Re: Getting the name of responding server(s)

2021-09-09 Thread Ronald F. Guilmette
In message , Stephane Bortzmeyer wrote:
>Doing this sort of survey on the wild (and wide) Internet leads
>rapidly into a deep rabbit hole :-)
>
>If you go that way, one may also add to the requirements: "test the
>name servers returned, to see if they actually reply (and with bit
>AA)".

Yes.

Re: Getting the name of responding server(s)

2021-09-09 Thread Ronald F. Guilmette
In message <20210909103322.ga27...@fantomas.sk>, Matus UHLAR - fantomas wrote:
>On 09.09.21 03:20, Ronald F. Guilmette wrote:
>>I don't want and don't need SOA records. I want and need only the relevant
>>NS records.
>
>server in some cases send the SOA.

Yes. I a

Re: Getting the name of responding server(s)

2021-09-09 Thread Ronald F. Guilmette
In message , Stephane Bortzmeyer wrote:
>On Tue, Sep 07, 2021 at 10:48:57AM -0400,
> Matthew Pounsett wrote
> a message of 32 lines which said:
>
>> Yeah, you can pretty reliably get the answer in one or two steps by
>> requesting the NS set for the FQDN. You'll either get your answer, or
>>

Re: Getting the name of responding server(s)

2021-09-07 Thread Ronald F. Guilmette
In message Matthew Pounsett wrote:
>On Tue, 7 Sept 2021 at 03:45, Stephane Bortzmeyer wrote:
>
>> The only solution is chasing the delegations from the root (which is
>> what dig +trace is doing). Caching speeds it, this is why it is
>> better to go through your resolver than using dig +trace.

Re: Getting the name of responding server(s)

2021-09-07 Thread Ronald F. Guilmette
In message , Stephane Bortzmeyer wrote:
>> I know that I can get this information by using "dig +trace", but that seems
>> to be rather slow to me (wall clock time), and I want to be doing
>> this a lot.
>
>The only solution is chasing the delegations from the root (which is
>what dig +trace is

Getting the name of responding server(s)

2021-09-07 Thread Ronald F. Guilmette
Greetings all, Please forgive me if this question is a bit off-topic for this list. I can be sure if it is or isn't until I get the answer. My question is rather a simple one. Given some FQDN `D' and given some DNS record type 'T' (e.g. either A or or perhaps even PTR) does there exist

Re: dig +trace question

2019-06-21 Thread Ronald F. Guilmette
In message , Anand Buddhdev wrote:
>On 21/06/2019 22:01, Ronald F. Guilmette wrote:
>> I'll switch to using the 9.14.3 or 9.15.0 dig command as soon as possible.
>> Until then I have a nice temporary workaround, which is to just append
>> @a.root-servers.net to my dig +tr

Re: dig +trace question

2019-06-21 Thread Ronald F. Guilmette
In message , Anand Buddhdev wrote:
>On 21/06/2019 04:55, Ronald F. Guilmette wrote:
>
>> What is it about unbound/local-unbound that makes it not plug and play well
>> with dig +trace? What is it that Google's public name servers are doing
>> that a local run

Re: dig +trace question

2019-06-20 Thread Ronald F. Guilmette
In message <4e8f2e2c-7571-44dd-b012-57543debd...@ncartron.org>, Nico Cartron wrote:
>Are you sure it's not your setup?
>I have plenty of dig running on FreeBSD (with bind-utils 9.14) and also
>Debian and they work just fine.

You know what? I think we may both be right. Checking now, I think I

Re: dig +trace question

2019-06-20 Thread Ronald F. Guilmette
In message <9ba154cc-2272-46ec-a793-47ff31dca...@arin.net>, you wrote:
>Hi Ronald,
>You usually need to reinstall packages and ports after you do a major
>version upgrade to FreeBSD.

