.
dig: couldn't get address for 'ns3.pccc.com': not found

Compared to:

dig +trace www.pccc.com

; DiG 9.3.6-P1-RedHat-9.3.6-4.P1.el5 +trace www.pccc.com
;; global options: printcmd
. 175333 IN NS a.root-servers.net.
. 175333 IN NS b.root-servers.net.
. 175333 IN NS c.root-servers.net.
. 175333 IN NS d.root-servers.net.
. 175333 IN NS e.root-servers.net.
. 175333 IN NS f.root-servers.net.
. 175333 IN NS g.root-servers.net.
. 175333 IN NS h.root-servers.net.
. 175333 IN NS i.root-servers.net.
. 175333 IN NS j.root-servers.net.
. 175333 IN NS k.root-servers.net.
. 175333 IN NS l.root-servers.net.
. 175333 IN NS m.root-servers.net.
;; Received 512 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
;; Received 502 bytes from 2001:503:ba3e::2:30#53(a.root-servers.net) in 9 ms

pccc.com. 172800 IN NS ns.2rad.net.
pccc.com. 172800 IN NS ns.pccc.com.
pccc.com. 172800 IN NS ns2.pccc.com.
pccc.com. 172800 IN NS ns3.pccc.com.
;; Received 184 bytes from 192.31.80.30#53(d.gtld-servers.net) in 24 ms

www.pccc.com.
Re: IPv6 Nameserver Question with dig +trace
On 1/23/2012 11:54 PM, Noel Butler wrote:
> Likely because ns3 has only ipv6 address and no ipv4 address and the server you are checking from has no ipv6 capability. You are asking for big problems using this method. You should give all NS records an IPv4 address, and then add in IPv6 on the ones you can eg:
>
> ns2 A ip.v.4.add
> ns2 ip:6:addr

Ns3 only has an ipv6 address on purpose but that shouldn't stop dig from finding out the address. It's not trying to query via ipv6, it's saying no address exists. This is correct since not all registrars accept a nameserver with ipv4 and ipv6 glue, so ns3 only has an IPv6 address.

Regards,
KAM
Re: IPv6 Nameserver Question with dig +trace
On 1/24/2012 12:12 AM, Mark Andrews wrote:
> It's a known bug.

Thanks for the update. If you need a tester for a patch, just let me know.

Best,
KAM