RE: unable-resolve-bank=domain

2023-12-17 Thread MEjaz via bind-users 

Some additional information 

17-Dec-2023 11:14:20.737 queries: debug 3: client @0x7f2a1027d6f8 
88.213.90.92#64617 (www.services.online-banking.gslb.sabbnet.com): looking for 
relevant NSEC
17-Dec-2023 11:14:20.737 queries: debug 3: client @0x7f2a1027d6f8 
88.213.90.92#64617 (www.services.online-banking.gslb.sabbnet.com): ignoring 
nsec because name is past end of range

Ejaz 


-Original Message-
From: MEjaz [mailto:me...@cyberia.net.sa] 
Sent: Sunday, December 17, 2023 11:16 AM
To: 'Ondřej Surý' 
Cc: 'bind-users@lists.isc.org' 
Subject: RE: unable-resolve-bank=domain

My queries logs shows the below, 

[root@ns10 ~]# tail -f /var/log/querylog | grep 
www.services.online-banking.gslb.sabbnet.com. 
17-Dec-2023 11:06:03.438 queries: info: client @0x7f29940013a8 
167.86.165.83#64231 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN  +E(0)D (212.119.64.2)
17-Dec-2023 11:10:20.186 queries: info: client @0x7f294c64f3c8 
213.210.238.28#30304 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN HTTPS +E(0)D (212.119.64.2)
17-Dec-2023 11:13:55.798 queries: info: client @0x7f2970c9fe18 
212.119.64.2#53159 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN A +E(0)K (212.119.64.2)
17-Dec-2023 11:13:57.480 queries: info: client @0x7f295411def8 
46.152.39.165#15007 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN A +E(0)D (212.119.64.2)
17-Dec-2023 11:13:57.505 queries: info: client @0x7f2a0060db68 
46.152.39.165#25046 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN  +E(0)D (212.119.64.2)
17-Dec-2023 11:13:57.513 queries: info: client @0x7f29c419e0b8 
46.152.39.165#42489 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN A + (212.119.64.2)

Ejaz 

-Original Message-
From: Ondřej Surý [mailto:ond...@isc.org] 
Sent: Sunday, December 17, 2023 11:01 AM
To: MEjaz 
Cc: bind-users@lists.isc.org
Subject: Re: unable-resolve-bank=domain


> On 17. 12. 2023, at 8:20, MEjaz via bind-users  
> wrote:
> 
> Any hint would be highly appreciated..

Paraphrasing: Logs or it didn’t happen…

Always start with logs. The dig output is useless as we can’t possibly know 
what is happening inside named on that server.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: unable-resolve-bank=domain

2023-12-17 Thread MEjaz via bind-users 
My queries logs shows the below, 

[root@ns10 ~]# tail -f /var/log/querylog | grep 
www.services.online-banking.gslb.sabbnet.com. 
17-Dec-2023 11:06:03.438 queries: info: client @0x7f29940013a8 
167.86.165.83#64231 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN  +E(0)D (212.119.64.2)
17-Dec-2023 11:10:20.186 queries: info: client @0x7f294c64f3c8 
213.210.238.28#30304 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN HTTPS +E(0)D (212.119.64.2)
17-Dec-2023 11:13:55.798 queries: info: client @0x7f2970c9fe18 
212.119.64.2#53159 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN A +E(0)K (212.119.64.2)
17-Dec-2023 11:13:57.480 queries: info: client @0x7f295411def8 
46.152.39.165#15007 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN A +E(0)D (212.119.64.2)
17-Dec-2023 11:13:57.505 queries: info: client @0x7f2a0060db68 
46.152.39.165#25046 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN  +E(0)D (212.119.64.2)
17-Dec-2023 11:13:57.513 queries: info: client @0x7f29c419e0b8 
46.152.39.165#42489 (www.services.online-banking.gslb.sabbnet.com): query: 
www.services.online-banking.gslb.sabbnet.com IN A + (212.119.64.2)

Ejaz 

-Original Message-
From: Ondřej Surý [mailto:ond...@isc.org] 
Sent: Sunday, December 17, 2023 11:01 AM
To: MEjaz 
Cc: bind-users@lists.isc.org
Subject: Re: unable-resolve-bank=domain


> On 17. 12. 2023, at 8:20, MEjaz via bind-users  
> wrote:
> 
> Any hint would be highly appreciated..

Paraphrasing: Logs or it didn’t happen…

Always start with logs. The dig output is useless as we can’t possibly know 
what is happening inside named on that server.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

unable-resolve-bank=domain

2023-12-16 Thread MEjaz via bind-users 
 

 

 

Hi  all. 

 

One of the banking domain www.services.online-banking.gslb.sabbnet.com
  unable to  resolve
with  our primary namservers 212.119.64.2 whearas as my another server
212.119.64.3 is ok

 

In addition to that when I dig with +trace the query is responded. Without
the +trace. Connection timed out errro. 

 

Any hint would be highly appreciated.. 

 

[root@ns10 ~]# dig www.services.online-banking.gslb.sabbnet.com +trace, it
responded well.. 

 

 

; <<>> DiG 9.18.11 <<>> www.services.online-banking.gslb.sabbnet.com +trace

;; global options: +cmd

.   25332   IN  NS  b.root-servers.net.

.   25332   IN  NS  k.root-servers.net.

.   25332   IN  NS  c.root-servers.net.

.   25332   IN  NS  a.root-servers.net.

.   25332   IN  NS  e.root-servers.net.

.   25332   IN  NS  d.root-servers.net.

.   25332   IN  NS  j.root-servers.net.

.   25332   IN  NS  f.root-servers.net.

.   25332   IN  NS  h.root-servers.net.

.   25332   IN  NS  i.root-servers.net.

.   25332   IN  NS  g.root-servers.net.

.   25332   IN  NS  m.root-servers.net.

.   25332   IN  NS  l.root-servers.net.

