Re: Stopping ddos

I've never actually used RRL, but from the manual, it appears to default to a /24 prefix length to determine whether IPv4 clients are "similar" enough to be lumped in the same bucket, for RRL purposes. That might need to be tweaked, depending on the profile of whoever is attacking/abusing you. T

Re: Resolve any query to same IP address

[ Classification Level: GENERAL BUSINESS ] Dot "." instead of asterisk "*" as the zone name. Remove the "hint" zone, since that doesn't apply when you host your own root zone. You need a proper MNAME for the SOA RR too. - Kevin On Wed, Jul 21, 2021 at 11:18 A

Re: query-source and listened interfaces

[ Classification Level: GENERAL BUSINESS ] I've done the match-destinations/query-source thing before, but in addition to that, it should theoretically be possible to also use a shared cache between the views, via attach-cache. I've never played with that directive myself, however.

Re: Managing localhost

[ Classification Level: GENERAL BUSINESS ] That chapter doesn't show any PTR records, for the reverse zones of any *public* address range, pointing back to a "localhost" name. It only shows a PTR record in the reverse zone for the 127.0.0/24 private range, which is what enables a reverse lookup f

Re: How to return REFUSED

[ Classification Level: GENERAL BUSINESS ] I just checked the ARM, and it denotes that "match-recursive-only" (boolean) still exists for views. So, you might be able to set up a special view with that, as well as a negated match-clients, specifying allow-query { none; }. Put it as the first view,

Re: Bind9 weighted load balancing

[ Classification Level: GENERAL BUSINESS ] Duplicate RRs are suppressed, as per the standards. RFC 2181, Section 5: Each DNS Resource Record (RR) has a label, class, type, and data. It is meaningless for two records to ever have label, class, type and data all equal - servers should suppr

Re: Configuring the location of named .jnl files

[ Classification Level: GENERAL BUSINESS ] Ivan, I've never done the Let's Encrypt thing myself, but from my skim of the documentation, it appears they want you to place a TXT record in a specific part of your domain's namespace hierarchy. I sincerely hope you're not trying to write th

Re: Preventing a particular type of nameserver abuse

[ Classification Level: GENERAL BUSINESS ] It's not a "BIND" solution, per se, but if you have a sufficiently-sophisticated IPS (Intrusion Prevention System) you could have it simply drop all queries of a particular QNAME, or any particular combination of QNAME, QTYPE, QCLASS, before those packet

Re: Logging on a Bind server

ad, a dynamic, reputation-based RPZ feed. See https://dnsrpz.info/ for more. - Kevin On Tue, Oct 20, 2020 at 10:45 AM Kevin Darcy wrote: > [ Classification Level: GENERAL BUSINESS ] > > According to securitytrails.com (for instan

Re: Logging on a Bind server

[ Classification Level: GENERAL BUSINESS ] According to securitytrails.com (for instance), there are over 3,000 domains hosted on ns2.honeybot.us (securitytrails only shows the first few domains hosted -- to see more, one presumably needs a subscription to their service). If one of your clients l

Re: "forward first" set on a master zone not working as expected

[ Classification Level: GENERAL BUSINESS ] Or, if you absolutely *must* use the same namespace internally and externally (oftentimes you can't talk the business out of that), your internal version should be a more-or-less a superset of your external version. How you keep those in sync is up to yo

Re: CNAME restrictions

[ Classification Level: GENERAL BUSINESS ] Offhand, it looks like the server side is configured to only allow authenticated updates, but you're sending an unauthenticated one. A more nuanced issue might be if the ID you're running the nsupdate as, can't read the key files, so even though you may

Re: Fun with nsudpate and ac1.nstld.com

[ Classification Level: GENERAL BUSINESS ] You didn't dot-terminate covisp.net in the "zone" statement, so it may be appending who-knows-what to one of its queries, and going awry. nsupdate -d (or -D) shows all :-) - Kevin On Mon, Jul 6,

Re: [Non-DoD Source] Re: BIND Masters and slaves

[ Classification Level: PUBLIC ] My 2 cents... The "master" nomenclature is appropriate from a *data*dependency* standpoint. The "master" holds the "master copy" of the zone contents ( https://www.collinsdictionary.com/us/dictionary/english/master-copy). All other copies are duplicates of that.

Re: How to get random subset of large rrset (30+ IPs for round robin)?

