RE: about DNS RRL

2012-10-17 Thread Todd Snyder
You're thinking that the rate limit is intended to protect YOUR server. It's actually to prevent your server from being used as a reflector to attack some OTHER server. The spoofed addresses all point to that server. Sorry, I just can't understand why my server is being used to attack

RE: records via GENERATE

2012-05-14 Thread Todd Snyder
If I remember correctly, $GENERATE is a zone file syntax only. When you start up BIND, it parses those out and loads the generated records as if you'd written them out manually. $GENERATE just helps condense the zone file, but has no impact on overall operation. I'm sure someone from ISC

RE: Hi;

2012-05-10 Thread Todd Snyder
When you do a dig, the TTL is the 2nd column: ;; ANSWER SECTION: www.google.com. 604800 IN CNAME www.l.google.com. www.l.google.com. 300 IN A 74.125.225.20 www.l.google.com. 300 IN A 74.125.225.19 www.l.google.com. 300 IN A

RE: re-bind named to all interfaces

2012-04-12 Thread Todd Snyder
You can set interface-interval to a low number to make BIND scan for new interfaces frequently: interface-interval minutes; interface-interval defines the time in MINUTES after which BIND scans all interfaces on the server and begins to listen on new interfaces (assuming they are

RE: Anycast DNS

2012-02-29 Thread Todd Snyder
The reason I've heard a few times is that users are uncomfortable using only 1 address. In the past I've done 2 or 3 addresses just so that we can give out 3 addresses that all point to the same pool of servers. Silly, I know, but sometimes it's easier to placate than to change someone/groups

RE: load balance of DNS

2012-01-16 Thread Todd Snyder
do you propose he specify the ratios with BIND? One (icky) solution is to hand out more addresses for one server than the other… www.example.com IN A 192.168.1.1 www.example.com IN A 192.168.1.2 www.example.com IN A 192.168.1.3 www.example.com IN A 192.168.2.1 Bind

RE: Bind 9.9.0b2 inline signing...

2011-11-24 Thread Todd Snyder
I have had a tendency to dig axfr from my Windows workstation +1 to you for using `dig' on Windows; most don't even know it exists and suffer the `nslookup' pain. ;-) First thing I do on a new windows box is download the BIND package and throw dig on the box ... well, right after I get

RE: Named.conf logical blocks

2011-06-28 Thread Todd Snyder
there is a perl module out there that may help: http://cpan.uwinnipeg.ca/htdocs/BIND-Config-Parser/BIND/Config/Parser.html I don't know - I'm not much of a perl monkey (or any of one, really), but it may work for what you'd like. t.

RE: Slaves and views

2011-03-07 Thread Todd Snyder
With a static-stub zone (new in BIND 9.8), your server would not prime its cache with the bad NS rrset from the authoritative server. It would simply start all query resolution for the domain in question (possibly bigger than the zone) at that server, thus bypassing the bad NS rrset.

RE: Having trouble with logging syntax

2011-03-03 Thread Todd Snyder
Change: file "/var/log/query.log" version; 3 size 5m; to: file "/var/log/query.log" versions 3 size 5m;

RE: get a domain's dns records

2011-01-21 Thread Todd Snyder
It seems to do a regular lookup, plus maybe an ANY. But I've also noticed that it seems to find test.domain.com. I often put a 'test.whatever.com. IN A 127.0.0.1' into zones, and in a couple I checked it found them, even though it shouldn't have by normal means. It also found a 'blog' record I had

RE: DIG Source IP

2010-12-09 Thread Todd Snyder
dig -b {srcip}

RE: limiting number of recursion/queries per IP address

2010-10-26 Thread Todd Snyder
What version of bind, on what OS? There may be some things you can do with iptables to limit connections http://www.debian-administration.org/articles/187 I don't recall seeing anything native to BIND that would allow for limits per src. t.

RE: One host serving both internal and external nameservice, which view should match-clients for the local host?