.   85610   IN  RRSIG   NS 8 0 518400 2023122917
2023121616 46780 .
sDK0f7lk1v5XmWFCmt1oQkncqDxynmGxDCCC4PQLqabdE7B1HessWY8V
xQ8sZiUXjSN/XsgX6QBvx2c/raBu/am0EjRxmOB/cRl7Bz+gjyi21H1h
aUVZGTRFRmCYR9a51jSumpcmjRpPA6gXKynOUvXajB8v7K9zGB+dHoH9
UP6cv9O27h69MGFaIBdDBdLmnu7gMmafogy9ZiWMHzgLPTzL2DEY33bU
rGWLlVBC/7Ji1s1VNBlEo1Mn/gDinsH81ZX4/mNtOAXP0WO3GmAye+ZG
QbPX+C0ZA6JOD9GbKXsLbc/h85aqqEqJVma8TJBFifqdvy31wvShWeXv eMhGIg==

;; Received 1137 bytes from 212.119.64.2#53(212.119.64.2) in 0 ms

 

;; UDP setup with 2001:503:c27::2:30#53(2001:503:c27::2:30) for
www.services.online-banking.gslb.sabbnet.com failed: network unreachable.

;; UDP setup with 2001:503:c27::2:30#53(2001:503:c27::2:30) for
www.services.online-banking.gslb.sabbnet.com failed: network unreachable.

;; UDP setup with 2001:503:c27::2:30#53(2001:503:c27::2:30) for
www.services.online-banking.gslb.sabbnet.com failed: network unreachable.

com.172800  IN  NS  a.gtld-servers.net.

com.172800  IN  NS  i.gtld-servers.net.

com.172800  IN  NS  k.gtld-servers.net.

com.172800  IN  NS  e.gtld-servers.net.

com.172800  IN  NS  l.gtld-servers.net.

com.172800  IN  NS  b.gtld-servers.net.

com.172800  IN  NS  c.gtld-servers.net.

com.172800  IN  NS  f.gtld-servers.net.

com.172800  IN  NS  j.gtld-servers.net.

com.172800  IN  NS  m.gtld-servers.net.

com.172800  IN  NS  d.gtld-servers.net.

com.172800  IN  NS  h.gtld-servers.net.

com.172800  IN  NS  g.gtld-servers.net.

com.86400   IN  DS  19718 13 2
8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A

com.86400   IN  RRSIG   DS 8 1 86400 2023123005
2023121704 46780 .
oCKMOzci0SxP0NtxcQoWPw8xKZJy5R7XvSEB6cFiF/uZd/gUXieoQZHt
RqhjdA9pgAfyOm3iuxQMeuok9UPiHnKbR0Tbx4D3mZRFu0ojtb1QzIEm
7yT6+EauW19eMo1saBKJfpsbeppp4BhTaDVfiQYbayOWb4x43Rdq8mwY
iD9gzBsh7cBNk4yFNPlKDLq5SBAiEJhrwjV5VBpgB6/LoQN16XzE8HkJ
Fq9Imw1OOSxcHe+7dpQzjv5ggKEcQnkT0WxvZDoxhjEQJWFgcCZYTgNd
fPf54e4ZXnsZMclhaRgjceqTeKD+VJfsIucKxBASjhq2ftelB47kJ43e xNqgww==

;; Received 1207 bytes from 202.12.27.33#53(m.root-servers.net) in 106 ms

 

sabbnet.com.172800  IN  NS  ns3.hsbc.com.

sabbnet.com.172800  IN  NS  ns6.hsbc.com.

sabbnet.com.172800  IN  NS  ns21.hsbc.uk.

sabbnet.com.172800  IN  NS  ns20.hsbc.uk.

sabbnet.com.172800  IN  NS  ns20.hsbc.net.

sabbnet.com.172800  IN  NS  ns21.hsbc.net.

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 -
CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM

CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 13 2 86400
20231224052607 20231217041607 46171 com.
pB279Lr3otMIFr2Xg+Kc4udD7htN99HAy2HzV2ona5Pho39yTNWyGE4a
hFT/PxA1hG5/cwNqncihQQPu62RdBg==

9LU5MRDONGV541FC71Q8HQEVDFI4PJDD.com. 86400 IN NSEC3 1 1 0 -
9LU615KEV2MT87CB7NJIFLF0T3L95JVI NS DS RRSIG

9LU5MRDONGV541FC71Q8HQEVDFI4PJDD.com. 86400 IN RRSIG NSEC3 13 2 86400
20231224063953 20231217052953 46171 com.
NshEyD2V0OpP08Ex/y5VoO5JYv8OpyIcR7GmK1NhQtYQZXqPMmcFS6We

Queries/day

2023-11-23 Thread MEjaz via bind-users 

Hello all, 


 
 How to get DNS SERVER Statistics ?
Total Queries per day and month. the Rndc statistics file is quite difficult
to read. Is there a simplest method? 


Nevertheless, I've attached my stats file, which I ran manually. After
examining this file, is there anyone who can tell? How many queries  each
day and month


 


Thanks a lot in advance for your reponse..


Ejaz 


 



named.stats
Description: Binary data
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Block-domain

2020-09-28 Thread MEjaz 
Dear all, 

 

We have received the request by our National cyber Security Center to block
below malicious domains from our resolvers. We are using latest version of
bind for resolver.  

Little Confusion is that these are the links not the static domains?  So is
there any way  we can do something for it at dns level 

 


Domains



Hxxp://aramex.com.app-ar[.]link



Hxxps://manage-app-le-com.session-validate-account-myapp.le-cloudid.com





Thanks in advance for your ususal support. 

 

 

Thanks,

Mohammed Ejaz

Asst. Operation Director of Systems.

Cyberia SAUDI ARABIA

P.O.Box: 301079, Riyadh 11372

Phone:  (+966) 11 464 7114 Ext. 140

Mobile:  (+966) 562311787

Fax:  (+966) 11 465 4735

Website: http://www.cyberia.net.sa

 

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: scripts-to-block-domains

2020-07-14 Thread MEjaz 
Ok, I will take care next time will 

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
@lbutlr
Sent: Tuesday, July 14, 2020 10:28 AM
To: bind-users 
Subject: Re: scripts-to-block-domains

On 14 Jul 2020, at 00:31, MEjaz  wrote:
> 

Please do not post images. Copy and paste the text.