[ Classification Level: GENERAL BUSINESS ] Only thing that comes to mind is a constantly-running dynamic update script that adds/deletes records to/from the RRset at random. A more sophisticated version of the script would look at what answers that have been given out in the recent past, and if s

Re: Using TSIG Keys Between Linux OS and Windows OS

[ Classification Level: PUBLIC ] To clarify, the OP didn't specify what DNS software they were using, only the OS (Windows 2016). If using Microsoft DNS, then as Mark pointed out, Microsoft has not implemented regular shared-key TSIG. They have, however, implemented GSS-TSIG, which, I believe, ca

Re: Zoneformat

r > pretty much *all* phone dialing ..." > > Except that that proved to be so onerous that people often use "speed > dialing" for commonly dialed numbers. (Not to mention the fact that > people usually address their friends and coworkers by short names.) > > > O

Re: Zoneformat

[ Classification Level: PUBLIC ] My opinion? It's better to wean your users away from shortnames than to try to cobble together kludges, on the client side or the BIND side, to support a bad habit. Shortnames introduce ambiguity, lead to nasty surprises, are inefficient and insecure. Just like we

Re: Bind-Efficientip

[ Classification Level: PUBLIC ] It's not clear to me from the marketing fluff whether EfficientIP is based on BIND or not. If it is, then consider that you have an open-source codebase, and the eternal debate is whether open source is inherently more secure or not. On the one side, is the "many

Re: Proper Way to Configure a Domain which never sends emails

keep recommending a null MX. I've concurred that a "-all" SPF will help. - Kevin On Mon, Aug 19, 2019 at 8:07 PM Reindl Harald wrote: > > > Am 19.08.19 um 23:31 schrieb Kevin Darcy: > > [ Classification Level: PUBLIC ] > > > > MXes are

Re: Proper Way to Configure a Domain which never sends emails

[ Classification Level: PUBLIC ] MXes are for *receiving* mail of course. The request is about *sending* mail. Setting the SPF record to "-all" is probably about the best you can do, since AFAIK there is no universally-recognized way to signal "domain X never sends mail". Ironically, in order to

Re: SERVFAIL when looking up TXT from particular domain

There's a huge amount of DNSSEC verbiage in the response to that query (4931-byte response from the authoritative nameservers), when querying with +dnssec. I'm guessing the resolver function of BIND might be having trouble with DNSSEC validation. At least, that's a hypothesis. I'm not familiar enou

Re: Change DNS records automatically when a link is DOWN

Publish all 3 NSes. Publish MX records with primary/failover preferencing. Use a load-balancer (free or commercial, software/hardware/cloud-based) to direct the web traffic. - Kevin On Wed, Jun 5, 2019 at 11:16 AM Roberto Carna w

Re: Forwarders with static-stub

TBH, I haven't worked specifically with "static-stub", but with the classic "stub", one would put a "null forwarders" statement in the zone definition to inhibit forwarding. I.e. forwarders { }; - Kevin On Wed, May 22, 2019 at 8:16 AM Ben Lavender

Re: Enable recursive query for only a particular zone

The simple answer is that you can do this with allow-recursion. Note that "recursion no" is a big (instance-wide or view-wide) "off" switch for recursion, so if you already have that set, you'll have to un-set it in order to apply your allow-recursion controls in a granular fashion. You may also wa

Re: Problem with zone delegation with private gTLD

If you're doing stuff at really small scale, you can just define your own root zone and put all of the records into it, including records in the "phishing" subdomain, and any reverse records you care about (in the "in-addr.arpa" and/or "ip6.arpa" subdomains). For that matter, if you only have 1 BIN

Re: Combining forward with master zone.

Delegate needs.example.com from example.com and you should be set. - Kevin On Wed, Feb 20, 2019 at 3:40 PM King, Harold Clyde (Hal) wrote: > Could I just define needs.example.com as a zone in a separate file so: > > > > zone "example.com" { type master; notify no; file "static/antip

Re: Combining forward with master zone.

As discussed in another thread, delegate the zone you want to forward, in addition to defining the zone as "type forward". If you already tried a "type forward" and it didn't work, it was probably because the delegation was missing. It's a non-obvious requirement, but named needs to see the zone cu

Re:

ate teamviewer.com from root. Define teamviewer.com as 'type >> forward'". >> >> > >> >> >An also what is the benefit in defining a root zone with the >> teamviewer.com >> >> >delegated into it??? Because I put to work this zone just

Re: DNS load balancing: UDP or TCP ?