2010-10-25 Thread Todd Snyder
What I have done is add another IP to boxes with views, one per view (ie: 127.0.1.1/2/3/4). Then put one of those ips in each view match statement. When you do your dig, you tell it to source from a specific interface (dig -b 127.0.1.1 @localhost record.ext). That will ensure that you can

RE: Recover deleted zone file

2010-10-05 Thread Todd Snyder
If you haven't restarted the server, you could do an rndc dumpdb and grab the zone content, I'd think.

RE: I get No mail exchanger (MX) records available for rimm.com error just for a couple of domains

2010-08-19 Thread Todd Snyder
If you are trying to reach RIM.com (makers of BlackBerry), we are at rim.com ;; QUESTION SECTION: ;rim.com. IN MX ;; ANSWER SECTION: rim.com. 600 IN MX 10 mx05.rim.net. rim.com. 600 IN MX 10 mx03.rim.net. rim.com.

RE: Split view - differing SOA serial number

2010-07-08 Thread Todd Snyder
You need to specify different file locations for each of the slaved zones (even if the data is the same) in each view. Does that apply for master zones which are common (i.e. the same data) to both views as well? In my experience, you can use a shared file for mastering. We have adopted the

RE: named-checkzone

2010-06-24 Thread Todd Snyder
If you wanted to throw CVS into the mix, it would make all this pretty easy. You can have it run scripts on checkin, and you know all the files changed from a cvs diff, so it's easy to run that through the named-checkzone. CVS doesn't have to make things much more complicated. You could

RE: max-cache-size query

2010-06-01 Thread Todd Snyder
What version of BIND are you running? If you're getting FD limits, I'd think it's an older version with a bug, and your problems might also be alleviated by upgrading. Todd.

RE: Bind9 logging options

2010-05-18 Thread Todd Snyder
The DNS Servers are authoritative. I have more than 100 users for them, and the number of queries performed per minute is very high due to the nature of our organization. Moreover, I do not have a specific time window in which the timeouts occur, so it is impossible to run it 24/7! From your

RE: How to prevent slaves from contacting master for name resolution?

2010-05-18 Thread Todd Snyder
Are all the slaves authoritative for all the zones? If so, unless you're using forwarding, or some really odd delegation, queries shouldn't be going to the master servers. Todd.

RE: Help for a Windows installation

2010-05-18 Thread Todd Snyder
Alessandro, Generally people won't want to lay out entire configurations for you. Spend a little time with the DNS BIND book which will be your loving companion as a BIND admin (available on google books for free if your google-fu is good), and come back with direct questions/configuration

Drawing complex deployments

2010-04-22 Thread Todd Snyder

RE: Split View DNS

2010-03-11 Thread Todd Snyder
Yes, assuming you want them to both have the same zone data. We use a naming convention so we know when we're sharing a file. Each view gets their zonefiles with -viewname (ie: example.com-internal) appended. Common zones get -common. This keeps us from modifying the wrong file, and lets us

Re: socket.c:4524: unexpected error in BIND 9.4.3 P3

2010-03-02 Thread Todd Snyder
Good day, We've started seeing this bug on a couple servers, but I see no mention of it being fixed, so I don't know what version I should upgrade to. Nor can I find anything that lays out the impact/risk of this. Does anyone know the status of this bug? Thanks! From:

RE: query (cache) 'xxxxxxxxxxxx/A/IN' denied

2010-02-09 Thread Todd Snyder
Check out allow-query-cache.

RE: How reply the same MX RRs list for all kind of MX request

2009-11-26 Thread Todd Snyder
You can create an include file, and put it right under your SOA/NS records. The file should start with blanks... something like: @ IN SOA ns.example.com. root. ( 2009112601 ; Serial 1h ; Refresh

RE: cache dead records

2009-10-23 Thread Todd Snyder
Look at something like an F5 GTM ... it can do health checks on pools and respond with only available/geographically close/etc ips... http://www.f5.com/products/big-ip/product-modules/global-traffic-manager.html More than likely far too big for what you're looking for, but service availability

RE: DNS Server

2009-10-07 Thread Todd Snyder
There are a few approaches you could take, and it depends on what you are trying to do. If you are actually trying to block traffic to a specific server/servers, I'd say use a firewall. If you're running on a linux box, it's pretty easy:

RE: A smarter stub resolver??