(Over 100 lines of quoted lines with no content deleted)



-- 
I WILL NOT BARF UNLESS I'M SICK Bart chalkboard Ep. 8F15

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: scripts-to-block-domains

2020-07-14 Thread MEjaz 
Thanks for your quick response, 

 

I did that here is the statement in  option section. 

 



 

 

 

-Original Message-
From: Daniel Stirnimann [mailto:daniel.stirnim...@switch.ch] 
Sent: Tuesday, July 14, 2020 9:25 AM
To: MEjaz ; bind-users@lists.isc.org
Subject: Re: scripts-to-block-domains

 

Hello Mohammed,

 

I don't see that you specified a "response-policy" [1] statement. You need
something like this as well:

 

response-policy {

zone "rpz.local" policy given;

}

// Apply RPZ policy to DNSSEC signed zones break-dnssec yes ;

 

[1]

 
<https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response
-policy-zone-rpz-rewriting>
https://ftp.isc.org/isc/bind9/cur/9.16/doc/arm/html/reference.html#response-
policy-zone-rpz-rewriting

 

Daniel

 

On 14.07.20 08:08, MEjaz wrote:

> Hello all,

> 

>  

> 

> Thanks for every one's  contribution.  I use RPZ and listed 5000  

> forged domain to block it in  a particular zone  without having 

> addiotnal zones, I hope that's the feature of  RPZ, Seems good.

> 

>  

> 

> Below is snippet for your review  for the zone and file  db.rpz.local 

> which was copied from the default named.empty.

> 

>  

> 

> zone "rpz.local" {

> 

> type master;

> 

> file "db.rpz.local";

> 

> allow-query { localhost; };

> 

> };

> 

>  

> 

>  

> 

>  

> 

>  

> 

>  

> 

> Once this configuration done I am expecting that whoever quarried to 

> our name server for a zone which Is listed in my dns server should not 

> allow users to fetch any records as recursive from outside servers, it 

> should server from the internal servers only?

> 

>  

> 

> When I test my configuration with one of the hosted domain in my list 

> i.e doubleclick.net, I got all the results rather than throwing an 

> error. please correct if I am wrong..

> 

>  

> 

>  

> 

>  

> 

>  

> 

>  

> 

> Here are the logs.

> 

>  

> 

> [root@ns20 ~]# tailf /var/log/named/rpz.log

> 

> 14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz 

> QNAME NXDOMAIN rewrite test.doubleclick.net via 

> test.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz 

> QNAME NXDOMAIN rewrite securepubads.g.doubleclick.net via 

> securepubads.g.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz 

> QNAME NXDOMAIN rewrite mail.doubleclick.net via 

> mail.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz 

> QNAME NXDOMAIN rewrite stats.g.doubleclick.net via 

> stats.g.doubleclick.net.rpz.local

> 

> c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz 

> QNAME NXDOMAIN rewrite stats.l.doubleclick.net via 

> stats.l.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz 

> QNAME NXDOMAIN rewrite pagead.l.doubleclick.net via 

> pagead.l.doubleclick.net.rpz.local

> 

> 14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz 

> QNAME NXDOMAIN rewrite googleads.g.doubleclick.net via 

> googleads.g.doubleclick.net.rpz.local

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: scripts-to-block-domains

2020-07-14 Thread MEjaz 
Hello all, 

 

Thanks for every one's  contribution.  I use RPZ and listed 5000  forged
domain to block it in  a particular zone  without having addiotnal zones, I
hope that's the feature of  RPZ, Seems good. 

 

Below is snippet for your review  for the zone and file  db.rpz.local which
was copied from the default named.empty. 

 

zone "rpz.local" {

type master;

file "db.rpz.local";

allow-query { localhost; };

};

 

 



 

 

 

Once this configuration done I am expecting that whoever quarried to our
name server for a zone which Is listed in my dns server should not allow
users to fetch any records as recursive from outside servers, it should
server from the internal servers only? 

 

When I test my configuration with one of the hosted domain in my list i.e
doubleclick.net, I got all the results rather than throwing an error. please
correct if I am wrong.. 

 

 

 



 

 

Here are the logs. 

 

[root@ns20 ~]# tailf /var/log/named/rpz.log

14-Jul-2020 06:49:53.582 rpz: info: client 212.71.32.20#38120: rpz QNAME
NXDOMAIN rewrite test.doubleclick.net via test.doubleclick.net.rpz.local

14-Jul-2020 06:49:55.370 rpz: info: client 213.210.231.227#26654: rpz QNAME
NXDOMAIN rewrite securepubads.g.doubleclick.net via
securepubads.g.doubleclick.net.rpz.local

14-Jul-2020 06:50:04.445 rpz: info: client 212.71.32.20#48178: rpz QNAME
NXDOMAIN rewrite mail.doubleclick.net via mail.doubleclick.net.rpz.local

14-Jul-2020 06:50:09.079 rpz: info: client 213.210.231.227#16492: rpz QNAME
NXDOMAIN rewrite stats.g.doubleclick.net via
stats.g.doubleclick.net.rpz.local

c14-Jul-2020 06:52:07.353 rpz: info: client 213.210.253.163#58635: rpz QNAME
NXDOMAIN rewrite stats.l.doubleclick.net via
stats.l.doubleclick.net.rpz.local

14-Jul-2020 06:52:25.272 rpz: info: client 213.210.253.163#57975: rpz QNAME
NXDOMAIN rewrite pagead.l.doubleclick.net via
pagead.l.doubleclick.net.rpz.local

14-Jul-2020 06:55:03.973 rpz: info: client 213.181.164.207#31366: rpz QNAME
NXDOMAIN rewrite googleads.g.doubleclick.net via
googleads.g.doubleclick.net.rpz.local

 

 

 

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Grant Taylor via bind-users
Sent: Monday, July 13, 2020 10:45 PM
To: bind-users@lists.isc.org
Subject: Re: scripts-to-block-domains

 

On 7/13/20 12:44 AM, MEjaz wrote:

> Hell  all,

 

Hi,

 

> I have an requirement from our  national Cyber security to block 

> several thousand forged domains from our recursive servers, Is there 

> any way we can add clause in named.conf to scan such bogus domain list 

> without impacting the performance of the servers.