If you go with Anycast via BGP, make sure your network infrastructure has "multipath" enabled, otherwise the traffic will be skewed to one node or the other. https://tools.ietf.org/id/draft-lapukhov-bgp-ecmp-considerations-01.html is one source which summarizes some of the literature and standards

Re: Malicious-DNS

Another approach is to define a "fake" vitaminc.pro domain, point it at an internal webserver (assuming you have a spare, or can spin one up for the purpose), and see what clients are hitting it. Of course, that assumes the communication is web-based. If it's some other protocol(s), you'd need to

Re:

I've already posted a solution for this. Basically, "Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as 'type forward'". "Recursion yes" is implied. No views necessary. It doesn't make any sense anyway, to have the same match-clients list for all of one's views, sin

Re: Forward zone inside a view

answers are not helpful. Even though they are correct in > other contexts. > > > Timothe Litt > ACM Distinguished Engineer > -- > This communication may not represent the ACM or my employer's views, > if any, on the matters discussed. > >

Re: Forward zone inside a view

Define root zone. Delegate teamviewer.com from root zone. Define teamviewer.com as "type forward". "recursion no" is incompatible with *any* type of forwarding or iterative resolution. Should only be used if *everything* you resolve is from authoritative data, i.e. for a hosting-only BIND instan

Re: BIND DNS Enable audit logs - Authoritative

I don't believe there is any logging category for this, even when zones are enabled for Dynamic Update, in which case the versioning is done automatically. There used to be a "journalprint" utility that one could run against the .jnl files to show the update history. But, even if the journaling mec

Re: dns cache issue

Offhand, sounds like your LAN is saturated so the queries might not be getting to BIND in the first place. Or the replies aren't getting back. It's unlikely that QoS is going to help this, you indicated that QoS was on your "router", and that is typical -- usually QoS is found on WAN links. (Althou

Re: one-zone-only forwarding DNS

9.5.5 is old -- upgrade. But, to the architecture issue... sounds like you need an "internal root with forwarding exceptions" setup. - As per best practices, consider separating the recursive-resolver and hosting functions into separate views, separate named instances (listening on diffe

Re: Rewrite/Override QTYPE with RPZ

The only scenario in which I could see this being accepted by the client, is if the replacement is a CNAME, since that's a "universal" type. But it's still unclear what the ultimate intent would be. - Kevin On Thu, Nov 8, 2018

Re: 2 Questions - forward zone and DNS firewalling

My basic rule of thumb is: use forwarding when connectivity constraints require it. Those constraints may be architectural, e.g. a multi-tiered, multi-layer network for security purposes, or may be the result of screwups or unintended consequences, e.g. a routing blackhole. Use forwarding to get ar

Re: Strange DIG behavior on Windows 10:

To be honest, I don't have a lot of experience running dig on Windows, but I assume it would use the same resolvers as everything else, in which case they're either statically defined (typically through Control Panel) or assigned via DHCP. One thing to consider, though: on Windows, resolvers tend

Re: need two Domain in Named.local, but not resolv

Offhand, it looks like 192.168.201.92 is giving SERVFAIL for anything in the carag.local zone, but is fine for the olh.local zone. Did the zone load properly? Look in the logs at startup or reload time. But, the tools you're using, and how you're using them, makes troubleshooting very difficult

Re: Forward type "only" no longer working (possibly a regression)?

One of the most useful initial steps in troubleshooting is to establish your ability to reproduce the error. So, I'd look at getting to the command-line of the originating resolver, if possible, and using a command-line tool like "dig" to generate queries towards the intended target and see if you

Re: Forward type "only" no longer working (possibly a regression)?

You need to get to the root cause of what's causing the SERVFAIL. Removing "forward only" just masks the problem by telling the resolver algorithm to fail over to iterative resolution when it encounters the SERVFAIL. So, sure, the query resolves, but probably not from the correct server, and proba

Re: NTP through DNS?

I'll just toss in the factoid that NTP can be run on multicast or anycast, which may negate some of the motivation for using a DNS name to access the service. - Kevin On Wed, Sep 19, 2018 at 11:38 AM Andrew Latham wrote: > On Wed, Sep 19, 2018 at 10:19 AM Ray Bel

Re: Net::DNS::Update when Something Goes Wrong

On 9/18/2014 12:33 PM, Martin G. McCormick wrote: This is a perl module but my question is pure bind. Is anyone familiar enough with this perl module to say whether the packets are sent as TCP or udp? If udp, one would think that if a packet was sent to do a job and the DNS failed to rece

Re: How to block part of a zone

You have multiple choices here. Loopback is sometimes a bad choice, since the client may try to connect to itself, and in pathological cases this could cause an infinite loop. You could consider an A record with RDATA 0.0.0.0, the "null" or "unspecified" address. It is not legal for that ever

Re: A record of domain name must be name server ?