2009-07-23 Thread Todd Snyder
If you're on a closed network and not using forwarders, then you'll also need a hints file and associated hints-file definition in named.conf, of course, but even so, we're still not talking about adding a great deal of additional care and feeding... It's not much, I'll gladly concede, but

RE: A smarter stub resolver??

2009-07-20 Thread Todd Snyder
The problem with this approach is when you are running a couple thousand servers - suddenly, you are running a couple thousand more instances of BIND that need monitoring/patching/care/feeding. A more clever resolver, or a simpler caching setup locally would be ideal. Otherwise, you could

RE: Bind9.5.1 under no Root Name Servers

2009-07-17 Thread Todd Snyder
Martin, It looks like you were relying on an odd mechanism to determine an outage. What you were seeing is the server filling up all the available recursive slots because they weren't getting answered, backing up the queue. It wasn't necessarily an indication of an outage, it could have meant

namespace verification

2009-07-08 Thread Todd Snyder
Good day all, I am looking at making some sweeping changes to some zone files, cleaning up NS records primarily. As I'm pondering the impact of this, I got to thinking about how to validate every single record in my namespace, and therefore the entirety of my change. What I'm thinking of is a

Changing CHROOT at BIND compile time

2009-06-10 Thread Todd Snyder
Good day, I am working at building BIND, and I will admit right now that I am not much of a developer. I noticed that when you compile/make/install BIND, it creates /var/named/chroot as the default chroot jail. We don't use that particular standard, and have been simply moving things

RE: Changing CHROOT at BIND compile time

2009-06-10 Thread Todd Snyder

Delegation of already loading zones?

2009-06-08 Thread Todd Snyder
Good day, Looking through configuration of one of my servers (ns01.local), I have example.com loading, and test.example.com loading. In example.com, someone has delegated test.example.com back to the server: test.example.com IN NS ns01.local Since I am loading

RE: Transfer delays

2009-05-28 Thread Todd Snyder
Do you have notify no; in your config options?

RE: Delegation not working

2009-05-07 Thread Todd Snyder
+trace forces the server to go to the root. It doesn't necessarily represent the path your query would normally take. If the server you are querying is authoritative for the zone you are querying, it will still trace from the root. This feature is, sadly, not as useful in an internal DNS

Delegation or PEBKAC problems?

2009-05-05 Thread Todd Snyder
Good day, (BIND 9.6.0-P1) Although, to me, delegation seems like a fairly simple configuration, I seem to be having problems. What I am trying to do is very simple - I have a lab, and I want to delegate part of the namespace to someone else in the lab. My configuration looks like this: (zone

RE: Delegation or PEBKAC problems?

2009-05-05 Thread Todd Snyder
It works that way, sometimes. If recursion is enabled on your server, it will query the other servers in the NS records on behalf of the resolver and return what it finds. If recursion is off, it will just return the NS records and the resolver is expected to follow them (and some really dumb

RE: Delegation or PEBKAC problems?

2009-05-05 Thread Todd Snyder
in forward first mode, but not in forward only mode. Has the logic here changed, or am I misinterpreting the book? Thanks! Todd.

RE: name server zone list

2009-04-03 Thread Todd Snyder
You say my DNS servers - if you own them, why not just look at the named.conf? grep zone named.conf should tell you pretty quickly. If you are using external hosting, you will need to talk to your provider. They should be able to provide you a list. t.