 

$RPZ++

 

If you can't use RPZ, then you /can/ create skeleton zones to make your
server authoritative for the zones in question.  However, there are
drawbacks to this regarding performance based on the number and size of all
the additional zones.

 

I would strongly recommend RPZ, or the new Response Policy Service, which
there are a few commercial implementations of.  RPS is for DNS what milters
are for mail servers.

 

   RPZ is a ""static list.

   RPS is an active / dynamic service.

 

Note:  Response Policy Zones can be updated via normal dynamic DNS methods.

 

 

 

--

Grant. . . .

unix || die

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

scripts-to-block-domains

2020-07-13 Thread MEjaz 
Hell  all, 

 

 

I have an requirement from our  national Cyber security to block several
thousand forged domains from our recursive servers, Is there any way we can
add clause in named.conf to scan such bogus domain list without impacting
the performance of the servers. 

 

Thanks in advance.. for the usual contribution.

 

 

Thanks,

Mohammed Ejaz

Asst. Operation Director of Systems.

Cyberia SAUDI ARABIA

P.O.Box: 301079, Riyadh 11372

Phone:  (+966) 11 464 7114 Ext. 140

Mobile:  (+966) 562311787

Fax:  (+966) 11 465 4735

Website: http://www.cyberia.net.sa

 

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Zones-unable-update

2020-01-06 Thread MEjaz 
 

1. My  primary name server,  /etc/named.conf,  and here am forcing transfer to 
only few trusted servers, as mentioned in the below clause.  

 

 

transfers-out 2000;

 

allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};

 

2. secondary/slave  name server

 

allow-transfer {"none";};

 

 

I can't run this dig command from both dns server  " dig soa kalam.com.sa 
@ns1.cyberia.net.sa axfr" since Secondary is not allowed to transfer any data, 

 

No. my mean is that the servers are not testing, these are live authoritative   
only that particular zone kalam.com.sa is a test zone. 

 

Just now again I noticed at 11:03 GMT+3,  secondary server attempt to fetch the 
data from master but no luck. same error as denied. 

 

Jan  6 08:38:43 ns2 named[24436]: zone kalam.com.sa/IN: notify from 
212.119.92.5#37487: zone is up to date

Jan  6 08:41:58 ns2 named[24436]: zone kalam.com.sa/IN: notify from 
212.119.92.5#52519: serial 2019434249

Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 
(kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 
(kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: Transfer started.

Jan  6 10:40:38 ns2 named[24436]: zone kalam.com.sa/IN: transferred serial 
2019434249

Jan  6 11:03:14 ns2 named[24436]: client @0x7f1228138510 212.119.92.5#33050 
(kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied

 

Do you advise simulate the setup on testing environment. Without the firewall.

 

Thanks a lot. 

 

Ejaz 

 

-Original Message-
From: Fajar A. Nugraha [mailto:fa...@fajar.net] 
Sent: Monday, January 6, 2020 10:59 AM
To: MEjaz 
Cc: bind-users@lists.isc.org
Subject: Re: Zones-unable-update

 

On Mon, Jan 6, 2020 at 2:03 PM MEjaz < <mailto:me...@cyberia.net.sa> 
me...@cyberia.net.sa> wrote:

> 

> Thank you for your emai.

> 

> 

> 

> I am not cutting any logs,  I am capturing only for that particular zone 
> which I have chooses for the test, as I can't do the test on live zones.

> 

> This time I have noticed "denied"  in my slave server logs as below,  this is 
> something very strange sometimes zone transferred perfect after two hours.

> 

> However this time I need to wait and see whether this zone would transfer 
> after few hours as seen before.

> 

> Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 

> 212.119.92.5#42430 (kal am.com.sa): zone transfer 

> 'kalam.com.sa/AXFR/IN' denied Jan  6 09:15:43 ns2 named[24436]: client 

> @0x7f1228272ed0 212.119.93.5#36083 (kalam.com.sa): zone transfer 

> 'kalam.com.sa/AXFR/IN' denied

 

Well, fix that.

 

Something is causing the transfer to fail. Is 212.119.92.5 and

212.119.93.5 both allowed to transfer data (e.g. allow-transfer configuration)?

 

> [root@ns2 ~]# dig soa kalam.com.sa @ns1.cyberia.net.sa axfr,  "with this I 
> can fetch all the correct update records"

 

Did you run this on both 212.119.92.5 and 212.119.93.5?

 

> Thanks in advance for your assistance.  Do you think that should I take look 
> from our network side for the MTU size??

 

It's somewhat harder to check for temporary errors.

 

The easiest way, since you say that this is a "test", is to replicate (i.e. 
same OS/distro, software versions, configs) your setup on test VMs (or servers, 
if you have that), on the same network (e.g. VMs with private network 10.x.x.x 
is fine), and see if it always works there.

 

If yes, then most likely the problem is somewhere in your network (e.g. 
firewall).

If no, then the problem is somewhere in your bind configuration.

 

--

Fajar

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Zones-unable-update

2020-01-05 Thread MEjaz 
Thank you for your emai. 



I am not cutting any logs,  I am capturing only for that particular zone which 
I have chooses for the test, as I can't do the test on live zones.  

This time I have noticed "denied"  in my slave server logs as below,  this is 
something very strange sometimes zone transferred perfect after two hours. 

However this time I need to wait and see whether this zone would transfer after 
few hours as seen before.