On 9/11/2014 11:51 AM, Mark Elkins wrote: On Thu, 2014-09-11 at 11:27 -0400, Kevin Darcy wrote: Mark, Depending on implementation, a PTR RRset with multiple records either -- only ever gets answered with the "first" record of the set (in which case the second and

Re: A record of domain name must be name server ?

On 9/11/2014 12:08 PM, Matus UHLAR - fantomas wrote: On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote: On 10.09.14 18:13, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where

Re: A record of domain name must be name server ?

/11/2014 3:45 AM, Mark Elkins wrote: On Wed, 2014-09-10 at 18:13 -0400, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where does 48.113.0.203.in-addr.arpa point? Some people will point it

Re: A record of domain name must be name server ?

On 9/11/2014 3:47 AM, Matus UHLAR - fantomas wrote: On 10.09.14 18:13, Kevin Darcy wrote: No, what I'm saying is that if example.com owns an A record 203.0.113.48, and www.example.com owns an A record 203.0.113.48, then where does 48.113.0.203.in-addr.arpa point? Completely your dec

Re: A record of domain name must be name server ?

e same PTR. Can we even use a CNAME as a PTR??? Eliezer On 09/11/2014 12:37 AM, Kevin Darcy wrote: Also, have you considered the forward/reverse ambiguity that arises when multiple owner names resolve to the same address? To which of those names does the PTR

Re: A record of domain name must be name server ?

On 9/10/2014 5:20 PM, Alan Clegg wrote: On 9/10/14, 2:13 PM, Kevin Darcy wrote: On 9/10/2014 11:58 AM, Alan Clegg wrote: On 9/10/14, 8:42 AM, Sam Wilson wrote: And you could reduce maintenance very slightly by replacing www in A 75.100.245.133 with www

Re: A record of domain name must be name server ?

On 9/10/2014 11:58 AM, Alan Clegg wrote: On 9/10/14, 8:42 AM, Sam Wilson wrote: And you could reduce maintenance very slightly by replacing www in A 75.100.245.133 with www in CNAME @ And now you have an MX record, 3 NS records and a bunch of other

Re: A record of domain name must be name server ?

Based on the zone contents below, you shouldn't have any problem changing the 192.168.1.100 address to anything you want. But, of course, the zone is illegal because it only has 1 NS record published at the apex (there is a strict minimum of at least 2), and, as it stands now, if it is an Inte

Re: recursive lookups for UNSECURE names fail if dlv.isc.org is unreachable and dnssec-lookaside is 'auto'

So you care enough about security to implement DNSSEC, but you run your forwarder on port 80. Interesting... - Kevin On 8/26/2014 8:19 AM, Tomas Hozza wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Hello. I found out that when

Re: rndc (and now nsupdate too)

On 7/31/2014 3:08 PM, /dev/rob0 wrote: On Thu, Jul 31, 2014 at 05:56:08PM +0200, Reindl Harald wrote: Am 31.07.2014 um 17:41 schrieb /dev/rob0: On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: i am doing reloads of named with "killall -HUP named" just because i disabled rndc comp

Re: rndc

On 7/31/2014 11:56 AM, Reindl Harald wrote: Am 31.07.2014 um 17:41 schrieb /dev/rob0: On Thu, Jul 31, 2014 at 01:32:03PM +0200, Reindl Harald wrote: i am doing reloads of named with "killall -HUP named" just because i disabled rndc completly for security reasons and configurations are generate

Re: One question about 'Stealth servers'

I know of no way to do this within BIND itself, but if you Anycast your nameservers, and carefully tweak route preferences and whatnot, you could ensure that some instances (call it set A) only get used if all of the members of another set of instances (call it set B) stop advertising the route

Re: Checking proper SPF record

http://www.kitterman.com/spf/validate.html - Kevin On 7/8/2014 12:43 PM, Alex wrote: Hi, I have a mail server that manages mail for about ten domains, using bind-9.9.4-12.P2 on fedora20. I'd like to make sure my SPF record in my SOA is set up correctly, a