I guess that I did not make myself clear. Everything on this system is freshly installed, from scratch. I have

dig +trace question

2019-06-20 Thread Ronald F. Guilmette
I just recently "upgraded" my old FreeBSD system to the latest, 12.0 release. Now, something that used to work doesn't seem to work anymore, specifically "dig +trace" seems to no longer function at all. Example: % dig +trace -x

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-21 Thread Ronald F. Guilmette
In message <20180321055215.jm3ybhkz4vqgs...@mycre.ws>, Robert Edmonds wrote:
>{... long explanation of why things are as they are, snipped...}

Thanks for all this Robert. I guess it all makes sense. I just loathe complexity. But sometimes it is unavoidable.

>If you are

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Ronald F. Guilmette
In message , Tony Finch wrote: >BIND9 was a new codebase with very different internal library APIs, and an >ambition to completely revamp the libc -> resolver interface - this is >what the lwresd stuff was about. But no

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Ronald F. Guilmette
In message <20180320205558.23ld7b2orcfky...@mycre.ws>, Robert Edmonds wrote:
>Rick Dicaire wrote:
>> For libbind9, https://packages.ubuntu.com/trusty/libbind9-90
>
>You would also need the ".so" symlink in order to link with -lbind9,
>which is in this package:

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Ronald F. Guilmette
In message <20180320205115.wanrlpfisxx6g...@mycre.ws>, Robert Edmonds wrote:
>It should be in the SYNOPSIS section :-)
>
>http://manpages.ubuntu.com/manpages/trusty/en/man3/resolver.3.html
>...
>Link with -lresolv.

Doh! yea. You're right. It's right there.

Re: Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Ronald F. Guilmette
In message <20180320193041.d2bwvgkgyvqem...@mycre.ws>, Robert Edmonds wrote:
>> I am porting some code of mine from FreeBSD to this Ubuntu system
>> and I'm getting the following unresolved symbols at link time:
>>
>> __res_query
>> __res_mkquery
>> __res_send
>>

Help wanted: Linking to libbind9 on Ubuntu Linux

2018-03-20 Thread Ronald F. Guilmette
Apologies in advance to all. I am probably just making some bonehead mistake or small typo, but... Can someone please instruct me as to the proper way to link to libbind9 on Ubuntu 14.02 LTS? I am porting some code of mine from FreeBSD to this Ubuntu system and I'm getting the following

Question about _res structure (retrans/retry)

2017-04-27 Thread Ronald F. Guilmette
Regarding the _res structure and the resolver library res_send() function... I have been unable to find any clear statement on the exact semantics of the .retrans and .retry fields of the _res structure, specifically with respect to the res_send() function. The man page for resolver(5) seems to

NEVERMIND! (was: Strange intermittent resolution)

2016-05-27 Thread Ronald F. Guilmette
In message <56796.1464377...@server1.tristatelogic.com>, I wrote:
>Over the past week or more, I have occasionally tried to drop
>in and read the forum discussions on this one particular site:
>
> www.amlinuxmedia.com
>
>Strangely, my own local name server seems to be able to resolve
>that name

Strange intermittent resolution

2016-05-27 Thread Ronald F. Guilmette
Over the past week or more, I have occasionally tried to drop in and read the forum discussions on this one particular site: www.amlinuxmedia.com Strangely, my own local name server seems to be able to resolve that name only intermittently. First it resolved OK, then it doesn't for awhile,

Re: Punycode questions

2014-09-29 Thread Ronald F. Guilmette
In message alpine.lsu.2.00.1409291026090.18...@hermes-1.csi.cam.ac.uk, Tony Finch d...@dotat.at wrote: Ronald F. Guilmette r...@tristatelogic.com wrote: To be more specific and concrete about it, here is a small example Perl program I wrote: ftp://ftp.tristatelogic.com/pub/punybug.pl

Maximum DNS packet size?

2014-09-29 Thread Ronald F. Guilmette
My apologies if this question might also be considered a bit off-topic for this list. Is the maximum possible size of a DNS packet (just the payload part... not including IP and UDP headers) 64k bytes? I have some old code which assumes that, perhaps incorrectly.