Jan  6 09:15:33 ns2 named[24436]: client @0x7f1228224460 212.119.92.5#42430 
(kal am.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied
Jan  6 09:15:43 ns2 named[24436]: client @0x7f1228272ed0 212.119.93.5#36083 
(kalam.com.sa): zone transfer 'kalam.com.sa/AXFR/IN' denied


>> test whether you can manually request all records. Something like running 
>> this on the slave: "dig kalam.com.sa @ns1.cyberia.net.sa axfr"

[root@ns2 ~]# dig soa kalam.com.sa @ns1.cyberia.net.sa axfr,  "with this I can 
fetch all the correct update records" 
;; Warning, extra type option

; <<>> DiG 9.14.9 <<>> soa kalam.com.sa @ns1.cyberia.net.sa axfr
;; global options: +cmd
kalam.com.sa.   600 IN  SOA ns1.kalam.com.sa. 
root.kalam.net.sa. 2019434249 43200 4320 1209600 21600
kalam.com.sa.   600 IN  NS  ns1.cyberia.net.sa.
kalam.com.sa.   600 IN  NS  ns2.cyberia.net.sa.
kalam.com.sa.   600 IN  MX  10 mailborder.cyberia.net.sa.
kalam.com.sa.   600 IN  MX  20 ingate.cyberia.net.sa.
kalam.com.sa.   600 IN  TXT "v=spf1 mx ip4:212.119.65.150 
~all"
cargo.kalam.com.sa. 600 IN  A   212.71.42.152
ejaz4.kalam.com.sa. 600 IN  A   1.2.3.5
localhost.kalam.com.sa. 600 IN  A   127.0.0.1
mail.kalam.com.sa.  600 IN  A   212.119.64.134
ser12.kalam.com.sa. 600 IN  A   212.119.64.141
shivin.kalam.com.sa.600 IN  A   1.1.1.1
test55.kalam.com.sa.600 IN  A   212.119.65.20
kalam.com.sa.   600 IN  SOA ns1.kalam.com.sa. 
root.kalam.net.sa. 2019434249 43200 4320 1209600 21600
;; Query time: 1 msec
;; SERVER: 212.119.92.5#53(212.119.92.5)
;; WHEN: Mon Jan 06 10:00:26 AST 2020
;; XFR size: 14 records (messages 1, bytes 459)

Thanks in advance for your assistance.  Do you think that should I take look 
from our network side for the MTU size?? 

Ejaz 
-Original Message-
From: Fajar A. Nugraha [mailto:fa...@fajar.net] 
Sent: Monday, January 6, 2020 9:23 AM
To: MEjaz 
Cc: bind-users@lists.isc.org
Subject: Re: Zones-unable-update

On Thu, Jan 2, 2020 at 7:58 PM MEjaz  wrote:
>
> Hello all.
>
> My setup which has one primary and slave server was working fine since years.
>
> All of sudden I started  getting the  problem of zones updates on slaves. 
> Which are not happening on time. it takes two hours to take the updates.
>
>
>
> Below logs for the reference, when I do required changes on masters, the 
> slave getting notified but without transferring the updated zone.
>
>
>
> Jan  2 09:17:50 ns2 named[25563]: zone kalam.com.sa/IN: notify from 
> 212.119.92.5#34424: serial 2019434243
>
> Jan  2 09:24:45 ns2 named[25563]: zone kalam.com.sa/IN: notify from 
> 212.119.92.5#54651: serial 2019434245: refresh in progress, refresh 
> check queued
>
> Jan  2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: Transfer started.
>
> Jan  2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: transferred 
> serial 2019434245


Are you cutting out some logs?
If yes, please include all logs for the zone (kalam.com.sa) and the master 
(212.119.92.5)

>
> Therefore, I wanted to know. How to force secondary/slave Name server 
> to update/refresh dns zones from primary DNS server? Just I  want a 
> slave name server to initiate a zone transfer immediately


>From https://kb.isc.org/docs/aa-00726:

notify from 192.0.2.1#62160: refresh in progress, refresh check queued

A notify was received, but the zone being notified was already in the process 
of being refreshed or is waiting to be refreshed, so the check is queued and 
will be processed later.


You can try:
- check your logs for what previously triggered the refresh process (another 
notify?), and when did it happen
- check your logs on WHY the previous transfer took a long time (and check what 
the log means on the KB). e.g does it show "connection reset"? something else?
- are there lots of other slaves or zones currently transferring data from the 
master at the same time?
- test whether you can manually request all records. Something like running 
this on the slave: "dig kalam.com.sa @ns1.cyberia.net.sa axfr"

Some possible problems which comes to mind:
- there's something in the middle (e.g. IPS) that's sending TCP resets, that 
might cause your t

RE: Zones-unable-update

2020-01-05 Thread MEjaz 
Thank you for your reply. 

 

 

On both server.

 

* Bind version 

 

[root@ns1 ~]# named -v

BIND 9.14.9 (Stable Release) 

 

* O/S  version 

 

[root@ns1 named]# more /etc/redhat-release

Red Hat Enterprise Linux Server release 7.2 (Maipo

 

 

* Total number of zones,=  2500 

 

[root@ns1 named]# grep zone /etc/named.conf | wc -l

1903

[root@ns1 named]# grep zone /etc/nesmabind.conf  | wc -l

451

 

CPU always less than 20% which is very normal. 

 

I have corrected the  name server filed for kalam.com.sa where as I removed 
additional NS which was ns3.kalam.com.sa, hope it should be ok, it was testing 
zone/domain only. 

 

But all others live zones are having the same behavior when I do the changes in 
primary It takes two hours to update on secondary servers. 

 

Thanks in advance. 

 

Ejaz 

[root@ns1 named]# more /etc/redhat-release

Red Hat Enterprise Linux Server release 7.2 (Maipo)

 

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Anders 
Löwinger
Sent: Sunday, January 5, 2020 8:26 PM
To: bind-users@lists.isc.org
Subject: Re: Zones-unable-update

 

On 2020-01-03 18:12, Ejaz Ahmed wrote:

 

Note: Please include email list in your responses.

 

> All of sudden I started  getting the  problem of zones updates on slaves.

> Which are not happening on time. it takes two hours to take the updates.

 

You have not given that much information so it is hard to help. Operating 
system, bind version? number of zones?

 

> CPU is ok.

 

On both primary and secondaries?