Re: Name-server redundancy

You're right: I misinterpreted "no name-server" as "no such host" (aka NXDOMAIN), but actually your explanation makes more sense. - Kevin On 6/9/2014 6:07 PM, Barry Margolin wrote: In article , Kevin Darc

Re: Name-server redundancy

m <mailto:sid_shap...@bio-rad.com> Bio-Rad Corporate IT - Desk: (510) 741-6846 Mobile: (510) 224-4343 On Mon, Jun 9, 2014 at 2:32 PM, Kevin Darcy <mailto:k...@chrysler.com>> wrote: Well, you shouldn't be getting an NXDOMAIN just because some of your auth serve

Re: Name-server redundancy

Well, you shouldn't be getting an NXDOMAIN just because some of your auth servers are off-line, but you could get some query timeouts if performance to your failover servers is really bad (or blocked, due to firewall rules, bad routes, etc.), or, if your expire times are *really* low, and the m

Re: slave: WARNING: recursion requested but not available

On 6/6/2014 7:35 AM, Reindl Harald wrote: Am 06.06.2014 13:28, schrieb Matus UHLAR - fantomas: On 06.06.14 13:13, Reindl Harald wrote: why does in case of asking the slave always come a "WARNING: recursion requested but not available" even if you dig a A-record he is authoritative? because you

Re: SPF RR type

On 6/5/2014 10:34 AM, Mike Hoskins (michoski) wrote: -Original Message- From: Nicholas F Miller Date: Thursday, June 5, 2014 at 10:25 AM To: "bind-users@lists.isc.org" Subject: SPF RR type Are SPF RR types finally dead or not? I¹ve read through rfc7208 it appears that they are: "S

Re: stub zones

The typical use case for a stub zone is where the delegation chain is broken, or incorrect, but you don't want to incur the overhead of slaving the zone (or some other sort of bureaucratic snafu like the owner/admin of the zone not letting you do zone transfers). As a general rule, stub zones

Re: Reply Code 0x8083 vs 0x8080

Why the different RCODES? See RFC 2308. Short version: the "NODATA" response occurs when the QNAME exists, but no records match QTYPE. It will also occur if the QNAME is merely a "branch" to something further down in the hierarchy (a so-called "empty non-terminal"), and owns no records of its o

Re: Default BIND query timeouts

, our test queries are non-recursive and we expect the name server should have answers. We are sending test host with very high query rate so BIND may be too busy to respond to all the queries. On Monday, May 19, 2014 4:25 PM, Kevin Darcy wrote: If a client sends a recursive query t

Re: Default BIND query timeouts

If a client sends a recursive query to the BIND instance, and that instance needs to fetch the answer from one or more other upstream sources, then my understanding is that the "resolver-query-timeout" global option (see the BIND docs) controls the timeout for each one of those upstream transac

Re: Some GUI for zone updates.

On 5/10/2014 3:00 AM, Mimiko wrote: Hello. I know there are WEB GUIs for bind, which uses a DB to store its information and need read/write access to bind's config files and zones files. Is there a GUI utility which will user zone transfers with keys and dynamic updates? In windows I create

Re: Point domain name of my zone to name in somebody else's zone?

On 5/8/2014 5:13 PM, John Levine wrote: DNSMadeEasy calls this an "ANAME" record, internally they just lookup the destination's IP and cache it, updating it as needed. It works, but it would be nice if this could be done in DNS. Sadly, it can't, and probably won't in our lifetimes. I do a simil

Re: Multi-master (HA)

On 5/9/2014 3:01 PM, John Wobus wrote: ...if anyone has specific thoughts on how to make this sort of thing easier in BIND -- even just at the level of "boy, it irritates me that I can't make BIND do " -- such comments will fall on welcoming ears. I agree that it would be nice if effort were

Re: Point domain name of my zone to name in somebody else's zone?

On 5/9/2014 6:59 AM, Tony Finch wrote: Dave Warren wrote: On 2014-05-08 15:09, Mark Andrews wrote: But that does not help when you want a MX record at the apex or some other record at the apex. I'd argue that it does -- Since the record is now CNAME'd, the MX record is now under the control o

Re: Point domain name of my zone to name in somebody else's zone?