Wildcard oddity

2014-09-29 Thread Ronald F. Guilmette
My apologies for my earlier, arguably off-topic questions. Now I have a real honest-to-goodness BIND question. I have the following simple zone file installed as test0.tristatelogic.com: === $TTL 3600 @ IN SOA

AXFR root zone

2014-09-28 Thread Ronald F. Guilmette
Is it possible to use dig to AXFR the root zone? I mean without having any special foreknowledge of which specific root zone servers will and will not accept the AXFR request? If so, how would I do that, exactly? I tried this: dig . axfr but I just got back a Transfer failed error

Re: AXFR root zone

2014-09-28 Thread Ronald F. Guilmette
In message 54287c3f.60...@ripe.net, Anand Buddhdev ana...@ripe.net wrote: ... Unlike other query types, an AXFR is not recursively looked up by a resolver. Ah! Ok. That certainly explains the failure then. Thank you for enlightening me! P.S. Strangely, this rather different query _does_

Re: AXFR root zone

2014-09-28 Thread Ronald F. Guilmette
In message 54288592.6030...@staticsafe.ca, staticsafe m...@staticsafe.ca wrote: I suggest using: xfr.lax.dns.icann.org xfr.cjr.dns.icann.org As mentioned on http://www.dns.icann.org/services/axfr/. Oh! Excellent! This is *exactly* what I needed! Thanks ever so much. Regards, rfg

Re: AXFR root zone

2014-09-28 Thread Ronald F. Guilmette
In message 54289195.2070...@ripe.net, Anand Buddhdev ana...@ripe.net wrote: If you wanted your script to be robust, then you would program it with the names of all 13 root name servers, and have it try the zone transfers from a random server each time, and trying another one in case of failure.

Punycode questions

2014-09-28 Thread Ronald F. Guilmette
I hope this post won't be considered too far off topic. I've already sent this same question off to the guy who is the current maintainer of the Net::IDN::Punycode Perl module, but while I'm still impatiently awaiting his response I'm thinking that maybe folks here could enlighten me. In a

Putting weird characters into zone files ?

2014-09-27 Thread Ronald F. Guilmette
For a special project, I need to be able to create resource records within a BIND zone file where some of the domain labels in some of the FQDNs on the left-hand-side will need to be either (a) literal asterisks or else (b) literal exclamation marks. What's the most proper way to do this? Can I

Re: Putting weird characters into zone files ?

2014-09-27 Thread Ronald F. Guilmette
In message 20140927122322.ga4...@totoro.home.mukund.org, Mukund Sivaraman m...@isc.org wrote: On Sat, Sep 27, 2014 at 04:31:07AM -0700, Ronald F. Guilmette wrote: For a special project, I need to be able to create resource records within a BIND zone file where some of the domain labels

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Ronald F. Guilmette
In message 20130614050625.850cf35e5...@drugs.dv.isc.org, Mark Andrews ma...@isc.org wrote: In message 15120.1371179...@server1.tristatelogic.com, Ronald F. Guilmette writes: * Large numbers of ISPs claim they implement BCP 38. I claimed that I was Charlie Chaplin once. Unfortunately

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-14 Thread Ronald F. Guilmette
In message 51baa714.9020...@dougbarton.us, Doug Barton do...@dougbarton.us wrote: It's obvious you're frustrated (understandable), and enthusiastic (commendable), but you might want to consider dialing down your rhetoric a bit. Great idea! I have only one small question... Would you be

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 51b991f7.9070...@imperial.ac.uk, Phil Mayers p.may...@imperial.ac.uk wrote: On 06/13/2013 06:31 AM, Ronald F. Guilmette wrote: 2) Has anyone ever proposed adding to the DNS protocol something vaguely reminiscent of the old ICMP Source Quench? If so, what became of that proposal

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 51b9fb6a.1090...@tiggee.com, David Miller dmil...@tiggee.com wrote: This could lead to wrong headed statements like, Yes, we sent X GB of traffic at your network. Yes. Last night I reconsidered at some length the scheme I put forward yesterday. (Please note that I am very

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 201306131753.r5dhrwon093...@calcite.rhyolite.com, Vernon Schryver v...@rhyolite.com wrote: I think that the use of RRL on some roots shows that keeping state is not a problem if the state keeping is not utterly stupid. (I'm not sure what, if anything, I should be reading into that