 

 

> do you think would it be problems if I try to transfer all zones at once with 
> rndc reload,

 

rndc reload can only retransfer one zone at a time.

 

How many zones do you have?

 

 

Some other issues:

 

The domain kalam.com.sa is not 100% correct, your nameservers includes one 
additional NS record ns3.kalam.com.sa, compared to the delegation.

 

 

 

Check warnings and errors here  
 
https://zonemaster.net/result/367781fc8cc487bf

 

 

 

--

MVH/Regards

Anders Löwinger, Abundo AB, 072-206 0322 
___

Please visit   
https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

 

bind-users mailing list

  bind-users@lists.isc.org

  
https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Zones-unable-update

2020-01-02 Thread MEjaz 
Hello all. 

My setup which has one primary and slave server was working fine since
years. 

All of sudden I started  getting the  problem of zones updates on slaves.
Which are not happening on time. it takes two hours to take the updates.  

 

Below logs for the reference, when I do required changes on masters, the
slave getting notified but without transferring the updated zone.

 

Jan  2 09:17:50 ns2 named[25563]: zone kalam.com.sa/IN: notify from
212.119.92.5#34424: serial 2019434243

Jan  2 09:24:45 ns2 named[25563]: zone kalam.com.sa/IN: notify from
212.119.92.5#54651: serial 2019434245: refresh in progress, refresh check
queued

Jan  2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: Transfer started.

Jan  2 11:12:53 ns2 named[25563]: zone kalam.com.sa/IN: transferred serial
2019434245

 

 

Therefore, I wanted to know. How to force secondary/slave Name server to
update/refresh dns zones from primary DNS server? Just I  want a slave name
server to initiate a zone transfer immediately

 

Here is my /etc/named.conf, of the primary name server.

 

 

[root@ns1 ~]# head -60 /etc/named.conf

// named.conf

 

options {

listen-on port 53 { 127.0.0.1; 212.119.92.5; 212.119.92.10;};

listen-on-v6 port 53 { ::1; };

directory   "/var/named";

dump-file   "/var/named/data/cache_dump.db";

#   statistics-file "/var/named/ej.stats";

memstatistics-file "/var/named/data/named_mem_stats.txt";

masterfile-format text;

version "Have a nice day!, Good Bye";

//  allow-query { localhost; };

transfers-out 2000;

allow-transfer {212.119.93.5;213.230.0.10; 212.119.93.10; 212.119.92.6;};

#allow-notify { 212.119.64.3;212.119.93.5;212.119.93.4;213.230.0.10; };

also-notify {213.230.0.10;};

allow-query {127.0.0.0/8;212.119.65.0/25; 212.119.66.52;};

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

zone-transferr-issue

2019-12-23 Thread MEjaz 
Hello, 

 

named is running fine in both master and slave, with no errors but the
zones have not been transferred and the transfers logs shows below 

 

 

here is the log snippet 

 

Dec 23 09:53:12 ns2 named[84587]: zone xxx /IN: zone transfer deferred due
to quota

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

named-service-stopped

2019-12-15 Thread MEjaz 
 

We are an ISP, All of sudden during the midnight our named service was down,
please find the below snippet of the logs  when we checked the logs  of
"dmesg" and "/var/log/messages"

 

Our bind name version is =  BIND 9.12.3-P1 item_out
== 1) failed, back trace

Dec 14 12:39:55 ns10 named[29435]: #0 0x4254fd in assertion_failed()+0x4d

Dec 14 12:39:55 ns10 named[29435]: #1 0x601c7a in isc_assertion_failed()+0xa

Dec 14 12:39:55 ns10 named[29435]: #2 0x4a0d15 in
dns_dispatch_getnext()+0x315

Dec 14 12:39:55 ns10 named[29435]: #3 0x5673fa in rctx_done()+0x17a

Dec 14 12:39:55 ns10 named[29435]: #4 0x567839 in resquery_response()+0x1b9

Dec 14 12:39:55 ns10 named[29435]: #5 0x62402b in run()+0x2bb

Dec 14 12:39:55 ns10 named[29435]: #6 0x7f0941fb5e25 in
__do_global_dtors_aux_fini_array_entry()+0x7f09416c1cd5

Dec 14 12:39:55 ns10 named[29435]: #7 0x7f0941cdfbad in
__do_global_dtors_aux_fini_array_entry()+0x7f09413eba5d

Dec 14 12:39:55 ns10 named[29435]: exiting (due to assertion failure)

Dec 14 12:39:55 ns10 abrt-hook-ccpp: Process 29435 (named) of user 0 killed
by SIGABRT - dumping core

Dec 14 12:40:01 ns10 systemd: Started Session 629619 of user root.

Dec 14 12:40:01 ns10 systemd: Started Session 629620 of user root.

Dec 14 12:40:01 ns10 journal: Suppressed 2795 messages from
/user.slice/user-0.slice

Dec 14 12:40:16 ns10 systemd-logind: Removed session 606944.

Dec 14 12:40:16 ns10 abrt-server: Executable '/usr/local/sbin/named' doesn't
belong to any package and ProcessUnpackaged is set to 'no'

Dec 14 12:40:16 ns10 abrt-server: 'post-create' on
'/var/spool/abrt/ccpp-2019-12-14-12:39:55-29435' exited with 1

Dec 14 12:40:16 ns10 abrt-server: Deleting problem directory
'/var/spool/abrt/ccpp-2019-12-14-12:39:55-29435'

Dec 14 12:41:01 ns10 systemd: Started Session 629621 of user root.

Dec 14 12:42:01 ns10 systemd: Started Session 629622 of user root.

Dec 14 12:43:01 ns10 systemd: Started Session 629623 of user root.

Dec 14 12:44:01 ns10 systemd: Started Session 629624 of user root.


