Re: Bind failures following update/reboot w/ 9.18.1

2022-05-14 Thread Matus UHLAR - fantomas

On 13.05.22 10:06, Philip Prindeville wrote:

After rebooting my OpenWRT router with Bind 9.18.1 yesterday, I started seeing 
a lot of:


May 12 19:24:06 OpenWrt named[11061]: validating ./NS: no valid signature found
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature 
found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving './NS/IN': 
192.203.230.10#53
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 
8.8.4.4#53
May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature 
found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 
8.8.4.4#53
May 12 19:24:06 OpenWrt named[11061]: validating net/DS: no valid signature 
found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 
66.232.64.10#53
May 12 19:24:06 OpenWrt named[11061]: validating com/DS: no valid signature 
found
May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'com/DS/IN': 
66.232.64.10#53


doesn't your ISP block or intercept DNS queries?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watkins.  -- Daffy Duck & Porky Pig
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: DNS traffic tracking

2022-05-09 Thread Matus UHLAR - fantomas

On 09. 05. 22 10:34, Alex K wrote:
The initial and current approach is to provide DNS free of charge, 
which simplified things for me. Though the traffic in question is 
satellite traffic with monthly allowances of roughly 4 to 8GB, thus 
every MB counts.
The problem now is that I see sometime 700MB of DNS traffic for 2GB 
of Internet browsing within one month.


On 09.05.22 10:47, Petr Špaček wrote:

Sounds like either:
- Broken caching or,
- Random subdomain attack
to me.


maybe someone uses VPN over DNS...
in such a case, rate limiting of clients comes to mind...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
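
The two explanations offered above (broken caching or a random-subdomain attack) and the third (a tunnel over DNS) leave different fingerprints in a BIND query log. The following is an added example, not code from the thread or from ISC: it buckets querylog lines by client and by the name under the leftmost label, then applies simple heuristics (long, high-entropy labels with TXT/NULL/CNAME queries point at tunnelling; many short unique labels under one zone with A queries point at a random-subdomain flood). The log lines, addresses, zone names and all thresholds are constructed assumptions; a rough per-query byte estimate is included because the thread's problem is measured in megabytes.

```python
"""Triage of BIND query-log lines for DNS tunnelling and random-subdomain traffic.
Added example for the thread above; the thresholds are assumptions, not BIND defaults."""
import hashlib
import math
import re
from collections import defaultdict

# Matches the querylog line shape "client @0x... IP#PORT (name): query: name IN TYPE ..."
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)
TUNNEL_QTYPES = {"TXT", "NULL", "CNAME"}   # types tunnels favour for downstream data
MIN_UNIQUE_LABELS = 5                      # fewer distinct names than this is treated as normal
MIN_TUNNEL_LABEL_LEN = 30                  # encoded payload labels are long; browsing labels are not


def shannon_entropy(s: str) -> float:
    """Bits per character of s; hex/base32 payload sits near 3.5-4, words well below."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def classify(z: dict) -> str:
    """Heuristic verdict for one (client, parent-domain) bucket."""
    if z["unique_labels"] < MIN_UNIQUE_LABELS:
        return "normal"
    if z["avg_label_len"] >= MIN_TUNNEL_LABEL_LEN and z["odd_qtype_share"] >= 0.5:
        return "dns-tunnel-suspect"
    return "random-subdomain-suspect"


def analyze(lines):
    """Group queries by client and by the name under the leftmost label; score each bucket."""
    buckets = defaultdict(lambda: defaultdict(lambda: {"labels": set(), "qtypes": [], "bytes": 0}))
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        first, _, parent = qname.partition(".")
        b = buckets[m.group("ip")][parent or qname]
        b["labels"].add(first)
        b["qtypes"].append(m.group("qtype").upper())
        b["bytes"] += len(qname) + 40          # rough on-the-wire size: qname plus ~40 bytes of headers
    report = {}
    for ip, zones in buckets.items():
        report[ip] = {}
        for parent, b in zones.items():
            labels, qtypes = b["labels"], b["qtypes"]
            z = {
                "queries": len(qtypes),
                "unique_labels": len(labels),
                "avg_label_len": sum(map(len, labels)) / len(labels),
                "avg_entropy": sum(map(shannon_entropy, labels)) / len(labels),
                "odd_qtype_share": sum(q in TUNNEL_QTYPES for q in qtypes) / len(qtypes),
                "approx_bytes": b["bytes"],
            }
            z["verdict"] = classify(z)
            report[ip][parent] = z
    return report


def _label(seed: str, n: int) -> str:
    """Deterministic pseudo-random label for the constructed sample."""
    return hashlib.sha256(seed.encode()).hexdigest()[:n]


# Constructed sample log (documentation/private addresses, not real traffic).
SAMPLE_LOG = (
    [f"client @0x7f1 10.0.0.5#4000{i} ({n}): query: {n} IN {t} +E(0)K (192.0.2.53)"
     for i, (n, t) in enumerate([("www.example.com", "A"), ("mail.example.com", "MX"),
                                  ("ns1.example.com", "AAAA")])]
    + [f"client @0x7f2 10.0.0.7#41{i:03d} ({_label(f't{i}', 52)}.t.example.net): query: "
       f"{_label(f't{i}', 52)}.t.example.net IN TXT +E(0)K (192.0.2.53)" for i in range(8)]
    + [f"client @0x7f3 10.0.0.9#42{i:03d} ({_label(f'r{i}', 8)}.victim.example.org): query: "
       f"{_label(f'r{i}', 8)}.victim.example.org IN A +E(0)K (192.0.2.53)" for i in range(8)]
)

if __name__ == "__main__":
    for ip, zones in analyze(SAMPLE_LOG).items():
        for parent, z in zones.items():
            print(f"{ip:>10} {parent:<20} {z['queries']:>3} q {z['approx_bytes']:>5} B  {z['verdict']}")
```

Run against a real querylog this only narrows the search; a tunnel bucket is what per-client rate limiting targets, while a random-subdomain bucket hits one victim zone and is better handled by limiting recursion for that zone or by the resolver's own fetch limits.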


Re: Is anyone here forwarding your bind-users messages to gmail or a google-hosted domain?

2022-04-20 Thread Matus UHLAR - fantomas

Dan Mahoney  writes:

We've seen a number of messages reported to us as having an isc.org "from"
address, and as having our dkim signatures, but the signatures failing to
verify, perhaps because a forwarder may have added a subject tag or
rewritten some other header.  Of course, SPF also fails because those
servers aren't in our SPF record.


On 20.04.22 10:55, Bjørn Mork wrote:

I don't forward to gmail, but I've noticed that my DKIM signature on
messages to this list fail verification. I believe this problem is
specific to this list, as it doesn't happen with most other lists.

I assume the reason is the body modifications by the list server.


apparently.

from what I know, mailman only modifies From: if the headers/body are 
changed AND the dmarc policy of the originator domain is set to reject.

yours is "none".

I encountered this problem with a different mailing list and also got a customer 
ticket with the same problem.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]


Re: Access denied Bind9

2022-03-07 Thread Matus UHLAR - fantomas

On 08.03.22 04:44, Ritah Mulinde wrote:

Just got my primary and secondary name servers running.


primary and secondary for your domains, or primary and secondary to provide 
DNS service for your clients?


if the latter, you must allow recursion for your IP ranges (and ONLY for 
your IP ranges)



However, when I reload rndc and tail the syslogs all I get is "(.xx.com):
query (cache) '.xx.com/A/IN' denied"


does your server provide domain xx.com?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


Re: Forwarding zone, setup

2022-03-01 Thread Matus UHLAR - fantomas

On 2/28/22 1:47 PM, Gregory Sloop wrote:
I figured before I beat my head against the wall for too long, I'd 
ask the real experts! :)


On 28.02.22 22:27, Grant Taylor via bind-users wrote:

I'm definitely not an expert.  I don't even pretend to be one on T.V.

But I do wonder what, if any, sort of restrictions you are placing on 
recursion on your system.


It's my (mis)understanding that recursion has some effect on 
forwarding queries.  My limited understanding is recursion is another 
way of saying if the server should chase the answer for you or not.  
If it doesn't have it in its own data (authoritative and / or cache), 
then its recursion setting comes into play.


If I'm mistaken, please correct me.


you are right, forwarding queries requires recursion. 



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.


Re: copy EDNS options to resolver response

2022-02-19 Thread Matus UHLAR - fantomas

On 19.02.22 12:31, Brian J. Murrell wrote:

I have a BIND9 server configured as a resolver for the local network to
forward all requests to 1.1.1.1.


what's the point of this setup?
BIND can resolve by itself perfectly and you wouldn't rely on a 3rd-party 
service



Given that 1.1.1.1 includes
(RFC8914) EDE EDNS options in its responses, can I configure the BIND
resolver to forward those EDNS options in its response to the client?


bind uses edns by default unless you turn it off. Or unless your firewall 
blocks it, in which case you can't enable it.



While I know BIND9 doesn't yet do EDE itself, I am hoping for an option
in BIND to just blindly copy whatever EDNS options it receives to its
client.


no, bind uses edns as it needs, not as the client asks it to. communication with 
clients is independent of communication with servers

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #9: Out of error messages.
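
The point made above, that a resolver's EDNS options belong to its own conversation with the client, is easier to see with the option bytes in hand. The following is an added example, not BIND code or anything from the thread: it decodes RFC 8914 Extended DNS Error options (option code 15; a 16-bit INFO-CODE followed by optional UTF-8 EXTRA-TEXT) out of an EDNS0 OPT RR's RDATA, with length checks on every option. The sample RDATA is constructed; an EDE blindly copied from 1.1.1.1 would describe 1.1.1.1's validation, not the forwarding resolver's, which is why the reply to the client has to be built from the resolver's own state.

```python
"""Decode RFC 8914 Extended DNS Error (EDE) options carried in an EDNS0 OPT RR.
Added example for the thread above; it is not BIND code.  The sample bytes are constructed."""
import struct

EDE_OPTION_CODE = 15          # RFC 8914 section 2
PADDING_OPTION_CODE = 12      # RFC 7830, used here only as an unrelated neighbour option
EDE_INFO_CODES = {            # subset of the RFC 8914 section 4 registry
    0: "Other Error", 3: "Stale Answer", 4: "Forged Answer", 6: "DNSSEC Bogus",
    7: "Signature Expired", 9: "DNSKEY Missing", 10: "RRSIGs Missing", 15: "Blocked",
    16: "Censored", 17: "Filtered", 18: "Prohibited", 22: "No Reachable Authority",
    23: "Network Error",
}


def parse_opt_rdata(rdata: bytes):
    """Split OPT RDATA into (option-code, option-data) pairs (RFC 6891 section 6.1.2)."""
    options, off = [], 0
    while off < len(rdata):
        if off + 4 > len(rdata):
            raise ValueError("truncated option header at offset %d" % off)
        code, length = struct.unpack_from("!HH", rdata, off)
        off += 4
        if off + length > len(rdata):
            raise ValueError("option %d claims %d bytes past end of RDATA" % (code, length))
        options.append((code, bytes(rdata[off:off + length])))
        off += length
    return options


def decode_ede(option_data: bytes) -> dict:
    """INFO-CODE is a 16-bit big-endian integer, followed by optional UTF-8 EXTRA-TEXT."""
    if len(option_data) < 2:
        raise ValueError("EDE option shorter than its 2-octet INFO-CODE")
    (info_code,) = struct.unpack_from("!H", option_data, 0)
    return {
        "info_code": info_code,
        "purpose": EDE_INFO_CODES.get(info_code, "unassigned/unknown"),
        "extra_text": option_data[2:].decode("utf-8", errors="replace"),
    }


def build_ede(info_code: int, extra_text: str = "") -> bytes:
    """Encode one EDE option as it would appear inside OPT RDATA."""
    data = struct.pack("!H", info_code) + extra_text.encode("utf-8")
    return struct.pack("!HH", EDE_OPTION_CODE, len(data)) + data


def extended_errors(rdata: bytes):
    """All EDE options in an OPT RDATA, decoded; other options are ignored."""
    return [decode_ede(d) for code, d in parse_opt_rdata(rdata) if code == EDE_OPTION_CODE]


# Constructed OPT RDATA: one EDE (DNSSEC Bogus, with EXTRA-TEXT) next to a 4-byte padding option.
SAMPLE_RDATA = (
    build_ede(6, "no valid RRSIG for net/DS")
    + struct.pack("!HH", PADDING_OPTION_CODE, 4) + b"\x00" * 4
)

if __name__ == "__main__":
    for err in extended_errors(SAMPLE_RDATA):
        print(f"EDE {err['info_code']} ({err['purpose']}): {err['extra_text']!r}")
```

`decode_ede` tolerates unknown INFO-CODEs and non-UTF-8 text instead of failing, because a client must never treat EDE as anything more than diagnostic: RFC 8914 is explicit that the option does not change how the response is processed.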


Re: Using Wildcards in Subdomain Records

2022-02-17 Thread Matus UHLAR - fantomas

On 17.02.22 11:08, muhanad wrote:
Hello all, I have a main domain (aa.example.com) that has hundreds of 
sub-domains ( bb.aa.example.com).  I am setting a wildcard in the record 
file for the main domain so it forwards all subdomains to a number of 
addresses in a round-robin fashion( the record as follows "*  IN  A 
192.168.1.x ) the issue I am facing is the wildcard forwards any subdomain 
regardless whether it is a true subdomain ( bb.aa.example.com ) or it is 
not a true subdomain ( xx.bb.aa.example.com )


These are subdomains too.
And this is how wildcards work, you can't change it.

If you don't like it, you'll have to list all records.
if there are the same records with multiple addresses, you can define

wildcard.example.com.   A   192.0.2.1
                        A   192.0.2.2
                        A   192.0.2.3
bb.aa.example.com.  CNAME   wildcard.example.com.
cc.aa.example.com.  CNAME   wildcard.example.com.

etc.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
LSD will make your ECS screen display 16.7 million colors
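
The matching rules that make xx.bb.aa.example.com hit the wildcard are the RFC 4592 ones, and they have a consequence worth knowing when deciding which names to list explicitly: a wildcard only synthesizes answers for names whose closest existing ancestor is the wildcard's parent, so once bb.aa.example.com exists as an owner name, nothing beneath it is covered by *.aa.example.com any more. The following is an added example, not code from the thread or from BIND, implementing that lookup over a constructed zone modelled on the poster's; zone contents and addresses are assumptions.

```python
"""Wildcard synthesis per RFC 4592 over a toy copy of the zone in the thread.
Added example, not code from the thread; zone contents are constructed."""


def _labels(name: str):
    return name.rstrip(".").lower().split(".")


class Zone:
    def __init__(self, origin: str, records: dict):
        self.origin = ".".join(_labels(origin))
        self.records = {".".join(_labels(o)): {t.upper(): list(v) for t, v in rrs.items()}
                        for o, rrs in records.items()}
        # Every owner name *and* every ancestor down to the apex "exists" for matching
        # purposes; an ancestor with no records is an empty non-terminal (RFC 4592 section 2.2.2).
        self.names = set()
        depth = len(_labels(self.origin))
        for owner in self.records:
            labels = _labels(owner)
            for i in range(len(labels) - depth + 1):
                self.names.add(".".join(labels[i:]))

    def _in_zone(self, name: str) -> bool:
        l, o = _labels(name), _labels(self.origin)
        return len(l) >= len(o) and l[-len(o):] == o

    def lookup(self, qname: str, qtype: str):
        """Return (rcode, rdata-list) for an in-zone name, following RFC 4592 matching."""
        name, qtype = ".".join(_labels(qname)), qtype.upper()
        if not self._in_zone(name):
            raise ValueError(f"{qname} is not within {self.origin}")
        # 1. Exact name exists: answer from it (empty list = NODATA); wildcards never apply.
        if name in self.names:
            return "NOERROR", list(self.records.get(name, {}).get(qtype, []))
        # 2. Otherwise find the closest encloser: the nearest ancestor that exists.
        labels = _labels(name)
        encloser = self.origin
        for i in range(1, len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.names:
                encloser = candidate
                break
        # 3. The only wildcard that can synthesize is "*." + closest encloser.
        source = "*." + encloser
        if source in self.records:
            return "NOERROR", list(self.records[source].get(qtype, []))
        return "NXDOMAIN", []


# Constructed zone modelled on the thread: a wildcard at the apex plus a few explicit names.
ZONE = Zone("aa.example.com", {
    "aa.example.com":     {"SOA": ["ns1.aa.example.com. hostmaster.aa.example.com. 1 3600 900 604800 300"],
                           "NS": ["ns1.aa.example.com."]},
    "ns1.aa.example.com": {"A": ["192.0.2.53"]},
    "*.aa.example.com":   {"A": ["192.0.2.1", "192.0.2.2", "192.0.2.3"]},
    "bb.aa.example.com":  {"A": ["192.0.2.10"]},       # explicit name with its own address
    "cc.aa.example.com":  {"TXT": ['"v=spf1 -all"']},  # exists, but has no A record
})

if __name__ == "__main__":
    for q in ("dd.aa.example.com", "xx.dd.aa.example.com", "bb.aa.example.com",
              "xx.bb.aa.example.com", "cc.aa.example.com"):
        print(f"{q:<24} A -> {ZONE.lookup(q, 'A')}")
```

So xx.dd.aa.example.com is synthesized from the wildcard (dd does not exist, the closest encloser is the apex), while xx.bb.aa.example.com returns NXDOMAIN because bb exists and there is no *.bb.aa.example.com; and cc.aa.example.com returns NODATA for A rather than the wildcard addresses, because an existing name is never overridden by a wildcard.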


Re: ISC BIND & Windows

2022-02-01 Thread Matus UHLAR - fantomas

On 02.02.22 00:14, jukka.pakka...@qnet.fi wrote:

Just read from the 9.18.0 release notes that Windows is not supported.

Since I don't remember reading it expressly stated that Windows support 
would end with the 9.16.x branch, I am inquiring if there is more information 
about future Windows compatibility available... is the plan to include 
support for Windows at some point, for some current or future Windows 
Server version, or is it a fact already that there will be no more Windows past 
9.16.x?


there were discussions starting here

https://lists.isc.org/pipermail/bind-users/2021-April/104506.html

further in May and June

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: test - ignore

2022-01-26 Thread Matus UHLAR - fantomas

On 26 Jan 2022, at 17.14, Matus UHLAR - fantomas  wrote:

Altering the body or headers at all (which lists do) will often break the
hashing.  For this reason, most recent versions of mailman have an option
to rewrite your mail from:



On 26.01.22 17:30, Sten Carlsen wrote:

When the dkim is set up, you can select which parts of the header you want
to include in the signature.


this is not possible for the body: modification of the body (which this list does)
will always break DKIM signatures.

modifying the list of headers to sign should be done carefully, to avoid
both breaking and faking.


I have selected a smaller part of the headers for my signature,  so does
this go through?


since domain s-carlsen.dk doesn't have a dmarc policy, mailman does not care and
leaves dkim as is (broken) as described below.


...but only in the event you have a restrictive DMARC policy.



this explains why both your and Benny's mail did fail here, while Eduard's
did not - that one was signed by mailman because of his domain's restrictive
policy.


however, this discussion should probably be closed as it's no longer
related to this mailing list's operation.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I'm not interested in your website anymore.
If you need cookies, bake them yourself.


Re: test - ignore

2022-01-26 Thread Matus UHLAR - fantomas

On Jan 25, 2022, at 8:50 AM, Benny Pedersen  wrote:
Authentication-Results: lists.isc.org;
dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z


On 25.01.22 12:25, Dan Mahoney wrote:

The headers you cite are lying to you.  :) The message passed DKIM on the
way IN to lists.isc.org (the dedicated vm that runs our lists), but then,
when the message got to the mailman python scripts and then shot back out
via the MTA, they had an altered body and no longer passed, and the header
was rewritten to say "fail".  (This is visible from the logging on the
servers, but nowhere else).


there were multiple headers when that mail came here:

Authentication-Results: fantomas.fantomas.sk;
   dkim=fail reason="signature verification failed" (1024-bit key; secure) 
header.d=isc.org header.i=@isc.org header.b="q/vOEba5";
   dkim=fail reason="signature verification failed" (1024-bit key; secure) 
header.d=isc.org header.i=@isc.org header.b="ozeUkO/Z";
   dkim-atps=neutral
Authentication-Results: lists.isc.org;
   dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=q/vOEba5;
   dkim=fail reason="signature verification failed" (1024-bit key; 
unprotected) header.d=isc.org header.i=@isc.org header.b=ozeUkO/Z

obviously when the mail came to the list, DKIM was fine, not so after it left
(thanks to the list signature)


will my dkim fail aswell ?


it did...


Altering the body or headers at all (which lists do) will often break the
hashing.  For this reason, most recent versions of mailman have an option
to rewrite your mail from:


[...]

...but only in the event you have a restrictive DMARC policy. 


this explains why both your and Benny's mail did fail here, while Eduard's
did not - that one was signed by mailman because of his domain's restrictive
policy.

I missed this part before.


I've argued that it should be possible to do so for *any* dmarc policy,
even p=none, but that option is not present in mailman 3, at least.


I agree.
a spam filter is something that can use a DKIM fail, and that should not be ignored.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
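
The three DKIM threads on this page ("Is anyone here forwarding your bind-users messages to gmail", and both "test - ignore" messages) come down to two mechanisms: the list footer changes the body, so the bh= hash the signer computed no longer matches, and Mailman only rewrites From: when the author's domain publishes a restrictive DMARC policy, so for p=none the broken signature is passed through untouched. The following is an added example, not code from the threads, from Mailman or from ISC: it implements RFC 6376 "relaxed" body canonicalization and the bh= computation, shows the footer breaking it, and encodes the From:-munging decision as the thread describes it. Bodies, footer and DMARC records are constructed; treating p=quarantine as restrictive is an assumption about list configuration.

```python
"""Why a list footer breaks a DKIM body hash, and when Mailman rewrites From:.
Added example for the DKIM/DMARC threads on this page; not code from the threads,
from Mailman or from ISC.  Message bodies and DMARC records are constructed."""
import base64
import hashlib
import re
from typing import Optional


def canonicalize_body_relaxed(body: str) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: collapse runs of WSP to one
    space, strip trailing WSP per line, drop trailing empty lines, end with CRLF."""
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n")]
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode("utf-8") if lines else b""


def body_hash(body: str) -> str:
    """Value of the bh= tag for rsa-sha256 / ed25519-sha256: base64(SHA-256(canonical body))."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_relaxed(body)).digest()).decode("ascii")


def body_hash_verifies(signed_body: str, delivered_body: str) -> bool:
    """A verifier recomputes bh= over what it received; any mismatch fails the whole signature."""
    return body_hash(signed_body) == body_hash(delivered_body)


def dmarc_policy(txt_record: str) -> Optional[str]:
    """p= value of a _dmarc TXT record (none / quarantine / reject), or None without a record."""
    if not txt_record.strip().lower().startswith("v=dmarc1"):
        return None
    for tag in txt_record.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip().lower() == "p":
            return value.strip().lower()
    return None


def list_rewrites_from(dmarc_txt: Optional[str], restrictive=("reject", "quarantine")) -> bool:
    """Mailman's From:-munging as the thread describes it: only when the author's domain
    publishes a restrictive policy.  Treating quarantine as restrictive is an assumption
    about list configuration; the thread itself only mentions reject."""
    return dmarc_policy(dmarc_txt or "") in restrictive


# Constructed message body and a footer of the kind the list appends.
ORIGINAL_BODY = "Hello,\r\n\r\ntest - ignore.\r\n"
LIST_FOOTER = "--\r\nVisit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe\r\n"

if __name__ == "__main__":
    print("bh= as signed:   ", body_hash(ORIGINAL_BODY))
    print("bh= after footer:", body_hash(ORIGINAL_BODY + LIST_FOOTER))
    print("survives footer? ", body_hash_verifies(ORIGINAL_BODY, ORIGINAL_BODY + LIST_FOOTER))
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com", "v=DMARC1; p=reject", None):
        print(f"{str(rec):<50} rewrite From: {list_rewrites_from(rec)}")
```

Relaxed canonicalization forgives trailing whitespace and extra blank lines, which is why a footer appended as new lines is still fatal: the hash covers the footer bytes themselves. The l= body-length tag is the only DKIM mechanism that tolerates appended text, and it is widely avoided because it lets anyone append content under a valid signature.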


Re: zone forwarding

2022-01-17 Thread Matus UHLAR - fantomas

On 17.01.22 10:46, ONRUBIA AVILES Carlos (CCS/MST) wrote:

Maybe someone can help me with the following problem:

My name server is authoritative with the following domain "toto.be":
zone "toto.be." {
   type master;
   file "/etc/masterdns.db";

But I would like that a subdomain "titi.toto.be" is not searched in my 
masterdns.db file but via the normal process via internet.

I have tried 2 solutions but they do not work:


 1.  Adding a forward for this subdomain:

zone "titi.toto.be." {
type forward;
forwarders {1.2.3.4; 5.6.7.8;}; (IPs of DNS cache servers)
forward only;
};


 *   Seems not to work.  Not possible to add a subdomain forwarding?


it is possible, but will only work for recursive clients of your DNS server.


 1.  Using directly the cache servers as NS:

Cache.proximus.be.  IN  A   1.2.3.4
Cache.proximus.be.  IN  A   5.6.7.8
Titi.toto.be.       IN  NS  cache.proximus.be.


this should work properly.


 *   Not always working as if "titi.toto.be" is not at this moment in the
   cache, the cache will answer SERVFAIL and not do the recursion.  (I
   guess the query via this method is done with flag "Recursion Desired"
   set to false)


this also requires forwarding to be allowed from your IP address on the
server you are querying.

but, any recursive server should be able to query your server for Titi.toto.be 
and then query 1.2.3.4 or 5.6.7.8



So my question is: Is it possible to configure what I am trying to do?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?


Re: Failing DNS Server Diagnostic Help Requested

2022-01-15 Thread Matus UHLAR - fantomas

On 13.01.22 14:29, Tim Daneliuk via bind-users wrote:

Environment:  Master/Slave with Split Horizon both on FreeBSD-STABLE
 Bind 9.16.24_1
 Master out in a cloud server
 Slave on a physical server with a static IP on Comcast Business

Problem:  After years of stable behavior, Slave intermittently not resolving
 addresses a few months ago, and then completely stopped working
 yesterday. We also noticed that the Slave will not update its files
 upon notify from the Master.

Action Taken: Replaced Slave with a clone of the Master instance.  That new
 Master does properly resolve names inside our zone, whether
 the requestor is on our LAN or one of our trusted servers out
 on the internet that are allowed to see internal names.

 HOWEVER, that new master instance will not resolve names in
 zones other than ours.  We're working around this by
 forwarding these failed lookups to our original master -
 that is working fine.

 So, we have two masters with the same configuration and
 tables, but one resolves outside names and one does not.
 We've tried disabling DNSSEC validation and opening up our
 firewalls and got nowhere.

 When the lookups outside our zone fail, we see this:

13-Jan-2022 14:28:09.702 resolver: notice: DNS format error from 192.203.230.10#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.702 lame-servers: info: FORMERR resolving './NS/IN': 
192.203.230.10#53
13-Jan-2022 14:28:09.721 resolver: notice: DNS format error from 192.36.148.17#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.721 lame-servers: info: FORMERR resolving './NS/IN': 
192.36.148.17#53
13-Jan-2022 14:28:09.741 resolver: notice: DNS format error from 193.0.14.129#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.741 lame-servers: info: FORMERR resolving './NS/IN': 
193.0.14.129#53
13-Jan-2022 14:28:09.763 resolver: notice: DNS format error from 199.7.91.13#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.763 lame-servers: info: FORMERR resolving './NS/IN': 
199.7.91.13#53
13-Jan-2022 14:28:09.781 resolver: notice: DNS format error from 202.12.27.33#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.781 lame-servers: info: FORMERR resolving './NS/IN': 
202.12.27.33#53
13-Jan-2022 14:28:09.801 resolver: notice: DNS format error from 199.7.83.42#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.801 lame-servers: info: FORMERR resolving './NS/IN': 
199.7.83.42#53
13-Jan-2022 14:28:09.820 resolver: notice: DNS format error from 192.58.128.30#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.820 lame-servers: info: FORMERR resolving './NS/IN': 
192.58.128.30#53
13-Jan-2022 14:28:09.837 resolver: notice: DNS format error from 198.41.0.4#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.837 lame-servers: info: FORMERR resolving './NS/IN': 
198.41.0.4#53
13-Jan-2022 14:28:09.855 resolver: notice: DNS format error from 198.97.190.53#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.855 lame-servers: info: FORMERR resolving './NS/IN': 
198.97.190.53#53
13-Jan-2022 14:28:09.875 resolver: notice: DNS format error from 192.5.5.241#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.875 lame-servers: info: FORMERR resolving './NS/IN': 
192.5.5.241#53
13-Jan-2022 14:28:09.893 resolver: notice: DNS format error from 192.112.36.4#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.893 lame-servers: info: FORMERR resolving './NS/IN': 
192.112.36.4#53
13-Jan-2022 14:28:09.921 resolver: notice: DNS format error from 199.9.14.201#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.921 lame-servers: info: FORMERR resolving './NS/IN': 
199.9.14.201#53
13-Jan-2022 14:28:09.937 resolver: notice: DNS format error from 192.33.4.12#53 
resolving ./NS for : non-improving referral
13-Jan-2022 14:28:09.937 lame-servers: info: FORMERR resolving './NS/IN': 
192.33.4.12#53
13-Jan-2022 14:28:09.938 resolver: info: resolver priming query complete


So ... could this be Comcast munging about in the DNS traffic?


looks like exactly it. 


  Other suggestions
of where to look appreciated as well ...


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux - It's now safe to turn on your computer.
Linux - Teraz mozete pocitac bez obav zapnut.
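
Both this thread and the first one on this page ("Bind failures following update/reboot w/ 9.18.1") ended with the same suspicion: something on the path is answering in place of the servers named uses. The tell in the log above is that all thirteen root servers, run by independent operators, returned the same malformed referral within a quarter of a second, which is how interception looks and not how thirteen outages look. The following is an added example, not code from either thread or from ISC: it extracts the upstream address from named's "no valid RRSIG resolving" and "FORMERR resolving" / "DNS format error from" lines, counts how many distinct root servers are implicated, and gives a heuristic verdict. The sample lines are modelled on the two threads' logs; the root-server table is the standard IPv4 list, and the threshold is an assumption.

```python
"""Classify upstream failures in named's log: 'no valid RRSIG' (first thread on this page)
and FORMERR / non-improving referral from the root servers (this thread).  Added example,
not from either thread; thresholds are assumptions."""
import re
from collections import defaultdict

# IPv4 addresses of the thirteen root servers (a through m), the same ones printed in the log.
ROOT_SERVERS = {
    "198.41.0.4": "a", "199.9.14.201": "b", "192.33.4.12": "c", "199.7.91.13": "d",
    "192.203.230.10": "e", "192.5.5.241": "f", "192.112.36.4": "g", "198.97.190.53": "h",
    "192.36.148.17": "i", "192.58.128.30": "j", "193.0.14.129": "k", "199.7.83.42": "l",
    "202.12.27.33": "m",
}

# "no valid RRSIG resolving './NS/IN': 192.203.230.10#53" and "FORMERR resolving './NS/IN': 198.41.0.4#53"
RESOLVING_RE = re.compile(
    r"(?P<kind>no valid RRSIG|FORMERR) resolving '(?P<q>[^']+)': (?P<ip>[0-9a-fA-F.:]+)#\d+"
)
# "DNS format error from 198.41.0.4#53 resolving ./NS for : non-improving referral"
FORMAT_ERR_RE = re.compile(
    r"DNS format error from (?P<ip>[0-9a-fA-F.:]+)#\d+ resolving (?P<q>\S+) for .*?: (?P<kind>.+)$"
)


def upstream_failures(lines):
    """Map each upstream address to the set of (query, failure-kind) it produced."""
    failures = defaultdict(set)
    for line in lines:
        m = RESOLVING_RE.search(line) or FORMAT_ERR_RE.search(line)
        if m:
            failures[m.group("ip")].add((m.group("q"), m.group("kind").strip()))
    return failures


def diagnose(lines, min_roots=10):
    """Heuristic verdict: many roots failing at once points at the path, not at the roots."""
    failures = upstream_failures(lines)
    roots_failing = sorted(ROOT_SERVERS[ip] for ip in failures if ip in ROOT_SERVERS)
    others = sorted(ip for ip in failures if ip not in ROOT_SERVERS)
    if len(roots_failing) >= min_roots:
        verdict = "likely-interception"      # 13 independently run servers do not all break at once
    elif others:
        verdict = "forwarder-or-path-problem"  # unvalidatable data came from a non-root upstream
    elif failures:
        verdict = "inconclusive"             # a single bad root reply is ordinary noise
    else:
        verdict = "no-upstream-failures"
    return {"roots_failing": roots_failing, "others_failing": others, "verdict": verdict}


# Sample lines modelled on the two threads' logs (same shape, root addresses as printed there).
SAMPLE_ROOT_FORMERR = [
    f"13-Jan-2022 14:28:09.702 lame-servers: info: FORMERR resolving './NS/IN': {ip}#53"
    for ip in ROOT_SERVERS
] + [
    "13-Jan-2022 14:28:09.702 resolver: notice: DNS format error from 198.41.0.4#53 "
    "resolving ./NS for : non-improving referral",
]
SAMPLE_RRSIG = [
    "May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving './NS/IN': 192.203.230.10#53",
    "May 12 19:24:06 OpenWrt named[11061]: no valid RRSIG resolving 'net/DS/IN': 8.8.4.4#53",
]

if __name__ == "__main__":
    for name, sample in (("root FORMERR", SAMPLE_ROOT_FORMERR), ("RRSIG", SAMPLE_RRSIG)):
        print(name, diagnose(sample))
```

The confirming check, once the log points this way, is to query a root server directly from the affected host and compare the answer's source and contents with the same query made from a network that is not behind the suspected ISP; if the ISP is rewriting or redirecting port 53, the two will differ.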

Re: DNS cache poisoning - am I safe if I limit recursion to trusted local networks?

2022-01-03 Thread Matus UHLAR - fantomas

On 1/3/22 12:15 AM, Borja Marcos wrote:
If you separate the roles it is much simpler to implement an 
effective access control.


On 03.01.22 10:35, Grant Taylor via bind-users wrote:
The problem I have with separating recursive and authoritative servers 
has to do with internal LANs and things like Microsoft Active 
Directory on non-globally-recognized domains.


In short, how do you get a /purely/ /recursive/ server to know that 
internal-corp-lan.example (or any domain not in the global DNS 
hierarchy) is served by some other /purely/ /authoritative/ DNS server 
inside the company?


you configure your recursive server with internal-corp-lan.example as type
forward or static-stub pointing to your authoritative server.

however, the "purely recursive" and "purely authoritative" split is not
designed to cover domains like "internal-corp-lan.example"
but "example.com" that has to be seen from the world clients.

I feel like anything you do to the /purely/ /recursive/ DNS server to 
get it to know that it needs to route based on the DNS domain 
information slides away from the /purely/ /recursive/ role to somewhat 
/mixed/ /recursive/ & /authoritative/ role.


This is to prevent recursive servers from providing domains to the public.

in these cases I recommend setup purely authoritative servers for
"example.com" to be accessible from the internet and "purely recursive"
server accessible from your LAN, even if it would fetch "example.com" domain
from your public authoritative servers.

Just don't point the NS record for "example.com" to this server as it's designed
as an internal recursive server.

This niche role is the one nagging thing that I have that prevents me 
from supporting and proselytizing the role separation anywhere and 
everywhere.  --  I've been looking for, but have not yet found, what I 
consider to be a good method that maintains strict separation of roles 
in this niche use case.


Note:  I'm completely on board with the separate roles for public / 
Internet facing servers.


then, you should understand the need for separation of roles well.
just "recursive only" and "authoritative only" have a slightly different
meaning, which I tried to explain above.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


Re: transfer-source / notify-source warnings if a port is specified

2021-12-29 Thread Matus UHLAR - fantomas

On 29.12.21 18:58, Duncan wrote:

Is there any option to suppress warnings if using transfer-source /
notify-source specifying ports ?


yes, don't specify source port.


/etc/bind/named.conf:90: 'notify-source': specifying a port is not
recommended

/etc/bind/named.conf:91: 'notify-source-v6': specifying a port is not
recommended

/etc/bind/named.conf:88: 'transfer-source': specifying a port is not
recommended

/etc/bind/named.conf:89: 'transfer-source-v6': specifying a port is not
recommended



I know that this is NOT recommended, just looking for an option to suppress
these warnings.


what's the reason for specifying source port for zone transfers?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: Strange named freezing

2021-12-27 Thread Matus UHLAR - fantomas

On 27.12.21 17:04, Nikita Druba wrote:
More than enough. During the last freeze the server had ~30GB free RAM and ~ 
2-3% CPU load and more than 200GB free storage space for this jail. The DC 
jail doesn't have any resource limitations. It's very strange, because 
when using the previous DC in a similar jail on this server I didn't 
have this trouble.


you don't know what entropy is, right?
on linux do:

# cat /proc/sys/kernel/random/entropy_avail
3940

if this number gets to 0, you'll have problems with using /dev/random (which
is a blocking device) that lead to problems like you have described.

using /dev/urandom instead should help.
there are daemons like haveged that can help you provide entropy.

some HW random number generators provide an entropy source.



27.12.2021 11:07, Ondřej Surý пишет:

Does the jail have enough entropy? That would be my first guess…



On 13. 12. 2021, at 7:18, Nikita Druba  wrote:

What can be wrong here? How can I localize the problem further?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.


Re: Millions of './ANY/IN' queries denied

2021-12-16 Thread Matus UHLAR - fantomas

You don't understand what kind of blacklist I want; I want to blacklist the 
domain name
being asked for, so I don't answer for it. I'm not looking to blacklist forged 
IP addresses
of requestors (since we all know criminals don't use their own identities; they 
use the
identities of innocent bystanders).

Again, why should _my_ nameserver_ respond to a query for "./ANY/IN"? I am not 
a rootserver, and never will be.


these answers are minimal, so the problem is made as small as possible.


Reindl Harald  writes:
Am 16.12.21 um 14:22 schrieb Andrew P.:

AGAIN: you don't gain anything by not responding on a UDP protocol
because the client can't distinguish between no response and packet loss


On 16.12.21 13:56, Andrew P. wrote:

AGAIN, the criminal DDoS attacker who's creating these forged requests
isn't looking for replies to themselves; they're looking to abuse some
poor victim.  And the victim can't make the attacker shut up.


I use fail2ban to block these, so while a few packets always pass, the rest
gets blocked.


so you *increase* the load by retries on the client


No, the attacker is going to send their packets as often as they feel like
it regardless of whether I answer, and they won't know if the load on the
victim is sufficient to crush them (or if I am participating), since the
attacker isn't receiving the attack.  They won't speed up on me just
because I refuse to participate in their ugly little games because they
won't know I'm not playing along (at least until they decide to attack
_me_ instead of someone else).


don't get me wrong but you need to understand the implications of what
you are doing - for DOS attacks "Response Rate Limiting" was invented
and for non-DOS requests there isn't any valid reason to take action


Please tell me what non-DOS requests would be asking _my_ name server to
dump the root domain.  I'm not running a caching-only public nameserver
(such as an ISP might run for their customers), so _no_ _one_ should be
asking my nameserver for the entire root domain.  Even webcrawlers don't
need to harrass non-root-nameservers for root domain information.

Note I haven't done anything yet; I'm asking if there _is_ a way to do it
presently implemented in Bind.


none I know so far.
I'd be glad if someone told me there's better way and what it is.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
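The pattern Andrew P. describes feeding to fail2ban, as an added example that is not part of the thread: pick out clients that keep asking an authoritative-only BIND server for the root zone. BIND's own `rate-limit` statement (RRL, which Reindl Harald refers to) is the in-server mitigation; this is the log-side check. The log lines are constructed in the shape of BIND's `queries` logging channel and use documentation address ranges; the threshold is an assumed value.

```python
"""Added example, not part of the thread: pick out clients that keep asking an
authoritative-only BIND server for the root zone, the traffic Andrew P.
describes handing to fail2ban. The log lines are constructed in the shape of
BIND's 'queries' logging channel; the addresses are documentation ranges."""
import re
from collections import Counter

# BIND 9.11+ writes: client @0x... 203.0.113.7#40123 (.): query: . IN ANY +E(0)DC (192.0.2.53)
# Older releases omit the '@0x...' token, so that part is optional.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Constructed sample: one source hammering '.' with the DO bit set (the
# amplification pattern), one ordinary client that asked for '. NS' once.
SAMPLE_LOG = """\
12-Dec-2021 14:01:02.101 queries: info: client @0x7f3a4c0 203.0.113.7#40123 (.): query: . IN ANY +E(0)DC (192.0.2.53)
12-Dec-2021 14:01:02.130 queries: info: client @0x7f3a4c0 203.0.113.7#40124 (.): query: . IN ANY +E(0)DC (192.0.2.53)
12-Dec-2021 14:01:02.150 queries: info: client @0x7f3a4c0 203.0.113.7#40125 (.): query: . IN NS +E(0)DC (192.0.2.53)
12-Dec-2021 14:01:02.200 queries: info: client @0x7f3a4c0 198.51.100.9#1234 (example.net): query: www.example.net IN A -E(0)D (192.0.2.53)
12-Dec-2021 14:01:02.220 queries: info: client @0x7f3a4c0 198.51.100.9#1235 (.): query: . IN NS -E(0) (192.0.2.53)
12-Dec-2021 14:01:02.300 general: info: zone example.net/IN: loaded serial 2021121201
"""

def parse_query_line(line):
    """Return (client_ip, qname, qtype, flags) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    return m["ip"], m["qname"], m["qtype"], m["flags"]

def is_root_zone_query(qname):
    """A server that is authoritative for its own zones only has no business
    answering for '.'; ANY and NS with DO set are the usual reflection bait."""
    return qname == "."

def root_zone_abusers(log_text, threshold=3):
    """Per-client count of root-zone queries, filtered to those at or above
    threshold. Caveat from the thread: in a reflection attack the source
    address is the spoofed victim, so blocking it silences the reflection at
    the price of also refusing that address's own legitimate queries."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_query_line(line)
        if parsed is not None and is_root_zone_query(parsed[1]):
            counts[parsed[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, n in root_zone_abusers(SAMPLE_LOG).items():
        print(f"{ip}: {n} root-zone queries")
```

Feed the output to whatever blocks at your edge, keeping in mind that the addresses you block are the reflection victims, exactly the trade-off discussed above.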


Re: insecurity proof failed for a domain

2021-12-14 Thread Matus UHLAR - fantomas

On 13.12.21 08:18, John Thurston wrote:
If you update your resolver to 9.16, I think you can do exactly what 
you want with the "validate-except" option.


{rolls eyes} been there. done that. for exactly the same reason :/


On 14.12.21 16:58, Matus UHLAR - fantomas wrote:

thanks, this helped.
I assume I need to put "local" into validate-except {}.
This should not be a problem since .local is reserved.

I guess .local should have negative trust anchor in root zone.


looks like I possibly could achieve the same with bind 9.11 by using

rndc nta local

to "temporarily" disable checking of "local" domain.

BIND would periodically re-check (and fail) and prolong the nta anchor
apparently forever.

the "validate-except" is however a cleaner solution.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: insecurity proof failed for a domain

2021-12-14 Thread Matus UHLAR - fantomas

On 13.12.21 08:18, John Thurston wrote:
If you update your resolver to 9.16, I think you can do exactly what 
you want with the "validate-except" option.


{rolls eyes} been there. done that. for exactly the same reason :/


thanks, this helped.
I assume I need to put "local" into validate-except {}.
This should not be a problem since .local is reserved.

I guess .local should have negative trust anchor in root zone.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.


insecurity proof failed for a domain

2021-12-13 Thread Matus UHLAR - fantomas

Hello,

I need to internally forward a domain to a different nameserver:

zone "x.local" {
   type forward;
   forward only;
   forwarders {
   100.1.2.3;
   };
};

when I do this with bind 9.11 (debian 10), I get these messages:

Dec 13 14:26:55 mail named[13112]: validating x.local/A: got insecure 
response; parent indicates it should be secure
Dec 13 14:26:55 mail named[13112]: insecurity proof failed resolving 
'x.local/ANY/IN': 100.1.2.3#53
Dec 13 14:26:55 mail named[13112]: validating x.local/NS: got insecure 
response; parent indicates it should be secure
Dec 13 14:26:55 mail named[13112]: validating x.local/SOA: got insecure 
response; parent indicates it should be secure

looks like I could avoid this by disabling dnssec, but is there any way to
disable this checking only for the domain "local" or "x.local"?

I have tried to create empty "local" domain but then I only received empty
responses for any requests.

(I know .local is for mdns, but I can't do anything with that).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)
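The configuration this thread arrives at, written out as an added example (not a file posted in the thread): the forward zone from the original message together with the validation exception that stops the insecurity-proof failures. The forwarder address 100.1.2.3 is the one quoted above and not a real server; `dnssec-validation auto` in the options block is an assumption.

```conf
// Added example, not from the thread: named.conf fragment for the x.local
// forwarding case. 100.1.2.3 is the forwarder address quoted above.

options {
    dnssec-validation auto;

    // Do not attempt DNSSEC validation at or below these names. The signed
    // root proves that "local" does not exist, so a forwarded, unsigned
    // answer for x.local can never be proven insecure and validation fails.
    // Everything under "local" becomes unvalidated; keep the list short.
    validate-except { "local"; };
};

// The forward zone from the original message, unchanged.
zone "x.local" {
    type forward;
    forward only;
    forwarders { 100.1.2.3; };
};

// BIND 9.11 has no validate-except; the runtime alternative is a negative
// trust anchor, which expires (default lifetime one hour, see nta-lifetime):
//     rndc nta local
```

Run `named-checkconf` before reloading. `validate-except` exists in BIND 9.16 (the version named in the thread) but not in 9.11, where `rndc nta local` is the alternative; an NTA is meant for outages and defaults to a one-hour lifetime, so it has to be re-added, whereas `validate-except` is permanent and disables validation for everything at or below the listed name.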


Re: BIND caching of nxdomain responses

2021-10-23 Thread Matus UHLAR - fantomas

On 22.10.21 09:57, Dan Hanks wrote:
>As I understand RFC 2308, when receiving an NXDOMAIN response, and when
>deciding how long to cache that NXDOMAIN response, a resolver should use
>whichever value is lower of the SOA TTL, and the SOA.minimum value as the
>length of time to cache the NXDOMAIN.
>
>I have a situation where I am seeing different behavior from that in BIND.
>Given the following SOA record:
>
>azure.mongodb.net.  900 IN  SOA ns-1430.awsdns-50.org.
>awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60
>
>I am finding that BIND (9.11.x) is caching the NXDOMAIN response for 900s
>(SOA TTL), instead of the expected 60s (SOA.minimum).
>
>I have noticed that many auth servers out there will drop the SOA TTL to
>match the SOA.minimum value when attaching the SOA record to an NXDOMAIN
>response. Is BIND expecting this to happen, and just opting to use the SOA
>TTL value (and not the SOA.minimum value if they disagree)?



On Fri, Oct 22, 2021 at 10:29 AM Matus UHLAR - fantomas
 wrote:

are you authoritative server for azure.mongodb.net?
if not, BIND will use the cache time that came from the authoritative server and
won't parse the SOA itself.


On 22.10.21 10:56, Dan Hanks wrote:

I am not authoritative, I'm just making recursive queries against this domain.

When you say, "BIND will use cache time that came from authoritative
server", what 'cache time' are you referring to? Are you referring to
the values in the SOA record included in the AUTHORITY section of the
NXDOMAIN response?


I assume that BIND will keep the TTL as it was received from upstream
servers (of course, local TTL restrictions may override it)

If the upstream sends SOA record with TTL 900 second, BIND will keep it at
900 seconds, no matter what the SOA minimum says.

if the TTL returned above is 900 seconds, BIND will return 900 and cache the
record for up to 900 seconds.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


Re: BIND caching of nxdomain responses

2021-10-22 Thread Matus UHLAR - fantomas

On 22.10.21 09:57, Dan Hanks wrote:

As I understand RFC 2308, when receiving an NXDOMAIN response, and when
deciding how long to cache that NXDOMAIN response, a resolver should use
whichever value is lower of the SOA TTL, and the SOA.minimum value as the
length of time to cache the NXDOMAIN.

I have a situation where I am seeing different behavior from that in BIND.
Given the following SOA record:

azure.mongodb.net.  900 IN  SOA ns-1430.awsdns-50.org.
awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60

I am finding that BIND (9.11.x) is caching the NXDOMAIN response for 900s
(SOA TTL), instead of the expected 60s (SOA.minimum).

I have noticed that many auth servers out there will drop the SOA TTL to
match the SOA.minimum value when attaching the SOA record to an NXDOMAIN
response. Is BIND expecting this to happen, and just opting to use the SOA
TTL value (and not the SOA.minimum value if they disagree)?


are you authoritative server for azure.mongodb.net?
if not, BIND will use the cache time that came from the authoritative server and
won't parse the SOA itself.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!
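The RFC 2308 rule Dan quotes has two halves, and this thread turns on which party applies which. As an added example (not from the thread), the code below applies both to the SOA record Dan quoted: the authoritative server is the one expected to lower the SOA's TTL to min(TTL, MINIMUM) when it attaches the SOA to an NXDOMAIN (RFC 2308 section 3), and a resolver such as BIND then caches the negative answer for whatever TTL arrives on that SOA (section 5), bounded by its own `max-ncache-ttl` (default 3 hours). If the authoritative server sends the SOA with its unmodified 900-second TTL, a 900-second negative cache entry is the conformant result on the resolver side.

```python
"""Added example, not from the thread: the two halves of RFC 2308 negative
caching applied to the SOA record quoted in the thread. The authoritative
server lowers the SOA TTL to min(SOA TTL, SOA MINIMUM) when building an
NXDOMAIN (section 3); the resolver caches for the TTL it receives on that
SOA (section 5), capped by its local limit (BIND's max-ncache-ttl)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class SOA:
    owner: str
    ttl: int
    mname: str
    rname: str
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

def parse_soa(text):
    """Parse a presentation-format SOA line: owner TTL IN SOA mname rname 5 numbers."""
    fields = text.split()
    owner, ttl, rrclass, rrtype = fields[:4]
    if rrclass != "IN" or rrtype != "SOA":
        raise ValueError("not an IN SOA record")
    mname, rname = fields[4:6]
    serial, refresh, retry, expire, minimum = map(int, fields[6:11])
    return SOA(owner, int(ttl), mname, rname, serial, refresh, retry, expire, minimum)

def authority_soa_ttl(soa):
    """RFC 2308 s3: TTL an authoritative server should put on the SOA it
    places in the authority section of a negative response."""
    return min(soa.ttl, soa.minimum)

def negative_cache_ttl(received_soa_ttl, max_ncache_ttl=10800):
    """RFC 2308 s5: a resolver caches the negative answer for the SOA TTL as
    received, bounded by its own cap (BIND's max-ncache-ttl, default 3 hours)."""
    return min(received_soa_ttl, max_ncache_ttl)

# The record quoted in the thread, verbatim.
THREAD_SOA = ("azure.mongodb.net.  900 IN  SOA ns-1430.awsdns-50.org. "
              "awsdns-hostmaster.amazon.com. 1 7200 900 1209600 60")

def compare(soa_text=THREAD_SOA):
    """Negative-cache lifetime a resolver ends up with in the two cases:
    the authoritative server lowered the SOA TTL as RFC 2308 s3 says, or it
    sent the SOA with its ordinary TTL unmodified."""
    soa = parse_soa(soa_text)
    return {
        "compliant_authoritative": negative_cache_ttl(authority_soa_ttl(soa)),
        "unmodified_soa_ttl": negative_cache_ttl(soa.ttl),
    }

if __name__ == "__main__":
    for case, seconds in compare().items():
        print(f"{case}: NXDOMAIN cached for {seconds}s")
```

The resolver cannot tell the two cases apart from the response alone, which is why the fix, if one is wanted, belongs on the authoritative side (or in the resolver's `max-ncache-ttl`, which only ever shortens the lifetime).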


Re: bind9 forwarder query

2021-09-23 Thread Matus UHLAR - fantomas

On 23.09.21 06:18, Sonal Pahuja wrote:

We have configured a forward zone in bind9 for e164.arpa and in forwarders we
are giving 2 IPs.
Just wanted to know the mechanism/routing/load balancing policy by which bind9
forwards to different IPs.




I can see sometimes it routes to the same IP always, sometimes it forwards in a
round robin way.


bind keeps track of the servers that respond fastest and periodically rechecks
the rest.
It's called the SRTT algorithm; a web search should give some explanations.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
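A simplified SRTT ("smoothed round-trip time") selector of the kind Matus refers to, as an added illustration that is not BIND's code: each forwarder carries an exponentially smoothed RTT estimate, the lowest estimate gets the next query, a timeout is charged as a large RTT, and the estimates of servers that were not used decay so a server that once timed out is eventually re-tried. The smoothing constants, the timeout penalty and the addresses are assumed values for the demonstration.

```python
"""Added example, not from the thread: a simplified SRTT forwarder selector.
This illustrates the idea Matus refers to; it is not BIND's implementation.
Each forwarder keeps an exponentially smoothed RTT estimate, the lowest
estimate is chosen, a timeout is charged as a large RTT, and idle servers'
estimates decay so that a slow or dead server is periodically re-checked."""

ALPHA = 0.3                  # weight of the newest RTT sample (assumed)
TIMEOUT_PENALTY_MS = 5000.0  # RTT charged for an unanswered query (assumed)
IDLE_DECAY = 0.9             # per-query shrink factor for unused servers (assumed)

class SrttSelector:
    def __init__(self, servers, initial_ms=0.0):
        # Equal starting estimates: the first queries go down the list in
        # config order, the "sometimes round robin" behaviour Sonal observed.
        self.srtt = {server: initial_ms for server in servers}

    def pick(self):
        """Forwarder with the lowest estimate; ties resolve in config order."""
        return min(self.srtt, key=self.srtt.get)

    def record(self, server, rtt_ms):
        """Feed back a measured RTT in ms, or None for a timeout."""
        sample = TIMEOUT_PENALTY_MS if rtt_ms is None else rtt_ms
        for s in self.srtt:
            if s == server:
                self.srtt[s] = (1 - ALPHA) * self.srtt[s] + ALPHA * sample
            else:
                self.srtt[s] *= IDLE_DECAY  # unused servers look better again over time

def simulate(servers, rtts, queries):
    """Run `queries` lookups against fixed per-server RTTs (None = never
    answers) and return the server chosen for each query. Constructed
    scenario: nothing is sent on the network."""
    selector = SrttSelector(servers)
    chosen = []
    for _ in range(queries):
        server = selector.pick()
        chosen.append(server)
        selector.record(server, rtts[server])
    return chosen

if __name__ == "__main__":
    picks = simulate(["10.0.0.1", "10.0.0.2"], {"10.0.0.1": 10.0, "10.0.0.2": None}, 80)
    rechecks = [i for i, s in enumerate(picks) if s == "10.0.0.2"]
    print("first picks:", picks[:4])
    print("queries sent to the dead forwarder:", rechecks)
```

With one healthy forwarder at 10 ms and one that never answers, the run shows all three observed behaviours: both servers are tried at the start, traffic then settles on the fast one, and the dead one gets a probe every few dozen queries as its inflated estimate decays.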


Re: Getting the name of responding server(s)

2021-09-09 Thread Matus UHLAR - fantomas

On Tue, Sep 07, 2021 at 10:48:57AM -0400,
Matthew Pounsett  wrote a message of 32 lines which
said:

Yeah, you can pretty reliably get the answer in one or two steps by
requesting the NS set for the FQDN.  You'll either get your answer, or
get an SOA with the name of the enclosing zone.  Second lookup gets
you the NS set for the enclosing zone.



In message , Stephane Bortzmeyer
 wrote:

Indeed (unless you find a broken resolver that fails to send the SOA).


On 09.09.21 03:20, Ronald F. Guilmette wrote:

I don't want and don't need SOA records.  I want and need only the relevant
NS records.


servers in some cases send the SOA.


I was thinking of another issue: if the goal of the OP is to find
which domain names are on the same authoritative name servers...


Thank you but no, that was not among my goals.

I just want the names of the final and actual name servers that would /
should respond to the given query.


dig +trace finds those.

Note that some domains can be horribly broken and different nameservers can
send different NS, or no NS at all but SOA.



asking
the NS may not be sufficient, if a name server is known by several
names (for instance, a.nic.sex and a.nic.sucks are the same
machine). So, the OP may have to do a resolution of nameservers' names
into IP addresses, as well.


Thank you.  I am well and truly aware of that fact that multiple name
server names may resolve to some single common IP address.

Fortunately, for what I am doing, this fact is not of any relevance.


what exactly is your goal?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.


Re: Does BIND supports ANAME RR

2021-08-09 Thread Matus UHLAR - fantomas

On 09.08.21 13:55, Klaus Darilion via bind-users wrote:
>But honestly SVCB will not solve the ANAME problem.  It will take years
> until all resolvers/client would support SVCB whereas ANAME would be
> implemented in the authoritative name server

resolving on authoritative server could in fact help, and wouldn't need protocol
change at all, but the problem above is crucial (what would you do in case
of failure? refuse whole zone?)


On 09.08.21 14:37, Klaus Darilion via bind-users wrote:

Resolving is done when there is an incoming query, not on zone loading.  So
if the auth's resolver (either a full blown resolver or a stub resolver
which forwards to another resolver) fails to resolve I would just forward
this error to the client's resolver.


This would not change the fact that you are asking authoritative server to
resolve record which is by definition not the job of authoritative server.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good.


Re: Does BIND supports ANAME RR

2021-08-09 Thread Matus UHLAR - fantomas

On Sat, Aug 07, 2021 at 11:05:51PM +0530, Gaurav Kansal wrote:
> I need the help in figuring out whether BIND supports ANAME ? If yes,
> then from which version on wards ?



No, it doesn't. The effort to standardize ANAME stalled, and I doubt
it'll be coming back.

The new HTTPS and SVCB records look like a better approach anyway.
BIND will have support for those pretty soon.


On 09.08.21 13:55, Klaus Darilion via bind-users wrote:

But honestly SVCB will not solve the ANAME problem.  It will take years
until all resolvers/client would support SVCB whereas ANAME would be
implemented in the authoritative name server


recursive - authoritative server is not there to resolve remote hostnames, if
it doesn't provide recursion.
(well, it COULD try to resolve just as it resolves NS IPS for sending
notifies, but that's different). 


resolving on authoritative server could in fact help, and wouldn't need protocol
change at all, but the problem above is crucial (what would you do in case
of failure? refuse whole zone?)


and hence would work for
every client/resolver as client/resolver never sees the ANAME but only the
A/ record.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I drive way too fast to worry about cholesterol.


Re: Odd A record in our hosts zone file

2021-06-25 Thread Matus UHLAR - fantomas

On 25.06.21 18:29, Bruce  Johnson wrote:

Thank you…this is very useful information; I thought TTL could only be 
specified on a per-zone basis, not per-host.


not even per-host. Different RR types for the same host can have different
TTL.


mail    1m  IN  A   xxx.xxx.xxx.52 ; dhbex1
mail    1m  IN  A   xxx.xxx.xxx.54 ; dhbex2


mail    1d  IN  TXT "v=spf1 a -all"
mail    1h  IN  MX  0   mail

etc.
Only the same RR types MUST have the same value, so e.g.:

mail    1m  IN  A   xxx.xxx.xxx.52 ; dhbex1
mail    2m  IN  A   xxx.xxx.xxx.54 ; dhbex2

would be incorrect and the server will choose one of those to implement for all
RRs (see rfc 2182 section 5.2)
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Reverse Lookup / PTR record

2021-06-21 Thread Matus UHLAR - fantomas

On 21.06.21 09:41, techli...@phpcoderusa.com wrote:
I am configuring a home office PHP webserver on my cable company's 
business connection that allows for servers.


My cable company provides the reverse lookup / PTR record.  Given 
that, I'm thinking I need to provide only the zone file, no reverse 
lookup.


if your ISP provides reverse lookup, you don't need reverse zone file at
all.


Any thoughts are much appreciated.


what is your question?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: Need Help with BIND9

2021-06-15 Thread Matus UHLAR - fantomas

On 15.06.21 09:14, Lyle Giese wrote:
I think I stumbled upon a problem with the zone records for 
keiththewebguy.com.  It could be the root issue you are having.


If I run

dig ns +trace keiththewebguy.com

I got the following for the last record from your name servers:


ns1.keiththewebguy.com. 86400   IN  A   98.191.108.149
keiththewebguy.com. 86400   IN  NS  ns1.
keiththewebguy.com. 86400   IN  NS  ns2.


this is the problem.

OP's NS records point to nonexistent hosts, and these are authoritative, so
after each nameserver fetches them, it uses them and fails.


Most probably the "ns1" and "ns2" in the zone end with ".", which means that the
current $ORIGIN (apparently keiththewebguy.com) is not appended to them.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.
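The two zone-file points made in the "Odd A record" thread above (TTLs are per record, but every record in one RRset must share a TTL) and in this thread (a trailing dot makes a name absolute, so "ns1." never gets the origin appended) come down to the same small set of master-file rules. As an added example that is not code from either thread, the following linter applies those rules to a constructed zone that reproduces both mistakes: it expands relative names against $ORIGIN, parses per-record TTLs such as 1m/1h/1d, reports RRsets whose members disagree on TTL (RFC 2181 section 5.2 requires them to agree), and reports NS targets written as a bare single label with a trailing dot. The zone text, names and addresses are constructed for the example.

```python
"""Added example, not from the threads: a small zone-file linter for the two
points made above. It expands relative names against $ORIGIN (a trailing dot
means absolute, nothing appended), parses per-record TTLs such as 1m/1h/1d,
and reports records of one RRset (same owner and type) with differing TTLs,
which RFC 2181 section 5.2 forbids, plus NS targets written as a bare "ns1."
that never get the origin appended. The zone text is constructed."""
import re
from collections import defaultdict

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.IGNORECASE)

def parse_ttl(token):
    """'300' -> 300, '1m' -> 60, '1h' -> 3600; None if token is not a TTL."""
    m = TTL_RE.match(token)
    return None if m is None else int(m.group(1)) * UNITS[m.group(2).lower() or "s"]

def absolute(name, origin):
    """Master-file rule: '@' is the origin, a trailing dot is absolute,
    anything else gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples. Supports $ORIGIN, $TTL, ';'
    comments, optional TTL/class and the blank-owner shorthand; no multi-line
    parentheses, $INCLUDE or quoted semicolons (enough for the example)."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, last_owner, records = 3600, origin, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            default_ttl = parse_ttl(line.split()[1])
            continue
        tokens = line.split()
        if raw[0] in " \t":                   # no owner field: reuse the previous owner
            owner = last_owner
        else:
            owner = last_owner = absolute(tokens.pop(0), origin)
        ttl = default_ttl
        if parse_ttl(tokens[0]) is not None:  # "mail 1m IN A ..."
            ttl = parse_ttl(tokens.pop(0))
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        if parse_ttl(tokens[0]) is not None:  # "mail IN 1m A ..."
            ttl = parse_ttl(tokens.pop(0))
        rrtype, rdata = tokens[0].upper(), tokens[1:]
        if rrtype in ("NS", "CNAME", "PTR"):
            rdata[0] = absolute(rdata[0], origin)
        elif rrtype == "MX":
            rdata[1] = absolute(rdata[1], origin)
        elif rrtype == "SOA":
            rdata[0], rdata[1] = absolute(rdata[0], origin), absolute(rdata[1], origin)
        records.append((owner, ttl, rrtype, " ".join(rdata)))
    return records

def rrset_ttl_conflicts(records):
    """RFC 2181 s5.2: every record of an RRset shares one TTL. Returns
    {(owner, type): sorted TTLs} for the sets that violate this."""
    seen = defaultdict(set)
    for owner, ttl, rrtype, _ in records:
        seen[(owner, rrtype)].add(ttl)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

def dangling_ns_targets(records):
    """NS targets written with a trailing dot but a single label ('ns1.'):
    absolute names of non-existent top-level hosts, so resolvers that pick
    up these NS records cannot reach the zone."""
    return sorted(rdata for _, _, rrtype, rdata in records
                  if rrtype == "NS" and rdata.count(".") == 1)

# Constructed zone reproducing both mistakes from the threads.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 1h
@       IN  SOA ns1 hostmaster 2021062501 7200 900 1209600 300
        IN  NS  ns1.            ; absolute single label: origin is NOT appended
        IN  NS  ns2             ; relative: becomes ns2.example.com.
mail    1m  IN  A   192.0.2.52  ; dhbex1
mail    2m  IN  A   192.0.2.54  ; dhbex2 -- same RRset, different TTL
mail    1d  IN  TXT "v=spf1 a -all"
mail    1h  IN  MX  0   mail
ns1     IN  A   192.0.2.1
ns2     IN  A   192.0.2.2
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "example.com")
    print("TTL conflicts:", rrset_ttl_conflicts(recs))
    print("dangling NS targets:", dangling_ns_targets(recs))
```

`named-checkzone` will already warn about the differing TTLs in a real zone; the dangling "ns1." is harder to notice because the zone loads cleanly and only fails once other resolvers act on the NS records, which is what the `dig +trace` output above shows.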


Re: Need Help with BIND9

2021-06-15 Thread Matus UHLAR - fantomas

On 11.06.21 18:19, Sten Carlsen wrote:

From my place I resolve both to: 98.191.108.149

keiththewebguy.com. does not actually have the two nameservers 
required though that is not the problem. (ns1 and ns2 have same 
IP)


BIND seems to work ok but your local settings probably don't point 
your hosts to the right NS.


On 14.06.21 14:26, techli...@phpcoderusa.com wrote:
I do have the same IP in both "glue" records.  GoDaddy calls them host 
records.


those might be different records, haven't checked godaddy's dictionary.



Server was probably off.  Thank you for your help!!


it's apparently down again.

some registrars provide you with their own nameservers that don't go down,
why don't you use those?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...


Re: Disable limitation

2021-06-14 Thread Matus UHLAR - fantomas

On 14.06.21 05:37, Roee Mayerowicz wrote:
I'm trying to use BIND9 as a recursive DNS server for my internal crawler. 
After a few hundred queries, my queries have started to get dropped.  What
configuration or requirements are needed to "unleash the beast"?


none, it should work by default.

Is there anything in logs?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
42.7 percent of all statistics are made up on the spot.


Re: Need Help with BIND9

2021-06-12 Thread Matus UHLAR - fantomas

On 11.06.21 18:19, Sten Carlsen wrote:

From my place I resolve both to: 98.191.108.149

keiththewebguy.com. does not actually have the two nameservers required though 
that is not the problem. (ns1 and ns2 have same IP)

BIND seems to work ok but your local settings probably don't point your hosts 
to the right NS.


looks like you have registered the domain on two servers, but failed to
provide the servers' IPs. "glue records" are what your domain needs

KEITHTHEWEBGUY.COM. 172800  IN  NS  NS1.KEITHTHEWEBGUY.COM.
KEITHTHEWEBGUY.COM. 172800  IN  NS  ns2.KEITHTHEWEBGUY.COM.
CK0POJMG874LJREF7EFN8430QVIT8BSM.COM. 86400 IN NSEC3 1 1 0 - 
CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.COM. 86400 IN RRSIG NSEC3 8 2 86400 
20210617042404 20210610031404 54714 com. 
X4G7euDX4ox5altSUvf+DfLyijD3A+97OxtkehYEGpUotSvAXXYdriAO 
rWhfqctrjb7pjNyMApY2lbkuHeqXHACUq26uunHKCoFbLkQ1l56mK2sW 
mX8qmzImJOaTysXQlH9pJggtlsjvT5+dA+wojtVxlQc7+uq2245G0q0i 
Nf8JseTw9JzSK66G4IOzl8Z9iQ6KXCKhIKFT4kQXeZP1rA==
AG1GER7HG6VFFKTUSO2FO8IDL76AC4B7.COM. 86400 IN NSEC3 1 1 0 - 
AG1HFAOR0D4AHNGRNHE5M02CMA12RRD4 NS DS RRSIG
AG1GER7HG6VFFKTUSO2FO8IDL76AC4B7.COM. 86400 IN RRSIG NSEC3 8 2 86400 
20210618044614 20210611033614 54714 com. 
Z0rbk8cLOj6ZOZRiW74uGgP5rPtdtr0gtKXhxgyVBcmBUjZ2WZcskJ5H 
YYK6D9KZJYhEvIdvIF+AVBDbyY/7BaRegq44a3Z0pSNlD+nk2fJMqlbA 
sj+9FkyADAp20dojAXPP+RxoCo2e9hz9XW/S0OKrVxv5NtXqvBOUnahr 
7hQOtJCD7uJeb2XLNAHGdOeleIJQhn3E/1CGApoSTxJTaw==
couldn't get address for 'NS1.KEITHTHEWEBGUY.COM': failure
couldn't get address for 'ns2.KEITHTHEWEBGUY.COM': failure
dig: couldn't get address for 'NS1.KEITHTHEWEBGUY.COM': no more


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95


Re: [UNSOLVED] Re: Strange DNS behaviour

2021-05-09 Thread Matus UHLAR - fantomas

On 09.05.21 14:35, Xavier Humbert via bind-users wrote:

But on one machine, it fails :


[xavier@feanor ~]$ dig @numenor dns.google.com +trace



are you aware that +trace sends queries across the servers from root to
leaf, and doesn't go through the server numenor?


couldn't get address for 'm.root-servers.net': not found


None of the root servers can be found. My root hint file is up to date.



Sorry, typed too quickly. Problem stands.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: How to return REFUSED

2021-05-07 Thread Matus UHLAR - fantomas

On 06.05.21 18:41, Axel Rau wrote:

This NS has some other clients in the DMZ LAN, so I need Views.


you need multiple views if you are going to provide multiple versions of the
same zones, different forwardings for different domains or the like.

Not just if you have other clients.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux is like a teepee: no Windows, no Gates and an apache inside...


Re: How to return REFUSED

2021-05-06 Thread Matus UHLAR - fantomas

On 05.05.21 21:09, Axel Rau wrote:

allow-query { any; };
allow-query-cache { recursive-users; };
allow-recursion { recursive-users; };

How can I make sure that non-recursive-users get a REFUSED if the query is
recursive?


I thought this is the default...

PS: I want to minimize the responses to this amplification attack:
19:05:18.703238 185.230.55.130.30120 > 91.216.35.71.53: [no udp cksum] 1+ 
RRSIG? pizzaseo.com.(30) (ttl 249, id 33043, len 58)
19:05:18.703568 91.216.35.71.53 > 185.230.55.130.30120: [udp sum ok] 1- q: 
RRSIG? pizzaseo.com. 0/13/14 ns: com. NS j.gtld-servers.net., com. NS 
m.gtld-servers.net., com. NS c.gtld-servers.net., com. NS b.gtld-servers.net., 
com. NS d.gtld-servers.net., com. NS e.gtld-servers.net., com. NS 
l.gtld-servers.net., com. NS f.gtld-servers.net., com. NS h.gtld-servers.net., 
com. NS i.gtld-servers.net., com. NS a.gtld-servers.net., com. NS 
k.gtld-servers.net., com. NS g.gtld-servers.net. ar: m.gtld-servers.net. A 
192.55.83.30, l.gtld-servers.net. A 192.41.162.30, k.gtld-servers.net. A 
192.52.178.30, j.gtld-servers.net. A 192.48.79.30, i.gtld-servers.net. A 
192.43.172.30, h.gtld-servers.net. A 192.54.112.30, g.gtld-servers.net. A 
192.42.93.30, f.gtld-servers.net. A 192.35.51.30, e.gtld-servers.net. A 
192.12.94.30, d.gtld-servers.net. A 192.31.80.30, c.gtld-servers.net. A 
192.26.92.30, b.gtld-servers.net. A 192.33.14.30, a.gtld-servers.net. A 
192.5.6.30, m.gtld-servers.net.  2001:501:b1f9::30(490) (ttl 63, id 11754, len 518)

... exactly because of this reason.

Which named version do you run?
do you use views?

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
2B|!2B, that's a question!


Re: Need Help With Setting up a Recursive Nameserver

2021-04-30 Thread Matus UHLAR - fantomas

On 30.04.21 17:50, Sainik Biswas via bind-users wrote:

  I need some help setting up a recursive nameserver for my internal
network using BIND 9. The recursive name server is not resolving any
domains.



Error Log [resolver.log]

2021-04-30T11:58:17.784Z notice: DNS format error from 198.41.0.4#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.788Z notice: DNS format error from 193.0.14.129#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.792Z notice: DNS format error from 192.36.148.17#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.796Z notice: DNS format error from 192.33.4.12#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.800Z notice: DNS format error from 192.58.128.30#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.804Z notice: DNS format error from 202.12.27.33#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.808Z notice: DNS format error from 198.97.190.53#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.808Z notice: DNS format error from 199.7.91.13#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.816Z notice: DNS format error from 199.9.14.201#53
resolving ./NS for : non-improving referral
2021-04-30T11:58:17.816Z info: resolver priming query complete

My ISP most probably uses some kind of transparent DNS proxy. I have come
to that conclusion based on running the test at dnsleaktest.com. It does
not matter which DNS I set in my laptop or desktop, the DNS IP always shows
up as the ISP's DNS [203.171.240.10, 203.171.240.11]. The only way I could
bypass this was by using DNSCrypt Proxy. Is it possible that my ISP is
preventing the root nameservers from resolving correctly which is
preventing my caching nameserver from working correctly?


It's most probably the reason. Ask your ISP.


Or maybe I have
incorrectly configured something?

Can anyone help me figure out what exactly is the problem?


your ISP probably

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: NXDOMAIN processing

2021-04-27 Thread Matus UHLAR - fantomas

On 26.04.21 20:45, bamberg2000 via bind-users wrote:

BIND 9.11.5, I forward the request ("forward zone" or global "forward
first") to another server and I get NXDOMAIN.  Is it possible to process
NXDOMAIN other than "redirect zone"?  I just want to repeat the request to
another forwarder.


It's not possible.

the NXDOMAIN response means that the requested domain definitely does not
exist, so there's no logical need to verify this from another source.

Maybe if you explained to us what you're trying to do, we could give you better
advice.
--

Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Re: Name server delegation

2021-04-26 Thread Matus UHLAR - fantomas

On 26.04.21 16:07, John W. Blue via bind-users wrote:

Since "" is a subzone inside of the example.com zone the answer is yes, it 
can be delegated.


However, the delegation must be done on the example.com server (1.1.1.1).

Local forwarding of the domains example.com and .example.com to
different servers is a different issue.


From: Karol Nowicki via bind-users 
Sent: Monday, April 26, 2021 10:24 AM
To: bind-users@lists.isc.org
Subject: Name server delegation

Is it possible to delegate the tld domain example.com to the 1.1.1.1 name server and
.example.com to the 2.2.2.2 name server?



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.


Re: Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Matus UHLAR - fantomas

On 15.04.21 20:53, Zhengyu Pan wrote:

The "intelligent" means that the DNS server returns the corresponding A record IP
address according to the source IP address of the tenants.
My DNS server is an authoritative DNS server. It hosts the zones of different
tenants.


Do you mean the same domains with different content, depending on clients'
IPs? That's a common multiple-view setup
(nothing special or intelligent).


I need to update the config file named.conf frequently because the views and ACLs
are added frequently.


Why? Do you have that many clients constantly with changing IPs?

Maybe they could use a local DNS server talking to your DNS server using TSIG,
and instead of IPs you'd define TSIG keys.


So I want to know whether there are commands or an API to add acl and view, like the command "rndc
addacl" or "rndc addview"?


I'm afraid for now there's no way to do this via rndc.
You'll have to generate the named config per client.


Updating config file frequently may affect other zones in this dns server.


I don't understand how/why it should affect other zones.




At 2021-04-15 15:08:26, "Matus UHLAR - fantomas"  wrote:

On 15.04.21 15:35, Zhengyu Pan wrote:

I want to implement intelligent DNS through bind9.



I need to add a custom line (IP address ranges) to bind9 using acl and view
when adding a user, because when adding a tenant I need to define a new acl
and view. I don't want to update the named.conf config file frequently.


What is supposed to be intelligent there?

I mean, why? Are you going to provide recursive service to someone who pays
for that?


Does bind9 support adding acl and view through commands or an API, not by updating
the config file,
like the command "rndc addacl" or "rndc addview"?


I don't think so; it looks a bit too complicated.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: Does bind9 support adding acl and view through commands, not by updating config file?

2021-04-15 Thread Matus UHLAR - fantomas

On 15.04.21 15:35, Zhengyu Pan wrote:

I want to implement intelligent DNS through bind9.



I need to add a custom line (IP address ranges) to bind9 using acl and view
when adding a user, because when adding a tenant I need to define a new acl
and view. I don't want to update the named.conf config file frequently.


What is supposed to be intelligent there?

I mean, why? Are you going to provide recursive service to someone who pays
for that?


Does bind9 support adding acl and view through commands or an API, not by updating
the config file,
like the command "rndc addacl" or "rndc addview"?


I don't think so; it looks a bit too complicated.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.


Re: forwarding zone setup from a BIND slave (without recursion?)

2021-04-07 Thread Matus UHLAR - fantomas

On 06.04.21 22:47, RK K wrote:

We have a set of BIND primary servers (MASTERs) and a set of secondary
servers (slaves to the MASTERs).
The secondary BIND DNS servers have recursion disabled (with "recursion no;")
in the global options.
All the applications/systems use the secondary DNS servers for name
resolution.

Now there is a need to configure a forwarding zone in the "secondary DNS
servers" to an external DNS server.

In this scenario, in order for the secondary server to forward the DNS
query to an external DNS server, is it required to enable recursion in
the global options on the secondary servers?


yes.


Based on reference material, I did not see such a requirement. But my
observation is that the query is not getting forwarded (I tried to check using
a packet trace).
When recursion is enabled, the query is getting forwarded.

The BIND version I am using is 9.11.2.x.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
It's now safe to throw off your computer.


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 13:57, Roberto Carna wrote:

But if I want to resolve:

foo.google.com

that doesn't exist in my google.com private zone, I don't obtain any result.


Do NOT define a private zone "google.com".
Configure a private zone "www.google.com" that will NOT contain anything other
than www.google.com and names below it.

Or, better, install dnsmasq and redefine "www.google.com" via /etc/hosts.


I need to tell my private BIND to forward to 8.8.8.8 all the received
*.google.com queries, except www.google.com that is the one locally
resolved.


there's no point in forwarding from BIND to public nameservers.


On Wed, 31 Mar 2021 at 13:48, Matus UHLAR - fantomas
() wrote:


On 31.03.21 13:07, Roberto Carna wrote:
>Dear Matus, maybe I have not understood very well...
>
>I can setup a master zone as you said:
>
>zone "www.google.com" {
>type master;
>file "...";
>};
>
>But what are the needed clauses from Bind's named.conf.options file in
>order to tell "if foo.google.com is not present in the google.com
>private zone, you have to forward the query to another server (public
>forwarder) in order to be publicly resolved" ???

that above will cover www.google.com and *.www.google.com

>On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
>() wrote:
>>
>> On 31.03.21 12:49, Roberto Carna wrote:
>> >Dear, I have a BIND private DNS server which has two forwarders for
>> >public resolution.
>> >
>> >I need to create a private zone "google.com" with just one A record as 
follow:
>> >
>> >www.google.com IN A 192.168.0.100
>> >
>> >All the local clients will resolve www.google.com to a private address
>> >from our company.
>> >
>> >And for the other google.com records that this private BIND receives
>> >and they are not defined in the local private zone, they have to be
>> >forwarded to the public forwarders in order to be resolved as normal.
>> >
>> >Is it possible to have this scenario ???
>>
>> yes, simply define zone
>>
>> zone "www.google.com" {
>> type master;
>> file "...";
>> };
>>
>> note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
>> overridden through /etc/hosts would be an easier solution.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 13:07, Roberto Carna wrote:

Dear Matus, maybe I have not understood very well...

I can setup a master zone as you said:

zone "www.google.com" {
type master;
file "...";
};

But what are the needed clauses from Bind's named.conf.options file in
order to tell "if foo.google.com is not present in the google.com
private zone, you have to forward the query to another server (public
forwarder) in order to be publicly resolved" ???


that above will cover www.google.com and *.www.google.com


On Wed, 31 Mar 2021 at 12:56, Matus UHLAR - fantomas
() wrote:


On 31.03.21 12:49, Roberto Carna wrote:
>Dear, I have a BIND private DNS server which has two forwarders for
>public resolution.
>
>I need to create a private zone "google.com" with just one A record as follow:
>
>www.google.com IN A 192.168.0.100
>
>All the local clients will resolve www.google.com to a private address
>from our company.
>
>And for the other google.com records that this private BIND receives
>and they are not defined in the local private zone, they have to be
>forwarded to the public forwarders in order to be resolved as normal.
>
>Is it possible to have this scenario ???

yes, simply define zone

zone "www.google.com" {
type master;
file "...";
};

note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
overridden through /etc/hosts would be an easier solution.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"One World. One Web. One Program." - Microsoft promotional advertisement
"Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler


Re: Local resolution first and then public resolution for "google.com" domain

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 12:49, Roberto Carna wrote:

Dear, I have a BIND private DNS server which has two forwarders for
public resolution.

I need to create a private zone "google.com" with just one A record as follow:

www.google.com IN A 192.168.0.100

All the local clients will resolve www.google.com to a private address
from our company.

And for the other google.com records that this private BIND receives
and they are not defined in the local private zone, they have to be
forwarded to the public forwarders in order to be resolved as normal.

Is it possible to have this scenario ???


yes, simply define zone

zone "www.google.com" {
type master;
file "...";
};

note that for this kind of setup, using dnsmasq with two forwarders and www.google.com
overridden through /etc/hosts would be an easier solution.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
10 GOTO 10 : REM (C) Bill Gates 1998, All Rights Reserved!


Re: resolv.conf question / timeout behaviour

2021-03-31 Thread Matus UHLAR - fantomas

On 31.03.21 10:56, Tom Preissler via bind-users wrote:

at my work place we have a three resolver setup in /etc/resolv.conf.


resolv.conf is not a BIND thing, it's configuration of system libraries. 


We had sometimes, though rarely, response times for DNS like 14000ms,
due to the fact that the *first* listed resolver is down for maintenance
reasons. The application we test this with is Oracle/TNSPing.


If this is an issue, you can run a local caching DNS server like BIND or
dnsmasq. They can handle such timeouts better than most libraries.


As a mitigation we therefore put in timeout:1, but we just recently got
again a TNSPing response of 9000ms.

I noticed in man resolv.conf this section on "timeout":

 timeout:n
Sets the amount of time the resolver will wait for
a response from a remote name server before
retrying the query via a different name server.
|This may not be the total time taken by any
|resolver API call and there is no guarantee that a
|single resolver API call maps to a single timeout.
Measured in seconds, the default is RES_TIMEOUT
(currently 5, see ).  The value for this
option is silently capped to 30.

I am intrigued by the above sentence marked with "|". Does anybody
know what that means in detail, can anybody explain that please?

I explained the reason for the 9000ms so that Oracle and its many processes
all come together to resolve the DNS name and they *keep hitting* the first
resolver - and "timeout" can't kick in due to parallel requests from different
processes, hence the high overall response time.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod


Re: Authoritative for one domain, caching for the rest

2021-03-24 Thread Matus UHLAR - fantomas

On 24.03.21 17:08, Olivier wrote:

After reading [1]and many trials, I couldn't figure how to set a Bind9
(9.11.5 on Debian Buster) server to operate this way:

- server has two Ethernet interfaces, one connected to foo.lan/
192.168.51.0/24 domain/network, the other connected to bar.lan/
192.168.43.0/24 domain/network
- I want it to resolve for bar.lan and for anything to query a DNS server
available on foo.lan.

My anonymized /etc/bind/named.conf.local content is:

acl "good-guys" {
  localnets;
};

zone "bar.lan" {
  type master;
  file "/etc/bind/db.bar.lan";
  forwarders {};
  allow-query { "good-guys"; };
};

zone "43.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/rev.43.168.192.in-addr.arpa";
  forwarders {};
};

zone "foo.lan" {
  type master;
  file "/etc/bind/db.foo.lan";
  forwarders { 192.168.51.1; };
};

zone "51.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/rev.51.168.192.in-addr.arpa";
  forwarders { 192.168.51.1; };
};

Resolution works for:
bar.lan,
google.com
host1.foo.lan if entry present in /etc/bind/db.foo.lan
but it does not work for:
host2.foo.lan if entry not present in /etc/bind/db.foo.lan


"file" is used in master and slave zones.
"forwarders" is used in "type forward" zones.

Those are mutually exclusive, so forwarders aren't used for master and
slave zones, while "file" is not used for "type forward" zones.

Maybe you want something like dnsmasq?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
We are but packets in the Internet of life (userfriendly.org)
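Both Roberto's www.google.com question (earlier on this page) and Olivier's foo.lan setup come down to the same rule: the resolver hands a query to the configured zone whose name is the longest label-suffix of the query name, and what happens next depends only on that zone's type. The following is an added example, not BIND's code and not from either thread; the zone names, records and addresses are constructed. It shows why a "www.google.com" master zone covers only that name and everything below it, and why a "forwarders" clause inside a master zone does nothing for names the zone file does not hold (they get NXDOMAIN), whereas a "type forward" zone sends them on.

```python
# Added example (not BIND's code): closest-enclosing-zone lookup and what
# each zone type does with the query once it has been matched.
# Zone names, records and addresses below are constructed for this example.
from typing import Dict, List, Optional, Tuple


def normalize(name: str) -> str:
    """Lowercase and drop the trailing dot: 'WWW.Google.com.' -> 'www.google.com'."""
    return name.rstrip(".").lower()


def labels(name: str) -> List[str]:
    """Labels in root-first order: 'www.google.com' -> ['com', 'google', 'www']."""
    n = normalize(name)
    return list(reversed(n.split("."))) if n else []


def is_at_or_below(name: str, zone: str) -> bool:
    """True if name equals zone or lies under it, compared label by label,
    so 'notgoogle.com' is NOT under 'google.com'."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[: len(z)] == z


def closest_zone(name: str, zones: Dict[str, dict]) -> Optional[str]:
    """Longest-suffix match: the enclosing zone with the most labels wins."""
    best: Optional[str] = None
    for zone in zones:
        if is_at_or_below(name, zone) and (best is None or len(labels(zone)) > len(labels(best))):
            best = zone
    return best


def resolve(name: str, zones: Dict[str, dict]) -> Tuple[str, str]:
    """Return (outcome, detail): ('answer', rdata), ('NXDOMAIN', zone),
    ('forward', forwarders) or ('recurse', '') when no zone encloses the name."""
    zone = closest_zone(name, zones)
    if zone is None:
        return ("recurse", "")
    cfg = zones[zone]
    if cfg["type"] == "forward":
        return ("forward", ", ".join(cfg["forwarders"]))
    # master/slave: authoritative for everything at or below the zone name.
    # A "forwarders" key on such a zone is ignored, which is the thread's point.
    rdata = cfg["records"].get(normalize(name))
    return ("answer", rdata) if rdata is not None else ("NXDOMAIN", zone)


# Roberto's case: override only www.google.com, leave the rest of google.com alone.
OVERRIDE_WWW: Dict[str, dict] = {
    "www.google.com": {"type": "master", "records": {"www.google.com": "192.168.0.100"}},
}

# Olivier's case as posted: foo.lan is a master zone that also lists forwarders.
MASTER_WITH_FORWARDERS: Dict[str, dict] = {
    "bar.lan": {"type": "master", "records": {"host1.bar.lan": "192.168.43.10"}},
    "foo.lan": {"type": "master", "records": {"host1.foo.lan": "192.168.51.10"},
                "forwarders": ["192.168.51.1"]},
}

# The same intent expressed with the zone type that actually forwards.
FORWARD_ZONE: Dict[str, dict] = {
    "bar.lan": {"type": "master", "records": {"host1.bar.lan": "192.168.43.10"}},
    "foo.lan": {"type": "forward", "forwarders": ["192.168.51.1"]},
}

if __name__ == "__main__":
    for qname, zones in [("www.google.com", OVERRIDE_WWW), ("foo.google.com", OVERRIDE_WWW),
                         ("mail.www.google.com", OVERRIDE_WWW),
                         ("host2.foo.lan", MASTER_WITH_FORWARDERS),
                         ("host2.foo.lan", FORWARD_ZONE)]:
        print(qname, "->", resolve(qname, zones))
```

Note that mail.www.google.com gets a local NXDOMAIN from the "www.google.com" zone, which is what "and names below it" means in the advice above; foo.google.com matches no zone and goes to normal recursion.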


Re: Zone transfer is happening intermittently between slave and master bind

2021-03-17 Thread Matus UHLAR - fantomas

On 17.03.21 07:59, Prasanna Mathivanan (pmathiva) via bind-users wrote:

I have a weird DNS issue where zone transfer between slave and master is
happening intermittently or even if it happens it just says 0 records it
got and then sometimes it gets all records.


That should be fine; an incremental transfer may have been done, which only
transfers changes.


Transfer completed: 0 messages, 1 records, 0 bytes, 0.001 secs (0 bytes/sec) •
intermittent o/p

Transfer completed: 13 messages, 15423 records, 472336 bytes, 0.063 secs
(7497396 bytes/sec) • expected o/p which happens after two to three zone
transfers with 0 messages.

When I initiate manual zone transfer via rndc retransfer  it works fine.


I guess this forces full transfer.


The refresh interval set in the zone is 4 hours, but still, even if it crosses this time,
the zone transfer doesn't work.


refresh means how often to check for updates, but transfer happens only when
there's a change.


Is it something like if difference in serial number is big because of 
unsuccessful zone transfers and its taking time to catch up ?


the difference in serial number is how change is detected.
Note that new serial must be bigger than the old one.

(there are measures if it's to be wrapped around zero).

what is your real problem?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Enter any 12-digit prime number to continue.
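The "new serial must be bigger than the old one" rule and the "measures if it's to be wrapped around zero" remark above are RFC 1982 serial-number arithmetic, which is what a secondary applies at refresh time. The block below is an added example, not BIND's code: it implements that comparison, the transfer decision it drives, and the usual multi-step procedure for moving a serial to a numerically smaller value without secondaries ignoring it. The serial values used are constructed.

```python
# Added example (not BIND's code): the serial-number comparison that decides
# whether a secondary transfers a zone. SOA serials are 32-bit unsigned
# values compared with the wrap-around arithmetic of RFC 1982, so "bigger"
# means "ahead by less than 2**31", and a serial that has wrapped past zero
# is still newer than one just below 2**32. Serial values are constructed.
from typing import List

SERIAL_MOD = 1 << 32    # serials live in [0, 2**32)
SERIAL_HALF = 1 << 31   # the largest single step forward is 2**31 - 1


def _check(s: int) -> None:
    if not 0 <= s < SERIAL_MOD:
        raise ValueError("serial %r is outside the 32-bit range" % s)


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is newer than serial b (RFC 1982 section 3.2).
    When the two differ by exactly 2**31 the order is undefined; this
    returns False so a secondary keeps what it has rather than transferring."""
    _check(a)
    _check(b)
    if a == b:
        return False
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def serial_add(s: int, n: int) -> int:
    """Step a serial forward by n (0 <= n < 2**31), wrapping at 2**32 (RFC 1982 3.1)."""
    _check(s)
    if not 0 <= n < SERIAL_HALF:
        raise ValueError("increment must be in [0, 2**31)")
    return (s + n) % SERIAL_MOD


def secondary_should_transfer(local_serial: int, primary_serial: int) -> bool:
    """What a secondary decides at refresh time: transfer only when the
    primary's serial is newer. Equal serials mean nothing changed."""
    return serial_gt(primary_serial, local_serial)


def steps_to_reach(current: int, target: int) -> List[int]:
    """Serials to publish, in order, so that secondaries follow the primary
    from `current` to `target` even when target is numerically smaller
    (e.g. resetting a date-style serial back to 1). Each value is "newer"
    than the previous one under RFC 1982 rules; the primary must wait for
    every secondary to pick up a step before publishing the next one."""
    _check(current)
    _check(target)
    steps: List[int] = []
    while not serial_gt(target, current):
        if current == target or len(steps) >= 3:
            break
        current = serial_add(current, SERIAL_HALF - 1)
        steps.append(current)
    if current != target:
        steps.append(target)
    return steps


if __name__ == "__main__":
    print("wrapped 0 newer than 2**32-1:", serial_gt(0, SERIAL_MOD - 1))
    print("transfer 2021031701 -> 2021031702:", secondary_should_transfer(2021031701, 2021031702))
    print("reset 2021031701 to 1 via:", steps_to_reach(2021031701, 1))
```

The intermittent "0 messages, 1 records" transfers in the thread are consistent with this: once the secondary's serial equals the primary's, `secondary_should_transfer` is False and nothing beyond the SOA check happens until the primary's serial moves forward.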


Re: underscore in A or PTR records

2021-02-17 Thread Matus UHLAR - fantomas

On 17.02.21 09:41, ONRUBIA AVILES Carlos (CCS/MST) wrote:

What do you mean with "absolutely no, but since underscore is not valid in hostname
as per rfc1123, I don't recommend you to use it in hostnamed"?


substitute the last word with "hostnames" (a mistype).

I mean that since rfc1123 prohibits using underscores in hostnames, you
should not try to use them in hostnames.

Otherwise, you may expect different problems in different places, and
whenever you solve such a problem, people can tell you it's your problem.


I tried with the following configuration in zone "dekil.nl" and bind does not
accept it:


hello_mail2.dekil.nl. 3600 IN A 81.246.48.28

I have the following message error:

Feb 17 10:40:41 dnszone904 named[1633]: /etc/bind/zones/master/dekil.nl:19: 
hello_mail2.dekil.nl: bad owner name (check-names)
Feb 17 10:40:41 dnszone904 named[1633]: zone dekil.nl/IN: loading from master 
file /etc/bind/zones/master/dekil.nl failed: bad owner name (check-names)
Feb 17 10:40:41 dnszone904 named[1633]: zone dekil.nl/IN: not loaded due to 
errors.


yes, exactly.


Sensitivity: Internal Use Only


This is really useless here, since you posted this to a public mailing list.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Remember half the people you know are below average.


Re: underscore in A or PTR records

2021-02-17 Thread Matus UHLAR - fantomas

On 17.02.21 08:13, ONRUBIA AVILES Carlos (CCS/MST) wrote:

I face the following problem ==> bind does not accept an A record with an
underscore:

Example: example_try   A   1.2.3.4


Same for a PTR:

Example:   1.2.3.4   PTR   example_try


Is it absolutely forbidden to have in such cases an '_'?


absolutely no, but since underscore is not valid in hostname as per rfc1123,
I don't recommend you to use it in hostnamed.


I know that it is possible for SRV or TXT records.


it's valid in DNS, but not in hostnames.  You can in fact disable checking
but you may encounter problems with remote sites.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Linux IS user friendly, it's just selective who its friends are...
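The "bad owner name (check-names)" rejection in both underscore messages above is a hostname-syntax check, not a DNS-syntax check: the underscore is a legal label character in DNS, which is why SRV and TXT owner names carry it, but RFC 1123 hostnames allow only letters, digits and hyphens. The block below is an added example of that decision, not BIND's implementation; which record types it treats as hostname-bearing (A and AAAA owners, PTR targets) is an assumption limited to the cases the thread discusses, and the zone lines it checks are constructed.

```python
# Added example (not BIND's implementation): the owner-name rule behind the
# "bad owner name (check-names)" error. RFC 1123 hostnames allow only
# letters, digits and hyphens in each label, no leading or trailing hyphen,
# labels of 1..63 octets and a name of at most 253 octets. An underscore is
# a legal DNS label character, so it passes for SRV/TXT owner names, but it
# is not a hostname character, so it fails for A/AAAA owners and PTR targets.
# The record-type sets and the sample zone lines are constructed assumptions.
import re
from typing import List, Tuple

HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

HOSTNAME_OWNER_TYPES = {"A", "AAAA"}   # owner name must be a hostname
HOSTNAME_RDATA_TYPES = {"PTR"}         # target name must be a hostname


def is_dns_name(name: str) -> bool:
    """Syntactic DNS name: non-empty labels of at most 63 octets, total <= 253."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(1 <= len(label) <= 63 for label in name.split("."))


def is_hostname(name: str) -> bool:
    """RFC 1123 hostname: a DNS name whose every label matches HOSTNAME_LABEL."""
    if not is_dns_name(name):
        return False
    return all(HOSTNAME_LABEL.match(label) for label in name.rstrip(".").split("."))


def check_record(owner: str, rtype: str, rdata: str = "") -> Tuple[bool, str]:
    """Decide whether one record would pass a check-names style zone load."""
    rtype = rtype.upper()
    if not is_dns_name(owner):
        return (False, "bad owner name (syntax)")
    if rtype in HOSTNAME_OWNER_TYPES and not is_hostname(owner):
        return (False, "bad owner name (check-names)")
    if rtype in HOSTNAME_RDATA_TYPES and not is_hostname(rdata):
        return (False, "bad name in PTR target (check-names)")
    return (True, "ok")


def check_zone_lines(lines: List[str]) -> List[str]:
    """Run check_record over simple 'owner [ttl] [IN] type rdata' lines and
    return one 'line N: owner: reason' entry per rejected record."""
    errors: List[str] = []
    for lineno, line in enumerate(lines, 1):
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        owner, i = fields[0], 1
        if i < len(fields) and fields[i].isdigit():   # optional TTL
            i += 1
        if i < len(fields) and fields[i].upper() == "IN":  # optional class
            i += 1
        if i >= len(fields):
            continue
        rtype, rdata = fields[i], " ".join(fields[i + 1:])
        ok, reason = check_record(owner, rtype, rdata)
        if not ok:
            errors.append("line %d: %s: %s" % (lineno, owner, reason))
    return errors


# Constructed sample modelled on the thread (dekil.nl is the poster's zone name).
SAMPLE_ZONE = [
    "; constructed sample, not the poster's real zone file",
    "mail2.dekil.nl.        3600 IN A   81.246.48.28",
    "hello_mail2.dekil.nl.  3600 IN A   81.246.48.28",
    "_sip._tcp.dekil.nl.    3600 IN SRV 10 60 5060 mail2.dekil.nl.",
    "28.48.246.81.in-addr.arpa. 3600 IN PTR example_try.dekil.nl.",
    "-bad.dekil.nl.         3600 IN A   81.246.48.28",
]


def sample_errors() -> List[str]:
    return check_zone_lines(SAMPLE_ZONE)


if __name__ == "__main__":
    for err in sample_errors():
        print(err)
```

The SRV line passes while the A line with the same underscore fails, which is the distinction the reply draws between "valid in DNS" and "valid in hostnames".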


Re: [SOLVED] Re: bind listening on UDP port 53 using 2 fd

2021-01-26 Thread Matus UHLAR - fantomas

On 26.01.21 12:04, Bernardo wrote:

Again, the problem here is that perfectly valid configuration lines in
/etc/named.conf would cause serious trouble.


again, the "port 53" is what causes the problem.

The rest is okay.
Using those options without "port 53" is okay too.



On Mon, 25 Jan 2021 at 14:33, Matus UHLAR - fantomas ()
wrote:


On 25.01.21 14:05, Bernardo wrote:
>Yes. This causes serious problems.
>
>The problem is that these perfectly valid configuration lines in
>/etc/named.conf file (provided that 192.168.10.100 is the IPv4 address of
>your DNS server, it doesn't matter if it is a primary or secondary) will
>cause you a lot of trouble.
>
>query-source address 192.168.10.100;
>notify-source 192.168.10.100 port 53;
>transfer-source 192.168.10.100 port 53;
>
>These configuration lines will cause you problems as described in my post
(
>BIND ignores "packets received correctly" ) from January 2020.
>
>It seems that this is a known issue since BIND 9.16.1 version: UDP network
>ports used for listening can no longer simultaneously be used for sending
>traffic.

which means, that the "port 53" is what causes problems and the rest can
stay there.

If you only have interface address "192.168.10.100" (except loopback, of
course), or if that is the primary address of your interface, those
definitions are useless, otherwise you should keep them there.

>On Mon, 25 Jan 2021 at 11:13, Matus UHLAR - fantomas (<
uh...@fantomas.sk>)
>wrote:
>
>> On 23.01.21 12:44, Bernardo wrote:
>> >Finally I've found the solution.
>> >The problem seems to be caused by a known issue since BIND version
9.16.1
>> >
>> >Commenting out these lines in /etc/named.conf solves the issue:
>> >
>> >query-source address 192.168.10.100;
>> >notify-source 192.168.10.100 port 53;
>> >transfer-source 192.168.10.100 port 53;
>>
>> this should not cause a problem and may cause troubles when
192.168.10.100
>> is not the primary address.
>>
>> the "port 53" is usually useless (unless you have stateless firewall)
and
>> may be what caused your problem.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."


Re: [SOLVED] Re: bind listening on UDP port 53 using 2 fd

2021-01-25 Thread Matus UHLAR - fantomas

On 25.01.21 14:05, Bernardo wrote:

Yes. This causes serious problems.

The problem is that these perfectly valid configuration lines in
/etc/named.conf file (provided that 192.168.10.100 is the IPv4 address of
your DNS server, it doesn't matter if it is a primary or secondary) will
cause you a lot of trouble.

query-source address 192.168.10.100;
notify-source 192.168.10.100 port 53;
transfer-source 192.168.10.100 port 53;

These configuration lines will cause you problems as described in my post (
BIND ignores "packets received correctly" ) from January 2020.

It seems that this is a known issue since BIND 9.16.1 version: UDP network
ports used for listening can no longer simultaneously be used for sending
traffic.


which means, that the "port 53" is what causes problems and the rest can
stay there.

If you only have interface address "192.168.10.100" (except loopback, of
course), or if that is the primary address of your interface, those
definitions are useless, otherwise you should keep them there.


On Mon, 25 Jan 2021 at 11:13, Matus UHLAR - fantomas ()
wrote:


On 23.01.21 12:44, Bernardo wrote:
>Finally I've found the solution.
>The problem seems to be caused by a known issue since BIND version 9.16.1
>
>Commenting out these lines in /etc/named.conf solves the issue:
>
>query-source address 192.168.10.100;
>notify-source 192.168.10.100 port 53;
>transfer-source 192.168.10.100 port 53;

this should not cause a problem and may cause troubles when 192.168.10.100
is not the primary address.

the "port 53" is usually useless (unless you have stateless firewall) and
may be what caused your problem.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: [SOLVED] Re: bind listening on UDP port 53 using 2 fd

2021-01-25 Thread Matus UHLAR - fantomas

On 23.01.21 12:44, Bernardo wrote:

Finally I've found the solution.
The problem seems to be caused by a known issue since BIND version 9.16.1

Commenting out these lines in /etc/named.conf solves the issue:

query-source address 192.168.10.100;
notify-source 192.168.10.100 port 53;
transfer-source 192.168.10.100 port 53;


this should not cause a problem and may cause troubles when 192.168.10.100
is not the primary address.

the "port 53" is usually useless (unless you have stateless firewall) and
may be what caused your problem.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.


Re: Choosing A records based on hosts' load?

2021-01-18 Thread Matus UHLAR - fantomas

On 18.01.21 09:49, Marek Kozlowski wrote:
I believe that such a solution (read to install) should exist. 
Unfortunately I don't know the magic keywords to find it:


I have a group of hosts with different IPs offering the same services. 
I'm able to install some agents on them for monitoring their 
network/cpu/number of users/whatever utilization. I'm wondering if 
there is an option for BIND9 to obtain those load parameters on a 
regular basis (let's say: every 10 minutes) and when queried for the A 
record return ONLY one IP address - the one of the server with the 
lowest utilization?


And whenever one of the servers hits the lowest utilization, all connections get
directed to it, which will then give it the highest utilization.

It can be implemented on those servers but in the solution I'm asking 
about the key point is that the BIND server takes the decision.


This is not a problem for BIND nor for DNS.
Due to DNS caching it won't work properly, and if you shorten the TTLs, at the
first DNS issue it will fail globally.

Install some load balancers in front of those servers.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.


Re: Getting "query failed (REFUSED) for ./IN/ANY"

2021-01-13 Thread Matus UHLAR - fantomas

On 13.01.21 10:21, Alessandro Vesely wrote:

I'm getting lots of log lines like the following:

Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 30 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 30 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144

Is that meant to be a DoS attack?


most probably.


Yesterday I got 42639 of those, from 41 different IPs, the most frequent 
clients looking like so:
821-north:~$ sed -rn 's/^.{15} 30 north named[^:]*: client @0x[0-9a-f]* ([0-9.]*)#[0-9]* ...: view external: query failed .REFUSED. for ..IN.ANY at .*query.c:7144/\1/p' \
    < /var/log/daemon.log.0 | sort | uniq -c | sort -rn | head
  4957 68.42.225.19
  2914 73.73.73.73
  2868 24.21.125.251
  2783 193.70.81.112
  2440 73.73.3.73
  2273 101.71.138.9
  2032 74.74.74.8
  1814 98.25.235.45
  1785 209.94.134.20
  1756 73.109.143.81

I looked up some of these on AbuseIPDB, and I see there are a few people
reporting them for the same DDoS.


It can be a DDoS attempt on those IPs.


Are the queries refused because of the dot (.)?  In the query log, I also
found some 28 IN ANY queries from 7 IPs for xxx.at.fragolina.it, which
probably got away with a NXDOMAIN.


No. The dot is just the root domain.

This morning, queries for IN ANY are filling up 63% of total queries.
Named seems to be pretty quick at discarding them.  I'm wondering whether
it takes more resources to track and firewall those IPs or just ignore
them.


fail2ban should help you not to see those messages.


I'd be also curious of what they are after.  Is there a protest against RFC
8482?  It looks pretty nonsensical.  Any insight?


Often, nameservers respond with a list of delegations for this query:

% dig +noall +stats -t any . @localhost
;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 13 11:01:08 CET 2021
;; MSG SIZE  rcvd: 2272

This way, the server will respond with a >2 KB packet, which may flood the
destination IP.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
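The sed pipeline above answers "who is sending these", and the dig output answers "how much bigger is a real answer than the query". The script below is an added example, not code from the thread: it does both over a few constructed log lines in the same format (the addresses reuse two from the thread plus one documentation address for contrast). It parses the REFUSED entries, ranks the source addresses per query type, lists candidates for a fail2ban jail or ACL, and estimates the amplification a spoofed victim would see if the server answered ". ANY" instead of refusing. The only size taken from the thread is the 2272-byte answer; the query and REFUSED sizes are assumptions stated in the code.

```python
import re
from collections import Counter

# Constructed sample log (not real traffic), shaped like the named lines quoted
# in the thread: REFUSED answers for ". ANY" from a few sources, one unrelated.
SAMPLE_LOG = """\
Jan 12 04:35:18 north named[22233]: client @0x7fe0fc2a3b80 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:18 north named[22233]: client @0x7fe0fc2784d0 74.74.74.8#24048 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:27 north named[22233]: client @0x7fe0fc2953f0 74.74.74.8#57620 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:30 north named[22233]: client @0x7fe0fc2a3b80 68.42.225.19#4242 (.): view external: query failed (REFUSED) for ./IN/ANY at ../../../bin/named/query.c:7144
Jan 12 04:35:31 north named[22233]: client @0x7fe0fc2784d0 192.0.2.7#53001 (example.net): view external: query failed (REFUSED) for example.net/IN/MX at ../../../bin/named/query.c:7144
"""

# "client [@0xADDR] IP#PORT (QNAME): view VIEW: query failed (RCODE) for NAME/CLASS/TYPE"
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): view (?P<view>\S+): "
    r"query failed \((?P<rcode>[A-Z]+)\) for (?P<q>\S+)"
)

# DNS payload sizes in bytes (no IP/UDP headers).  Assumptions except the 2272.
QUERY_ANY_ROOT = 28     # 12 header + 5 question for "." + 11 EDNS OPT record
ANSWER_ANY_ROOT = 2272  # "MSG SIZE rcvd" that dig printed for ". ANY" in the thread
REFUSED_REPLY = 28      # REFUSED echoes the question and OPT, carries no answer


def parse_failed_queries(log_text):
    """Turn 'query failed' lines into dicts; lines in any other format are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name, qclass, qtype = m.group("q").rsplit("/", 2)
        records.append({"ip": m.group("ip"), "port": int(m.group("port")),
                        "view": m.group("view"), "rcode": m.group("rcode"),
                        "qname": name, "qclass": qclass, "qtype": qtype})
    return records


def top_sources(records, qtype="ANY", n=10):
    """Most frequent source addresses for one query type (the sort | uniq -c step)."""
    return Counter(r["ip"] for r in records if r["qtype"] == qtype).most_common(n)


def amplification(response_bytes, query_bytes=QUERY_ANY_ROOT):
    """Bytes sent back per byte received: what a spoofed victim gets per attacker packet."""
    return response_bytes / query_bytes


def block_candidates(records, threshold):
    """Sources with more than `threshold` refused ANY queries: input for fail2ban or an ACL."""
    return sorted(ip for ip, count in top_sources(records, n=None) if count > threshold)
```

Refusing is the right call precisely because of the last two numbers: a REFUSED reply is about the size of the query (ratio ~1), while a full ". ANY" answer is roughly 80 times the query, which is the payoff the senders are looking for.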


Re: SRV Record Server Availability

2021-01-06 Thread Matus UHLAR - fantomas

On 06.01.21 21:41, Wilfred Sarmiento via bind-users wrote:

Your understanding is correct, I just thought that SRV can detect which
server is alive so it can choose and provide an answer with the available
server.


DNS is not designed to provide this functionality. While technically you can
change contents of DNS depending on which servers are alive and which are
not, it's almost never a good idea.

That means BIND has nothing like this built in.


On Tue, Jan 5, 2021 at 4:30 AM Wilfred Sarmiento via bind-users
 wrote:
> Can a DNS BIND SRV record detect the server's availability? If yes, how?



On Tue, 5 Jan 2021, 23:53 tale  wrote:

Could you provide more information about your goal?  I don't fully
understand the question.

For my reading, the answer is basically no, in that an SRV record just
provides data about where a particular service can be found.  It's up
to other systems to fetch that data and interpret it, including
whether that service is actually available at the given endpoint.  In
its typical operation, BIND will just take whatever name and port the
zone administrator said to provide for that SRV record, and not do any
sort of availability checks on it.

However, if you go deep into a far more complicated, custom use of
BIND, you could set up a process that monitors the availability and
changes the SRV record accordingly.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: How does query denial actually work?

2020-12-23 Thread Matus UHLAR - fantomas

On 17.12.20 14:35, Andrew P. wrote:

I was curious about one of the features in BIND.  Per the Best Practices,
my on-site primary nameserver for my public domains (the secondaries being
with a large public DNS provider) is configured to only allow queries from
within my LAN and transfers in the LAN and to the designated servers at
the DNS provider, and the zones don't actually list the primary in NS
records (only in the SOA record).  So I'm seeing large numbers of bursts
of denied errors like this:

client @0x6e702710 73.61.186.10#21509 (.): query (cache) './ANY/IN' denied

I'll get maybe 20 in a row in under 2 seconds from one IP address, then a time 
gap, then a similar burst supposedly from a different IP address.

So, my questions are:

1. Are these attacks?


yes, and they are very common on the internet.


2.  Does BIND actually send a reject message back, or is it silent in such
denial cases (as in, not still attacking with smaller packets the victim
of a DNS amplification attack)?


Usually, yes.  Those responses are small (I measured 74 B now) and you can
limit them using responses-per-second or errors-per-second.

If you don't provide any service (domain) to the public, you can filter DNS
requests from the internet.


I can't figure it out from reading the source code; I haven't so far been
able to trace back from where the messages are logged to where (if any) a
response packet would be transmitted.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
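An added example (not from the thread, and not ISC's own text) of the two things the reply mentions in named.conf terms: refusing what should not be answered, and rate-limiting what is. The first stanza is for a public authoritative server; the second is the hidden primary the question describes, which only the LAN may query and only the provider's secondaries may transfer from. Addresses, the zone name, the ACL names and the TSIG key are placeholders; `minimal-any` needs BIND 9.11 or later. With `rate-limit` in place the answer to question 2 becomes: once a client (per /24 by default) exceeds the limit, further replies are dropped, except that every `slip`-th one is sent as a tiny truncated response so a genuine client retries over TCP while a spoofed victim sees almost nothing.

```conf
// Public authoritative server: answer only for hosted zones, refuse the rest,
// and rate-limit what goes back so the server is useless as an amplifier.
options {
    recursion no;                    // not an open resolver
    allow-query { any; };            // the hosted zones are public by definition
    allow-query-cache { none; };     // './ANY/IN' and other cache queries get REFUSED
    minimal-any yes;                 // BIND 9.11+: ANY over UDP returns one RRset, not the whole node

    rate-limit {
        responses-per-second 10;     // identical answers per second to one IPv4 /24
        errors-per-second 5;         // REFUSED/SERVFAIL/FORMERR replies (the ones in the log above)
        referrals-per-second 5;
        slip 2;                      // every 2nd suppressed reply is a small TC=1 answer, not silence
        window 15;
        log-only no;                 // start with "yes" to see what would be limited
    };
};

// Hidden primary as in the question: queried by the LAN only, transferred by
// the provider's secondaries only.  Placeholder addresses, key and zone name.
acl lan { 192.0.2.0/24; 2001:db8::/64; };
acl provider-secondaries { 198.51.100.10; 198.51.100.11; };

key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret shared with the provider>";
};

zone "example.org" {
    type master;
    file "/var/named/example.org.db";
    allow-query { lan; localhost; };         // everyone else: 'query (cache|zone) ... denied'
    allow-transfer { key "xfer-key"; };      // TSIG-signed AXFR/IXFR only
    also-notify { 198.51.100.10; 198.51.100.11; };
    notify explicit;                         // do not notify the NS set, which does not list this host
};
```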


Re: Two copies of recent posts

2020-11-26 Thread Matus UHLAR - fantomas

On 26.11.20 13:01, Mark Andrews wrote:

The message that generated this thread had the following:

To: upendra.gan...@gmail.com
Cc: bind-users , BIND Users 


I have mentioned this 3 days ago, this info apparently got missed.
https://lists.isc.org/pipermail/bind-users/2020-November/103912.html


Note the 2 different addresses for bind-users.  Both were delivered to
lists.isc.org in a single SMTP transaction as you noted (ESMTP id
026B967ED73) because the MTA worked out they both needed to be delivered
to the same server.  They were then sent through 2 different instances of
mailman, one for bind-users@lists.isc.org and one for bind-us...@isc.org,
and re-injected (ESMTP id B380C67F367 and ESMTP id E414B67F36E).


2 mailman instances, or 2 mails to mailman, thus to the list?

This is not the first time it happened; it happened to me, IIRC, already when
ISC changed to mailman:

https://lists.isc.org/pipermail/bind-announce/2008-November/000570.html

maybe ISC could stop accepting the mails to old addresses?


On 26 Nov 2020, at 12:35, Paul Kosinski via bind-users 
 wrote:

Yes indeed: I sent the last email (and this one) to bind-users and CC-ed
to you.  That explains why there are two different ESMTP IDs.

The question is, have you, like I have, received two copies of any emails
(from lists.isc.org) where there are *identical* ESMTP IDs in their
associated sequences of "Received:" headers?  This would indicate that
the duplication was caused by an intermediate MTA.  (The one I previously
indicated was mx.pao1.isc.org, which is the one and only MX for
lists.isc.org.)


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: Two copies of recent posts

2020-11-23 Thread Matus UHLAR - fantomas

On 22.11.20 21:56, Paul Kosinski via bind-users wrote:

I've been getting two identical copies of recent posts to this list
(such as this item). This only started happening in the past 24 hours
or so. Is anyone else seeing this?

Upon examination of the headers of the two copies, it looks like ISC's
list-servers are doing the duplication.


No, it's some people sending duplicate mail:

Cc: bind-users@lists.isc.org, BIND Users 

IIRC this happened to me when I set up bind-us...@isc.org as the list address
and when using list-reply, my MUA mutt decided the mail has to go to another
address as well:

List-Post: <mailto:bind-users@lists.isc.org>

In this case, this seems to be the OP's fault, when the first reply went to
bind-us...@isc.org together with bind-users@lists.isc.org, and people who
replied continued sending to multiple addresses.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: Servfail on Bind -9.16.1

2020-11-22 Thread Matus UHLAR - fantomas

On Sun, Nov 22, 2020 at 8:14 AM Ismael Suarez 
wrote:



Also, just for testing. Similar happened to me. Try with
‘dnssec-validation no;’


On 22.11.20 09:05, upen wrote:

Thank you Ismael, you are right .
The resolution worked after setting ^^^

So to answer Julien also, I believe +nodnssec in the dig would have helped
with resolution.

So validation is not working it seems . What could be reason for that? Is
something wrong on my configuration or network that the dnssec validation
can not be used in my configuration.


It's possible that your provider does DNS hijacking.
DNS over TLS or DNS over HTTPS could help verify that.



I can set to auto again and run dig +trace if that will help
troubleshooting further why validation may not be working. I’m unsure if
this is expected or something could be wrong somewhere on my end /network .



From: bind-users  on behalf of julien
soula 
Sent: Sunday, November 22, 2020 9:31:56 AM
To: upen 
Cc: bind-users@lists.isc.org ; BIND Users <
bind-us...@isc.org>
Subject: Re: Servfail on Bind -9.16.1

On Sat, Nov 21, 2020 at 03:20:26PM -0600, upen wrote:
> .../...
> default.log:21-Nov-2020 15:11:18.008 client @0x7fb6a800c0a0 127.0.0.1#33706 (www.facebook.com): query failed (broken trust chain) for www.facebook.com/IN/A at query.c:6883
> dnssec.log:21-Nov-2020 15:11:18.008 validating www.facebook.com/CNAME: bad cache hit (com/DS)
> lame-servers.log:21-Nov-2020 15:11:18.008 broken trust chain resolving 'www.facebook.com/A/IN': 129.134.31.12#53

it seems to be an error in dnssec. So I suppose that "dig +nodnssec
" works.

May be "dig +trace facebook.com" will give you more hints.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: reload but the old value linger

2020-11-21 Thread Matus UHLAR - fantomas

On 21.11.20 00:18, Boylan, Ross wrote:

My fix for the DNS lookup problems I reported a few days ago, based on help
here, seems to mostly work.  But there is one oddity.  When the tunnel
goes down I comment out the special handling for the zone I reach through
the tunnel and reload the server.  But my DNS queries return the same
internal IP number I got before, at least for awhile.

Since I can't reach the remote machine anyway, this is probably a pretty
minor problem, but I'd like to understand what's going on and how I might
fix it.

My theory is that reloading (via rndc reload) does not clear the cache, and
that my queries just get the cached value until they expire.  Is that
plausible?


yes.

If that is the problem, would rndc flushtree ucsf.edu inside remove the no
longer valid values from the cache?  ucsf.edu is the domain for which I
forward, and it is accessible from the "inside" view.


yes.


- ucsf.conf.tunnel
zone "ucsf.edu" {
type forward;
forwarders {10.10.10.10;};
};



The nameserver doesn't resolve records that are in the cache and still
valid.

This section is thus used only when it has to resolve something under
ucsf.edu that is not in the cache.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: NXDOMAIN problems

2020-11-16 Thread Matus UHLAR - fantomas

On 17.11.20 05:41, Boylan, Ross wrote:

One other detail may be important: I just added a bridge interface and
virtual machines.  I presume the VPN tunnel was using the hardware
interface (enp5s0) before, and is using the bridge (br0) now.  OpenConnect
creates the tunnel (tun0); both the name and inspection of the code
indicate the tunnel is based on the TUN interface, at the IP layer,
instead of the TAP interface, at the MAC layer.  If some of the
communication is not using IP then I presume it could be disappearing at
the bridge.


I guess that your VPN uses the IP that is topologically closest to the
other side of the VPN tunnel. Usually it's the IP with the default route set.

You can often override it in the VPN configuration.
Note this is not a BIND issue.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: NXDOMAIN problems

2020-11-16 Thread Matus UHLAR - fantomas

On 16.11.20 22:58, Boylan, Ross wrote:

I have been experiencing NXDOMAIN errors persistently, though not 100% of
the time, for a machine I am trying to reach.  The queries worked OK
before today.  I not only don't know what's causing it, but am having
trouble tracing what's going on inside of bind.  I'd be grateful for help
on either front, getting DNS to work or debugging.

There are a lot of complications.  In brief, the machine and name
resolution for it are only available through VPN; I have a search list
which should cause some failed lookups if the original doesn't work; and
I'm using views.  Some details follow, and then discussion of my debugging
attempts.

DETAILS

The remote machine is only accessible though VPN, and the nameserver that
knows how to find it is also accessible only through VPN.  The IP of that
nameserver is first on my forwarders list on my local machine.  When
failures happen the replies indicate the request was addressed to the
public-facing nameservers; it is good that they don't provide any info,
but they shouldn't be getting the request.


Forwarders are not used in the specified order; named measures TTL and uses the
server that answers first.

You can configure your domain with the specified forwarders and to be
"forward only".


I also added the target domain (ucsf.edu) to my search list.  So when I ask
for mymachine.ucsf.edu, this will also generate a query for
mymachine.ucsf.edu.ucsf.edu if the first query fails.  The second query is
asking for a non-existent domain, and so maybe that is the proximate
source of the NXDOMAIN.


This could be controlled by the option "ndots:1" in resolv.conf, so the search
list is ignored for every hostname with one or more dots.
... This is not a BIND issue but a stub resolver issue.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
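An added example (not from the thread) of the forward-only zone recommended above, placed in the LAN-side view the poster uses, together with the rndc command that drops cached answers for that subtree when the tunnel state changes. The view name, the 10.10.10.10 forwarder and ucsf.edu are the thread's own values; the rest of named.conf (root hints, other zones, the outside view) is omitted. The security point of `forward only` is that when the VPN-side resolver is unreachable, queries for the internal domain fail instead of being sent to whatever public servers named would otherwise iterate to.

```conf
// LAN-facing view: everything under ucsf.edu goes to the resolver behind the
// VPN and nowhere else; all other names are resolved normally.
view "inside" {
    match-clients { localnets; localhost; };
    recursion yes;

    zone "ucsf.edu" {
        type forward;
        forward only;                  // never fall back to iterating via the public NS:
                                       // with the tunnel down the client gets SERVFAIL
                                       // rather than internal names leaking to the internet
        forwarders { 10.10.10.10; };   // reachable only through the tunnel
    };

    // A global "forwarders { ... };" list with several entries is not tried in
    // order: named picks by measured round-trip time, so a VPN-only resolver in
    // that list is used unpredictably.  Keep it in a per-zone forward zone instead.

    // root hints and the other zones of this view omitted
};

// After the tunnel goes down (or comes back), drop what named cached for that
// subtree in this view; a plain "rndc reload" leaves the cache untouched and
// clients keep getting the old addresses until their TTL expires:
//
//     rndc flushtree ucsf.edu inside
```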


Re: nested $GENERATE possible?

2020-11-16 Thread Matus UHLAR - fantomas

On 12.11.20 15:32, Matus UHLAR - fantomas wrote:

is it possible to nest $GENERATE directives?
I have to create DNS for /16 subnet...


So I assume it's not possible.
Just wanted to be sure...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


nested $GENERATE possible?

2020-11-12 Thread Matus UHLAR - fantomas

Hello,

is it possible to nest $GENERATE directives?
I have to create DNS for /16 subnet...
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: Malformed transaction errors

2020-10-19 Thread Matus UHLAR - fantomas

On 18.10.20 11:00, @lbutlr wrote:

I am getting the following error on one specific domain and I am unsure how to 
fix it. Searching for the error led to suggestions about not running multiple 
copies of bind on the same machine, but that is not the case here (and it is 
only affecting one domain).

named[652] malformed transaction: example.com.signed.jnl last serial 2018022385 
!= transaction first serial 2018022384
named[652] zone example.com/IN: zone_resigninc:dns_journal_write_transaction -> 
unexpected error
named[652] malformed transaction: example.com.signed.jnl last serial 2018022385 
!= transaction first serial 2018022384
named[652] zone example.com/IN: zone_resigninc:dns_journal_write_transaction -> 
unexpected error

If I put aside the jnl file and stop/start bind the error goes away, but 
eventually it comes back, always for the same domain.

(Setup is DNS primary on one machine and a secondary server on a separate 
machine. Errors are on the primary server.)


What's the primary server? Maybe a broken DNS implementation.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: forwarders used in order or based on RTT ?

2020-10-16 Thread Matus UHLAR - fantomas

On 16.10.20 09:56, Bob Harold wrote:

The BIND ARM (9.16.2) says:
"There may be one or more forwarders, and they are queried in turn until
the list is exhausted
or an answer is found."

But
https://lists.isc.org/pipermail/bind-users/2015-August/095544.html
says:
"Forwarders are selected based on an RTT(round-trip-time)-based algorithm"

So which is correct?


Both are.  The ARM does not say they are queried in a defined order.
The order is defined by RTT.


And did it change at some point?


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: How to compute db.192.168.x names from network addresses ?

2020-10-01 Thread Matus UHLAR - fantomas

On 01.10.20 17:46, Olivier wrote:

Here or there, you can read configuration files named like db.192.168.42
when holding data for a 192.168.42.0/24 network.
For networks with a /24 mask, simply stripping the ending 0/24 substring from
192.168.42.0/24 is enough.
But what about networks with a different prefix?


RFC 2317, Classless IN-ADDR.ARPA delegation. H. Eidnes, G. de Groot, P. Vixie.
March 1998. (Also BCP 20) (Status: BEST CURRENT PRACTICE) (DOI: 10.17487/RFC2317)



1. How can you compute this "db.192.168.whatever" from 192.168.x.y/z
network address ?


Better set up reverse zones 192.168.0, 192.168.1 etc.
The RFC above should only be used for <24 ranges.


Example in Python would be appreciated.

2. Instead of using short "db.192.168.42" names, I used a long
"db.192.168.42.0". I didn't notice any issue. Did I overlook something?


It's just a file name.  You can use "myrevzone" as well, but using
db.192.168.42 is much more explanatory.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
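The poster asked for Python, and the earlier "nested $GENERATE possible?" thread in this archive ran into the other half of the same job, so here is one added example covering both (not code from either thread). `reverse_zones` maps a network to the in-addr.arpa zone name and the conventional db.* file name: /8, /16 and /24 give one classful zone, other prefixes up to /24 are split at the next octet boundary (a /20 becomes sixteen /24 zones, as suggested above), and prefixes longer than /24 get an RFC 2317 style name. `ptr_zone_for_slash16` then writes a /16 reverse zone the way one has to without nesting: one `$GENERATE` per /24, with the third octet written out by the loop and only the last octet left to `$` substitution. example.com and the ns/hostmaster names are placeholders.

```python
import ipaddress


def reverse_zones(cidr):
    """Return [(zone_name, file_name), ...] covering `cidr` (IPv4, /8 or longer)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen < 8:
        raise ValueError("IPv4 networks of /8 or longer only")
    if net.prefixlen > 24:
        # RFC 2317 classless delegation: zone named like 64/26.42.168.192.in-addr.arpa
        o = str(net.network_address).split(".")
        zone = f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa"
        return [(zone, f"db.{o[0]}.{o[1]}.{o[2]}.{o[3]}-{net.prefixlen}")]
    aligned = -(-net.prefixlen // 8) * 8            # round up to 8, 16 or 24
    result = []
    for sub in net.subnets(new_prefix=aligned):     # the network itself when already aligned
        kept = str(sub.network_address).split(".")[: aligned // 8]
        result.append((".".join(reversed(kept)) + ".in-addr.arpa", "db." + ".".join(kept)))
    return result


def ptr_zone_for_slash16(cidr, domain, ns="ns1.example.com.",
                         hostmaster="hostmaster.example.com.", ttl=3600, serial=2020111201):
    """Zone file text for a /16 reverse zone: 256 $GENERATE lines, one per /24.

    $GENERATE substitutes `$` once per line and cannot be nested, so the third
    octet comes from this loop and $GENERATE iterates the last one.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen != 16:
        raise ValueError("this helper writes /16 zones only")
    (zone, _), = reverse_zones(cidr)
    o1, o2 = str(net.network_address).split(".")[:2]
    lines = [f"$ORIGIN {zone}.",
             f"$TTL {ttl}",
             f"@ IN SOA {ns} {hostmaster} ( {serial} 3600 900 604800 300 )",
             f"@ IN NS {ns}"]
    for third in range(256):
        # owner "$.<third>" is relative to the $ORIGIN, so "5.17" is 192.168.17.5;
        # the target is a synthetic host name such as 192-168-17-5.example.com.
        lines.append(f"$GENERATE 0-255 $.{third} PTR {o1}-{o2}-{third}-$.{domain}.")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for zone, fname in reverse_zones("10.1.16.0/20"):
        print(f'zone "{zone}" {{ type master; file "{fname}"; }};')
    print(ptr_zone_for_slash16("192.168.0.0/16", "example.com"), end="")
```

Run `named-checkzone 168.192.in-addr.arpa db.192.168` on the generated file to confirm the 65536 PTRs expand as intended before loading it.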


Re: different TTLs for multiple TXT records

2020-09-26 Thread Matus UHLAR - fantomas

On 26.09.20 09:58, Verne Britton wrote:

I see that RFC2181, written I think 20+ years ago, says in part




5.2. TTLs of RRs in an RRSet

 Resource Records also have a time to live (TTL).  It is possible for
 the RRs in an RRSet to have different TTLs.  No uses for this have
 been found that cannot be better accomplished in other ways.  This
 can, however, cause partial replies (not marked "truncated") from a
 caching server, where the TTLs for some but not all the RRs in the
 RRSet have expired.

 Consequently the use of differing TTLs in an RRSet is hereby
 deprecated, the TTLs of all RRs in an RRSet must be the same.

[...]



but in the last few years, perhaps even a decade, TXT record usage has
expanded to be used for many different and unique purposes, such as domain
ownership verification and SPF data.


Unfortunately, TXT is overloaded with multiple uses. The SPF record was
deprecated ... 


What is the proper avenue to request an enhancement so each TXT record can have 
its own unique TTL value?


Not possible. If you ask for a TXT, you must get all TXTs; the same for A, NS,
MX and all other records of the same type.

If you don't get something, it means it's not there. This is not just a
documented standard; doing it differently would make DNS unreliable.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: It is too hard for me to read from this mailing list

2020-09-22 Thread Matus UHLAR - fantomas

On 21.09.20 23:04, Scott Nicholas wrote:

You need to visit https://lists.isc.org/mailman/listinfo/bind-users and
turn off digest.


Maybe switch it to digest mode, so it's easy to extract individual mails and
sort them...



On Mon, Sep 21, 2020, 4:15 PM Allen Chen 
wrote:

It is so hard to follow up a thread if you put several subjects in one
email. How do I find the previous/next emails related to a particular
subject?

I am tired to find a subject in the middle of an email. Every time I
have to use the search function to find it. It is so weird.

Why not like the others, put one subject in one email. Let the reader
focus on one subject.

I am using Thunderbird to read the emails. Should I use something else
to read it? Any suggestions are welcome.

This is my feeling. But, maybe you are happy with it.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: "forward first" set on a master zone not working as expected

2020-09-03 Thread Matus UHLAR - fantomas

On 02.09.20 15:00, Taylor Vierrether via bind-users wrote:

I am attempting to set up an internal DNS server that is authoritative for
internal resources, but also will respond for external resources on the
same domain that it does not have records for.

For example, I have a domain sub.example.com , and I want to have internal
entries in the BIND zone file for host1.sub.example.com and
host2.sub.example.com.  That part is working fine.  However, there is a
publicly available DNS entry for sub.example.com that I want my internal
clients to be able to resolve, but I don’t want to have the IP in the BIND
zone file, because the IP is dynamic.


you can delegate that entry elsewhere.


 There are also some hosts (host3.sub.example.com ) and
(host4.sub.example.com) that are externally resolvable that I don’t want
to put in my internal BIND file because they are not controlled by me. 
(Think CNAME to a SaaS application)


you can delegate those records somewhere.


I’ve attempted to do this as follows, and it seems to make sense that it
would work, but it does not.


named.conf:

zone "sub.example.com" IN {
   type master;
   file "/etc/bind/sub.example.com.zone";
   forward first;
   forwarders { 1.1.1.1; 1.0.0.1; };
};


Forwarding is not used for zones other than "type forward".


What actually happens, is if I query for sub.example.com I get the following 
from nslookup:
*** Can't find sub.example.com: No answer


If you search for the "sub.example.com" record, you cannot delegate that one,
of course.

You apparently should redesign your DNS. The easiest way would be using a
different domain internally.


And if I query for host3.example.com , I get the following from nslookup:
** server can't find host3.sub.example.com: NXDOMAIN


Note that nslookup is a very bad program for tracking DNS errors.
Use "host" or "dig" for that case.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/


Re: VS: CNAME / TXT

2020-08-24 Thread Matus UHLAR - fantomas

On 23.08.20 09:59, Jukka Pakkanen wrote:

Yes, I think the whole CNAME is useless here anyway.


CNAME is useful, but it does not (and cannot) work the way you want.


These were the recommendations of this service provider, mailgun though..


Where? The CNAME issue is long known and clarified in RFC 2181, section
10.1, CNAME resource records
...published in 1997.



From: bind-users  On behalf of Ben Croswell
Sent: 23 August 2020 2:24
To: ML BIND Users 
Subject: Re: CNAME / TXT

If you uncomment that mg CNAME you end up with a CNAME, MX and TXT at the same node in 
the DNS tree and that is illegal. That is why you get the error "CNAME and other 
data". The MX and TXT are the other data.
On Sat, Aug 22, 2020, 8:19 PM Jukka Pakkanen 
mailto:jukka.pakka...@qnet.fi>> wrote:
Cannot figure out what is wrong here… must be something simple but after 
sitting in airplanes the last 40 hours and it’s 2am…

Only when I comment out the two lines at the end of named.harriot does it go
through and BIND loads the zone. With those two lines, I get the following:

C:\DNS\etc\namedb>named-checkzone harriot.fi named.harriot
dns_master_load: named.harriot:33: mg.harriot.fi: CNAME and other data
dns_rdata_fromtext: named.harriot:35: syntax error
zone harriot.fi/IN: loading from master file named.harriot failed: CNAME and other data
zone harriot.fi/IN: not loaded due to errors.

;
;File:  named.harriot
;

$TTL 864

@       IN SOA  ns1.qnet.fi. helpdesk.qnet.fi. (
            202008243  ; serial number
            28800      ; refresh every 12 hours
            7200       ; retry after 2 hours
            604800     ; expire after 2 weeks
            3600 )     ; default ttl is 2 days

harriot.fi.     IN A   35.214.111.143
                IN MX  10 qntsrv8.qnet.fi.
                IN MX  10 qntsrv9.qnet.fi.
                IN NS  ns1.qnet.fi.
                IN NS  ns2.qnet.fi.
                IN NS  ns3.qnet.fi.
                IN NS  ns1.z.fi.
                IN NS  ns2.z.fi.

www             IN A     35.214.111.143
api             IN A     35.214.111.143
webmail         IN CNAME mail.qnet.fi.
_autodiscover._tcp  IN SRV 0 5 443 mail.qnet.fi.

dev             IN A     35.214.111.143

; mg            IN CNAME eu.mailgun.org.
mg              IN MX    10 mxa.eu.mailgun.org.
mg              IN MX    10 mxb.eu.mailgun.org.
mg              IN TXT   v=spf1 include:eu.mailgun.org ~all

; smtp_domainkey.mg  IN TXT "k=rsa; p=MII-AQAB"









--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows found: (R)emove, (E)rase, (D)elete

Re: Error "Query section mismatch : got"

2020-08-21 Thread Matus UHLAR - fantomas

On 21.08.20 09:28, Smile TV wrote:

> my question is why would anyone do this, as this apparently does not make
> sense.



Because when I was on a server that was querying the reverse record
250.199.212.125.in-addr.arpa it gave an error with the "SERVFAIL" error
code, so I tried to query directly the hosting that managed it to
determine the cause.


Your query of course makes sense under these circumstances.

But delegating a /24 subnet using RFC 2317 delegation is useless, because in
fact you can delegate the whole /24 directly.



>> On Wed, Aug 19, 2020 at 7:42 AM Matus UHLAR - fantomas
>>  wrote:
>>> again, why you query for 250.0-24.199.212.125.in-addr.arpa
>>> under normal circumstances there's no point of querying that name.



> On 19.08.20 10:05, tale via bind-users wrote:
>> Well yes and no.   While an individual user would typically not,
>> resolvers sure will.  While trying to resolve
>> 250.199.212.125.in-addr.arpa, it will eventually get to
>> 250.199.212.125.in-addr.arpa CNAME 250.0-24.199.212.125.in-addr.arpa.



> On 20 Aug 2020, at 00:41, Matus UHLAR - fantomas 
> wrote:
> my question is why would anyone do this, as this apparently does not make
> sense.



On Wed, 19 Aug 2020 at 22:00 Mark Andrews wrote:

Presumably because they don’t know that APNIC can delegate the /24s that
make up the /17 independently of each other.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
How does cat play with mouse? cat /dev/mouse
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Error "Query section mismatch : got"

2020-08-19 Thread Matus UHLAR - fantomas

On 20 Aug 2020, at 00:41, Matus UHLAR - fantomas  wrote:


On Wed, Aug 19, 2020 at 7:42 AM Matus UHLAR - fantomas
 wrote:

Again, why do you query for 250.0-24.199.212.125.in-addr.arpa?
Under normal circumstances there's no point in querying that name.


On 19.08.20 10:05, tale via bind-users wrote:

Well yes and no.   While an individual user would typically not,
resolvers sure will.  While trying to resolve
250.199.212.125.in-addr.arpa, it will eventually get to
250.199.212.125.in-addr.arpa CNAME 250.0-24.199.212.125.in-addr.arpa.


my question is why would anyone do this, as this apparently does not make
sense.


On 20.08.20 00:59, Mark Andrews wrote:

Presumably because they don’t know that APNIC can delegate the /24s that make
up the /17 independently of each other.


Even if not, they can fetch the whole /24 from their customer (requiring the
customer to add their NSes as well).

But, yes, in case of a very incompetent customer they can require such
delegation.



Someone (vietel) illogically delegated the whole /24 subnet to broken servers:

199.212.125.in-addr.arpa. 86400 IN  NS  dns2.vietel.com.vn.
199.212.125.in-addr.arpa. 86400 IN  NS  dns1.vietel.com.vn.

0.199.212.125.in-addr.arpa has address 125.235.4.59
1.199.212.125.in-addr.arpa is an alias for 1.0-24.199.212.125.in-addr.arpa.
...
255.199.212.125.in-addr.arpa is an alias for 255.0-24.199.212.125.in-addr.arpa.


delegation from apnic to vietel:

199.212.125.in-addr.arpa. 86400 IN  NS  dns2.vietel.com.vn.
199.212.125.in-addr.arpa. 86400 IN  NS  dns1.vietel.com.vn.
199.212.125.in-addr.arpa. 3600  IN  NSEC    2.212.125.in-addr.arpa. NS RRSIG NSEC
199.212.125.in-addr.arpa. 3600  IN  RRSIG   NSEC 13 5 3600 20200917160047 20200818150047 30887 125.in-addr.arpa. 5ixPuj/J+cDFSDwxy3MSMs1xkmpGrdzhrmjiodo6CkEBazwUxojGfIYU R5MNZCbDoMZEF4Fq8eL9lcsZgrBctA==
;; Received 321 bytes from 203.119.95.53#53(ns2.apnic.net) in 255 ms

delegation from vietel to vietelidc:

0-24.199.212.125.in-addr.arpa. 86400 IN NS  ns.viettelidc.com.vn.
0-24.199.212.125.in-addr.arpa. 86400 IN NS  ns2.viettelidc.com.vn.
0-24.199.212.125.in-addr.arpa. 86400 IN NS  ns1.viettelidc.com.vn.
;; Received 160 bytes from 203.113.188.2#53(dns2.vietel.com.vn) in 367 ms


Zone 199.212.125.in-addr.arpa. at vietelidc, who is supposed to provide
0-24.199.212.125.in-addr.arpa:

199.212.125.in-addr.arpa. 2560  IN  SOA ns.viettelidc.com.vn. hostmaster.199.212.125.in-addr.arpa. 1597850355 16384 2048 1048576 2560
;; Received 129 bytes from 115.84.181.10#53(ns2.viettelidc.com.vn) in 291 ms


Vietelidc is in this case the problem:

1. they block DNS over TCP
2. they should have configured zone 0-24.199.212.125.in-addr.arpa

Although it's possible that viettelidc.com.vn asked vietel.com.vn to delegate
199.212.125.in-addr.arpa. and vietel.com.vn messed it up...



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
If Barbie is so popular, why do you have to buy her friends?
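The point made in this thread, that a /24 can be delegated with plain NS records and only ranges smaller than a /24 need the RFC 2317 CNAME indirection, as an added Python example. It is not code from BIND or from any poster; the nameserver names are constructed placeholders, and the "first-last" label style is one operator choice (RFC 2317 leaves the label form open, and the thread's zone uses a different one).

```python
"""Classless in-addr.arpa delegation (RFC 2317) versus direct delegation.

Added illustration; not code from BIND or from any poster. Names such as
ns1.example.net. are constructed placeholders.
"""
import ipaddress


def in_addr_arpa_zone(prefix):
    """in-addr.arpa zone for an octet-aligned prefix: 125.212.199.0/24 -> 199.212.125.in-addr.arpa."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError(f"{prefix}: no single in-addr.arpa zone for /{net.prefixlen}")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(list(reversed(octets)) + ["in-addr", "arpa"]) + "."


def delegate(prefix, nameservers):
    """Records the parent zone needs so that `nameservers` serve reverse DNS for `prefix`.

    Returns the parent zone, the child zone name, the method, and (owner, type,
    rdata) tuples with owners relative to the parent zone. Octet-aligned prefixes
    get an ordinary NS delegation; only ranges longer than /24 need the RFC 2317
    CNAME indirection, because a single PTR name cannot be split across zones.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    octets = str(net.network_address).split(".")
    if net.prefixlen in (8, 16, 24):
        parent = in_addr_arpa_zone(str(net.supernet(new_prefix=net.prefixlen - 8)))
        label = octets[net.prefixlen // 8 - 1]
        return {
            "method": "direct",
            "parent_zone": parent,
            "child_zone": f"{label}.{parent}",
            "records": [(label, "NS", ns) for ns in nameservers],
        }
    if 25 <= net.prefixlen <= 32:
        parent = in_addr_arpa_zone(str(net.supernet(new_prefix=24)))
        first = int(net.network_address) & 0xFF
        last = int(net.broadcast_address) & 0xFF
        label = f"{first}-{last}"        # label style is the operator's choice
        child = f"{label}.{parent}"
        records = [(label, "NS", ns) for ns in nameservers]
        # One CNAME per address in the parent; the PTR itself lives in the child zone.
        records += [(str(h), "CNAME", f"{h}.{child}") for h in range(first, last + 1)]
        return {"method": "rfc2317", "parent_zone": parent, "child_zone": child, "records": records}
    raise ValueError(f"{prefix}: delegate at an octet boundary or as a sub-/24 range")


if __name__ == "__main__":
    for p in ("125.212.199.0/24", "125.212.199.0/25"):
        d = delegate(p, ["ns1.example.net.", "ns2.example.net."])
        print(f"{p}: {d['method']} delegation, {len(d['records'])} record(s) in {d['parent_zone']}")
```

For the /24 the function emits nothing but NS records in 212.125.in-addr.arpa., which is what the APNIC side of the thread's delegation chain looks like; the CNAME chain only appears once the range is narrower than a /24.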


Re: Error "Query section mismatch : got"

2020-08-19 Thread Matus UHLAR - fantomas

On Wed, Aug 19, 2020 at 7:42 AM Matus UHLAR - fantomas
 wrote:

Again, why do you query for 250.0-24.199.212.125.in-addr.arpa?
Under normal circumstances there's no point in querying that name.


On 19.08.20 10:05, tale via bind-users wrote:

Well yes and no.   While an individual user would typically not,
resolvers sure will.  While trying to resolve
250.199.212.125.in-addr.arpa, it will eventually get to
250.199.212.125.in-addr.arpa CNAME 250.0-24.199.212.125.in-addr.arpa.


my question is why would anyone do this, as this apparently does not make
sense.

Someone (vietel) illogically delegated the whole /24 subnet to broken servers:

199.212.125.in-addr.arpa. 86400 IN  NS  dns2.vietel.com.vn.
199.212.125.in-addr.arpa. 86400 IN  NS  dns1.vietel.com.vn.

0.199.212.125.in-addr.arpa has address 125.235.4.59
1.199.212.125.in-addr.arpa is an alias for 1.0-24.199.212.125.in-addr.arpa.
...
255.199.212.125.in-addr.arpa is an alias for 255.0-24.199.212.125.in-addr.arpa.



Then it will need to resolve the canonical name, and a response like
the original one that was shown will be clearly buggy.

I say "possibly" because from my vantage, all three of
ns{,1,2}.viettelidc.com.vn, the authorities for
0-24.199.212.125.in-addr.arpa, are giving fine answers right now (on
udp; blocked on tcp).   This includes the originally reported problem
IP, 115.84.177.8




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fucking windows! Bring Bill Gates! (Southpark the movie)


Re: Error "Query section mismatch : got"

2020-08-19 Thread Matus UHLAR - fantomas

On 19.08.20 17:40, Smile TV wrote:

I query the PTR Resource Record that is hosted on DNS server
115.84.177.8 (reverse zone: 250.0-24.199.212.125.in-addr.arpa). However,
there is a difference between querying the PTR RR directly and
querying ANY RR.
The results of the two cases are below:
Case 1: Query the PTR RR directly; I get the error "Question section
mismatch", like:

dig @115.84.177.8 250.0-24.199.212.125.in-addr.arpa ptr
;; Question section mismatch: got 255.0.199.212.in-addr.arpa/PTR/IN
;; Question section mismatch: got 255.0.199.212.in-addr.arpa/PTR/IN
;; Question section mismatch: got 255.0.199.212.in-addr.arpa/PTR/IN




What is the error "Query section mismatch", and why? Can anybody help
me?


You asked for:
250.0-24.199.212.125.in-addr.arpa
but got:
255.0.199.212.in-addr.arpa

That's different, therefore the mismatch.


Why do you query for 250.0-24.199.212.125.in-addr.arpa by the way?



Case 2: Query ANY RR; the result is like this:

dig @115.84.177.8 250.0-24.199.212.125.in-addr.arpa any

; <<>> DiG 9.10.4-P3 <<>> @115.84.177.8 250.0-24.199.212.125.in-addr.arpa
any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12424
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 21
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;250.0-24.199.212.125.in-addr.arpa. IN  ANY

;; ANSWER SECTION:
250.0-24.199.212.125.in-addr.arpa. 360 IN PTR   smtp.vss.gov.vn.
250.0-24.199.212.125.in-addr.arpa. 360 IN PTR   baohiemxahoi.gov.vn.

;; AUTHORITY SECTION:
199.212.125.in-addr.arpa. 360   IN  NS  ns.viettelidc.com.vn.
199.212.125.in-addr.arpa. 360   IN  NS  ns1.viettelidc.com.vn.
199.212.125.in-addr.arpa. 360   IN  NS  ns2.viettelidc.com.vn.



I got the same results for both queries, but UDP is allowed while TCP is
refused, no matter if I ask for ANY or for PTR.

It seems that the default for 'any' is TCP, while for 'ptr' the default is UDP.

TCP is required for working DNS; they should not block it.


Again, why do you query for 250.0-24.199.212.125.in-addr.arpa?

Under normal circumstances there's no point in querying that name.


there


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
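What dig is complaining about, as an added Python example that is not code from dig or BIND: it builds a DNS query in wire format, parses the header and question section of a response, and accepts the response only when the transaction ID and the question (name, type, class) match what was sent. That is the same check a resolver applies before trusting an answer, and it is why the response above, whose question section carries a different name, is rejected. The packets are constructed here, not captured from the servers in the thread.

```python
"""Why dig prints "Question section mismatch", and why resolvers make the same check.

Added example; not code from dig or BIND. Sample packets are constructed.
"""
import secrets
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "AAAA": 28, "ANY": 255}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg, offset):
    """Return (name, offset just past the name); follows compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower() + ".", (offset if end is None else end)


def build_query(qname, qtype, qid=None):
    """Query with RD set and one question; the ID is random unless given."""
    if qid is None:
        qid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def build_response(qid, qname, qtype):
    """Minimal answerless response (QR, RD, RA set); enough to exercise the check."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_question(msg):
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"id": qid, "qr": bool(flags & 0x8000), "qname": name,
            "qtype": qtype, "qclass": qclass}


def response_matches(query, response):
    """(True, "ok") if the response belongs to the query, else (False, reason)."""
    q, r = parse_question(query), parse_question(response)
    if not r["qr"]:
        return False, "not a response (QR bit clear)"
    if q["id"] != r["id"]:
        return False, f"ID mismatch: got {r['id']:#06x}"
    if (q["qname"], q["qtype"], q["qclass"]) != (r["qname"], r["qtype"], r["qclass"]):
        return False, (f"question section mismatch: got {r['qname']}/"
                       f"{TYPE_NAMES.get(r['qtype'], r['qtype'])}/IN")
    return True, "ok"


# Constructed packets mirroring the thread: the right question, and the wrong one.
QUERY = build_query("250.0-24.199.212.125.in-addr.arpa", "PTR", qid=0x3088)
GOOD = build_response(0x3088, "250.0-24.199.212.125.in-addr.arpa", "PTR")
WRONG_NAME = build_response(0x3088, "255.0.199.212.in-addr.arpa", "PTR")
WRONG_ID = build_response(0x3089, "250.0-24.199.212.125.in-addr.arpa", "PTR")

if __name__ == "__main__":
    for pkt in (GOOD, WRONG_NAME, WRONG_ID):
        print(response_matches(QUERY, pkt))
```

The ID check and the question check together are what stops a stray or forged packet from being accepted as the answer to an outstanding query; the random ID (and, in a real resolver, the random source port) is what makes them hard to satisfy by guessing.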


Re: CNAME restrictions

2020-08-04 Thread Matus UHLAR - fantomas

On 04.08.20 17:29, Leroy Tennison wrote:

I have a situation where, due to the system's location (IP subnet), its DNS
name is ..datavoiceint.com.  We have a
certificate for *.datavoiceint.com which we prefer to use


A wildcard in certificates only covers one level of subdomains, so
*.datavoiceint.com will cover .datavoiceint.com but not
anything under it.

You will have to strip the   part or get another certificate.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm
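The one-level wildcard rule stated above, as an added Python example (not code from any poster) implementing the dNSName matching rules of RFC 6125 section 6.4.3: the wildcard must be the whole leftmost label and matches exactly one label. The host names used are constructed placeholders for the elided names in the question; "site1" stands in for the subnet-derived label.

```python
"""Which names a wildcard certificate covers (RFC 6125 section 6.4.3).

Added example; not code from any poster. Host names are constructed placeholders.
"""


def wildcard_matches(pattern, hostname):
    """True if certificate dNSName `pattern` covers `hostname`.

    Comparison is case-insensitive. A '*' is accepted only as the entire leftmost
    label and never for a whole TLD, and it matches exactly one label, so
    *.example.com covers a.example.com but neither b.a.example.com nor example.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        raise ValueError(f"{pattern}: wildcard must be the entire leftmost label")
    if len(p_labels) < 3:
        raise ValueError(f"{pattern}: wildcard too broad (would cover a whole TLD)")
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def covering_name(san_names, hostname):
    """First SAN dNSName in the certificate that covers hostname, or None."""
    for name in san_names:
        if wildcard_matches(name, hostname):
            return name
    return None


def needed_wildcard(hostname):
    """Narrowest wildcard that would cover hostname: '*' plus its parent domain."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        raise ValueError(f"{hostname}: no wildcard can cover a second-level name")
    return "*." + ".".join(labels[1:])


if __name__ == "__main__":
    cert = ["datavoiceint.com", "*.datavoiceint.com"]      # constructed SAN list
    for host in ("host.datavoiceint.com", "host.site1.datavoiceint.com"):
        match = covering_name(cert, host)
        print(host, "->", match or f"not covered; would need {needed_wildcard(host)}")
```

Running it shows the second name is not covered by the existing certificate and would need *.site1.datavoiceint.com (or a certificate listing the full name), which is the choice the reply above describes.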


Re: issue of Amplification attack

2020-07-12 Thread Matus UHLAR - fantomas

On 7/12/20 6:23 AM, ShubhamGoyal wrote:
Thank you for giving me an answer to my previous question. Sir, now we are
suffering from an amplification attack, so is there any method in BIND to
stop a DNS amplification attack?
I am thinking to stop or drop ANY type queries on our DNS recursive
resolver, so please tell me how we can drop or stop ANY type queries in
BIND.


On 12.07.20 12:48, Michael De Roover wrote:
There was a very interesting conversation about this last week. See 
https://www.mail-archive.com/bind-users@lists.isc.org/msg29187.html.


Alternative link:
https://lists.isc.org/pipermail/bind-users/2020-July/103389.html

I find it more readable.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


Re: [Non-DoD Source] Re: [DoD Source -- ssshhhh Top Secret] Re: Dumb Question is an A or AAAA record required?

2020-07-10 Thread Matus UHLAR - fantomas

On 09.07.20 15:49, DeCaro, James John (Jim) CIV DISA FE (USA) via bind-users 
wrote:

We have an application that queries reverse lookups on clients trying to
access it in order to verify the client and its IP are legit and a part of
the correct domain/acl..  So if the pointer record does not match, the
client is rejected.  I don't know if that is relevant in this case, but it
provides an example.


It's not relevant...

Of course, there must be an A or AAAA at the end, since all those NS, MX, CNAME
records point to domain names, and chains need to end with A or AAAA, but
the original question was whether the A record is needed at the zone apex.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The only substitute for good manners is fast reflexes.


Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Matus UHLAR - fantomas

On 09.07.20 15:06, Matthew Richardson wrote:

On a related issue, there were (perhaps long ago) issues if the A record
for a domain had an SMTP server on it, where email could sometimes be
delivered to that A record rather than the MX.  I had (again long ago:
10-15 years) actually seen this occur.


If there is an MX record for a domain, an MTA MUST only use the MX record when
delivering to that domain.

If there is no MX record for a domain, but an A record is available, the MTA
uses a default MX with preference 0 pointing to that A record.

This is how it's defined to work; this is not "an issue about that".


Do people think that this problem could still occur these days?  What sort
of transient (presumably DNS) failure might cause an SMTP server to deliver
to A rather than MX?


The only DNS failure that could cause this (that I can think of now) is if
the DNS server incorrectly returned NODATA for the MX record (effectively saying
there's no MX).

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam = (S)tupid (P)eople's (A)dvertising (M)ethod
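The MX selection rules stated in this reply (RFC 5321 section 5.1: use the MX set if there is one, fall back to an implicit MX at the domain's own address only when there is definitely no MX), as an added Python example. It is not code from any MTA or from any poster; the Lookup objects are constructed stand-ins for DNS answers. The example also shows the failure mode described above: a temporary lookup failure must defer, and only a resolver that wrongly reports NODATA for MX can push delivery onto the A record.

```python
"""SMTP target selection (RFC 5321 section 5.1) and the NODATA failure mode.

Added example; not code from any MTA. Lookup objects are constructed stand-ins
for real DNS answers.
"""
from dataclasses import dataclass, field

TEMP_FAIL = {"SERVFAIL", "TIMEOUT"}


@dataclass
class Lookup:
    """One DNS answer: NOERROR (empty records = NODATA), NXDOMAIN, SERVFAIL or TIMEOUT."""
    status: str
    records: list = field(default_factory=list)   # MX: (preference, host); A/AAAA: addresses


def mail_targets(domain, mx, addr):
    """Return ("deliver", hosts), ("defer", reason) or ("bounce", reason).

    The implicit MX (preference 0 at the domain itself) is used only on a
    definite NODATA answer for MX, never on a lookup failure. A resolver that
    wrongly turns an error into NODATA therefore makes the MTA deliver to the
    A record, which is the scenario discussed above.
    """
    if mx.status in TEMP_FAIL:
        return "defer", f"MX lookup for {domain} failed ({mx.status}); not falling back to A"
    if mx.status == "NXDOMAIN":
        return "bounce", f"{domain} does not exist"
    if mx.records:
        if len(mx.records) == 1 and mx.records[0][1] == ".":
            return "bounce", f"{domain} publishes a null MX (RFC 7505)"
        # Lowest preference first; equal preferences keep input order here,
        # whereas a real MTA randomises among them.
        return "deliver", [host for _, host in sorted(mx.records, key=lambda r: r[0])]
    # NODATA for MX: implicit MX with preference 0, target = the domain itself.
    if addr.status in TEMP_FAIL:
        return "defer", f"address lookup for {domain} failed ({addr.status})"
    if addr.status == "NOERROR" and addr.records:
        return "deliver", [domain]
    return "bounce", f"{domain} has neither MX nor address records"


if __name__ == "__main__":
    a = Lookup("NOERROR", ["192.0.2.25"])                       # constructed A answer
    mx = Lookup("NOERROR", [(20, "mx2.example.net."), (10, "mx1.example.net.")])
    print(mail_targets("example.net.", mx, a))                  # MX set, by preference
    print(mail_targets("example.net.", Lookup("NOERROR", []), a))   # NODATA: implicit MX
    print(mail_targets("example.net.", Lookup("SERVFAIL"), a))      # failure: defer, no fallback
```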


Re: [Non-DoD Source] Re: Dumb Question is an A or AAAA record required?

2020-07-09 Thread Matus UHLAR - fantomas

On 09.07.20 13:16, DeCaro, James John (Jim) CIV DISA FE (USA) via bind-users 
wrote:

Would the lack of A records affect pointer records?  Seems like it would.


Pointer records are independent of A/CNAME records and irrelevant in this
case.


-Original Message-
From: bind-users  On Behalf Of Mark Andrews
Sent: Thursday, July 9, 2020 8:56 AM
To: @lbutlr 
Cc: bind-users 
Subject: [Non-DoD Source] Re: Dumb Question is an A or AAAA record required?

At this stage one still needs A records to be reachable by everyone.  One
should also ensure you are reachable over IPv6 as lots of the world is behind IPv6-only
links as their ISPs don’t have enough IPv4 addresses for everyone.
Instead they have to use some form of IPv4 as a service which is significantly
more expensive to operate compared to straight routers.




On 9 Jul 2020, at 22:22, @lbutlr  wrote:

Given a domain that is hosted and used for email and web, is an A record for 
that domain actually required?

That is, if bob.tld is hosted by example.com can you simply have

   NS ns1.example.com
   NS ns2.example.com
   MX mx.example.com

www CNAME www.example.com

Without specifying

   A 11.22.33.444

(I am pretty sure this is *technically* allowed, but is it really OK to do or 
are there reasons not to do this?)


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Quantum mechanics: The dreams stuff is made of.


Re: your mail

2020-06-28 Thread Matus UHLAR - fantomas

On 28.06.20 12:43, baalchina wrote:

I had a bind 9.16.4 as recursive name server. I want to forward all queries
to a specific dns server out of my net such as 8.8.8.8.


It makes no sense to forward queries to 8.8.8.8; BIND can do the resolution
itself. Unless your access to the internet is blocked, but access to 8.8.8.8
(and 1.1.1.1) is not.


While I have a new
domain( such as abc.com) I want to forward to a new dns server such as
9.9.9.9.

Here is my named.conf:


options {
   listen-on port 53 {192.168.1.1;};
   recursion yes;
   allow-recursion {any;};
   forwarders {
   8.8.8.8;
   };
};




zone "abc.com" {
   type forward;
   forwarders {1.1.1.1;};


If 1.1.1.1 is the IP of the nameserver for abc.com, you should rather configure it
as "type stub" or "type static-stub".

Note that a resolving BIND can do that itself, so it really only matters if
1.1.1.1 is not accessible from the internet.


};



So, in this configuration, the abc.com will be forward to 8.8.8.8 or
1.1.1.1?


The latter.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Question about Recommended stress test tools for bind.

2020-06-26 Thread Matus UHLAR - fantomas

On 2020-06-25 04:10, Techs-yama wrote:

and How do you have any recommended statistics items to check by
rndc stats.


On 25.06.20 12:43, Chuck Aurora wrote:

I don't know what you are looking for, but I would recommend NOT
using rndc stats:

https://kb.isc.org/docs/aa-00769


If you want to say that XML statistics are better than rndc stats, I admit
that they are kind of a better solution; however, I haven't found anything
better for Cacti that could process those than what we currently have:

https://docs.cacti.net/usertemplate:host:bind9.7

SNMP support would be great.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Microsoft dick is soft to do no harm


Re: Recursive Client Rate limiting in BIND applicable in forward mode

2020-06-19 Thread Matus UHLAR - fantomas

On 19.06.20 13:53, 249558254 wrote:

Is the function of Recursive Client Rate limiting in BIND applicable in forward 
mode?


yes, since forwarding is recursion.


My concern is that the client request is too large, resulting in a forward in 
the global limit my request, such as 8.8.8.8


1. Do you mean the client request _rate_ is too large?

2. Why forward to 8.8.8.8? BIND can resolve by itself; it does not need to
forward to 8.8.8.8.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name.


Re: VS: A And Cname-record

2020-06-18 Thread Matus UHLAR - fantomas

On 17.06.20 22:31, Jukka Pakkanen wrote:

Yes but before going to RFC details one should check the basic spelling and 
syntax first...


If there was a spelling mistake, the error would not be "CNAME and other data".
When the error is "CNAME and other data", spelling mistakes don't matter...


From: bind-users  On Behalf Of Mark Andrews


On 18 Jun 2020, at 07:56, Bogdan-Stefan Rotariu  wrote:
Hi,


On 18 Jun 2020, at 00:44, Ejaz Ahmed  wrote:

When I am trying to add an A and a CNAME record together for the same
subdomain, I get the error below. Your kind assistance would
be highly appreciated; thanks in advance.

my records are as follows in zone

auotdiscover IN A 1.1.1.1
autodiscover IN CNAME autodiscover.acig.com.sa

==
dns_master_load: acig.com.sa.hosts:102: autodiscover.acig.com.sa:
CNAME and other data

zone acig.com.sa/IN: loading from master file acig.com.sa.hosts
failed: CNAME and other data

zone acig.com.sa/IN: not loaded due to errors


CNAME records cannot coexist with any other records last time I’ve
checked. See section 2.4 from RFC1912[1]

[1] https://tools.ietf.org/html/rfc1912


Well it actually goes back to RFC 1034.  Unfortunately it wasn’t enforced in 
nameservers at the beginning and is still not enforced by some servers.

3.6.2. Aliases and canonical names

...

The domain system provides such a feature using the canonical name
(CNAME) RR.  A CNAME RR identifies its owner name as an alias, and specifies 
the corresponding canonical name in the RDATA section of the RR.  If a CNAME RR 
is present at a node, no other data should be present; this ensures that the 
data for a canonical name and its aliases cannot be different.  This rule also 
insures that a cached CNAME can be used without checking with an authoritative 
server for other RR types.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


Re: Fwd: DNS Misconfiguration on- http://cyberia.net.sa/

2020-06-05 Thread Matus UHLAR - fantomas

On 05.06.20 11:54, Ejaz Ahmed wrote:

Someone is claiming that our name server 212.118.64.2 is vulnerable,
with the information below. Is this true?


It's not the nameserver. It's the domain "cyberia.net.sa" that has
"localhost" in it pointing to 127.0.0.1.

This is useless. The localhost hostname should not exist in domains other
than "localhost.", which should be configured on recursive servers.


Any suggestions would be appreciated


Simply remove the "localhost" record from cyberia.net.sa and possibly other
domains.


Dear CYBERIA GROUP Security Team,

I am Rahul, an ethical hacker and security researcher. I found a vulnerability
on your website that is DNS misconfiguration.

Your localhost.cyberia.net.sa has address 127.0.0.1 and this may lead to
"Same-Site" Scripting. I can also ping the localhost network.

Here is a detailed description of this minor security issue:
http://www.securityfocus.com/archive/1/486606/30/0/threaded

Find attached POC video.

Dear Team, waiting for your response, and I want a bounty (money) with an
appreciation letter for my work and the effort which I have given for

Thanks in advance
Ejaz


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
REALITY.SYS corrupted. Press any key to reboot Universe.
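A zone-file check that would have caught both problems discussed in the threads above: the "CNAME and other data" error from the two CNAME threads (RFC 1034 section 3.6.2, RFC 2181 section 10.1), and a "localhost" name with a loopback address inside a public zone from the cyberia.net.sa thread. This is an added Python example, not code from BIND or named-checkzone and not any poster's; the parser only handles the common master-file subset ($ORIGIN, $TTL, "@", inherited owner names, optional TTL and class, a parenthesised SOA), and SAMPLE_ZONE is constructed under example.com to mirror the shape of the posted zones.

```python
"""Zone-file lint for "CNAME and other data" and loopback addresses.

Added example, not BIND's code nor any poster's. SAMPLE_ZONE is constructed.
"""
import ipaddress

CLASSES = {"IN", "CH", "HS"}
DNSSEC_TYPES = {"RRSIG", "NSEC"}   # the only types permitted beside a CNAME


def _logical_lines(text):
    """Drop ';' comments and join parenthesised records (SOA) into one line.

    Caveat: a ';' inside a quoted TXT string is treated as a comment start here.
    """
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def _absolute(name, origin):
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return (owner, rtype, rdata_tokens) triples with absolute, lower-cased owners."""
    origin = origin.rstrip(".").lower() + "."
    owner, records = origin, []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = _absolute(tokens[1], origin)
            continue                                   # $TTL etc. do not matter here
        if not line[0].isspace():                      # leading blank means "same owner"
            owner = _absolute(tokens.pop(0), origin)
        if tokens and tokens[0].isdigit():             # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in CLASSES:    # optional class
            tokens.pop(0)
        if tokens and tokens[0].isdigit():             # TTL may also follow the class
            tokens.pop(0)
        records.append((owner, tokens.pop(0).upper(), tokens))
    return records


def lint_zone(text, origin):
    """Return human-readable findings; an empty list means both checks passed."""
    records = parse_zone(text, origin)
    findings, by_owner = [], {}
    for owner, rtype, _ in records:
        by_owner.setdefault(owner, set()).add(rtype)
    # RFC 1034 3.6.2 / RFC 2181 10.1: nothing else may share a CNAME's owner name
    for owner, types in by_owner.items():
        others = types - {"CNAME"} - DNSSEC_TYPES
        if "CNAME" in types and others:
            findings.append(f"{owner}: CNAME and other data ({', '.join(sorted(others))})")
    # A "localhost"-style name in a public zone: address records pointing at loopback
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            try:
                addr = ipaddress.ip_address(rdata[0])
            except (IndexError, ValueError):
                findings.append(f"{owner}: malformed {rtype} record {' '.join(rdata)!r}")
                continue
            if addr.is_loopback:
                findings.append(f"{owner}: {rtype} record points at loopback address {addr}")
    return findings


# Constructed sample mirroring the shape of the zones in the threads, under example.com
SAMPLE_ZONE = """\
$TTL 3600
@       IN SOA ns1.example.com. hostmaster.example.com. (
            2020082401 ; serial
            28800 7200 604800 3600 )
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
        IN A    192.0.2.10
www     IN A    192.0.2.10
webmail IN CNAME mail.example.com.
mg      IN CNAME mail-relay.example.net.
mg      IN MX 10 mxa.example.net.
mg      IN TXT "v=spf1 include:example.net ~all"
localhost IN A 127.0.0.1
"""

if __name__ == "__main__":
    for finding in lint_zone(SAMPLE_ZONE, "example.com"):
        print(finding)
```

On the sample it reports the mg owner (CNAME beside MX and TXT) and the localhost owner; webmail, a CNAME standing alone, passes. For real zones named-checkzone remains the authoritative check; this is only the two rules from the threads, in a form that can run in a pre-commit hook.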


Re: Upgrade from 9.14 to 9.16 - transfer-source with low source port no longer works.

2020-05-26 Thread Matus UHLAR - fantomas

On 26.05.20 11:38, Ingeborg Hellemo wrote:

If I do a full 'rndc reload' I finally get an error:

May 26 11:08:14 ludvigsen named[25953]: unable to create dispatch for reserved port 129.242.5.254#53: permission denied

Since this is a host with several virtual interfaces this address/port is set
in named.conf:

   transfer-source 129.242.5.254 port 53;

The solution was to remove the 'port 53' part of the config,


FYI, using a static source port has been discouraged for about 12 years, since it
makes DNS servers prone to DNS cache poisoning:
https://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience-05

I guess source port 53 was meant long ago to keep DNS from being
firewalled. However, nowadays it's long obsolete and insecure.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"They say when you play that M$ CD backward you can hear satanic messages."
"That's nothing. If you play it forward it will install Windows."
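A configuration check for the point made above: a pinned source port in a named.conf `*-source` statement leaves the 16-bit transaction ID as the only thing a forged reply has to guess, and the fix the original poster arrived at is simply to drop the `port` clause. This added Python example is not BIND's code or any poster's; it finds `query-source`, `transfer-source` and `notify-source` statements (and their `-v6` forms) that pin a numeric port, and rewrites them without it. SAMPLE_CONF is constructed; `port *` is BIND's spelling for a random port and is left alone.

```python
"""Find and remove pinned source ports in named.conf *-source statements.

Added example, not code from BIND. SAMPLE_CONF is constructed.
"""
import re

SOURCE_OPTIONS = ("query-source", "query-source-v6",
                  "transfer-source", "transfer-source-v6",
                  "notify-source", "notify-source-v6")

# Longest names first so "query-source-v6" is not matched as "query-source".
_STATEMENT = re.compile(
    r"\b(" + "|".join(re.escape(o) for o in sorted(SOURCE_OPTIONS, key=len, reverse=True))
    + r")\b([^;{}]*);",
    re.IGNORECASE,
)
_PORT = re.compile(r"\s+port\s+(\d+|\*)", re.IGNORECASE)


def strip_comments(conf):
    """Remove /* */, // and # comments so commented-out statements are not reported."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def fixed_source_ports(conf):
    """List (option, port) for every *-source statement that pins a numeric port."""
    findings = []
    for m in _STATEMENT.finditer(strip_comments(conf)):
        port = _PORT.search(m.group(2))
        if port and port.group(1) != "*":          # "port *" means random, which is fine
            findings.append((m.group(1).lower(), int(port.group(1))))
    return findings


def unpin_source_ports(conf):
    """Return the configuration with the numeric "port N" clause removed from those statements."""
    def fix(m):
        args = re.sub(r"\s+port\s+\d+\b", "", m.group(2), flags=re.IGNORECASE)
        return f"{m.group(1)}{args};"
    return _STATEMENT.sub(fix, conf)


# Constructed sample: two pinned ports, one unpinned address, one explicit random port
SAMPLE_CONF = """\
options {
    directory "/var/named";
    // weak: both statements pin the source port
    query-source address 192.0.2.53 port 53;
    transfer-source 192.0.2.53 port 53;
    notify-source 192.0.2.53;              /* no port clause: BIND picks a random one */
    query-source-v6 address 2001:db8::53 port *;
};
"""

if __name__ == "__main__":
    for option, port in fixed_source_ports(SAMPLE_CONF):
        print(f"{option} pins source port {port}")
    print(unpin_source_ports(SAMPLE_CONF))
```

Removing the clause is enough; BIND then randomises the source port on its own, and the reserved-port "permission denied" error from the log above disappears with it.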


Re: oddity with trubuiltpambula.com.au

2020-04-19 Thread Matus UHLAR - fantomas

On Sun, 2020-04-19 at 12:26 +0100, Matthew Richardson wrote:

The answer is that the .au registry has NS (delegation) records for
the webcity.com.au servers, but those servers return NS records for
the instanthosting.com.au servers.  As you observed, they have the
same IPs.


On 19.04.20 22:15, Karl Auer wrote:

I didn't pose my question clearly enough. Why would WebCity put NS
records into .au that delegate to themselves with different names?

It's common enough that the .au delegations made by registry X point to
the nameservers of hosting company Y, but in this case they point to
themselves, so why the different names?


It's common when the registrar is not the same as the DNS master.
Better contact either to fix that.
While it may work, it can also cause unexpected problems.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
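An added example, not from the thread: comparing the NS set the registry delegates to with the NS set the zone itself publishes, which separates this thread's harmless case (same hosts under different names) from a real mismatch. The answer texts, the ns1/ns2 hostnames and the 192.0.2.x addresses are constructed.

```python
"""Added example, not from the list post: compare parent-side (registry)
and child-side NS sets from ``dig +noall +answer`` style text and classify
the delegation.  All data below is constructed."""

# Constructed answer texts in "dig +noall +answer" layout.
PARENT_NS = """
trubuiltpambula.com.au.  3600 IN NS ns1.webcity.com.au.
trubuiltpambula.com.au.  3600 IN NS ns2.webcity.com.au.
"""
CHILD_NS = """
trubuiltpambula.com.au.  3600 IN NS ns1.instanthosting.com.au.
trubuiltpambula.com.au.  3600 IN NS ns2.instanthosting.com.au.
"""
# Constructed address table standing in for A lookups of each nameserver.
ADDRESSES = {
    "ns1.webcity.com.au.": {"192.0.2.10"},
    "ns2.webcity.com.au.": {"192.0.2.11"},
    "ns1.instanthosting.com.au.": {"192.0.2.10"},
    "ns2.instanthosting.com.au.": {"192.0.2.11"},
}


def parse_ns_answer(text: str) -> set[str]:
    """Pull NS targets out of answer-section lines; lowercase them and add
    the trailing dot so parent and child spellings compare equal."""
    targets = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[-2].upper() == "NS":
            name = fields[-1].lower()
            targets.add(name if name.endswith(".") else name + ".")
    return targets


def compare_delegation(parent: set[str], child: set[str],
                       addr_of: dict[str, set[str]]) -> dict:
    """Names are compared literally; hosts are compared as the union of
    each side's resolved addresses."""
    parent_addrs = set().union(*(addr_of.get(n, set()) for n in parent))
    child_addrs = set().union(*(addr_of.get(n, set()) for n in child))
    if parent == child:
        verdict = "consistent"
    elif parent_addrs == child_addrs:
        verdict = "same hosts, different names"      # this thread's case
    elif parent_addrs & child_addrs:
        verdict = "partially overlapping hosts"
    else:
        verdict = "different hosts (check for a lame delegation)"
    return {
        "verdict": verdict,
        "only_in_parent": sorted(parent - child),
        "only_in_child": sorted(child - parent),
        "unresolved": sorted(n for n in parent | child if n not in addr_of),
    }


if __name__ == "__main__":
    print(compare_delegation(parse_ns_answer(PARENT_NS),
                             parse_ns_answer(CHILD_NS), ADDRESSES))
```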


Re: bind 9.11.2 - domain and subdomain with one zone does not work

2020-04-03 Thread Matus UHLAR - fantomas

On 03.04.20 14:20, David Alexandre M. de Carvalho wrote:

Where can I find out about alternatives to point 2?
I have a Windows subdomain configured in that way and never realized there was a
better way.


On 03.04.20 16:35, Matus UHLAR - fantomas wrote:

If you want to have a subdomain with a different set of nameservers, you should
put it into another zone, and it should have a different SOA as well.
So "sub" would have NS records in "test.local.", but "sub.test.local" would
have its own zone and its own file, containing SOA, NS, MX etc. records.


I think I should rephrase this:
You should put NS records for a subdomain only if you are creating another zone.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".


Re: bind 9.11.2 - domain and subdomain with one zone does not work

2020-04-03 Thread Matus UHLAR - fantomas

On 03.04.20 14:20, David Alexandre M. de Carvalho wrote:

Where can I find out about alternatives to point 2?
I have a Windows subdomain configured in that way and never realized there was a
better way.


If you want to have a subdomain with a different set of nameservers, you should
put it into another zone, and it should have a different SOA as well.
So "sub" would have NS records in "test.local.", but "sub.test.local" would
have its own zone and its own file, containing SOA, NS, MX etc. records.


why so much complexity to begin with?

t1   A  127.0.0.3
sub.t30  A  127.0.0.2


On 03.04.20 11:53, mail-list-us...@materna.de wrote:

---
Well, in first place to make it human readable, if needed to look into the zone.


Well,
1. The above is more readable than what you proposed.

2. Delegating a subdomain (sub) to other servers via NS records and setting
   any other records in the zone is a bad idea.

3. Putting localhost into any domain is useless and I discourage you from
   doing that.


For some subdomains we would have entries for the subdomain itself, like a couple of
NS, TXT, A, CNAME, SRV etc. records.
So with these thoughts, the documentation gives this as a valid option and it
worked on a small scale on the test system, so we decided to go this way.
If this needs to be changed, I need a reason besides 'it is easier this way',
because these zones get generated from an automated system and I need an
argument to get permission for a change request.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
- Have you got anything without Spam in it?
- Well, there's Spam egg sausage and Spam, that's not got much Spam in it.


Re: bind 9.11.2 - domain and subdomain with one zone does not work

2020-04-03 Thread Matus UHLAR - fantomas

why so much complexity to begin with?

t1   A  127.0.0.3
sub.t30  A  127.0.0.2


On 03.04.20 11:53, mail-list-us...@materna.de wrote:

---
Well, in first place to make it human readable, if needed to look into the zone.


Well,
1. The above is more readable than what you proposed.

2. Delegating a subdomain (sub) to other servers via NS records and setting
   any other records in the zone is a bad idea.

3. Putting localhost into any domain is useless and I discourage you from
   doing that.


For some subdomains we would have entries for the subdomain itself, like a couple of
NS, TXT, A, CNAME, SRV etc. records.
So with these thoughts, the documentation gives this as a valid option and it
worked on a small scale on the test system, so we decided to go this way.
If this needs to be changed, I need a reason besides 'it is easier this way',
because these zones get generated from an automated system and I need an
argument to get permission for a change request.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Support bacteria - they're the only culture some people have.
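For the three messages above on sub.test.local, an added example (not from the thread): a lint over a constructed test.local. zone that flags exactly what point 2 warns about, data at or below a name that the same zone delegates with NS records, while leaving the NS set at the cut and its glue alone.

```python
"""Added example, not from the list posts: find records a parent zone
cannot serve because they sit at or under one of its own delegation
points.  Only the NS set (and DS) at the cut and glue addresses for the
NS targets belong there; anything else is occluded.  Zone text is
constructed for the thread's "test.local." setting."""

# Constructed zone file (not from the thread).
ZONE_TEXT = """
$ORIGIN test.local.
@          3600 IN SOA  ns1 hostmaster 2020040301 7200 3600 1209600 3600
@          3600 IN NS   ns1
ns1        3600 IN A    192.0.2.1
sub        3600 IN NS   ns1.sub          ; delegation: fine
ns1.sub    3600 IN A    192.0.2.53       ; glue for the NS target: fine
sub        3600 IN TXT  "owned by team"  ; non-NS data at the cut: occluded
www.sub    3600 IN A    192.0.2.80       ; data below the cut: occluded
mail       3600 IN A    192.0.2.25       ; ordinary record: fine
"""

CLASSES = {"IN", "CH", "HS"}


def absolute(name: str, origin: str) -> str:
    """Turn a zone-file name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text: str, origin: str = ".") -> list[tuple[str, str, str]]:
    """Minimal parser: $ORIGIN, '@', relative names, optional TTL and
    class, ';' comments.  NS targets are made absolute for glue matching."""
    records = []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        owner = absolute(fields.pop(0), origin)
        if fields[0].isdigit():                 # optional TTL
            fields.pop(0)
        if fields[0].upper() in CLASSES:        # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if rtype == "NS":
            rdata = absolute(rdata, origin)
        records.append((owner, rtype, rdata))
    return records


def is_below(name: str, ancestor: str) -> bool:
    return name != ancestor and name.endswith("." + ancestor)


def occluded_records(records, apex: str) -> list[tuple[str, str, str]]:
    """(owner, type, reason) for every record hidden behind a zone cut."""
    cuts = {o for o, t, _ in records if t == "NS" and o != apex}
    glue_names = {r for o, t, r in records if t == "NS" and o in cuts}
    problems = []
    for owner, rtype, rdata in records:
        cut = next((c for c in cuts if owner == c or is_below(owner, c)), None)
        if cut is None:
            continue
        if owner == cut and rtype in ("NS", "DS"):
            continue                            # the delegation itself
        if rtype in ("A", "AAAA") and owner in glue_names:
            continue                            # glue for an in-subtree NS
        problems.append((owner, rtype, f"occluded by delegation of {cut}"))
    return sorted(problems)


def lint_zone(text: str) -> list[tuple[str, str, str]]:
    records = parse_zone(text)
    apex = next(o for o, t, _ in records if t == "SOA")
    return occluded_records(records, apex)


if __name__ == "__main__":
    for problem in lint_zone(ZONE_TEXT):
        print(*problem)
```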


Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-21 Thread Matus UHLAR - fantomas

>On Fri, Mar 20, 2020 at 3:14 AM David Klatt  wrote:
>> I can't find a way to do the following although I invested plenty of time
>> in research - maybe you guys have an idea:
>>
>> With bind, I'd need to serve a single A record with  30+  IP addresses  and
>> these addresses have to be returned in random order round robin,
>> which is done with:

>> Now I'd like bind to just return a  random subset  of e.g. 5 IP addresses
>> if someone requests this A record.

On 20.03.20 10:37, Warren Kumari wrote:
>I realize that this is the BIND list, but this sounds like an almost
>perfect example of PowerDNS's LUA record type (or something with
>CoreDNS)
>Other than that, the only thing I can think of is BIND with DLZ and a
>database that returns a random subset from a DB query, but that sounds
>awful...




On Fri, Mar 20, 2020 at 1:04 PM Matus UHLAR - fantomas 
wrote:

I don't think BIND can do this at all. And I don't think it should...

>> The reason for this is that in my case some (thousands of) older clients (that I can't control)
>> seem unable to handle that many IPs - the OS resolver just returns an error.

Why not use an IPVS-like load balancer and hide all hosts behind one or two IPs?
That would help you much more, among other things when any of those machines
fails.


On 20.03.20 13:15, Warren Kumari wrote:

That's almost definitely the right answer, but there *are* cases where
something like what the OP was asking for -  0.pool.ntp.org springs to
mind as one example.
But, yes, a load balancer / anycast is almost definitely going to be a
better choice...


According to the OP's request mentioning multiple 10.0.0.* addresses I assumed
this is not a case of IPs spread over the world but more like a server farm
providing the same services.

In that case IPVS would help.

I realize now I shouldn't have removed the IPs from my reply, so it would be
clearer.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphillis. Good thing we have penicillin." - Matthew Alton


Re: How to get random subset of large rrset (30+ IPs for round robin)?

2020-03-20 Thread Matus UHLAR - fantomas

On Fri, Mar 20, 2020 at 3:14 AM David Klatt  wrote:

I can't find a way to do the following although I invested plenty of time
in research - maybe you guys have an idea:

With bind, I'd need to serve a single A record with  30+  IP addresses  and
these addresses have to be returned in random order round robin,
which is done with:



Now I'd like bind to just return a  random subset  of e.g. 5 IP addresses
if someone requests this A record.


On 20.03.20 10:37, Warren Kumari wrote:

I realize that this is the BIND list, but this sounds like an almost
perfect example of PowerDNS's LUA record type (or something with
CoreDNS)
Other than that, the only thing I can think of is BIND with DLZ and a
database that returns a random subset from a DB query, but that sounds
awful...


I don't think BIND can do this at all. And I don't think it should...


The reason for this is that in my case some (thousands of) older clients (that I can't control)
seem unable to handle that many IPs - the OS resolver just returns an error.


Why not use an IPVS-like load balancer and hide all hosts behind one or two IPs?
That would help you much more, among other things when any of those machines
fails.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.


Re: how can we restart bind-9.14.11

2020-03-16 Thread Matus UHLAR - fantomas

On 16.03.20 19:18, ShubhamGoyal wrote:

I installed bind version 9.14.11 from a tar file.


why tar file?


It is
working OK.



I tried
1. systemctl restart named
2. /etc/rc.d/init.d/bind restart
3. service named restart

But I am not able to restart the service.
Please tell me how I can restart bind 9.14.11.


Maybe your OS distribution provides a package that is maintained by their
maintainers.

When you install from a tar file, you must maintain it yourself (fix security
bugs etc.).

I recommend installing from the distro.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was an Windows 95 beta test site.


Re: Fwd: Re: recursive resolver

2020-03-12 Thread Matus UHLAR - fantomas

On 12.03.20 11:54, ShubhamGoyal wrote:

We made a recursive resolver (CentOS 7, 8 GB RAM, 250 GB hard disk, and the network
speed is also good). It replies in 1200 msec and 1800 msec (which is very
slow); if it replies from cache, 80 msec or 76 msec.
So I want to know
how I can improve my recursive resolver speed,
and if we apply syslog (centralised logging of bind), is there any
benefit for the recursive resolver?


If you have anything like DNS fixups set on your routers, turn them off now.
Those don't offer any real fixups, but they do mess up DNS service instead.




In order for us to help you better, you need to provide more information. What
makes you think The recursive resolver is slow? Do you have syslog? Is the BIND
instance slow, or is it the operating system (low RAM? Slow disk?) or is this a
network-related issue?

On Thu, Mar 12, 2020 at 11:00 AM ShubhamGoyal < shubhamgo...@cdac.in
<mailto:shubhamgo...@cdac.in> > wrote:

Dear sir,
how can we improve my DNS recursive resolver speed.



--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Saving Private Ryan...
Private Ryan exists. Overwrite? (Y/N)


Re: bind as "reverse-proxy"

2020-02-26 Thread Matus UHLAR - fantomas

On 26.02.20 15:28, Erich Eckner wrote:
is it possible to set up a zone in bind similar to an http(s) reverse
proxy:


No. DNS is very far from proxying.

1. The server appears authoritative to clients (the consulted server 
is indeed authoritative).


2. Each request is passed on to the other server (or served from 
cache), but the information is *not* obtained by zone transfers 
(because the other server does not have/allow this).


For records that are managed locally, BIND is authoritative.
For records that are stored elsewhere, BIND is NOT authoritative.

So, either you have an authoritative server, or you don't.

What is the point of your request?
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"Where do you want to go to die?" [Microsoft]


Re: Unable to completely transfer root zone

2020-02-14 Thread Matus UHLAR - fantomas

Matus UHLAR - fantomas  wrote:

If you use cisco routers, ask network admins to disable any DNS "fixup"
functionality, because that usually causes problems.


On 14.02.20 12:47, Tony Finch wrote:

In my experience all Cisco PIX/ASA fuxup options are horribly broken and
should be turned off.


I agree, but FW admins won't like a generalisation like that.
Currently we can say that DNS fixup caused the DNS to fail and should be
turned off.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
There's a long-standing bug relating to the x86 architecture that
allows you to install Windows.   -- Matthew D. Fuller


Re: Unable to completely transfer root zone

2020-02-14 Thread Matus UHLAR - fantomas

On 14.02.20 09:32, von Dein, Thomas wrote:

As reported we were unable to transfer the root zone for 1 week, then the
expire time was over and we had an outage.  


Unfortunately this happens when you decide to mirror the root zone and it fails.

You should use more primary servers when possible, and change the root zone type
from secondary to hint if it fails.

Note that rarely does anyone need a local copy of the root zone.


Now we've seen in the logs
many many log entries as the following on slave nameservers during that
week when our local copy were still valid but the transfer was failing:

09-Jan-2020 16:24:23.361 edns-disabled: success resolving
'some-random-hostname.some-domain.de/A' (in '.'?) after reducing the
advertised EDNS UDP packet size to 512 octets

Besides the EDNS problem: it says (in '.'?). What does this mean?


Don't you have any problem with an "intelligent" firewall on your side?
If you use cisco routers, ask network admins to disable any DNS "fixup"
functionality, because that usually causes problems.


The setup is like this:

Proxy dmz with local forwarding bind => internet bind => internet


Why not client => bind => internet?
One bind is superfluous there, isn't it?


The error above occurred on the forwarding bind in the proxy dmz.


So the problem firewall is between "forwarding bind" and "internet bind".


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: Weird behaviour in wildcard CNAME - is this feature or bug? Can it be changed?

2020-02-11 Thread Matus UHLAR - fantomas

On 11.02.20 15:58, Petr Bena wrote:

for example test.prod.app.pcp.cn.prod

step 2) search the available zones - the zone in question here is 
pcp.cn.prod which is found


step 3) no matching name is found but *.prod.app exists inside of 
pcp.cn.prod which is returned


However, with payis.test.prod.app.pcp.cn.prod

step 2) search the available zones - the zone in question here is 
pcp.cn.prod which is found


step 3) no matching name is found, *.prod.app exists inside of 
pcp.cn.prod but NXDOMAIN is returned instead?


Because defining the name funding-gw.payis.prod.app.pcp.cn.prod also defined the empty
domain payis.prod.app.pcp.cn.prod, and since it exists (although empty),
*.prod.app.pcp.cn.prod does not apply to payis.prod.app.pcp.cn.prod nor to
any subdomain under it.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
WinError #98652: Operation completed successfully.
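An added example, not from the thread: the lookup algorithm behind the answer above, with empty non-terminals and closest-encloser wildcard matching (RFC 4592) over a constructed pcp.cn.prod. zone. Names follow the answer (x.payis.prod.app rather than the question's payis.test.prod.app); the record data and the qtype-agnostic lookup are assumptions.

```python
"""Added example, not from the list post: RFC 1034/4592 lookup over a
constructed zone.  Every ancestor of an existing owner name is itself a
node (an empty non-terminal), and a wildcard only matches names whose
closest existing ancestor is the wildcard's parent.  The qtype is
ignored; the point is which names exist."""

APEX = "pcp.cn.prod."

# Constructed records (owner, type, rdata); names follow the thread.
RECORDS = [
    ("pcp.cn.prod.", "SOA", "ns1 hostmaster 1 7200 3600 1209600 300"),
    ("pcp.cn.prod.", "NS", "ns1.pcp.cn.prod."),
    ("ns1.pcp.cn.prod.", "A", "192.0.2.1"),
    ("frontend.pcp.cn.prod.", "A", "192.0.2.30"),
    ("*.prod.app.pcp.cn.prod.", "CNAME", "frontend.pcp.cn.prod."),
    # Defining this name implicitly creates the empty non-terminal
    # payis.prod.app.pcp.cn.prod., which shadows the wildcard for that
    # name and everything under it.
    ("funding-gw.payis.prod.app.pcp.cn.prod.", "A", "192.0.2.20"),
]


def parent(name: str) -> str:
    """Strip the leftmost label."""
    return name.split(".", 1)[1]


def existing_nodes(records, apex: str) -> set[str]:
    """Owner names plus every ancestor down to the apex (the ENTs)."""
    nodes = set()
    for owner, _, _ in records:
        name = owner
        while True:
            nodes.add(name)
            if name == apex:
                break
            name = parent(name)
    return nodes


def lookup(qname: str, records=RECORDS, apex: str = APEX):
    """Return (status, rrs); status is ANSWER, NODATA or NXDOMAIN."""
    if qname != apex and not qname.endswith("." + apex):
        raise ValueError(f"{qname} is not inside {apex}")
    nodes = existing_nodes(records, apex)
    if qname in nodes:
        rrs = [(o, t, r) for o, t, r in records if o == qname]
        # An existing name without data (an ENT) gives NODATA; the
        # wildcard is never consulted for a name that exists.
        return ("ANSWER", rrs) if rrs else ("NODATA", [])
    # Closest encloser: the longest existing ancestor of qname.
    encloser = parent(qname)
    while encloser not in nodes:
        encloser = parent(encloser)
    wildcard = "*." + encloser
    synthesized = [(qname, t, r) for o, t, r in records if o == wildcard]
    return ("ANSWER", synthesized) if synthesized else ("NXDOMAIN", [])


if __name__ == "__main__":
    for q in ("test.prod.app.pcp.cn.prod.",
              "payis.prod.app.pcp.cn.prod.",
              "x.payis.prod.app.pcp.cn.prod."):
        print(q, lookup(q))
```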


Re: Getting all IP adresses for a domain name

2020-01-29 Thread Matus UHLAR - fantomas

On 29.01.20 19:12, Leroy Tennison wrote:

I ran into a situation where the IP (v4) address returned for a domain was
different from two systems.  It turned out that two DNS servers served the
domain and were replying with different IP addresses (discovered by doing
whois on the domain followed by dig @ for each name server).
This led me to wonder "How would I get all IP addresses if DNS round robin
was being used?"  I work with external organizations so I can't count on
the DNS server being ISC's.  I'm not concerned about multiple servers
behind a single IP address (Anycast for instance) because I consider
issues related to that to be the destination organization's problem; I'm
only concerned with what possible IP addresses could be returned in
response to a query.


In standard operation, DNS returns all A records associated with a domain
name.

However, current CDNs tend to send different IPs to different clients,
often just the one that is topologically closest to the client.

Unfortunately, such CDNs don't provide all possible addresses, so I guess you
are unlucky here.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
BSE = Mad Cow Desease ... BSA = Mad Software Producents Desease


Re: BIND - in loop rewrite zone serial no.

2020-01-28 Thread Matus UHLAR - fantomas
... (signed): sending notifies (serial 2020011058)
Jan 15 12:04:09 mydnsserver01 named[1172]: zone 0.10.in-addr.arpa/IN (signed): sending notifies (serial 2020011059)
Jan 15 12:08:01 mydnsserver01 named[1172]: zone 0.10.in-addr.arpa/IN (signed): reconfiguring zone keys

Could you please help me with troubleshooting?

There are no problems.
Periodic incremental re-signing.

Emmanuel.




--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
On the other hand, you have different fingers.


Re: BIND Workaround for Broken DNS

2020-01-18 Thread Matus UHLAR - fantomas

On 17.01.20 22:03, Crist Clark wrote:

We have a service vendor with broken DNS. It looks like a well known
problem of F5 load balancers. For the name,

efederation.wip.ceridian.com (you get redirected there from
https://iam.ceridian.com)

The DNS "servers" return an answer for an A request, but when you ask
for any other record type, they send a name-does-not-exist status,
"NXDOMAIN." Once our caching BIND servers get the NXDOMAIN response,
the A record info doesn't matter anymore. They return NXDOMAIN for an A
record query too.

Yes, yes, I know the Right Answer is to get the vendor to fix their
load balancer. But we get the "it works when we're at home," "it works
with Google/Cloudflare DNS," "it works on my phone when I use mobile
data," so our DNS server must be broken. We have to make it work while
we convince the vendor to fix it.


Knowing their DNS when they are at home and use mobile data, plus a few
requests to Google DNS, could change their "it works when...".

I don't know how Google DNS works; some reported it not following the standards
much.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer
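An added example, not from the thread: a toy caching resolver that reproduces the effect described above, where an NXDOMAIN received for a non-A query is cached for the whole name (RFC 2308) and then answers A queries too, shown next to the correct NODATA behaviour. The authority responses and the 192.0.2.44 address are constructed; only the hostname is from the post.

```python
"""Added example, not from the list post: why an authority that answers
NXDOMAIN for every type except A makes a caching resolver lose the A
record.  Per RFC 2308 NXDOMAIN is cached for the name, not for one type,
while NODATA (NOERROR with an empty answer) is cached per (name, type)."""

NAME = "efederation.wip.ceridian.com."
A_RRS = [(NAME, "A", "192.0.2.44")]     # constructed address


def broken_authority(qname, qtype):
    """Models the misbehaving load balancer: A works, anything else NXDOMAIN."""
    if qtype == "A":
        return ("NOERROR", A_RRS)
    return ("NXDOMAIN", [])


def correct_authority(qname, qtype):
    """Correct behaviour: the name exists, so other types get NODATA."""
    if qtype == "A":
        return ("NOERROR", A_RRS)
    return ("NOERROR", [])


class CachingResolver:
    """Minimal positive/negative cache in front of an authority function."""

    def __init__(self, authority):
        self.authority = authority
        self.positive = {}       # (name, type) -> rrs
        self.nodata = set()      # (name, type) known to be empty
        self.nxdomain = set()    # names known not to exist at all
        self.upstream_queries = 0

    def resolve(self, qname, qtype):
        # A cached NXDOMAIN for the name wins over any per-type entry.
        if qname in self.nxdomain:
            return ("NXDOMAIN", [], "cache")
        if (qname, qtype) in self.positive:
            return ("NOERROR", self.positive[(qname, qtype)], "cache")
        if (qname, qtype) in self.nodata:
            return ("NOERROR", [], "cache")
        self.upstream_queries += 1
        rcode, rrs = self.authority(qname, qtype)
        if rcode == "NXDOMAIN":
            self.nxdomain.add(qname)              # cached for the whole name
        elif rrs:
            self.positive[(qname, qtype)] = rrs
        else:
            self.nodata.add((qname, qtype))       # cached for this type only
        return (rcode, rrs, "upstream")


def a_after_aaaa(authority):
    """The thread's scenario: a dual-stack client asks AAAA, then A."""
    resolver = CachingResolver(authority)
    resolver.resolve(NAME, "AAAA")
    return resolver.resolve(NAME, "A")


def a_then_aaaa_then_a(authority):
    """Even a previously cached A answer is overridden once NXDOMAIN lands."""
    resolver = CachingResolver(authority)
    resolver.resolve(NAME, "A")
    resolver.resolve(NAME, "AAAA")
    return resolver.resolve(NAME, "A")


if __name__ == "__main__":
    print("broken :", a_after_aaaa(broken_authority))
    print("correct:", a_after_aaaa(correct_authority))
```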