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 51ba355b.10...@dougbarton.us, Doug Barton do...@dougbarton.us wrote: No. You can still get pretty good amplification with 512 byte responses. That is an interesting contention. Is there any evidence of, or even any reasonably reliable report of any DDoS actually being perpetrated

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 20130614004155.72013.qm...@joyce.lan, John Levine jo...@iecc.com wrote: The real solution is BCP 38... I agree completely John. I cannot do otherwise. But I have to ask the obvious elephant-in-the-room question... How is that coming along so far? Maybe we could find worse ways

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 20130614020930.c1c1c35e2...@drugs.dv.isc.org, Mark Andrews ma...@isc.org wrote: Well the process has started. BCP 38. If you want hurry it along complain to your local politician that they need to consider drafting legislation that requires ISP's to implement BCP 38 in their

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 20130614022305.72272.qm...@joyce.lan, John Levine jo...@iecc.com wrote: The real solution is BCP 38... I agree completely John. I cannot do otherwise. But I have to ask the obvious elephant-in-the-room question... How is that coming along so far? Based on discussions I've had

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 20130614023140.7735d35e2...@drugs.dv.isc.org, Mark Andrews ma...@isc.org wrote: * Router manufacturers have code to support BCP 38 though it defaults to off. Well then, THAT is going to be a great help in solving the problem, isn't it? * Large numbers of ISPs claim they implement

Re: DNS Amplification Attacks... and a trivial proposal

2013-06-13 Thread Ronald F. Guilmette
In message 20130614032434.72450.qm...@joyce.lan, John Levine jo...@iecc.com wrote: So, may I infer that rather than being put off until the end of the century, which seemed to be the previous implementation timeline, pervasive implementation of BCP 38 may now be expected at around the time that

DNS Amplification Attacks... and a trivial proposal

2013-06-12 Thread Ronald F. Guilmette
I personally have been mad as hell about DNS amplification attacks, ever since I first had the displeasure of finding myself on the business end of one back in 2003. In recent days however I've been given reason to be outraged about them all over again with the news that two organizations that

Re: blacklisting replies, was: Proper CNAME interpretation

2011-09-15 Thread Ronald F. Guilmette
In message 39634800-7e01-4878-b1a1-cf384c8a6...@mac.com, Chuck Swiger cswi...@mac.com wrote: On Sep 14, 2011, at 5:09 PM, Ronald F. Guilmette wrote: In message cf550bd6-ba85-4cb3-8b03-e4e1b0829...@mac.com, you wrote: Sigh: your mail server is blacklisting email from mac.com. Yes. Sorry

Proper CNAME interpretation

2011-09-14 Thread Ronald F. Guilmette
Last night, it appeared to me that nslookup was resolving the name graphiteops.com to IP address 72.52.4.95. Today however it is no longer doing that, reporting instead: % 127.0.0.1 Address:127.0.0.1#53 Non-authoritative answer: graphiteops.com canonical name = graphiteops.com.

Re: Proper CNAME interpretation

2011-09-14 Thread Ronald F. Guilmette
In message 7d9b265c-36bf-40c1-9012-ac0a96fb8...@sackheads.org, you wrote: On Sep 14, 2011, at 4:35 PM, Ronald F. Guilmette wrote: Is there a rule that says how a resolver should behave in cases where there is both an A record and also a CNAME record for the same FQDN? Which one should take

Re: blacklisting replies, was: Proper CNAME interpretation

2011-09-14 Thread Ronald F. Guilmette
, please let me know via the contact form on my web site.) Anyway, on-list replies are OK, I think. I mean it's not like any of this is in any way off topic. On Sep 14, 2011, at 2:27 PM, Ronald F. Guilmette wrote: The second part however seems to go more to my question, which is What is the resolver

Max response packet size ?

2011-09-10 Thread Ronald F. Guilmette
When called, res_query must be passed the base address of a buffer (`answer'), and the maximum length of that buffer (`anslen'). Upon return, res_query returns the count of bytes actually used in the target buffer (i.e. the response packet size) or else -1 for errors. Assuming that one