 

 

 

 

 

Also, one of the domain very popular  www.akamail.com
  , is  unable to resolve from our slave server, 

 

Dec 15 09:46:28 ns20 named[16169]: validating control.akamai.com/CNAME: bad
cach e hit (control.akamai.com/DS)

Dec 15 09:46:52 ns20 named[16169]:   validating akamai.com/SOA: got insecure
res ponse; parent indicates it
should be secure

Dec 15 09:47:28 ns20 named[16169]: validating www.akamai.com/CNAME: bad
cache hi t (www.akamai.com/DS)

Dec 15 09:47:29 ns20 named[16169]: validating www.akamai.com/CNAME: bad
cache hi t (www.akamai.com/DS)

Dec 15 09:51:34 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 09:52:30 ns20 named[16169]: validating etpcas.akamai.com/CNAME: bad
cache  hit
(etpcas.akamai.com/DS)

Dec 15 09:56:16 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 09:58:17 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 10:00:41 ns20 named[16169]: validating etpcas.akamai.com/CNAME: bad
cache  hit
(etpcas.akamai.com/DS)

Dec 15 10:00:58 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 10:02:10 ns20 named[16169]: validating time.akamai.com/CNAME: bad
cache h it (time.akamai.com/DS)

Dec 15 10:02:59 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 10:04:59 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 10:06:29 ns20 named[16169]: validating time.akamai.com/CNAME: bad
cache h it (time.akamai.com/DS)

Dec 15 10:07:04 ns20 named[16169]: validating weblogin.akamai.com/CNAME: bad
cac he hit
(weblogin.akamai.com/DS)

Dec 15 10:07:40 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 10:09:41 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba
d cache hit (etp.akamai.com/DS)

Dec 15 10:10:59 ns20 named[16169]: client @0x7f43e0e77ef0
37.224.15.122#61457 (t
ime.akamai.com): query (cache) 'time.akamai.com/A/IN' denied

Dec 15 10:12:22 ns20 named[16169]: validating
dnsclient.etp.akamai.com/CNAME: ba

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Zoneformat

2019-10-28 Thread MEjaz 
Noxexistent domain error . 

Here is my configuration. 
===

zone "crm365app" {
type master;
file "crm365app.cyberia.net.sa.hosts";
allow-query {any;};
};


File 


[root@ns1 ~]# cat  /var/named/crm365app.cyberia.net.sa.hosts
$TTL 3600
;   Addresses and other host information
;
;

@   IN  SOA ns1.cyberia.net.sa. root.cyberia.net.sa. (
2015034459 ; serial
43200   ; refresh every 12 hours
4320; retry after 1 hour
1209600  ; expire after 2 weeks
21600 )  ; minimum

; Define the name servers and mail servers

IN  NS  ns1.cyberia.net.sa.
IN  NS  ns2.cyberia.net.sa.

IN  MX  10 smtp.cyberia.net.sa.

; Define localhost
*INA   127.0.0.1

; Define hosts in this zone


www IN  CNAME   webhost.cyberia.net.sa.
crm365app   IN  A   212.71.33.252

=zone file
end=

[root@ns1 named]# host crm365app
Host crm365app not found: 3(NXDOMAIN)
 [root@ns1 named]# named-checkzone crm365app crm365app.cyberia.net.sa.hosts
zone crm365app/IN: loaded serial 2015034459
OK

-Original Message-
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of
Reindl Harald
Sent: Monday, October 28, 2019 1:46 PM
To: bind-users@lists.isc.org
Subject: Re: Zoneformat



Am 28.10.19 um 11:01 schrieb MEjaz:
> *From:* MEjaz [mailto:me...@cyberia.net.sa]
> *Sent:* Monday, October 28, 2019 10:27 AM
> *To:* 'bind-users-boun...@lists.isc.org' 
> 
> *Subject:* Zoneformat
> 
> Is ther any way I can create the zone without the (.) I mean non fully 
> qualified domain name just as "example" instead "example.com"'


what is the problem you try to solve?
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Zoneformat

2019-10-28 Thread MEjaz 
 

 

From: MEjaz [mailto:me...@cyberia.net.sa] 
Sent: Monday, October 28, 2019 10:27 AM
To: 'bind-users-boun...@lists.isc.org' 
Subject: Zoneformat

 

Hi all, 

 

Is ther any way I can create the zone without the (.) I mean non fully
qualified domain name just as "example" instead "example.com"'

 

Thanks in advance  for your assistance 

 

Ejaz 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: Bind-Efficientip

2019-10-20 Thread MEjaz 
 

Hello all, 

 

 

We are an leading ISP CYBERIA (www.cyberia.net.sa
 ),  we are using bind since several years, and
1000  of zones are hosted in it. quite ok.  

 

As you know these days  there has been several security threats, So deciding
to go with  Efficient iP DDI and DNS Security Solution
https://www.efficientip.com/

 

Therefore just wanted to know if anyone have any experience with
EfficientDNS, and at the same time wanted to know the major difference
between the both.. 

 

Please advise, Thanks in advance 

 

Thanks,

Ejaz

Asst. Operation Director of Systems.

Cyberia SAUDI ARABIA

P.O.Box: 301079, Riyadh 11372

Phone:  (+966) 11 464 7114 Ext. 140

Mobile:  (+966) 562311787

Fax:  (+966) 11 465 4735

Website: http://www.cyberia.net.sa

 

 

 

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Bind-Efficientip

2019-10-20 Thread MEjaz 
Hello all, 

 

 

We are an leading ISP CYBERIA (www.cyberia.net.sa
 ),  we are using bind since several years, and
1000  of zones are hosted in it. quite ok.  

 

As you know these days  there has been several security threats, So deciding
to go with  Efficient iP DDI and DNS Security Solution
https://www.efficientip.com/

 

Therefore just wanted to know if anyone have any experience with
EfficientDNS, and at the same time wanted to know the major difference
between the both.. 

 

Please advise, Thanks in advance 

 

Thanks,

Ejaz

Asst. Operation Director of Systems.

Cyberia SAUDI ARABIA

P.O.Box: 301079, Riyadh 11372

Phone:  (+966) 11 464 7114 Ext. 140

Mobile:  (+966) 562311787

Fax:  (+966) 11 465 4735

Website: http://www.cyberia.net.sa

 

 

 

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Malicious-DNS

2019-02-17 Thread MEjaz 
 

Dear bind-users.