RE: name server zone list

2009-04-03 Thread Todd Snyder
BIND already creates an internal view _bind with class CH to contain the zones version.bind, hostname.bind, authors.bind, etc. I was thinking in terms of zones.bind living there as well. Of course there's the barber-shaving question: should zones.bind contain an entry describing itself? My

RE: name server zone list

2009-04-03 Thread Todd Snyder
I agree with Rick Dicaire that this should not be done as a zone at all. Instead, this should be implemented in rndc. I do agree with the premise that it would be nice to be able to have a list of all zones on the server. I would tend to agree that rndc is the best place for it, except in

RE: Stats

2009-03-27 Thread Todd Snyder
I know that people may laugh, but when I need to look at the stats, I pump the data into excel. A quick script turns that data into csv, pull into excel, highlight, graph, done! I've seen people using Cacti for graphing the numbers. RRD would work too, I believe. I expect you could feed the

RE: Servers loading zones with lower serials

2009-03-27 Thread Todd Snyder

Servers loading zones with lower serials

2009-03-24 Thread Todd Snyder
Good day, I saw some strange behaviour from BIND and am trying to understand it. In one of the labs, someone mucked up a DNS change and made the serial lower than the previous version. Some of the nameservers complained: Mar 23 15:07:24 ns1001 named[5913]: zone 5.1.10.in-addr.arpa/IN: serial

RE: number of zones not matching

2009-03-20 Thread Todd Snyder
I had to do this a couple times lately .. this is the simplest way I've found. It's not elegant or nifty, but it works. on the master: grep zone named.conf | awk '{print $2}' | sort > master.zones on the slave: grep zone named.conf | awk '{print $2}' | sort > slave.zones get the files on the

RE: number of zones not matching

2009-03-20 Thread Todd Snyder
John D. Vo wrote: Yes, Todd. 9.2.2. Todd Snyder wrote: I had to do this a couple times lately .. this is the simplest way I've

RE: number of zones not matching

2009-03-20 Thread Todd Snyder
BIND does NOT load RFC1918 zones. The Internet-Draft that will allow that has been stalled for over a year now. Once that draft clears the working group the #if 0/#endif around the RFC 1918 zones will be removed. Perhaps I am confused by terminology. I am referring

Dumping running config/named.conf

2009-03-04 Thread Todd Snyder
Good morning, We utilize a number of include files as part of our named.conf. I am looking to see if there is a clever way to dump the entire named.conf (or, even better, the entire RUNNING named.conf), which includes all the include files. I say running config, because sometimes you do an rndc

Error: isc_lex_gettoken() failed: I/O error

2009-02-02 Thread Todd Snyder
While running a checkzone, one of my users is getting this error: dns_master_load: /var/named/var/named:1: isc_lex_gettoken() failed: I/O error dns_master_load: /var/named/var/named:1: I/O error Google isn't helping me too much. We're thinking maybe it's terminal related - a user has had

512 byte limit

2009-01-21 Thread Todd Snyder
Good day, I am struggling to get my head around the 512 byte limit with regards to DNS queries/responses. I am sure there is much in the RTFM category, and I will continue to RTFM, but I wanted to ask a couple of specific questions. 1) If a reply is over 512 bytes, which can't in theory be done

RE: Any options in named.conf to force recursion?

2009-01-12 Thread Todd Snyder
If you don't host any zones on the server, then it would always recurse, no? The server will always answer for zones it's authoritative for, as far as my understanding. You might need to explain more about your configuration/desired outcome than you currently have. Todd.

RE: Fresh (non cached) dig

2009-01-05 Thread Todd Snyder
I've been doing some testing lately on query times. What I did was create a new zone and create a * record within it. Then, from a shell, I do dig @server $RANDOM.test.testdomain.com. For more randomness, you can combine: dig @server $RANDOM.$RANDOM.test.testdomain.com That's how I've worked

RE: recursion for reverse/in-addr.arpa zones

2008-12-12 Thread Todd Snyder
). Merci! Todd. Ben Croswell wrote: Are there NS records and/or zone forwarding for the 10.131.10.0