The apex name of a zone can't own a CNAME, if that's what you're asking. E.g. the name "example.com" can't be a CNAME pointing at "otherexample.com". But, of course, you can certainly put A and/or records at the apex, that resolve to one or more addresses in one or more ranges you don't

Re: How to setup a backup NameServer?

Forwarder selection has been based on RTTs for quite a while now. So, if what you're trying to protect against is your "primary" forwarders being DoS'ed, why not just define your "primary" and "backup" forwarders in the same forwarder list? Due to RTT calculations, the "backup" forwarders would

Re: Forwarding request to another DNS server but the same domain

with any record from both zones. Thanks again On Wed, Apr 30, 2014 at 5:54 PM, Kevin Darcy <mailto:k...@chrysler.com>> wrote: Oh, I thought this was an external-versus-internal scenario. But, this is even easier. A) One of the nameservers (pick DNS1 or DNS2) becomes a sla

Re: Forwarding request to another DNS server but the same domain

Oh, I thought this was an external-versus-internal scenario. But, this is even easier. A) One of the nameservers (pick DNS1 or DNS2) becomes a slave (of the "stealth" variety, if you want) of the other B) People use nsupdate to maintain the zone For security, TSIG-sign the updates. For fast c

Re: Forwarding request to another DNS server but the same domain

Being authoritative means that you know everything about the zone. If you know everything about a zone, why ask anyone else? Split DNS does not follow the DNS paradigm, so there is no "standard" way to implement it, and despite many people asking over the years, there is no "NXDOMAIN failover

Re: BIND transfers records to Windows DNS server

On 4/29/2014 3:12 PM, Roberto Carna wrote: Dear, I have this scenario: 1) Windows DNS with dynamic update zone (Windows clients) 2) BIND with manually update zone (Linux and Cisco clients) Is there any way to transfer all BIND zone records to the Windows DNS in order to have just one and compl

Re: Enterprise IPAM/DNS Solutions

port out of the box. Thanks, Josh -Original Message- From: bind-users-boun...@lists.isc.org [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy Sent: Monday, April 28, 2014 12:50 PM To: bind-users@lists.isc.org Subject: Re: Enterprise IPAM/DNS Solutions Are you running

Re: Enterprise IPAM/DNS Solutions

Are you running *other*, non-network-service functions on these boxes besides BIND/M&M? If not, then you might find an appliance-based solution like Bluecat or Infoblox might be more cost-effective than adding a DNS-management layer to a generic server. Your security folks should love you too,

Re: How to setup a backup NameServer?

I'm not sure this makes sense from an architectural standpoint. If all of the authoritative NSes are down, where is this "backup nameserver" getting its data from, and how current is that data? If slightly *stale* data is acceptable, in the absence of all authoritative NSes, then why not just

Re: Zone transfer doesn't work when I set allow-update statement

allow-update + manual editing of zone file = bad. Use nsupdate. - Kevin On 4/25/2014 4:03 PM, Jeronimo L. Cabral wrote: Dear, I'm using Bind 9.8.4 with a master / slave scenario. Zone transfer works OK when I have this config in named.conf.local from master server, add some A records and e

Re: Help with DKIM record

What isn't clear so far is whether the TXT record you're looking up is in the "myserver.org" zone or some other zone. If you're authoritative for myserver.org, you're authoritative for *all* of myserver.org. named isn't going to do "failover forwarding" just because you neglected to add a TXT

Re: Help with DKIM record

On 4/14/2014 2:58 PM, Steven Carr wrote: On 14 April 2014 18:53, Felix Rubio Dalmau wrote: it is not actually a pure caching server (at least I didn't wanted it to be :S). I have server at home, and the DNS is properly configured at the internet. The problem is that my router is not

Re: Clients Matching Multiple Views

When you say "alternate zone", do you mean *schizophrenic* (i.e. some leaf-node names resolve to different RDATA between the versions), or do you mean only that the versions bear a subset/superset relation to each other, at least with respect to leaf nodes (SOA/NS records being a different matt

Re: Private & separate DNS domains

Regardless of what you've been told, the resolvers ("nameserver"s) in /etc/resolv.conf are tried *in*sequence*, and if a valid response (where NXDOMAIN _is_ a valid response) is received from one resolver, none of the others are tried. So, I'm surprised that your mix-and-match-resolvers hack ac

Re: Delegation of part of a zone to a global server load balancer

I'm assuming you have forwarding set up. Make sure to set "forwarders { };" in the aelabad.net zone definition. Failure to do so means that your recursive queries for names in subzones forward out towards the Internet, instead of following the delegations down to the austin-energy.net nameserve

Re: socket error on ipv6 link local

My guess would be that some miscreant out there created a glue record with an RDATA of "fe80::" and your network stack balks at connecting to such an abomination. - Kevin On 4/1/2014 2:31 PM, Paul A wrote: Hi, I have been using bin

Re: CNAME to an external domain

On 3/25/2014 9:01 AM, Ian Braun wrote: Hello, We have a bind server (v9.6) that's hosts mydomain.com . I'm trying to create a CNAME for host.mydomain.com to point to host.otherdomain.com . I don't host otherdomain

Re: localhoast A record?