 

 

Our NSC, has time to time complaining for such malicious DNS request for few
malicious domains. 

 

Whereas my DNS  servers are up-to-date (BIND 9.12.3-P1)  and only our own
network is allowed to access. 

 

 

 

Complain from NCSA, Nation cyber security Agency. 

 



 

 

 

Up on checking the logs. I found several entries. And you know based on the
below logs I cannot find  the source IP unless I enable the  query logs. If
I enabled the system performs will slow down? Please any ones advice would
be highly appreciated. 

 

::1#53

/var/log/messages-20190203:Feb  1 21:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:d1::1#53

/var/log/messages-20190203:Feb  1 21:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:c1::1#53

/var/log/messages-20190203:Feb  1 21:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:d0::1#53

/var/log/messages-20190203:Feb  1 21:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:c0::1#53

/var/log/messages-20190203:Feb  1 21:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:e0::1#53

/var/log/messages-20190203:Feb  1 21:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:e1::1#53

/var/log/messages-20190203:Feb  1 21:43:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:c0::1#53

/var/log/messages-20190203:Feb  1 21:43:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:d1::1#53

/var/log/messages-20190203:Feb  1 21:43:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:d0::1#53

/var/log/messages-20190203:Feb  1 21:43:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:e1::1#53

/var/log/messages-20190203:Feb  1 21:43:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:e0::1#53

/var/log/messages-20190203:Feb  1 21:43:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:c1::1#53

/var/log/messages-20190203:Feb  1 22:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:c1::1#53

/var/log/messages-20190203:Feb  1 22:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:d0::1#53

/var/log/messages-20190203:Feb  1 22:13:27 ns10 named[19579]: network
unreachable resolving 'vitaminc.pro/DS/IN': 2001:500:e0::1#53

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Radius-profile

2019-02-10 Thread MEjaz 
Here is the profile 

 

bash-3.2# cat radius.cfg

LogStdout

LogDir /opt1/log

LogFile %L/logfile-%Y-%m-%d

DictionaryFile /etc/radiator/dictionary

#DbDir   .

DbDir /etc/radiator

#WINCHHook file:"%D/dump"

# User a lower trace level in production systems:

Trace 4

 

AuthPort 1816

 

AcctPort 1817

 

BindAddress 212.119.64.103

 

RewriteUsername tr/A-Z/a-z/

 

# You will probably want to add other Clients to suit your site,

# one for each NAS you want to work with

 

 

 



Secret JuiI76Tgy



 

 

 

 

# Handler for Accounting Stops

 



 



  DBSourcedbi:Sybase:Myejaz78k

  DBUsername  nbauthuser

  DBAuth  nbauthuserpass

 

 

HandleAcctStatusTypes Stop

 

AcctSQLStatement exec ISPBilling.dbo.[CM_WriteCDRnew] \

 

'%{Acct-Session-Id}','%{User-Name}','%G',%{Acct-Session-Time},'%{Called-Stat
ion-Id}',%{Acct-Input-Octets},%{Acct-Output-Octets},'%{NAS-IP-Address}','%{F
ramed-IP-Address}','%{Calling-Station-Id}','%{Acct-Terminate-Cause}','%{Tunn
el-Client-Endpoint}','%{Tunnel-Client-Auth-ID}','%{Acct-Status-Type}'

 

 



 



 

# Default Handler (For New-billing Server)

 



PreProcessingHook file:"/etc/radiator/changeUserName"



  DBSourcedbi:Sybase:Myejaz78k

  DBUsername  nbauthuser

  DBAuth  nbauthuserpass

 

  DefaultSimultaneousUse 1

  CaseInsensitivePasswords

 

 

 AuthSelect select password, replyattr, checkattr  from
NB_Authentication \

 where username=%0

 AuthColumnDef 0, User-Password, check

 AuthColumnDef 1, GENERIC, reply

 AuthColumnDef 2, GENERIC, check

# Modification End



 



 

#SessionDatabases



DBSourcedbi:Oracle:ejrsun

DBUsername  radonline

DBAuth  radonline

 

# An entry for each user _currently_ on line

AddQueryinsert into RADONLINE
(USERNAME,NASIDENTIFIER,NASPORT,\

 
ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,\

SERVICETYPE,CALLERID) values \

 

 
(%0,'%{NAS-IP-Address}',%{NAS-Port},'%{Acct-Session-Id}',\

 to_date('%G','Mon dd, 
hh24:mi:ss'),'%{Framed-IP-Address}','%{NAS-Port-Type}',\

'%{Framed-Protocol}','%{Calling-Station-Id}')

 

DeleteQuery delete from RADONLINE where USERNAME=lower(%0) and \

NASIDENTIFIER='%N' and NASPORT=%{NAS-Port}

 

   # ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'

  #  CountQuery  select NASIDENTIFIER, NASPORT,
ACCTSESSIONID from \

  #   RADONLINE where USERNAME=%0



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

DNS-FLAG-Day

2019-01-27 Thread MEjaz 
Hello sir, 

 

For the upcoming DNS Flag Day on February 1st, 2019. Is there any impact on
the user whose using bind name servers.  

 

As per the infoblox DNS service, they  will not be impacted on DNS Flag day.
So Do I need configure support for EDNS0 standards? In bind if yes how to do
that. 

 

Thanks in advance..

 

Ejaz 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

RE: concurrent-session

2018-11-04 Thread mejaz 


Yes  it is for incoming queries, my name server is authoritative not
designed for recursive quires.

Now my plan is to plot the graph where i can see number of concurrent
session for incoming queries, 
and  the total number of sessions, also i get to know  any sudden increase
will generate alert.

Is there systems do you recommend. i believe we can achieve this cacti. 

thanks in advance. 




--
Sent from: http://bind-users-forum.2342410.n4.nabble.com/
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

concurrent-session

2018-11-01 Thread MEjaz 
Hello 

 

How many concurrent session By default bind supports. It is restricted the
O/S and hardware resources? 

 

Your advice would be highly appreciated thanks in advance. 

 

Ejaz 

 

 

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users