On 3/21/2014 9:03 AM, Casey Deccio wrote: On Fri, Mar 21, 2014 at 8:50 AM, Mitchell Kuch > wrote: Hello - I've adopted a number of zones and most of them contain "localhost in a 127.0.0.1" records. I'm curious what current RFC standards state and what th

Re: Audit the consistency of zone files on DNS servers

On 3/15/2014 6:09 AM, Maren S. Leizaola wrote: On 3/15/2014 1:53 AM, Kevin Darcy wrote: On 3/14/2014 8:28 AM, Maren S. Leizaola wrote: Hello, What do you guys recommend to audit every resource record in a zone file against all the records in all the DNS servers that host the

Re: Audit the consistency of zone files on DNS servers

On 3/14/2014 2:39 PM, Maren S. Leizaola wrote: On 3/14/2014 9:20 PM, Stephane Bortzmeyer wrote: On Fri, Mar 14, 2014 at 12:33:47PM +, Phil Mayers wrote a message of 25 lines which said: dig @server zone axfr >file diff file file.real If you're really paranoid, it may not be sufficien

Re: Audit the consistency of zone files on DNS servers

On 3/14/2014 8:28 AM, Maren S. Leizaola wrote: Hello, What do you guys recommend to audit every resource record in a zone file against all the records in all the DNS servers that host the zone file. I want something that I feed the master zone file and then goes to each NS serv

Re: How to create a fake root server?

t. . 3600 NS another.example.net. server.example.net. 3600 A 1.2.3.4 another.example.net. 3600 A 1.2.3.5 It's for a school project. Regards, Peter On 12/03/14 19:56, Kevin Darcy wrote: First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN f

Re: How to create a fake root server?

First of all, don't use .loc as an internal TLD. There are *many* proposals in process with ICANN for establishing new TLDs, and for all you know, .loc might be one of them. If .loc gets established on the Internet, and you're using it internally, that presents abundant opportunities for confus

Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?

On 3/10/2014 6:05 PM, Andreas Ntaflos wrote: On 2014-03-10 22:23, Kevin Darcy wrote: Options: First, thanks a lot for the reply! So it seems what I described is indeed the expected behaviour for the type of DNS we operate? 1) Change nameservice-switch order (e.g. /etc/nsswitch.conf) on

Re: Internal clients' queries for "myhostname." get sent to forwarders. Why?

Options: 1) Change nameservice-switch order (e.g. /etc/nsswitch.conf) on your hosts to prefer another source of name resolution (e.g. /etc/hosts) which can resolve the shortname. Thus DNS is never used for these lookups 2) Simply :-) change your DNS architecture fundamentally, from one which f

Re: how to hidden the salve

ic NSs are out of service. Thanks! Guanghua > Date: Mon, 24 Feb 2014 13:41:03 -0500 > From: Kevin Darcy > To: bind-users@lists.isc.org > Subject: Re: how to hidden the salve > Message-ID: <530b923f.8070...@chrysler.com> > Content-Type: text/plain; charset="iso-8859-

Re: how to hidden the salve

records. Also-notify directive. Either in an options stanza or a zone stanza. > > thanks, > Guanghua -- Daniel J McDonald, CISSP # 78281 > Date: Thu, 20 Feb 2014 10:48:36 -0500 > From: Kevin Darcy > To: bind-users@lists.isc.org > Subject: Re: how to hidden the salve >

Re: how to hidden the salve

uired by local DNS server only when all name servers in the NS records are out of service ( maybe in case of ddos attack). Guanghua -- On 2/19/2014 11:54 AM, Kevin wrote: Date: Wed, 19 Feb 2014 11:54:44 -0500 From: Kevin Darcy To: bind-users@lists.isc.org Subject

  1   2   3   4   5   6   >