Re: What if the link is failed between master/slave
From: "Blason R" > OK - Got it so is there any settings available at master by which it > will keep on probing slave and as soon it is contacted NOTIFY Message is sent. No. The slave will try every REFRESH interval to see if it can contact the master. Confidentiality Notice: This electronic message and any attachments may contain confidential or privileged information, and is intended only for the individual or entity identified above as the addressee. If you are not the addressee (or the employee or agent responsible to deliver it to the addressee), or if this message has been addressed to you in error, you are hereby notified that you may not copy, forward, disclose or use any part of this message or any attachments. Please notify the sender immediately by return e-mail or telephone and delete this message from your system. ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
Re: What if the link is failed between master/slave
-- William Brown Messaging Team Technology Services, WNYRIC, Erie 1 BOCES (716) 821-7285 "bind-users" wrote on 06/29/2018 12:53:07 PM: > From: "Blason R" > I have bind Master server with me and slave is at other remote > location. My query is since I have opted for PUSH update from master > to slave over random port. > > What if the link at slave is down and NOTIFY message is not reached? > When will slave then pull the update? Yes, according to the refresh interval in the SOA record. The pertinent values are REFRESH, RETRY and EXPIRE. See section 3.3.13 of RFC1035 https://tools.ietf.org/html/rfc1035#page-19
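The timer behaviour the two replies above describe, as an added example that is not part of the original thread and not BIND's own code. It models a secondary whose NOTIFY never arrived: it checks the primary's SOA every REFRESH seconds, backs off to RETRY after a failed check, and stops serving the zone once EXPIRE seconds have passed since the last successful check (RFC 1035 section 3.3.13). The SOA RDATA string and the list of "was the primary reachable?" outcomes are constructed for the example; named's min-/max-refresh-time clamping and timer jitter are deliberately ignored.

```python
"""Walk-through of the SOA REFRESH/RETRY/EXPIRE timers (RFC 1035, 3.3.13).

Added example, not from the original bind-users thread and not BIND code.
A secondary that never receives NOTIFY polls the primary's SOA every REFRESH
seconds, backs off to RETRY after a failed poll, and drops the zone once
EXPIRE seconds have elapsed since the last successful poll. The SOA RDATA
and the reachability outcomes below are constructed; named's
min-/max-refresh-time clamping and timer jitter are not modelled.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class SOATimers:
    refresh: int  # seconds between SOA checks after a successful check
    retry: int    # seconds between SOA checks after a failed check
    expire: int   # seconds after the last success before the zone is dropped


def parse_soa_rdata(rdata: str) -> SOATimers:
    """Parse SOA RDATA as dig prints it:
    'mname rname serial refresh retry expire minimum'."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError(f"SOA RDATA needs 7 fields, got {len(fields)}: {rdata!r}")
    _mname, _rname, _serial, refresh, retry, expire, _minimum = fields
    return SOATimers(int(refresh), int(retry), int(expire))


def next_poll_delay(t: SOATimers, last_poll_ok: bool) -> int:
    """REFRESH after a successful SOA check, RETRY after a failed one."""
    return t.refresh if last_poll_ok else t.retry


def simulate(t: SOATimers, reachable: list[bool]) -> list[tuple[int, bool, bool]]:
    """Replay a sequence of SOA checks against the primary.

    reachable[i] says whether the i-th check got an answer. Returns one
    tuple per check: (seconds since the transfer at time zero, check
    succeeded, zone still being served after this check).
    """
    clock = 0         # time of the most recent check
    last_success = 0  # time of the last successful check (a transfer at t=0)
    last_ok = True
    events: list[tuple[int, bool, bool]] = []
    for ok in reachable:
        clock += next_poll_delay(t, last_ok)
        if ok:
            last_success = clock
        # The zone expires once EXPIRE seconds pass without a successful check.
        serving = (clock - last_success) < t.expire
        events.append((clock, ok, serving))
        last_ok = ok
    return events


if __name__ == "__main__":
    # Constructed SOA: refresh 1h, retry 15min, expire 2h (short, to show expiry).
    timers = parse_soa_rdata(
        "ns1.example.net. hostmaster.example.net. 2018062901 3600 900 7200 300"
    )
    for when, ok, serving in simulate(timers, [False] * 5 + [True]):
        result = "ok" if ok else "failed"
        state = "serving" if serving else "EXPIRED"
        print(f"t={when:5d}s  check {result:6}  zone {state}")
```

With the constructed timers, five failed checks in a row land at 3600, 4500, 5400, 6300 and 7200 seconds, and the zone is dropped at the fifth because 7200 seconds have elapsed since the last good check; the next successful check at 8100 seconds brings it back. Production EXPIRE values are typically days rather than hours, which is what lets a secondary ride out a long link outage.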
Re: BIND Server running but not responding
From: "/dev/rob0"> Your OS denies named the permission to create the UDP socket on which > to listen for queries. > > That means, of course, that you're not able to receive queries. It's > Windows doing this, so you need Windows help. I'm unable to provide > that. Good luck. One thing the OP can check is to see if there is another DNS server (Active Directory?) running on port 53. That will prevent named from binding to the port and running.
Re: Separate DNS slaves as internal and external
From: "G.W. Haywood via bind-users"> On Mon, 19 Mar 2018, King, Harold Clyde wrote: > > > I have DNS slaves for internal and external entities. I don't know > > how to work the NS records so that outside users would only get the > > external slave and internal would only get the internal slave. > > > > How can I do this? ... > > You could use a firewall to route the queries as required. > > You might look at Bind 'Views', for example see the Cricket book. Or use different instances of bind for internal and external resolution. Hardly any extra cost if using virtual servers. Simplifies bind configuration at the expense of maintaining double the number of servers.
Re: Minimum TTL?
From: "Reindl Harald"> To: bind-users@lists.isc.org > the ISP has no business to touch any package between source and me > because he can't know the implications - he even must not know about > them because it's not his business And yet they do (Supercookies?), and sell that data to any and all buyers.
Re: SOA settings
From: "Alan Clegg"> Wait... who are you guys??!? Alan, you're the only one I've actually met. Are the rest all Russian bots?
Re: Domain Not Resolving
Does the lone DNS server even respond on the local network? Do you see DNS traffic flowing to that server? Time for the divide and conquer method of troubleshooting to find where the failure is occurring. Good luck.
Re: Need DNS records help for single server (and IP), and multi-domain mail server.
MX records cannot point to an IP address. Try this:

x.tld MX 10 x.tld.

-- William Brown Messaging Team Technology Services, WNYRIC, Erie 1 BOCES (716) 821-7285

"bind-users" <bind-users-boun...@lists.isc.org> wrote on 08/23/2017 03:28:12 PM:
> From: Tom Browder <tom.brow...@gmail.com>
> To: bind-users@lists.isc.org
> Date: 08/23/2017 03:29 PM
> Subject: Need DNS records help for single server (and IP), and multi-domain mail server.
> Sent by: "bind-users" <bind-users-boun...@lists.isc.org>
>
> I have a single remote server with one IP address (142.54.186.2) I am using it to host multiple, independent domains. I am working on configuring a single postfix instance to serve mail for all domains (assuming I can successfully rewrite appropriate parts of mail in and out).
>
> From referring to "DNS and BIND" and previous discussions here and on the postfix users list I have re-examined my domain DNS records to see if I can cover my requirements more easily.
>
> Given such a configuration described in the first paragraph, does the following set of DNS records for a domain look appropriate:
>
> # For each domain X.TLD:
> X.TLD.     IN A     142.54.186.2.
> *.X.TLD.   IN CNAME X.TLD.
> X.TLD.     IN MX    10 142.54.186.2.
> X.TLD.     IN TXT   "v=spf1 mx -all"
>
> Thanks.
>
> With warmest regards,
>
> -Tom
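A small record linter that catches the two defects in the records above, as an added example that is not part of the original thread and not BIND code (BIND's own check is named-checkzone). SAMPLE_ZONE is a constructed copy of the posted records with the same name pattern and IP; SAMPLE_ZONE_FIXED applies the reply's advice. The rules it enforces: A RDATA must be a bare IPv4 literal (the trailing dot makes it invalid), an MX exchange must be a host name rather than an IP literal, and a CNAME cannot share its owner name with any other record.

```python
"""Lint zone records for the mistakes shown in the question above.

Added example, not from the original post and not BIND code. SAMPLE_ZONE is
a constructed copy of the posted records; SAMPLE_ZONE_FIXED applies the
reply's advice. Only the simple 'owner IN TYPE rdata' line form is handled.
"""
from __future__ import annotations

import ipaddress

SAMPLE_ZONE = """\
; constructed, mirrors the records in the question
x.tld.     IN A     142.54.186.2.
*.x.tld.   IN CNAME x.tld.
x.tld.     IN MX    10 142.54.186.2.
x.tld.     IN TXT   "v=spf1 mx -all"
"""

SAMPLE_ZONE_FIXED = """\
; constructed, after applying the advice in the reply
x.tld.     IN A     142.54.186.2
*.x.tld.   IN CNAME x.tld.
x.tld.     IN MX    10 x.tld.
x.tld.     IN TXT   "v=spf1 mx -all"
"""


def parse_records(text: str) -> list[tuple[str, str, str]]:
    """Split 'owner IN TYPE rdata' lines into (owner, type, rdata).
    ';' comments and blank lines are skipped; TTL fields are not handled."""
    records: list[tuple[str, str, str]] = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[1].upper() != "IN":
            raise ValueError(f"unsupported record line: {line!r}")
        owner, _cls, rtype, rdata = parts
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records


def looks_like_ip(name: str) -> bool:
    """True if a would-be host name is really an IPv4/IPv6 literal,
    with or without a trailing dot."""
    try:
        ipaddress.ip_address(name.rstrip("."))
        return True
    except ValueError:
        return False


def lint(text: str) -> list[str]:
    """Return one message per problem found; an empty list means clean."""
    problems: list[str] = []
    cname_owners: set[str] = set()
    other_owners: set[str] = set()
    for owner, rtype, rdata in parse_records(text):
        if rtype == "A":
            try:
                ipaddress.IPv4Address(rdata)  # rejects '142.54.186.2.' (trailing dot)
            except ValueError:
                problems.append(
                    f"{owner} A: {rdata!r} is not a valid IPv4 address "
                    "(an address never takes a trailing dot)"
                )
        elif rtype == "MX":
            fields = rdata.split(None, 1)
            pref, exchange = (fields + [""])[:2]
            if not pref.isdigit():
                problems.append(f"{owner} MX: preference {pref!r} is not an integer")
            if looks_like_ip(exchange):
                problems.append(
                    f"{owner} MX: exchange {exchange!r} is an IP literal; "
                    "MX must name a host that has its own A/AAAA record"
                )
        if rtype == "CNAME":
            cname_owners.add(owner)
        else:
            other_owners.add(owner)
    # A CNAME owner may carry no other data (RFC 1034 section 3.6.2).
    for owner in sorted(cname_owners & other_owners):
        problems.append(f"{owner} CNAME: cannot coexist with other records at the same name")
    return problems


if __name__ == "__main__":
    for label, zone in (("as posted", SAMPLE_ZONE), ("fixed", SAMPLE_ZONE_FIXED)):
        found = lint(zone)
        print(f"{label}: {len(found)} problem(s)")
        for msg in found:
            print("  -", msg)
```

Run as posted, the linter reports the A record and the MX record and nothing else; the wildcard CNAME is fine because its owner (*.x.tld.) carries no other data. The fixed set lints clean, and the MX now resolves through the apex A record, which is also what the "v=spf1 mx -all" TXT record depends on.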
Re: designing the DNS from the scratch
> But you do know the approximate speed of light in a vacuum? ~3 x 10**8 m/s More importantly, what is the speed of light in a fiberoptic connection? Speed of electrons in copper wire?
Re: wildcard not working after record deleted
Can you post a copy of the zone file, changing any server names that absolutely must be obscure?
Re: wildcard not working after record deleted
> Thanks for your answer. There are no other records with that name in the > zone, and an ANY query comes back empty but still with status of > NOERROR. Unfortunately, I can't provide the query and zone data, and I > do understand that prevents you from helping. Not even an SOA record?
Re: make AAAA type the default for dig
Mark Andrews wrote on 06/15/2017 12:02:37 AM: > Other ISP's should try to match Google's level of IPv6 commitment. I'll bet they would if they had Google's level of cash flow.
Re: Enforce EDNS
From: Matthew Pounsett> I fully support breaking resolution for such servers. I'd rather > have a hard failure on my end that I can investigate, and work > around if necessary, than have my server wasting cycles trying to > guess what sort of broken state there is on the far end. It would > also give me the heads up I need to contact the admin on the far end > and report their servers' broken behaviour. And the remote admin would say "Well, it must be your problem because no one else is complaining." I get the same line of BS when I refuse to honor a whitelisted domain in my spam filter if they fail SPF checks. Not many filters do that, but I think it is a great idea. People dread hearing from the IRS, but they can't afford to block the emails.
Re: Need feedback on RPZ service setup
From: Tony Finch> BIND will only send NOTIFY to a zone's advertised name servers - "stealth > slaves" like your consumers have to rely on the SOA refresh timer. Why not use also-notify to specify client servers?
Re: Sites that points their A Record to localhost
From: Tony Finch d...@dotat.at

;; ANSWER SECTION:
www.p3net.net. 0 IN A 199.101.28.20

That IP address indicates that your ISP is lying to you. It belongs to Skye By Nominum which is a cloud DNS service. I guess this is Skye Search since that sounds like a rent-seeking scheme based on replacing NXDOMAINs with advertising. http://www.darkreading.com/nominum-rolls-out-skye-dns-cloud-service/220100568 Maybe this is why the .berlin TLD is including the copyright notice in their TXT record: https://lists.dns-oarc.net/pipermail/dns-operations/2014-January/011211.html
Re: Sites that points their A Record to localhost
From: Alan Clegg a...@clegg.com

Yes, it seems that they have an A record for that label that provides the IP address 127.0.0.1. You probably want to ask the owner of the zone about this, as I'm not sure what the community can do about it. They have an MX record, so perhaps the domain is only intended for email.

# host p3net.net
p3net.net has address 127.0.0.1
p3net.net mail is handled by 10 aspmx.l.google.com.

Although, they should have more MX records if using google.
Re: Slowing down bind answers ?
From: Nicolas C. b...@nryc.fr

Or really mess with them and answer all A queries with 199.181.132.249

It's not a bad idea. I could wildcard all requests to an internal HTTP server saying that the DNS configuration of the client is deprecated. But that's not as much fun as sending them someplace they weren't expecting...

wbrown@WBrown:~$ dig +short disney.com
199.181.132.249
Re: Slowing down bind answers
From: Bob McDonald bmcdonal...@gmail.com Of course, anycast would have solved this issue by allowing one to add/remove a server from a properly configured environment without affecting the clients... Unless the goal is to move all DNS services off that subnet. Our network staff would love to reclaim the /24 our DNS servers are tying up with very little else on it wasting 250 addresses.
Re: Slowing down bind answers ?
From: Mark Andrews ma...@isc.org

After that specify a final date for them to fix their machines by after which you will send NXDOMAIN responses. Sometimes sending a poisoned response is the only way to get people's attention.

zone . {
	type master;
	file empty;
};

empty:
@ 0 IN SOA . stop.using.this.nameserver 0 0 0 0 0
@ 0 IN NS .
@ 0 IN A 127.0.0.1

Or really mess with them and answer all A queries with 199.181.132.249
Re: DNS with several ip adessess
From: Barry S. Finkel bsfin...@att.net One caveat with using virtual servers. Make sure that the DNS server on which the host machine relies is NOT the DNS server that is virtualized on that host. The host machine needs to be up before the VMs residing on that host come up. And you should never have only one DNS server and for reliability, they shouldn't be on the same host. Or even in the same chassis if using blades.
Re: R: DNS with several ip adessess
Use views Views +1 When were views added to BIND? We started using multiple servers in BIND 4, and I don't recall views being available back then, but I didn't configure the servers, just maintained the zones. We're still using multiple servers for internal vs. external resolution.
Re: Enabing RRL in bind
From: Gaurav Kansal gaurav.kan...@nic.in In bind 9.9.4, Response-Rate Limit doesn't work until you configure bind with the "--enable-rrl" option. I was wondering why is it so? Why is this feature not enabled by default in bind? I tried to find out the same in the ARM but didn't get any success. BIND 9.9.4 provides support for Response Rate Limiting (RRL). However it is not enabled by default when building BIND. The reason for this is that BIND 9.9 is an Extended Support Version of BIND and per our policy on management of ESVs, we do not introduce any new features or functionality to a stable ESV version. https://kb.isc.org/article/AA-01058/0
Re: Enabing RRL in bind
I wrote on 12/30/2013 11:17:58 AM: BIND 9.9.4 provides support for Response Rate Limiting (RRL). However it is not enabled by default when building BIND. The reason for this is that BIND 9.9 is an Extended Support Version of BIND and per our policy on management of ESVs, we do not introduce any new features or functionality to a stable ESV version. https://kb.isc.org/article/AA-01058/0 For more information on Extended Support Versions see https://www.isc.org/downloads/software-support-policy/
Re: bad owner name - Unable to add forward map from Nintendo Wii U ... REFUSED
From: David C. Rankin drankina...@suddenlinkmail.com I have bind 9.9.1.P1-2 with dynamic updates from dhcp 4.2.3.2-2. It has worked great, but I've run into a problem with a dreaded kids-present that I suspect is due to the game console attempting to provide a hostname containing spaces -- of all things. (Nintendo\032Wii\032U) Here is the transaction in detail: Clearly Nintendo doesn't want you to install two of these consoles on the same network either. Bad marketing!
Re: Performance Tuning RHEL 5 and Bind
From: Alan Clegg a...@clegg.com Fix your windows clients. You can't fix stupid.
Re: how-to configure BIND or any DNS implementation for cloud infrastructure
From: Odimegwu David odimegwuda...@yahoo.fr Is it possible for one to configure BIND or any DNS implementation for the cloud? I was forced to search for this forum because the exigencies of my situation necessitate a cloud. But yet, in a cloud: 1. I cannot be systems administrator, even if, I don't know yet, if the company can give me administrator privileges. 2. The IP address of the machine will not possibly be my own because the machine will be shared by numerous subscribers to the cloud infrastructure. 3. I know that like all other users, I will be given a set of user privileges that are restrictive. So, I am doubtful if my intentions are possible? Although, the domain name and zone administration recourses to me. With these constraints, is it possible for cloud DNS to be possible? I have this site in mind: polarhome.com, where I intend paying for server space. This information should be provided by the service provider as it will vary from vendor to vendor.
Re: redirecting root hints to fake internal root server
From: Colin Harvey colinedwardhar...@yahoo.com
> My environment is firewalled from the real world. For queries on zones to which I'm not master, I want to recurse to a corporate server.
>
> nslookup some.internal.hostname.com internal.corporate.server
>
> works fine. Setting . to use this internal server in the root.hints file does not. In fact I do not even see my system trying to recurse. (I'm looking at network traffic with a sniffer.)
>
> My root.hints:
>
> .                           600 IN NS internal.corporate.server.
> internal.corporate.server.  600 IN A  192.168.1.1
>
> Alternatively I've set up a forwarding zone in named.conf to query 192.168.1.1 for 'internal.hostname.com'. When monitoring the network for udp data over port 53, I'm not even seeing the query being forwarded. Why?

Add these lines to your options section:

    forward only;
    forwarders { 192.168.1.1; };

see ftp://ftp.isc.org/isc/bind9/9.9.3-P2/doc/arm/Bv9ARM.ch06.html#id2578567
Re: Secondary DNS question...
From: SH Development listacco...@starionline.com
> No, there is definitely something going on. I shut down our ns2.starionhost.net this morning for a while. Sure enough, emails started bouncing from customers even though our ns1.starionhost.net is up and on the faster machine.

What exactly do the delivery failures say when the email bounces?

Are there problems with other servers for your domain such as not getting to your website? Again, what error is returned? I miss the old days of simple browser error messages, IE's full page of nothing drives me crazy!
Re: What happens when one out of three NSs are down?
From: Chris Buxton cli...@buxtonfamily.us
> In practice, though, your best bet is to find out why that small group of customers are having problems.

Are they querying the servers directly? Are they behind the routing problem and can get to the isolated name server and not the other two servers?
Re: BIND Configuration
I don't know how it's done, I'm not a networking guru, but here we have 2 upstream providers and somehow we route out through both, and both can route in to our /16 network. No messing with DNS changes depending on which ISP is having problems. As Clarke's third law states, "Any sufficiently advanced technology is indistinguishable from magic."

Bill
Re: architecture question
From: Jeremy P jpcra...@gmail.com
> In my experience the students who get it and comprehend the concepts are able to heed the warnings of "in real life, we would do this a little different". The students who don't get it are gonna misconfigure regardless of what TLD I tell them to use in the lab. They'll probably also assign addresses in the 2001:DB8::/32 range because they saw it in documentation. My advice: hire the former and pass on the latter and everything will be ok ;-)

Many students are more clued in than some teachers give them credit for. They will understand that what they see in class is not the same as they'll see in the real world. It's that other portion that will go on to cause mayhem or get elected to public office.

It's easy to say pass on the latter, but they will eventually get hired because they managed to squeak through an A+ or Microsoft certification and someone scrapes the bottom of the barrel because they're not willing to pay for talent. Or maybe they'll just be the offspring of a friend of the person in the corner office. I wish I could say I've never seen that happen!
Re: architecture question
From: b...@bitrate.net
> on a side note, I would strongly discourage you from using .local in dns. .local is a pseudo tld, reserved for use with mdns.

This just came up with a site I support. Thanks to this list and the DNS-OARC list, I know better. Hopefully, I can redirect them to use something below their real domain for Active Directory such as ad.example.org.
Re: Mailing list reply-to setting
From: Steven Carr sjc...@gmail.com
> Any chance someone can correct the settings on this mailing list to reply to the list by default instead of the user posting the message?

Why, are the settings wrong?

I have used and later run lists for years, and supported Listserv(tm) servers for others for most of those years. There is no right or wrong for the reply settings. It's really a personal preference of the list owner as to how replies should be handled. If the message should go back to the list, use reply all. That's supported by all the major mail clients.

Subject tagging is another preference item - no right or wrong. I have my mail client filter on the sender moving list traffic into the appropriate folder. Works just as well as filtering on the tag.
Re: ISC Courses
From: rohan.he...@cwjamaica.com
> Can anyone say why Bind course offering appears so expensive? Is something else included in the package that is not specified?
>
> 2-Day Introduction to DNS BIND Training
> Price: $1,795.00

I took this class about 2 years ago. IIRC, the instructor wasn't just a trainer, but a support engineer from ISC who could also teach. He pops up here on the list from time to time. Another advantage to taking this class is you can bring your DNS issues and discuss them with others to see how they are tackling them, and get an expert's opinion on it too.

Some training company instructors are just certification mill graduates with little hands on experience. Other than the ISC course, I haven't had a truly knowledgeable instructor since my Netware 3 and 4 CNE classes. Aren't most Microsoft classes running about $1600/day?

Don't forget that any modest profit from this class will go towards the continued development of BIND.

Disclosure, I have no ties to ISC other than user of BIND and past student of the 2 day Intro to DNS and BIND.
Re: clients-per-query
From: Dwayne Hottinger dhottin...@harrisonburg.k12.va.us
> I keep seeing messages in my named.log file that say things like clients-per-query increased to 30, then later it says clients-per-query decreased to a lower number. When this happens, lookups seem to not be working. What is an acceptable value for a large network?

For the same reason it was increased to 15 in this thread:
https://lists.isc.org/pipermail/bind-users/2013-April/090402.html

Do you have a bottleneck on your queries to authoritative servers? If your recursive server can't resolve it for the first few clients that ask the question, it queues the query for subsequent clients that ask the same question. And it can't respond to any of them until it receives the answer from the authoritative server.

What do your client queries look like? Have you turned on query logging to see what the clients are trying to resolve? Which are your top clients? Did you do something to the cache settings? How many clients are you trying to support?
Re: clients-per-query
Dwayne Hottinger dhottin...@harrisonburg.k12.va.us wrote on 04/10/2013 10:27:24 AM:
> Sorry, my spambox grabbed your earlier reply, my apologies. My clients are a mixed environment of macs, windows 7/xp, androids, etc. At any one time I'll have over 3000 devices connected to the network. I actually have one internal dns server for internal network and 2 external dns servers. I turned on logging for queries on all the dns servers and will monitor that. I'm currently searching the logs to see if some clients query more than others to try and figure out if one is infected with some kind of malware.

3000 devices isn't much, even for a modest BIND server. Did this configuration work in the past? What changed? Is there a network rate limiting device in place that could be affecting the queries to the authoritative servers? Have you talked to your networking team? They would never make changes without informing, I'm sure. :)
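As an added illustration of the query-log review discussed in the two messages above (this is not code from either poster), the following Python script parses BIND 9 query-log lines, lists the noisiest clients relative to the median, and finds the names that many distinct clients are waiting on at once, which is what drives clients-per-query upward while the recursive server waits on an authoritative answer. The log lines, client addresses and names are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed sample in the BIND 9 "queries" category log format (both the
# older "client IP#port: query:" form and the 9.9 form that repeats the
# qname in parentheses). Addresses and names are invented for this example.
SAMPLE_LOG = """\
10-Apr-2013 10:27:01.101 queries: info: client 10.20.1.15#51234: query: www.example.com IN A + (10.20.0.2)
10-Apr-2013 10:27:01.204 queries: info: client 10.20.1.16#49152: query: www.example.com IN A + (10.20.0.2)
10-Apr-2013 10:27:01.305 queries: info: client 10.20.1.17#40001: query: mail.example.net IN MX + (10.20.0.2)
10-Apr-2013 10:27:01.406 queries: info: client 10.20.1.18#40002 (slow.example.org): query: slow.example.org IN A + (10.20.0.2)
10-Apr-2013 10:27:01.507 queries: info: client 10.20.1.19#40003 (slow.example.org): query: slow.example.org IN A + (10.20.0.2)
10-Apr-2013 10:27:01.608 queries: info: client 10.20.1.20#40004 (slow.example.org): query: slow.example.org IN A + (10.20.0.2)
10-Apr-2013 10:27:02.001 queries: info: client 10.20.7.77#33001: query: a1x9.bad.example IN A + (10.20.0.2)
10-Apr-2013 10:27:02.002 queries: info: client 10.20.7.77#33002: query: q7zk.bad.example IN A + (10.20.0.2)
10-Apr-2013 10:27:02.003 queries: info: client 10.20.7.77#33003: query: m2pp.bad.example IN A + (10.20.0.2)
10-Apr-2013 10:27:02.004 queries: info: client 10.20.7.77#33004: query: r8vv.bad.example IN A + (10.20.0.2)
10-Apr-2013 10:27:02.005 queries: info: client 10.20.7.77#33005: query: z3ht.bad.example IN A + (10.20.0.2)
10-Apr-2013 10:27:02.006 queries: info: client 10.20.7.77#33006: query: k0qn.bad.example IN A + (10.20.0.2)
10-Apr-2013 10:27:03.000 general: info: zone example.com/IN: loaded serial 2013041001
"""

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9A-Fa-f.:]+)#\d+"        # client address and source port
    r"(?: \([^)]*\))?"                           # optional "(qname)" in BIND 9.9+
    r": query: (?P<qname>\S+) IN (?P<qtype>\S+)"  # name and type asked for
)


def parse_query_log(text):
    """Return (client_ip, qname, qtype) for every query line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            records.append((m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")))
    return records


def top_clients(records, n=5):
    """The n busiest client addresses with their query counts."""
    return Counter(ip for ip, _, _ in records).most_common(n)


def noisy_clients(records, factor=3.0):
    """Clients whose volume exceeds factor x the median client, with the number of
    distinct names each asked for. A high count of distinct names from one host
    is the pattern to look at first when a compromised client is suspected."""
    per_client = Counter(ip for ip, _, _ in records)
    names = defaultdict(set)
    for ip, qname, _ in records:
        names[ip].add(qname)
    if not per_client:
        return []
    med = median(per_client.values())
    return sorted(
        ((ip, cnt, len(names[ip])) for ip, cnt in per_client.items() if cnt > factor * med),
        key=lambda t: -t[1],
    )


def shared_names(records, min_clients=2):
    """Names asked for by several distinct clients. While one fetch to the
    authoritative server is outstanding, all of these clients wait behind it,
    and that queue is what clients-per-query counts."""
    clients = defaultdict(set)
    for ip, qname, _ in records:
        clients[qname].add(ip)
    return sorted(
        ((q, len(c)) for q, c in clients.items() if len(c) >= min_clients),
        key=lambda t: (-t[1], t[0]),
    )


if __name__ == "__main__":
    recs = parse_query_log(SAMPLE_LOG)
    print("top clients:", top_clients(recs))
    print("noisy clients (ip, queries, distinct names):", noisy_clients(recs))
    print("names many clients wait on:", shared_names(recs))
```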
Re: Simple question about zone and CNAME
Warren Kumari war...@kumari.net wrote on 04/05/2013 06:48:08 PM:
> And then there's these folks: http://no-www.org/

Oh wow! Gee, thanks for that?

And it's always fun when you tell someone to go to a URL that doesn't include the W's and they want to type them in anyways, i.e. chat.example.com.
Re: Some Server not Resolving certain address
From: Arie L. Putra ari...@smartfren.com
> Some of my server reported SERVFAIL, I try some reference on http://www.whatsmydns.net/ and some result fail indeed, but why some of my server still resolve ok? or my other server which resolve the domain actually late to see the invalid record?

In your first message, you said "All server virtually the same configuration." What are the differences? What do the servers that do resolve have in common that is missing on the others? What do the ones that fail have in common? Could it be an issue with IPv6? Are they all running the same version of bind? Differences in named.conf? Could there be differing firewall rules for the different servers?

Try running dig from each server.
Re: Simple question about zone and CNAME
> Incidentally, we have just been asked for an A record for cam.ac.uk to duplicate www.cam.ac.uk because, and I quote, "all the publicity material sent out by the nominator [for an award for the web site] gave the URL as http://cam.ac.uk/ and this has been retweeted around."

Yes, sadly I've lost that technical battle with marketing several places now.

And then there's these folks: http://no-www.org/
Re: Suspecious DNS traffic
babu dheen wrote on 03/25/2013 12:21:30 PM:
> Still not convinced because if I need to allow 1024 port from our DNS server to external world(internet).. where is the security?

Total security requires total isolation. It is a matter of accepting some risks to perform the needed task.

> I believe we just need to allow TCP and UDP 53 from our DNS server to internet(any) which is already done. Not sure why we have to open non standard port from our DNS server to internet? Kindly provide some details.

You send request via UDP from random high port to an authoritative server. Answer is too large to fit in UDP packet, so it responds via TCP to the source port of the request (random high port from above). If you block that TCP connection, you cannot receive answer to your query. Another reason for TCP replies is DNS Response Rate Limiting (RRL).

Some modern stateful firewalls understand DNS and if there is a UDP packet sent to port 53, it will accept TCP connections back from the destination address on port 53 to the source address/port.
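To make the UDP-then-TCP exchange discussed above concrete, here is an added Python example (not from the thread) that builds a query, constructs the truncated response an authoritative server returns when the answer does not fit in UDP, checks the TC bit in the flags word, and shows the two-byte length prefix that DNS over TCP adds to the same message. The transaction ID and names are constructed; the byte layout follows RFC 1035.

```python
import struct

QR_BIT = 0x8000  # response (vs. query)
TC_BIT = 0x0200  # TrunCation: answer was cut to fit the UDP payload
RD_BIT = 0x0100  # recursion desired


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype=1, txid=0x1234):
    """A minimal recursive query: 12-byte header, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, RD_BIT, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN


def parse_header(msg):
    """Decode the fixed DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def truncated_response_for(query):
    """Constructed server behaviour: echo the ID and question, set QR and TC,
    return no answer records. The client must ask again over TCP for the rest."""
    txid, flags, qd, *_ = struct.unpack("!HHHHHH", query[:12])
    flags = QR_BIT | TC_BIT | (flags & RD_BIT)
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, 0) + query[12:]


def needs_tcp_retry(query, response):
    """A resolver retries over TCP only for a matching response with TC set.
    That retry is a new connection the resolver opens to the server's port 53
    from another ephemeral port, which is the flow a stateful rule must allow."""
    q, r = parse_header(query), parse_header(response)
    return r["qr"] and r["id"] == q["id"] and r["tc"]


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its length as a 16-bit big-endian field."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too long for TCP framing")
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    q = build_query("example.com", 1, 0xBEEF)
    r = truncated_response_for(q)
    print("response header:", parse_header(r))
    print("retry over TCP:", needs_tcp_retry(q, r))
    print("TCP-framed query:", tcp_frame(q).hex())
```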
Re: BIND roadmap
Shane Kerr sh...@isc.org wrote on 02/28/2013 05:37:26 AM:
> On Thursday, 2013-02-28 11:19:01 +1100, Mark Andrews ma...@isc.org wrote:
>> ISC has no specific plans to end BIND 9 development.
>
> As Mark correctly says:

Thanks for the clarification.

> BIND 10 is still a way off being a replacement for BIND 9. We are missing a lot of features in BIND 10 that are present in BIND 9.
>
> However, it is not as correct to say:
>
>> Development for both is still proceeding in parallel. BIND 9 is still the server to install for production. BIND 10 is more for test environments at this stage though we would like people to play with it give feedback (good or bad).
>
> If BIND 10 has the functionality that you need - authoritative-only without BIND-managed DNSSEC signing - then BIND 10 *is* production ready today.

I need recursion, at least for some of our servers and I'd rather not have to learn and maintain different versions. The main issue is that it is a 1.0.0 version, so does not have the history of installed bases to increase confidence. Will it ever be referred to as Bind 10.0.1 or will it always be bind 10 version 1.0.1? The latter seems confusing IMO.

> As of BIND 9.9.3, BIND 9.9 will be an extended support version. BIND 9.9.0 was released March 2012 so it will be supported until March 2016 and perhaps further as per the software support policy.
>
> https://www.isc.org/wordpress/software/software-support-policy/
>
> Note though that as far as I can tell, few people actually use the ESV software. Please let us know if the ESV policy works for you!

We're on a really, really old distro version (well, our externals are now 9.9.2 w/ RRL patches). New servers will run BIND compiled from source so I can pick my own upgrade path.

> Finally, we are currently discussing the BIND 9 and BIND 10 roadmaps and should have something we can publish shortly. Sorry to be so mysterious about it - it's nothing weird. :)

I look forward to seeing that.
Re: BIND roadmap
Doug wrote on 02/28/2013 12:31:21 PM:
> You probably want to have some discussions with OS vendors that embed BIND to familiarize yourself with how many people are using ESV versions from that channel.

Or even older versions. FWIW, Ubuntu 8.04LTS uses bind 9.4.2. They backport critical fixes to it though. Ubuntu LTS releases are supported for 5 years so it is nearly EOL.
BIND roadmap
Congrats to ISC and everyone that has worked on BIND 10!

I am building new name servers and redesigning our infrastructure with an eye towards streamlining, improving security and implementing DNSSEC. I had been testing a few things with BIND 9.9.x. Now that BIND 10 is released, I am wondering which way to go. Will ISC continue to develop the BIND 9 code stream? I saw a mention of RRL being added to 9.10, but how long will development continue before hitting ESV?

--
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285
Re: disabling lame server logging
Robert wrote on 02/26/2013 02:23:44 PM:
> There is a logging category for lame-servers. It's in the ARM.

So far 2 reads and I am not getting out of it what to do for selective logging based on return codes. I am going to let it stay for now as I move on to other parts of this project.

From my named.conf.logging:

    // Send all lame server errors to the null channel
    category lame-servers { null; };
Re: BIND master , Windows 2008 stub zone not transferring
From: Sowmya Manjanatha sowmy...@gmail.com
> Well, I have a stub zone on Windows 2008 server set-up to use two different BIND server as its list of IPs to use as masters. In the DNS manager on Windows, you can always right click on the zone and select Transfer zone from Master. With Wireshark on Windows, I have found that this triggers a DNS request for the given zone name.

Yes. DNS does a query for the SOA record so it can compare serial numbers. If the received serial number is not higher, no transfer is started.

> You may be right that it may very well not be a zone transfer and just a regular query/response. However, I was just going by the terminology on the zone from Windows.

Bad plan. Microsoft like to redefine terms. They do so in many of their products, even terms that have been around since before Johannes Gutenberg was moving type.

> In any case, the problem is that this zone transfer is finicky. Sometimes, the zone is loaded correctly and sometimes that Zone Transfer failed or Zone Not Loaded by DNS Server. It has also been hard to understand what makes this failure occur.

Are they allowed to do zone transfers (allow-transfer option)?

> Another problem I am also having is that Windows 2008 server doesn't seem to pick up the latest SOA i.e. it does not seem to honour the serial number within the SOA. It appears it just picks up the 1st response it gets. So, I find that sometimes the records are stale. I am trying to understand if there is any configuration in BIND that can help provide the right response the 2008 server prefers.

Do all of your masters agree on the serial number?
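An added Python example (not from either poster) of the two checks behind the replies above: the RFC 1982 serial-number comparison a secondary applies after its SOA query to decide whether a transfer is needed, and a comparison of the SOA serials returned by several masters to find the one that is lagging, which is what a client that takes the first response it gets would be hurt by. The master addresses and SOA records are constructed.

```python
SERIAL_MASK = 0xFFFFFFFF
HALF_RANGE = 1 << 31  # 2^31: the comparison window of RFC 1982 serial arithmetic


def serial_gt(a, b):
    """True if 32-bit serial a is newer than b under RFC 1982.
    Wraps correctly past 2^32 - 1; two serials exactly 2^31 apart are
    incomparable and this returns False for both orderings."""
    a &= SERIAL_MASK
    b &= SERIAL_MASK
    return (a < b and b - a > HALF_RANGE) or (a > b and a - b < HALF_RANGE)


def transfer_needed(local_serial, master_serial):
    """What a secondary decides after the SOA query: transfer only when the
    master's serial is newer. A master whose serial moved backwards (for
    example a hand-edited date-style serial) never triggers one."""
    return serial_gt(master_serial, local_serial)


SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")


def parse_soa_rdata(rdata):
    """Parse SOA rdata as dig prints it: two names followed by five integers."""
    parts = rdata.split()
    if len(parts) != 7:
        raise ValueError("SOA rdata must have 7 fields: %r" % rdata)
    rec = dict(zip(SOA_FIELDS[:2], parts[:2]))
    rec.update(zip(SOA_FIELDS[2:], (int(p) for p in parts[2:])))
    return rec


def check_masters(soa_by_master):
    """Compare the SOA serial each configured master returns. Returns which
    master holds the newest serial and which ones are stale relative to it."""
    serials = {m: parse_soa_rdata(r)["serial"] for m, r in soa_by_master.items()}
    newest = None
    for master, serial in serials.items():
        if newest is None or serial_gt(serial, serials[newest]):
            newest = master
    stale = sorted(m for m, s in serials.items() if s != serials[newest])
    return {"agree": not stale, "newest": newest, "stale": stale, "serials": serials}


# Constructed: SOA answers from two masters; 192.0.2.11 has not picked up the
# latest change, so a client that trusts whichever answers first may go stale.
MASTERS = {
    "192.0.2.10": "ns1.example.net. hostmaster.example.net. 2013022001 3600 900 604800 86400",
    "192.0.2.11": "ns1.example.net. hostmaster.example.net. 2013021901 3600 900 604800 86400",
}


if __name__ == "__main__":
    print("transfer needed (local 2013021901, master 2013022001):",
          transfer_needed(2013021901, 2013022001))
    print("wraparound, 5 newer than 0xFFFFFFF0:", serial_gt(5, 0xFFFFFFF0))
    print(check_masters(MASTERS))
```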
Re: Cannot create A record issue
Jsilliman wrote on 02/20/2013 01:44:20 PM:
> No, I think it's only loaded once, but port 53 is listening on

Try ps aux |grep named to prove it.
Re: Export / Import all zone data
Daniel wrote on 02/14/2013 02:52:55 PM:
> Just make the new server a slave of the old one, let it do zone transfers of all of the old zones, then change the config on the new one from slave to master.

I wonder if that wasn't done once before which is why the zone files don't appear to be structured the 'proper' way. Depending on the zone contents you can end up with a lot of $ORIGIN and the like which can be a little confusing. Perhaps the original poster could share some examples of what they are seeing.

Bill
Re: Slaving from DNS masters behind LVS
Nick wrote on 02/12/2013 10:00:27 PM:

> We have a pair of DNS servers running BIND behind a direct routing LVS director pair running keepalived. Let's call these two DNS servers A and B, and the VIP V.

Several years ago I was lucky enough to take the ISC class on bind. One of my questions going into the class was about using a load balancer in front of our name servers. We have two VMs for internal resolution and two more for external. The instructor said not to use a load balancer as the DNS protocol had the resilience to handle a server going down and the load balancer adds to the complexity of troubleshooting problems.

We had never had a problem with either BIND crashing or network issues making them all unavailable, so the load balancer was really a solution looking for a problem. Recently, we had to take the slave name servers (1 internal, 1 external) down to move the VMs to a different storage pool. There were no issues with everyone continuing to use the masters only.

My current goals are to restructure our DNS, but load balancing is not in the future here.

-- 
Bill
Re: Define an internal zone with only a couple of A records, then forward to an external dns server
Alberto wrote on 01/17/2013 10:09:00 AM:

> - I want to define in my dns server a zone external_partner.com, which is the domain of our partner who manages it with his dns public server dns.external_partner.com.
> - I need to define into this zone a couple of servers (vpn_host_1.external_partner.com, vpn_host_2.external_partner.com) because we connect via vpn to our partner.
> - I want that the rest of the names, e.g. www.external_partner.com, are resolved forwarding the requests to the dns of our partner.

Can you use host_[1|2].vpn.external_partner.com instead? Then you can define a zone for vpn.external_partner.com with those A records, and a forward zone for the rest of external_partner.com (but not including vpn.external_partner.com).
Re: Logging
Timothe Litt l...@acm.org wrote on 01/08/2013 08:19:56 AM:

> What I think would be more useful is if named actually reported the issues to where they'd do some good. Perhaps a DNS extension "I got an invalid message from you" - so it shows up in the log of the server (and administrator) with the problem. (I'd worry about denial of service, though if the server is in fact lame, it's not providing service - at least to that zone. Abuse of the reporting mechanism is the main risk, and avoiding it would take some careful engineering.)

My sense of most lame servers is they served entities that had disappeared from the face of the earth, taking most of their online presence with them. The only thing left was their domain registration and the NS records in the parent domain, probably due to multi-year registrations that had not yet expired. Or they could have been spam related domains that were no longer being used. Reporting such domains would simply be noise.

If there truly is a domain having technical difficulties with name resolution, I suspect that they would find out about it soon enough because no one would be able to connect to them:

- No email - outgoing email might be rejected depending on receiver's filtering policies
- No web presence
- Failure of other systems relying on DNS

Wouldn't dig +trace reveal the lame server with the BAD REFERRAL error?

From lame.log:

    08-Jan-2013 08:52:37.747 lame server resolving 'mail.desktoptrainingacademy.com' (in 'desktoptrainingacademy.com'?): 208.89.21.65#53

And dig +trace desktoptrainingacademy.com returns

    ; DiG 9.4.2-P2.1 +trace desktoptrainingacademy.com
    ;; global options:  printcmd
    .                       452564  IN      NS      g.root-servers.net.
    .                       452564  IN      NS      h.root-servers.net.
    .                       452564  IN      NS      l.root-servers.net.
    .                       452564  IN      NS      e.root-servers.net.
    .                       452564  IN      NS      a.root-servers.net.
    .                       452564  IN      NS      m.root-servers.net.
    .                       452564  IN      NS      i.root-servers.net.
    .                       452564  IN      NS      b.root-servers.net.
    .                       452564  IN      NS      c.root-servers.net.
    .                       452564  IN      NS      k.root-servers.net.
    .                       452564  IN      NS      j.root-servers.net.
    .                       452564  IN      NS      d.root-servers.net.
    .                       452564  IN      NS      f.root-servers.net.
    ;; Received 508 bytes from 168.169.12.2#53(168.169.12.2) in 0 ms

    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      a.gtld-servers.net.
    ;; Received 504 bytes from 202.12.27.33#53(m.root-servers.net) in 188 ms

    desktoptrainingacademy.com. 172800 IN   NS      ns2.evolveip.net.
    desktoptrainingacademy.com. 172800 IN   NS      ns1.pbp.com.
    ;; Received 128 bytes from 192.12.94.30#53(e.gtld-servers.net) in 94 ms

    desktoptrainingacademy.com. 3600 IN     A       216.4.210.253
    ;; Received 60 bytes from 208.89.23.71#53(ns1.pbp.com) in 12 ms

    root@ns5:/etc/bind# dig +trace mail.desktoptrainingacademy.com

    ; DiG 9.4.2-P2.1 +trace mail.desktoptrainingacademy.com
    ;; global options:  printcmd
    .                       452533  IN      NS      e.root-servers.net.
    .                       452533  IN      NS      j.root-servers.net.
    .                       452533  IN      NS      a.root-servers.net.
    .                       452533  IN      NS      d.root-servers.net.
    .                       452533  IN      NS      m.root-servers.net.
    .                       452533  IN      NS      c.root-servers.net.
    .                       452533  IN      NS      h.root-servers.net.
    .                       452533  IN      NS      k.root-servers.net.
    .                       452533  IN      NS      b.root-servers.net.
    .                       452533  IN      NS      l.root-servers.net.
    .                       452533  IN      NS      g.root-servers.net.
    .                       452533  IN      NS      i.root-servers.net.
    .                       452533  IN      NS      f.root-servers.net.
    ;; Received 508 bytes
Re: Distribute named.conf
How does Puppet compare to Ansible? http://ansible.cc/

-- 
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285
Re: Distribute named.conf
Mike wrote on 01/03/2013 02:45:29 PM:

> Thanks for sharing, first I'd heard of it...

I read about it on http://jpmens.net/

> http://en.wikipedia.org/wiki/Comparison_of_open_source_configuration_management_software

It's there today.

> I highly advise anyone new to configuration management to set up some virtual machines and play with as many solutions as time permits...they each have interesting features, and no one solution will work for everyone IMHO.

Good advice!
Re: Can we load balance traffic for CNAME records?
Manis Rane wrote on 12/14/2012 02:12:59 PM:

> That is true by default rrset-order is cyclic I believe. And even if it replies randomly I guess we will have to NAT the traffic on firewall for particular IPs

Your original post made me believe you are running Windows CAS servers. Why not use Windows High Availability features to bind one address to both servers? A colleague was setting up a HA cluster for Exchange and was explaining some of it to me. IIRC, you point to one IP address, and it points to one server; if it goes down, the other picks up the load. You have MX records point to both of them; the client access uses a different address than the SMTP process. At least that's how I understood it. Sorry, I'm not an Exchange guru.
Re: Bind not forwarding all requests
Romgo wrote on 12/10/2012 06:36:10 AM:

> I had 2 old zones with forwarders configured; the forwarders were down. One device was still using one of these zones, so bind wasn't able to contact the forwarders and fell back to the root zone. I don't really know why it tries the root zone, but since I deleted those old zones I don't have any new queries to the root zone.
>
> According to what I read about forward only: it doesn't try to contact other name servers to find information if the forwarders don't give it an answer. I had exactly the opposite behaviour.

Actually, it was operating as designed. The zones with forwarders defined were overriding the global option to forward only. Try taking down (or blocking access to) the target of your forward only statement and see if you get any resolution. Everything that you are not authoritative for should fail.
Re: SPF records in reverse zones?
Dan Mahoney wrote on 12/05/2012 06:52:43 PM:

> I can't even imagine what spamfilters would think of such an address. :)

To quote some annoying TV ads here in the US: REJECTED!
Re: SPF records in reverse zones?
Karl Auer wrote on 12/05/2012 06:44:01 PM:

> This may be a silly question, but are SPF records supposed to be supported in reverse zones? I'm thinking of a mail server that has no entry in the DNS.

The SPF query is looking for the sender's domain, not the sender's server, so the record would be added for biplane.com.au, not for 4.251.58.117.in-addr.arpa
Re: OT - Dns test Q/A
I don't have any source of a DNS exam, but since you seem to be expecting a limited set of skills, how about a few questions of the sort:

- What is an A record?
- What is an MX record?
- What does the SOA record contain?
- What does the serial number control?

Think about what they will be working with and make up simple questions about it. Perhaps come up with a few questions on what could happen if they see certain behaviors and how they would troubleshoot.

Years ago, I was told that you can either spend time creating an exam or you can spend time grading it. Creating short answer or essay questions is quick and easy. Grading them takes time. Creating a good true/false or multiple choice test is very difficult and time consuming. Grading it is a snap.

Good luck.
Re: Performance tuning
Adamiec, Lawrence ladam...@kentlaw.iit.edu wrote on 11/26/2012 01:12:48 PM:

> To the best of my knowledge, there are no problems with our DNS. We only host 25 domains. The report must also address these two specific questions:
>
> 1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in any browser?

Are you sure this is a DNS issue? Test it by adding both to /etc/hosts (or Windows equal). Reboot and flush all caches between tests.

> 2. What happens if we remove the forwarders option from named.conf?

Depends why you have the forwarders.

> I can't duplicate the issue in Q1 and I'm trying to determine a way of testing Q2.

Oh the joys of intermittent problems. Are you sure the issues reported as Q1 are real? Have the web site folks been involved in discussions or are they just blaming DNS without testing anything? If possible sneak host file entries onto a handful of user machines and see if they still complain.
Delegations
I have a zone file for example.org that has entries for a subdomain l2.example.org like this:

    vpn.l2      IN  A   10.1.2.3

Now they want to add a subdomain below l2, i.e. ad.l2.example.org with hosts such as dc.ad.l2.example.org

In the zone file for example.org, I can add NS and glue records for ad.l2.example.org as this:

    dc.ad.l2    IN  A   10.2.3.4
    dr.ad.l2    IN  A   10.4.5.6
    ad.l2       IN  NS  dc.ad.l2.example.org.
    ad.l2       IN  NS  dr.ad.l2.example.org.

Will this work, or do I need to delegate l2.example.org before I can delegate ad.l2.example.org?

-- 
William Brown
Core Hosted Application Technical Team and Messaging Team
Technology Services, WNYRIC, Erie 1 BOCES
Re: Delegations
Phil wrote on 10/31/2012 02:15:16 PM:

> Your terminology is a bit confusing here. "subdomain" is imprecise.

Sorry, I meant it as a piece of the FQDN.

> Specify what *zones* you want, and where you want the delegations, and it should be easy to see what will work and not.
>
> Yes, if I've understood what you want.

I think you got it.

>> or do I need to delegate l2.example.org before I can delegate ad.l2.example.org?
>
> No. Zone cuts can be at any label inside a zone.

Thanks. Waiting for firewall changes tonight to test.
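A small check of the delegation sketched in the "Delegations" post, added here as an example; it is not code from the thread or from BIND. It models the zone as (owner, type, rdata) tuples, finds the zone cuts, applies the same longest-match rule that decides which zone owns a name (the rule that also makes the vpn.external_partner.com / external_partner.com forward-zone split in the "Define an internal zone" thread work), and lints each cut the way a zone-file checker would: in-bailiwick NS targets need glue A records, out-of-zone targets need none, and any other data below a cut is occluded. The poster's mix of example.org and eboces.org is normalised to example.org (assumption), and the www.ad.l2 record is a constructed addition that exercises the occlusion warning.

```python
"""Delegation check for the zone sketched in the "Delegations" thread.

Added example, not code from the posts or from BIND. A zone is modelled
as (owner, type, rdata) tuples. zone_cuts() finds the delegation points,
closest_cut() applies the longest-match rule that decides which zone a
name belongs to, and check_delegations() lints each cut the way a
zone-file checker would: in-bailiwick NS targets need glue A records,
out-of-zone targets need none, and other data below a cut is occluded.
"""

APEX = "example.org."

# Records from the post, with the poster's example.org/eboces.org mix
# normalised to example.org (assumption). The www.ad.l2 record is a
# constructed addition that exercises the occlusion warning.
ZONE = [
    ("vpn.l2.example.org.", "A", "10.1.2.3"),
    ("dc.ad.l2.example.org.", "A", "10.2.3.4"),
    ("dr.ad.l2.example.org.", "A", "10.4.5.6"),
    ("ad.l2.example.org.", "NS", "dc.ad.l2.example.org."),
    ("ad.l2.example.org.", "NS", "dr.ad.l2.example.org."),
    ("www.ad.l2.example.org.", "A", "10.2.3.9"),  # constructed
]


def is_below(name, ancestor):
    """True if name is strictly below ancestor (absolute, lower-case names)."""
    return name != ancestor and name.endswith("." + ancestor)


def zone_cuts(records, apex=APEX):
    """Map each delegated name (NS owner below the apex) to its NS targets."""
    cuts = {}
    for owner, rtype, rdata in records:
        if rtype == "NS" and owner != apex:
            cuts.setdefault(owner, []).append(rdata)
    return cuts


def closest_cut(name, cuts):
    """Longest zone cut at or above name, or None when the parent zone
    itself holds the name. Cuts can sit at any label, so l2 need not be
    delegated for ad.l2 to be."""
    matches = [c for c in cuts if name == c or is_below(name, c)]
    return max(matches, key=len) if matches else None


def check_delegations(records, apex=APEX):
    """Return (level, message) findings: 'ok', 'warning' or 'error'."""
    findings = []
    cuts = zone_cuts(records, apex)
    a_owners = {o for o, t, _ in records if t == "A"}

    for cut, targets in cuts.items():
        for target in targets:
            if not is_below(target, cut):
                findings.append(("ok", f"{target} is out of zone; no glue needed for {cut}"))
            elif target in a_owners:
                findings.append(("ok", f"glue present for {target}"))
            else:
                findings.append(("error", f"missing glue A for {target} (NS of {cut})"))

    for owner, rtype, _ in records:
        cut = closest_cut(owner, cuts)
        if cut is None or owner == cut:
            continue  # parent's own data, or the NS set at the cut itself
        if not (rtype == "A" and owner in cuts[cut]):
            findings.append(("warning", f"{owner} {rtype} is below cut {cut}; occluded"))
    return findings


if __name__ == "__main__":
    for level, msg in check_delegations(ZONE):
        print(f"{level:8s} {msg}")
```

Running it on the post's records reports both glue records present and flags only the constructed www.ad.l2 record as occluded; vpn.l2 stays the parent zone's own data because l2 itself is never delegated.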
Re: Glue from Root Servers returns wrong A record, why?
ponga2...@gmail.com wrote on 09/10/2012 03:11:30 PM:

> SOA points correctly to the DNS provider (zoneedit).. there is no mention of that 216 address anywhere in the registrar :(

Is the information below correct?

    wbrown@wbrown-D630:~$ whois intaq.com

    Whois Server Version 2.0

    Domain names in the .com and .net domains can now be registered
    with many different competing registrars. Go to http://www.internic.net
    for detailed information.

       Domain Name: INTAQ.COM
       Registrar: NETWORK SOLUTIONS, LLC.
       Whois Server: whois.networksolutions.com
       Referral URL: http://www.networksolutions.com/en_US/
       Name Server: NS1.INTAQ.NET
       Name Server: NS2.INTAQ.NET
       Status: clientTransferProhibited
       Updated Date: 23-may-2011
       Creation Date: 31-may-2002
       Expiration Date: 31-may-2013

    Last update of whois database: Mon, 10 Sep 2012 19:15:16 UTC

    [Blah blah blah]

    Registrant:
       Finger Rock Technology
       5030 N. Post Trail
       Tucson, AZ 85750
       US

       Domain Name: INTAQ.COM

    [Blah blah blah]

       Administrative Contact, Technical Contact:
          Finger Rock Technology   arma...@fingerrock.com
          5030 N. Post Trail
          Tucson, AZ 85750
          US
          (520) 906-5437 fax: 123 123 1234

       Record expires on 31-May-2013.
       Record created on 31-May-2002.
       Database last updated on 10-Sep-2012 15:15:47 EDT.

       Domain servers in listed order:

       NS1.INTAQ.NET   216.146.46.198
       NS2.INTAQ.NET   216.146.46.198
Re: how to filter hundreds of domains?
Russell Jones wrote on 08/30/2012 09:39:17 AM:

> Normal web filtering software that auto updates is a better approach. Using Bind with a manual list of domains to try to achieve this is like trying to kill an ant hill 1 ant at a time

There are several sources of RPZ data such as Spamhaus and SURBL. Both are respected sources of spam filtering data. (Disclosure: My employer subscribes to both for spam filtering, I have no financial stake)
Re: how to filter hundreds of domains?
Russell Jones russ...@jonesmail.me wrote on 08/30/2012 10:28:07 AM:

> Oh I know, I use spamhaus myself for spam filtering - catches a ridiculous amount of spam. It is my understanding though the OP wants to filter domains for NSFW web browsing, not spam - specifically gambling sites.

Spamhaus describes it this way:

    The DBL is managed as a zero false-positive list, safe to use by production mail systems to reject emails that are flagged by it. The DBL includes URIs (domains/hostnames) which are used in spam including phishing, fraud/'419' or domains sending or hosting malware/viruses.

Sounds like what I would want in an RPZ, but may not include the gambling sites the OP was looking to block.
Re: Typical Bind slave failure scenario - What happens and when?
Russell Jones russ...@jonesmail.me wrote on 08/27/2012 06:39:31 PM:

> Is there any documentation outlining what will actually occur, and when, with a slave server when it cannot contact a zone's master for updates?

The authoritative documentation is the Bind Administrators Reference Manual (ARM). Another excellent resource is DNS and BIND by Paul Albitz and Cricket Liu, also known as the Grasshopper Book because of its cover. It is published by O'Reilly & Associates.

If you have a chance to attend an ISC training, I recommend it too. I took their Intro to DNS and BIND after running bind for over a decade. I still learned a lot! I would love to take the Advanced session if I get the opportunity.
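The question above ("what will actually occur, and when") is answered by the SOA timers the ARM and RFC 1035 section 3.3.13 describe. The following is an added example, not from the post or the ARM, that works the timeline out for a constructed SOA: REFRESH seconds after the last successful refresh the slave checks the master's serial; when that fails it retries every RETRY seconds; EXPIRE seconds after the last successful refresh it stops answering for the zone. The SOA values (3600/900/604800) are constructed, and implementation details such as BIND's timer jitter are left out.

```python
"""What a slave does, and when, once its master stops answering.

Added example; it is not from the post or the BIND ARM. It applies the
SOA timer semantics of RFC 1035 section 3.3.13 to a constructed SOA:
REFRESH seconds after the last successful refresh the slave queries the
master's serial; if that fails it retries every RETRY seconds; EXPIRE
seconds after the last successful refresh it stops answering for the
zone. Implementation details such as BIND's timer jitter are ignored.
All times are seconds since the last successful refresh (t = 0).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Soa:
    refresh: int
    retry: int
    expire: int


# Constructed values: refresh hourly, retry every 15 minutes, expire after a week.
EXAMPLE_SOA = Soa(refresh=3600, retry=900, expire=604800)


def attempt_times(soa):
    """Times at which the slave tries the master while it stays unreachable,
    from the first refresh until the zone expires."""
    times = []
    t = soa.refresh
    while t < soa.expire:
        times.append(t)
        t += soa.retry
    return times


def state_at(soa, t):
    """'current' before the first refresh is due, 'stale' while refreshes fail
    but the zone is still served, 'expired' once answers stop (SERVFAIL)."""
    if t >= soa.expire:
        return "expired"
    if t >= soa.refresh:
        return "stale"
    return "current"


def summary(soa):
    """Headline numbers for an outage that lasts until expiry."""
    attempts = attempt_times(soa)
    return {
        "first_attempt_s": attempts[0],
        "last_attempt_s": attempts[-1],
        "attempts": len(attempts),
        "serves_stale_for_s": soa.expire - soa.refresh,
        "expires_after_days": soa.expire / 86400,
    }


if __name__ == "__main__":
    for key, value in summary(EXAMPLE_SOA).items():
        print(f"{key:22s} {value}")
    for t in (0, 3600, 4500, 86400, 604800):
        print(f"t={t:>7d}s  {state_at(EXAMPLE_SOA, t)}")
```

For the constructed SOA the slave keeps serving stale data for a week, making 668 unanswered attempts along the way; the length of that window is the EXPIRE value, so it is the value to tune if stale answers are a bigger risk than no answers for a given zone.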
Re: What can cause excessive amount of _dns-sd queries?
Elvind wrote on 08/23/2012 09:18:06 AM:

> Yeah, now I'm just wondering which OS / application / malware / whatever could be responsible for this :)

Someone trying to use Zeroconf: http://zeroconf.org

I believe Macs come configured to use it by default; Linux and Windows can be configured to use it.

> (no, the client isn't directly under my control, it belongs to some customer)

Good luck with that!
Re: 2 dns records for same server
Dwayne wrote on 08/19/2012 07:37:39 PM:

> My hosts get the ip's of all 3 dns servers when they receive dhcp information.

I think this is the issue. The internal clients should only point to the internal DNS server. They should never be querying the DNS that returns the public IP addresses EVER!
RE: 2 dns records for same server
Lightner, Jeff jlight...@water.com wrote on 08/20/2012 08:56:56 AM:

> That is to say don't put the external servers in /etc/resolv.conf on your clients - only put the internal one there. (Or the Windows equivalent setup should only see your internal DNS server.)

Or push via DHCP as in this case.

> I would correct the prior post not to say EVER but rather not directly. Often in an internal/external configuration only the external server queries the internet and the internal one forwards requests it gets to the external one. It doesn't matter if the external server the internal DNS server is pointing to also has records for the domains because the internal server would already have answered for the domains it is authoritative for before trying to forward. We have internal/external setup here for one domain and have no problems doing this. (Oddly enough we also have views but that's another story...)

We're using different semantics here. I meant that the workstation should only send queries to the internal server and get answers from same. Where that data comes from is not important, at least from the perspective of the workstation, as long as it is correct. Put another way, packets are only exchanged between workstation and the internal name server.

Also, this is only for normal operations. Use of host/dig/nslookup directed at any specific DNS servers not included.
Re: SRV query with no domain?
kevin wrote on 08/15/2012 12:52:18 PM:

> I don't believe SRV lookups use the search directive in /etc/resolv.conf; I think that's only for A (name-to-address) lookups. But I could be wrong on that...

Using host I was able to do a search for _sip._tcp for the search domain on my system (domain changed to example.org):

    wbrown@wbrown-D630:~$ host -t srv _sip._tcp
    _sip._tcp.example.org has SRV record 0 0 5060 tandberg-vcse.example.org.
    wbrown@wbrown-D630:~$ host -t srv _sip._tcp.example.org
    _sip._tcp.example.org has SRV record 0 0 5060 tandberg-vcse.example.org.

Dig fails on the same query without the domain, and succeeds if it is included:

    wbrown@wbrown-D630:~$ dig +short _sip._tcp srv
    wbrown@wbrown-D630:~$ dig +short _sip._tcp.example.org srv
    0 0 5060 tandberg-vcse.example.org.
Re: Can't receive emails from another machine
Stayvoid wrote on 07/30/2012 08:22:30 PM:

> I'm using Postfix. I can send / receive emails from / to localhost via telnet. [1] But I can't receive emails from another machine.
>
> I guess that there are three variants:
> 1. Postfix doesn't work properly;
> 2. Bind doesn't work properly;
> 3. IPTables doesn't work properly.
>
> I can't be 100% sure but I think that it's not connected with Postfix. So I have to check Bind or / and IPTables. I hope that you'll help me to check my Bind settings. What should I paste?

As Jeff Lightner said, this really isn't the right forum, but you need to check what the sending server is failing on. Check the logs there. Is it unable to resolve the domain for the message? Is it unable to connect? Find the disease before asking for a cure.
Re: Journal File Question
Chris wrote on 07/25/2012 09:04:49 AM:

> Is it possible to restore a zone file from its associated journal file?

No. The journal file only records updates to the zone. At best you would only recover the changes since the last commit to the zone file.

> The docs seem to indicate that a restart of bind will sync the two files, but in practice I get such as this:

It doesn't sync the files to make two equal copies. It applies all of the outstanding transactions in the journal file to the zone file and then empties the journal.

> zone foo.bar/IN: journal rollforward failed: journal out of sync with zone

Yep, the journal is out of sync because the zone file is non-existent.

> The problem here is that a large portion of the zone file was accidentally deleted. Oops.

That's what backups are for. Slaves are not backups. However, you might be able to extract some meaningful data from the slave's zone file. It won't be pretty though.
Re: Journal File Question
Chris Buxton chris.p.bux...@gmail.com wrote on 07/25/2012 12:07:22 PM:

> > It doesn't sync the files to make two equal copies. It applies all of the outstanding transactions in the journal file to the zone file and then empties the journal.
>
> I don't believe that is entirely correct. The journal file needs to be retained to support ixfrs.

My understanding is that it will be automatically trimmed to max-journal-size, if that option is set. Do you know how it determines what is kept?
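The two messages above make three points that are easy to see in a small model: a journal holds only deltas (so it cannot rebuild a zone file that is gone), a roll-forward only applies deltas whose starting serial matches the zone ("journal out of sync with zone" otherwise), and the retained deltas are what an IXFR to a slave is served from, so trimming them forces stale slaves back to AXFR. The following is an added example written for this page, not code from BIND or from either poster; the zone, transaction and record data are constructed, and the trimming is by transaction count rather than BIND's byte-based max-journal-size.

```python
"""Model of a BIND-style zone journal: roll-forward, IXFR and trimming.

Added example, not code from the original thread or from BIND. Zone
contents and journal entries below are constructed.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)


@dataclass
class Zone:
    serial: int
    rrs: Set[RR] = field(default_factory=set)


@dataclass
class Transaction:
    """One journal entry: the SOA serial it starts from, the serial it
    produces, and the records deleted and added by the update."""
    from_serial: int
    to_serial: int
    deletes: Set[RR]
    adds: Set[RR]


class JournalOutOfSync(Exception):
    """Journal does not start at the zone's current serial."""


def rollforward(zone: Zone, journal: List[Transaction]) -> Zone:
    """Apply all journal transactions to the zone in order (what happens
    on load). Each entry must start where the zone currently stands."""
    for tx in journal:
        if tx.from_serial != zone.serial:
            raise JournalOutOfSync(
                f"zone at serial {zone.serial}, journal entry starts at {tx.from_serial}")
        zone.rrs -= tx.deletes
        zone.rrs |= tx.adds
        zone.serial = tx.to_serial
    return zone


def ixfr(journal: List[Transaction], client_serial: int) -> Optional[List[Transaction]]:
    """Deltas a slave at client_serial needs; [] if already current; None
    if the journal no longer reaches back that far (master must AXFR)."""
    if journal and client_serial == journal[-1].to_serial:
        return []
    for i, tx in enumerate(journal):
        if tx.from_serial == client_serial:
            return journal[i:]
    return None


def trim(journal: List[Transaction], keep: int) -> List[Transaction]:
    """Keep only the newest `keep` transactions (a crude stand-in for
    max-journal-size, which BIND expresses in bytes)."""
    if keep <= 0:
        return []
    return list(journal[-keep:]) if keep < len(journal) else list(journal)


def sample_journal() -> List[Transaction]:
    """Constructed sample deltas taking the zone from serial 1 to 3."""
    return [
        Transaction(1, 2, set(), {("mail.example.org.", "A", "192.0.2.25")}),
        Transaction(2, 3, {("www.example.org.", "A", "192.0.2.10")},
                    {("www.example.org.", "A", "192.0.2.11")}),
    ]


if __name__ == "__main__":
    zone = Zone(serial=1, rrs={("www.example.org.", "A", "192.0.2.10")})
    rollforward(zone, sample_journal())
    print("zone now at serial", zone.serial, sorted(zone.rrs))
    print("ixfr for a slave at 2:", [t.to_serial for t in ixfr(sample_journal(), 2)])
    print("ixfr for a slave at 0:", ixfr(sample_journal(), 0), "(AXFR needed)")
    # With the zone file gone there is no serial-1 zone for the deltas to apply to.
    try:
        rollforward(Zone(serial=0), sample_journal())
    except JournalOutOfSync as e:
        print("rollforward failed:", e)
```

The last call is the situation in the thread: the deltas are intact, but without the zone state they were recorded against there is nothing to apply them to.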
Re: Basic scope question
Gary wrote on 07/10/2012 11:27:24 AM:

> If I have domain-name-servers configured globally and a different set configured on a subnet DHCP pool, which takes precedence for the client? My understanding is the more specific, or the subnet DHCP pool, but could someone please confirm? Thanks.

The client will only query the DNS servers they are told about, either statically (/etc/resolv.conf) or by your DHCP server.
Re: bind dies with assertion failure
Oscar Ricardo Silva wrote on 07/02/2012 06:40:51 PM:

> The reason I'm running is that we're currently running the stock version of BIND available with RHEL6. It's their policy to backport patches and if there's a patch available then they may apply it faster rather than deploying a new version.

At an ISC Intro to DNS and BIND class, the instructor pointed out that if you rely on the distro-provided version of BIND, you are at the mercy of the package maintainers to upgrade/patch versions of BIND. With Ubuntu LTS (not sure about other distros), you are stuck at the same version of bind until you upgrade your distro. For Ubuntu 8.04 LTS, which is still supported, BIND is stuck at 9.4, which is no longer supported by ISC.

I am building/redesigning our DNS infrastructure and I am building BIND from tarball. It's really quite easy. Plus, I can run the latest and greatest version to get the best DNSSEC features.
Re: RPM [was: Re: bind dies with assertion failure]
Jan-Piet wrote on 07/03/2012 10:41:20 AM:

> Building BIND is easy; turning it into an installable RPM not so. I highly recommend fpm [1] which makes building an RPM trivial. :)

Any advice or tricks for making a DEB for Ubuntu? So far my plan was to copy the source directory to each server and just run make install on each. I'm only looking at 8 to 10 servers.
Re: Moving DNS out of non-cooperative provider
Did you update your whois information to point to the name servers at NEWprovider.net? After this change is made and any cached data expires, the world will query them (NEWProvider), with the exception of anyone that uses name servers at OLDprovider.net who still thinks they are authoritative for your domain.

Alexander wrote on 06/18/2012 11:49:36 AM:

> Can someone enlighten me on the following scenario (I guess it's explained somewhere, but can't find the info.):
>
> example.com was served by ns.OLDprovider.net
> example.com owner wants to move his domain to ns.NEWprovider.net
> oldprovider.net is not cooperating, and continues to serve
>   example.com 172800 NS ns.OLDprovider.net
> (*.gtld-servers.net and ns.newprovider.com now serve
>   example.com 172800 NS ns.NEWprovider.net)
>
> Recursive resolver ns.isp.com is queried for www.example.com every few minutes, and currently has
>   example.com 45892 NS ns.OLDprovider.net
> in its cache. www.example.com has a TTL of 3600. Thus each hour ns.isp.com queries ns.OLDprovider.net, with each query gets a new NS record, and... refreshes the NS TTL?
>
> Will ns.isp.com EVER query ns.NEWprovider.net?
>
> I'd be happy to know how BIND behaves, but also how other servers may behave in this case.
Re: limiting number of requests of a single hosts
bind-users-bounces+wbrown=e1b@lists.isc.org wrote on 06/15/2012 04:25:16 AM:

> We have a problem with one of our firewalls caused by DNS peaks. Once or twice a day a DNS burst (20K requests/15sec) kills all connections on the firewall. The firewall is due for replacement but in the mean time we would like to stop these peaks at their origin or at least try to limit their impact.
>
> We have 6 dns servers (bind) on our campus, that are all authoritative for our domains and also resolver for our campus hosts. Most of our clients however use our AD/LDAP/DNS Microsoft servers as their resolver, which in their turn contact our 6 dns servers for further resolving.
>
> What we figured out by packet capturing is that at a certain point in time these AD/LDAP/DNS servers start "collecting" dns requests without sending them further and then in a burst pass them on to our 6 dns servers which try to resolve these queries. Due to the fact that one request of a client mostly results in several queries of our dns servers to the outside world (root server contact, NS record resolving, ...), this results in a burst of dns requests through our firewalls, killing them.
>
> I have 2 questions:
> One, is there a way to rate-limit the amount of requests a single client (the AD servers in this case) can have outstanding against a bind server? Kind of rate-limiting parameter for bind name server.
> Two, has anyone already seen this type of behavior on a Microsoft AD/LDAP/DNS server and has a clue what could cause this stalling? Solving that would be the best solution.

Any chance of using network devices (firewalls, intelligent switches) to rate limit connections from the AD/DNS server to the bind server?

Is the odd behavior of the AD/DNS server causing issues with the clients making the original request? Have you tried tracking down the original source of the query? Could that be the ultimate source of the traffic burst? It seems unlikely that MSDNS would intentionally hold DNS requests. Have you tried troubleshooting that?
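Before rate limiting anything, the reply above asks the right question: which client is releasing the burst, and when. BIND's query log already has what is needed to answer that. The following is an added example (not code from the thread, from BIND or from any vendor) that scans query-log lines of the `client <ip>#<port>: query:` form, keeps a sliding window per client address, and reports the first moment a client exceeds a threshold in the window; the threshold and window are parameters (the thread's figure is roughly 20K queries in 15 s, the sample uses 5 so the burst is visible). The log lines are constructed.

```python
"""Per-client query-burst detector over BIND query-log lines.

Added example, not from the original thread. The log lines produced by
make_sample_log() are constructed; the regex accepts the BIND 9.x
'client <ip>#<port>: query: <name> IN <type>' line shape, tolerating
the 'queries: info:' and '@0x...' decorations of later releases.
"""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?:queries: info: )?client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+"
    r".*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """(timestamp, client_ip, qname, qtype) or None for non-query lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def detect_bursts(lines: Iterable[str], window_s: float = 15.0,
                  threshold: int = 20000) -> List[Tuple[str, datetime, int]]:
    """Return (client_ip, time_threshold_crossed, count) once per burst.

    A burst is `threshold` or more queries from one client inside any
    `window_s`-second sliding window. One alert fires when the threshold
    is first crossed; it re-arms once that client's window drains.
    """
    window = timedelta(seconds=window_s)
    seen: Dict[str, Deque[datetime]] = defaultdict(deque)
    armed: Dict[str, bool] = defaultdict(lambda: True)
    alerts: List[Tuple[str, datetime, int]] = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        q = seen[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and armed[ip]:
            alerts.append((ip, ts, len(q)))
            armed[ip] = False
        elif len(q) < threshold:
            armed[ip] = True
    return alerts


def make_sample_log() -> List[str]:
    """Constructed sample: steady traffic from 10.0.0.5 and an 8-query
    burst from the AD/DNS server 10.0.0.10 inside two seconds."""
    base = datetime(2012, 6, 15, 4, 25, 0)
    lines = []
    for i in range(6):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.000 client 10.0.0.5#4100: "
                     f"query: host{i}.example.org IN A + (10.0.0.1)")
    for i in range(8):
        t = base + timedelta(seconds=30, milliseconds=250 * i)
        lines.append(f"{t:%d-%b-%Y %H:%M:%S}.{t.microsecond // 1000:03d} client "
                     f"10.0.0.10#53{i:03d}: query: r{i}.example.com IN A + (10.0.0.1)")
    lines.append("this line is not a query log entry")
    return lines


if __name__ == "__main__":
    for ip, when, n in detect_bursts(make_sample_log(), window_s=15, threshold=5):
        print(f"{when:%H:%M:%S} burst from {ip}: {n} queries in window")
```

Run against a real log with `threshold` set near the firewall's pain point; the first alert per burst gives you the client address and timestamp to correlate with a capture on the AD side.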
Re: random-device purpose in DNSSEC
Warren wrote on 05/10/2012 04:14:01 PM:

> Multiple options:
> 1: install haveged (http://www.irisa.fr/caps/projects/hipsor/) -- this will provide you with much randomness [0].
> 2: buy a USB entropy widget (for example: http://www.entropykey.co.uk/)
> 3: See if there is a driver for your TPM -- many boxes have them, and many provide good randomness.
> 4: NOT RECOMMENDED: use /dev/urandom (only for testing)

You forgot an option:

5: Patience, Grasshopper. /dev/random will eventually fill and the crypto function will get enough data to complete.
Re: DNSSEC
Jan-Piet wrote on 05/11/2012 02:17:53 AM:

> Indeed, which brings on the question why BIND (still) doesn't have a negative trust anchor feature.

So how do we implement one? Create a separate caching server with DNSSEC validation turned off and forward all queries for the broken domain to it?
Re: Secondary Master
John wrote on 05/11/2012 11:05:58 AM:

> I found this article about setting up a secondary master. This may be useful as we are bringing up a disaster recovery site. The author explains that the zone type should be "slave" so it can receive db updates from the normal master. Seems like that makes it a slave instead of a master for that zone? We are also looking at the app rsync for db transfers so we will have mirrored masters, IP traffic separated by routers. Thanks
>
> https://help.ubuntu.com/8.04/serverguide/dns-configuration.html

What they describe is a typical slave server. I wonder if they are misusing the term master for authoritative. They are correct that more than one server is needed in order to maintain the availability of the domain should the Primary become unavailable. It's a good idea to make sure that your DNS servers are physically separated so a network failure does not block access to all of them.

I would just let zone transfers take care of keeping things in sync instead of using rsync and a bunch of custom procedures to do it.
Re: Hi;
William Thierry wrote on 05/10/2012 08:02:57 AM:

> I'm trying to have a TTL of a zone just by typing a command, but I can't see which command line I can use to have the solution. Can someone have an idea? Is it possible to find that?
>
> PS: The zone file is not created by me. For example, I made a dig +dnssec www.google.fr and I want to know what is the TTL of www.google.com, not the period of query.

Ask an authoritative server:

cowman@ns-homer:~$ dig @ns1.google.com www.google.com

; <<>> DiG 9.9.0 <<>> @ns1.google.com www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32683
;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         604800  IN      CNAME   www.l.google.com.
www.l.google.com.       300     IN      A       173.194.73.103
www.l.google.com.       300     IN      A       173.194.73.147
www.l.google.com.       300     IN      A       173.194.73.105
www.l.google.com.       300     IN      A       173.194.73.106
www.l.google.com.       300     IN      A       173.194.73.99
www.l.google.com.       300     IN      A       173.194.73.104

;; Query time: 35 msec
;; SERVER: 216.239.32.10#53(216.239.32.10)
;; WHEN: Thu May 10 08:12:13 2012
;; MSG SIZE  rcvd: 148
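The answer above shows why "the TTL of www.google.com" is not a single number: the CNAME carries 604800 while the addresses behind it carry 300, and a cache can only hand out the final addresses for as long as the shortest hop allows. The following is an added example (not code from the post, from dig or from BIND) that takes dig output from an authoritative server, pulls the ANSWER SECTION, follows the CNAME chain from the queried name and reports each hop's TTL together with the effective TTL, the minimum over the chain. The dig text it parses is a constructed sample in the same shape as the real output, with example.com names and documentation addresses substituted.

```python
"""Extract TTLs along a CNAME chain from dig output.

Added example, not from the original post. SAMPLE_DIG is constructed in
the shape of dig's output; only the ANSWER SECTION is parsed.
"""

import re
from typing import Dict, List, Tuple

SAMPLE_DIG = """\
;; ANSWER SECTION:
www.example.com.        604800  IN      CNAME   www.l.example.com.
www.l.example.com.      300     IN      A       192.0.2.103
www.l.example.com.      300     IN      A       192.0.2.147

;; Query time: 35 msec
"""

# owner  ttl  IN  type  rdata   (dig's default presentation format)
RR_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>\S+)\s+(?P<rdata>.+)$")

RRTuple = Tuple[str, int, str, str]


def parse_answer_section(text: str) -> List[RRTuple]:
    """Return (owner, ttl, type, rdata) for every record in ANSWER SECTION."""
    rrs: List[RRTuple] = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
        if not in_answer or not line.strip() or line.startswith(";"):
            continue
        m = RR_RE.match(line)
        if m:
            rrs.append((m.group("owner").lower(), int(m.group("ttl")),
                        m.group("type").upper(), m.group("rdata").strip()))
    return rrs


def chain_ttls(rrs: List[RRTuple], qname: str,
               final_type: str = "A") -> Tuple[List[Tuple[str, int]], int]:
    """Follow CNAMEs from qname; return ([(name, ttl), ...], effective_ttl).

    The effective TTL is the minimum over the chain, which is the longest
    a cache can serve the final addresses under this name. If the chain
    leaves the answer section (target in another zone, as in an
    authoritative-only reply) the hops stop there. CNAME loops raise.
    """
    by_owner: Dict[str, List[Tuple[int, str, str]]] = {}
    for owner, ttl, rtype, rdata in rrs:
        by_owner.setdefault(owner, []).append((ttl, rtype, rdata))
    name = qname.lower().rstrip(".") + "."
    hops: List[Tuple[str, int]] = []
    visited = set()
    while True:
        if name in visited:
            raise ValueError(f"CNAME loop at {name}")
        visited.add(name)
        records = by_owner.get(name, [])
        cnames = [(ttl, rdata) for ttl, rtype, rdata in records if rtype == "CNAME"]
        finals = [ttl for ttl, rtype, _ in records if rtype == final_type]
        if cnames:
            ttl, target = cnames[0]
            hops.append((name, ttl))
            name = target.lower()
            continue
        if finals:
            hops.append((name, min(finals)))
        break
    if not hops:
        raise ValueError(f"no {final_type} or CNAME data for {qname}")
    return hops, min(ttl for _, ttl in hops)


if __name__ == "__main__":
    hops, effective = chain_ttls(parse_answer_section(SAMPLE_DIG), "www.example.com")
    for name, ttl in hops:
        print(f"{name:<24} {ttl}")
    print("effective TTL:", effective)
```

Feed it `dig @<authoritative server> <name>` output and the last line is the number the original question was after; against a recursive server you would instead see the remaining cache time, which is the "period of query" the poster wanted to avoid.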
Re: DNSSEC
Warren wrote on 05/10/2012 11:50:30 AM:

> Nope -- Comcast does a large amount of checking before turning off validation for a failing domain. This is (IMO) more secure than the alternative, which is to simply leave it failing, and have users move to a non-validating resolver instead?

Does Comcast have a process to re-enable validation once the issue is resolved?
Question about KSK
We are authoritative for a few dozen small zones. Is it possible to use the same KSK for all of them? I can see where if it gets compromised we would need to resign all zones using the KSK at once. How much effort would I be saving sharing the KSK? I'm sure there are plenty of other good reasons not to do this... Enlighten me!

--
William Brown
Messaging and Core Hosted Application Technical Teams
Technology Services, WNYRIC, Erie 1 BOCES
(716) 821-7285
Re: Question about KSK
Jan-Piet wrote on 04/27/2012 10:22:39 AM:

> When the shared KSK needed to be rolled over, you would have to process DS records in the parents of your few dozen zones all at the same time. *If* you want to roll the KSK, a.k.a. when did you last roll your SSH keys? :-)

Correct. I was mistakenly thinking the KSK also had an expiration as the ZSK does.
Re: generate a set of request DNSsec
William wrote on 04/18/2012 05:45:21 AM:

> I'm faced with a big problem. How can I generate a log file for my test? It's a big problem for me. I'm working on Bind 9.8.1-P1 and I'm using dnsperf to inject requests on my servers. Did you have an idea? Thank you for your help.

What do you want to log? The ARM covers the topic of logging pretty well, as does the grasshopper book. Bind's logging is nice in that you can log different information to different locations.
Re: How to reset the serial number?
Chuck Swiger wrote on 03/26/2012 02:35:24 PM:

> Shut down the slave server(s). Use scp or rsync to copy over the zone file, one with a corrected serial #. Restart the slave server(s).

If I have access to the slave, I just delete the slave zone and issue rndc reload. It will transfer the missing zone. Several advantages: No need to shut down the slave. Less typing/less chance to mis-type something.
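Both approaches above work by making the slave forget its copy, because a slave transfers only when the master's serial compares greater in 32-bit serial arithmetic (RFC 1982), so a serial that was typed too large cannot simply be typed back down. When you cannot touch every slave, the usual in-band alternative is to publish an intermediate serial that compares greater than the wrong one and smaller than the intended one, let every slave transfer, then publish the intended serial. The following is an added example written for this page (not code from the thread or from BIND) implementing the RFC 1982 comparison and computing that step plan; the serial values are constructed.

```python
"""RFC 1982 serial-number arithmetic and the stepped serial rollback.

Added example, not from the original thread. Serial values used in the
demo are constructed.
"""

from typing import List

MOD = 1 << 32    # serials are unsigned 32-bit
HALF = 1 << 31   # the comparison window


def serial_gt(a: int, b: int) -> bool:
    """True if serial a is greater than serial b per RFC 1982.

    a > b when a is less than 2^31 ahead of b, allowing for wraparound.
    A difference of exactly 2^31 is undefined by the RFC; it is reported
    as not-greater here, which is the safe answer for a slave.
    """
    a %= MOD
    b %= MOD
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def next_serial(current: int) -> int:
    """The everyday increment, wrapping at 2^32."""
    return (current + 1) % MOD


def rollback_plan(current: int, desired: int) -> List[int]:
    """Serials to publish, in order, so slaves at `current` end at `desired`.

    Each published serial compares greater than the one before it, so
    every slave transfers at every step. Each step must reach all slaves
    (check with dig SOA) before the next one is published. Adding
    2^31 - 1 is the largest jump that still compares greater; at most
    two intermediate steps are ever needed.
    """
    current %= MOD
    desired %= MOD
    plan: List[int] = []
    cur = current
    while cur != desired and not serial_gt(desired, cur):
        cur = (cur + HALF - 1) % MOD
        plan.append(cur)
        if len(plan) > 3:  # defensive; the loop converges in <= 2 steps
            raise RuntimeError("rollback plan did not converge")
    if cur != desired:
        plan.append(desired)
    return plan


if __name__ == "__main__":
    wrong = 2012132600      # constructed typo (month 13)
    intended = 2012032601
    print("slave will transfer directly:", serial_gt(intended, wrong))
    plan = rollback_plan(wrong, intended)
    print("publish in this order:", plan)
    chain = [wrong] + plan
    print("each step compares greater than the last:",
          all(serial_gt(chain[i + 1], chain[i]) for i in range(len(chain) - 1)))
```

For the constructed typo the plan is two steps: 4159616247 first, then 2012032601. The wraparound case (a serial of 4294967295 followed by 1) compares as an increase, which is the behaviour the comparison exists to provide.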
Re: external view recursion issue
Who will be using this in-house DNS server? Your local users? If yes, then you will need to enable recursion so they can look up outside resources (google.com, etc.). If this server will strictly be an authoritative server for your domain, then it won't need recursion, but queries that return a CNAME will cause the recursive server to look up anything in otherdomain.com, CNAME or A.

Samantha wrote on 03/16/2012 10:13:30 AM:

> I am getting prepped to migrate dns from one service to in-house servers. While going through the zone file to ensure I got everything, I found that we have a CNAME in our domain pointing to a CNAME in another domain that is pointing to the A record in the other domain:
>
> host record.ourdomain.com
> record.ourdomain.com is an alias for record.client.otherdomain.com.
> record.client.otherdomain.com is an alias for otherhost.otherdomain.com.
> otherhost.otherdomain.com has address x.x.x.x
>
> To duplicate this exactly on our servers, it appears that I have to enable recursion but the provider said that they are not doing that. I get the feeling that I am not going to get the information from them on how they are accomplishing this without recursion. Right now I have replaced the CNAME with an A record pointing to the IP directly and am getting the proper results, but feel that this leaves me having to watch for changes that the otherdomain.com administrator might make. Am I missing something else that I can do to replicate? A separate external view?
Re: external view recursion issue
Put record.ourdomain.com as a CNAME in both your internal and external views. Internal user will query internal view and get CNAME record to record.client.otherdomain.com. Your recursive name server will look up record.client.otherdomain.com and get the CNAME record to otherhost.otherdomain.com. It will look up that name and get the A record. Address is returned to the DNS client. External user queries your authoritative serve for record.ourdomain.com and get CNAME to record.client.otherdomain.com. Their recursive name server will look up record.client.otherdomain.com and get the CNAME record to otherhost.otherdomain.com. It will look up that name and get the A record. Address is returned to the external DNS client. -- William Brown Messaging and Core Hosted Application Technical Teams Technology Services, WNYRIC, Erie 1 BOCES (716) 821-7285 Samantha Steers sam.fait...@gmail.com wrote on 03/16/2012 03:09:52 PM: From: Samantha Steers sam.fait...@gmail.com To: wbr...@e1b.org, Date: 03/16/2012 03:09 PM Subject: Re: external view recursion issue Thank you for getting back to me. We have a set up with internal and external views. The internal is handling all the internal/recursive queries and the external is supposed to be authoritative without recursion. I am trying to reverse engineer the existing setup so I can match it. I guess the long and short of it is, if there are CNAMES looking for otherdomain.com then recursion has to = yes on the existing server, correct? The existing server is giving the result mentioned previously (below) while the new server is giving REFUSED. host record.ourdomain.com record.ourdomain.com is an alias for record.client.otherdomain.com. record.client.otherdomain.com is an alias for otherhost.otherdomain.com. 
otherhost.otherdomain.com has address x.x.x.x My thought is that it is either one way or the other, recursive or not, and that the record are going to have to be changed when they are migrated to the new servers to be A records pointing to the IP of the related, existing CNAMES. On Fri, Mar 16, 2012 at 1:47 PM, wbr...@e1b.org wrote: Who will be using this in-house DNS server? Your local users? If yes, then you will need to enable recursion so they can look up outside resources (google.com, etc.) If this server will strictly be an authoritative server for your domain, then it won't need recursion but queries that return a CNAME will cause the recursive server to look up anything in otherdomain.com, CNAME or A. Samantha wrote on 03/16/2012 10:13:30 AM: I am getting prepped to migrate dns from one service to in-house servers. While going through the zone file to ensure I got everything, I found that we have CNAME in our domain pointing to a CNAME in another domain that is pointing to the A record in the other domain: host record.ourdomain.com record.ourdomain.com is an alias for record.client.otherdomain.com. record.client.otherdomain.com is an alias for otherhost.otherdomain.com. otherhost.otherdomain.com has address x.x.x.x To duplicate this exactly on our servers, it appears that I have to enable recursion but the provider said that they are not doing that. I get the feeling that I am not going to get the information from them on how they are accomplishing this without recursion. Right now I have replaced the CNAME with an A record pointing to the IP directly and am getting the proper results, but feel that this leaves me having to watch for changes that the otherdomain.com administrator might make. Am I missing something else that I can do to replicate? A separate external view? 
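The point of the thread, that an authoritative-only server simply hands back the CNAME and the querier's recursive resolver does the chasing, can be seen end to end in a small model. This is an added example, not code from the post or from BIND; the zone data, the 192.0.2.10 documentation address standing in for x.x.x.x, and the function names are all constructed for it.

```python
"""Added example (not code from the list post): how a CNAME chain is followed.

Models the two roles in the thread. An authoritative-only server (recursion no)
answers from its own zones and hands back a CNAME that points outside them
without chasing it; the client's recursive resolver then follows the chain to
the A record. All zone data here is constructed for the example.
"""

# Constructed zones: apex -> {owner name: (rrtype, rdata)}; 192.0.2.10 is a
# documentation address standing in for the x.x.x.x in the thread.
ZONES = {
    "ourdomain.com.": {
        "record.ourdomain.com.": ("CNAME", "record.client.otherdomain.com."),
    },
    "otherdomain.com.": {
        "record.client.otherdomain.com.": ("CNAME", "otherhost.otherdomain.com."),
        "otherhost.otherdomain.com.": ("A", "192.0.2.10"),
    },
}

# The authoritative server for ourdomain.com holds only its own zone; the
# other zone lives on somebody else's authoritative server.
OUR_AUTH = {"ourdomain.com.": ZONES["ourdomain.com."]}
OTHER_AUTH = {"otherdomain.com.": ZONES["otherdomain.com."]}

MAX_CHAIN = 8  # upper bound on CNAME hops, so a looping chain cannot spin forever


def zone_for(name, zones):
    """Apex of the zone in `zones` that contains `name`, or None."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def authoritative_answer(name, server_zones):
    """Answer from an authoritative-only server: a list of (owner, type, rdata).

    In-zone CNAMEs are chased (as BIND does); a CNAME whose target is outside
    the server's zones is returned as-is, because without recursion the server
    will not go and look it up.
    """
    answer, seen, current = [], set(), name
    while current not in seen and len(answer) < MAX_CHAIN:
        seen.add(current)
        apex = zone_for(current, server_zones)
        if apex is None:
            break  # not our data; the querier's resolver has to take it from here
        rr = server_zones[apex].get(current)
        if rr is None:
            break  # no such name in our zone (NXDOMAIN)
        answer.append((current, rr[0], rr[1]))
        if rr[0] != "CNAME":
            break
        current = rr[1]
    return answer


def recursive_resolve(name, authoritative_servers):
    """What a recursive resolver does: ask whichever server is authoritative
    for the current name, and keep going while the answer ends in a CNAME.
    Returns (full chain, address or None)."""
    chain, current = [], name
    for _ in range(MAX_CHAIN):
        server = next((s for s in authoritative_servers if zone_for(current, s)), None)
        if server is None:
            return chain, None  # nobody we know is authoritative for it
        answer = authoritative_answer(current, server)
        if not answer:
            return chain, None  # NXDOMAIN
        chain.extend(answer)
        _, rrtype, rdata = answer[-1]
        if rrtype == "A":
            return chain, rdata
        current = rdata
    raise RuntimeError("CNAME chain too long or looping: " + name)


if __name__ == "__main__":
    print(authoritative_answer("record.ourdomain.com.", OUR_AUTH))
    print(recursive_resolve("record.ourdomain.com.", [OUR_AUTH, OTHER_AUTH]))
```

Running it shows the external view's server returning only the one CNAME it owns, while the recursive side walks all three records to the address. The hop limit and the loop check are there because a CNAME that eventually points back at itself would otherwise keep a resolver busy indefinitely.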
Re: dig -t txt output variation
sun-guru wrote on 03/09/2012 01:45:33 PM:

> Is this a BIND bug?

Check ARM for RRSet Ordering.
Re: dig -t txt output variation
Alan wrote on 03/09/2012 02:38:25 PM:

> Don't base anything on RRset ordering. Be sure that the application is able to handle the random order -- you never know who owns the intermediate caching servers, so you will never know the order even if you fix it on the authoritative.

That prompted me to look at the original post... The owner of the domain needs to reconcile the two records (including included records) and verify all allowed servers are listed. It's more of an email/spam filtering issue than a BIND problem.
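Both replies above (the pointer to the ARM's RRset ordering section and Alan's warning not to rely on the order) come down to one rule for application code: pick records by content, never by position. This added example, not from either post, simulates a resolver that rotates the RRset on every query and shows a position-based SPF lookup breaking while a content-based one stays stable; it also reports the "two SPF records" condition the original poster was told to reconcile. The TXT records and the RotatingResolver class are constructed for the example.

```python
"""Added example (not from the list posts): handle an RRset whose order varies.

BIND's rrset-order (see the ARM) and every intermediate cache may reorder
the records in an answer, so an application must treat the TXT RRset as a
set. The sample records and the rotating resolver below are constructed.
"""
from collections import deque
import re

# Constructed TXT RRset for one name, as three separate TXT records. The
# second SPF record is deliberate: it is the kind of thing the owner has to
# reconcile, and it must be reported whatever order the records arrive in.
TXT_RRSET = [
    '"v=spf1 include:_spf.example.net -all"',
    '"google-site-verification=abc123"',
    '"v=spf1 ip4:192.0.2.0/24 -all"',
]


class RotatingResolver:
    """Returns the same RRset in a different (cyclic) order on each query,
    the way BIND's rrset-order cyclic or a chain of caches would."""

    def __init__(self, rrset):
        self._rrset = deque(rrset)

    def query_txt(self):
        answer = list(self._rrset)
        self._rrset.rotate(-1)
        return answer


def strip_quotes(txt):
    """Join the quoted character-strings of one TXT record into one string."""
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', txt))


def naive_spf(answers):
    """Fragile: assumes the SPF record is always the first one returned."""
    return strip_quotes(answers[0])


def spf_records(answers):
    """Order-independent: select SPF records by content, not position.
    Sorted, so the result is identical whatever order the answer arrived in."""
    texts = map(strip_quotes, answers)
    return sorted(t for t in texts
                  if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 "))


def spf_status(answers):
    """RFC 7208 section 3.2 allows exactly one SPF record per name; report
    the condition the domain owner has to fix, again regardless of ordering."""
    found = spf_records(answers)
    if not found:
        return "none"
    if len(found) > 1:
        return "multiple"
    return "ok"


if __name__ == "__main__":
    resolver = RotatingResolver(TXT_RRSET)
    for _ in range(3):
        answer = resolver.query_txt()
        print("naive:", naive_spf(answer))
        print("robust:", spf_records(answer), spf_status(answer))
```

Three successive queries give three different "first" records, so the naive function returns the site-verification token on the second call; the content-based selection returns the same two SPF records each time and flags that there are two of them.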
RE: Configuring a domain slave to look up subdomain hosts
Why not set up the zone with its own forward statement like this:

    zone "subdomain.example.com" {
        type forward;
        forwarders { 10.172.2.50; 10.172.2.51; };
        forward only;
    };

--
bind-users-bounces+wbrown=e1b@lists.isc.org wrote on 02/28/2012 01:04:46 PM:

> I am simply trying to get the domain slave to make queries for hosts in the subdomain which is hosted on other servers, instead of forwarding the queries to the domain master. I thought a stub zone would facilitate this by giving my server the lookup information it needed to do this. Apparently this is not the case. Even though it receives a db file with the NS and SOA information for the subdomain, it is ignoring it.
>
> Forwarding works. Being a slave for the subdomain works. Stub zone doesn't work. If it's supposed to "ignore" the stub zone in my configuration, what is the value of a stub zone?
RE: Configuring a domain slave to look up subdomain hosts
Perhaps this article from the ISC knowledge base will help:

https://kb.isc.org/article/AA-00302/47/I-want-to-forward-all-DNS-queries-from-my-caching-nameserver-to-another-server-but-configure-exceptions-for-some-domains-how.html
Adding DS record to parent
Does anyone know how to register a DS record for domains registered through Network Solutions? I submitted a query through their website and got this response below. I find the copyright on the canned response an amusing touch.

I called the number shown, and fought my way through a tangle of prompts to talk to a human in their DNS group. I could tell DNSSEC was a foreign concept to her and asked to speak with someone familiar with DNSSEC. She assured me she could help. Turns out she was wrong.

http://www.google.com/#q=site%3Anetworksolutions.com ds record returns no meaningful hits. Going to GoDaddy's website, I was able to find the directions in a couple minutes.

Network Solutions customerserv...@networksolutions.com wrote on 02/23/2012 01:00:48 PM:

> Dear William Brown,
>
> I apologize for the inconvenience this has caused you. In order to update your managed name servers, please refer to the link below for instructions:
>
> http://www.networksolutions.com/support/create-a-new-name-server/
>
> If you have any other questions about this issue, please contact our Support Center and refer to Service Request # 1-578747785. A Specialist will be happy to further assist you and ensure that we completely resolve your issue as quickly as possible.
>
> Thank you,
>
> Eisset001
> Technical Support Specialist
> Network Solutions
> US/Canada: 1.866.391.4357
> International: 1.570.708.8788
>
> (c) Copyright 2012 Network Solutions, LLC. All rights reserved.

Thanks for any advice you can offer, I'm still reading and trying to learn DNSSEC.

Bill
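What the registrar has to publish in the parent zone is the DS record derived from the child's key-signing DNSKEY: a key tag, the algorithm number, a digest type and the digest of the owner name plus the DNSKEY RDATA. The derivation below is an added example, not from the post or from BIND (for a real zone the value to submit comes from dnssec-dsfromkey); it follows RFC 4034 (RDATA layout and the Appendix B key tag) and RFC 4509 (SHA-256 digest type 2). The DNSKEY it uses is a constructed 4-byte placeholder, not a real public key, so the printed digest is illustrative only.

```python
"""Added example (not from the list post): derive the DS record a registrar
asks for from a zone's DNSKEY, per RFC 4034 (RDATA, key tag in Appendix B)
and RFC 4509 (SHA-256 digest type 2). The DNSKEY below is a constructed
stand-in, not a real key; for a real zone use dnssec-dsfromkey.
"""
import hashlib
import struct


def wire_name(name):
    """Canonical wire form of an owner name: length-prefixed lowercase labels,
    terminated by the root label (a zero byte)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA as it appears on the wire (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA, high byte first
    for even offsets, with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Return the DS fields (key_tag, algorithm, digest_type, hex digest).
    Digest = hash(owner name in wire form || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def ds_presentation(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """The DS record in zone-file form, which is what the registrar form wants."""
    tag, alg, dtype, digest = ds_record(owner, flags, protocol, algorithm,
                                        public_key, digest_type)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"


# Constructed DNSKEY: KSK flags (257), protocol 3, algorithm 8 (RSASHA256),
# with a 4-byte placeholder where the real public key material would be.
EXAMPLE_OWNER = "example.com."
EXAMPLE_KEY = bytes([1, 2, 3, 4])

if __name__ == "__main__":
    print(ds_presentation(EXAMPLE_OWNER, 257, 3, 8, EXAMPLE_KEY))
```

A useful check before submitting anything is that the key tag and digest you compute from the zone's published DNSKEY match what dnssec-dsfromkey prints; a mismatch at the registrar breaks validation for the whole zone rather than just one record.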
Re: dnsmasq+named together (was: Re: Forward Domain)
rob0 wrote on 01/19/2012 04:05:26 PM:

> ...
> server=127.0.0.1#1053
> # to use nameserver 127.0.0.1 in resolv.conf(5)
> no-resolv
> ...
> listen-on port 1053 { 127.0.0.1; };

Are both of these listening on port 1053? That ain't gonna work. Put one of them back on 53 or on some other port such as 2053.
RE: DNSSEC made simple, is this possible?
I took the ISC 2 day Intro to DNS and BIND class. The instructor made a good point that building from source frees you from the dependence on the distro's package maintainer. As part of the class, we had to compile bind from scratch. It was very straightforward: ./configure, make, make install. Options to the configure step allowed customization of the install if needed, but the defaults are pretty good.

In Ubuntu LTS versions, they do not update versions, other than minor revs for bug fixes. I have some that are running Ubuntu 8.04 LTS with bind 9.4. I was worried with the recent vulnerability, but they quickly backported the fix. But they're still running 9.4. :(

I am building new servers to replace them and I'm going with a bare bones distro install and adding packages (compilers, etc) as I find I need them. But the servers will be much leaner in terms of what is on them.

Perhaps other distros/flavors of *nix handle new versions differently.

bind-users-bounces+wbrown=e1b@lists.isc.org wrote on 01/11/2012 11:50:01 AM:

> Now if FreeBSD would just add 9.9 to the ports collection, it would save me from having to build it by hand..
Re: About root zones
micho...@cisco.com wrote on 01/03/2012 04:54:51 PM:

> Maybe it's because I started in networking... But TCP/IP (or IPv6 these days) is quite the subsystem to avoid. Really, like it or not, you are actually responsible for understanding interactions with subsystems your managed system must interact with. ;-)

Yes, unfortunately we sometimes have to rely on systems and sub-systems maintained by others. But in order to stick to the Principle of Least Astonishment, it is easier to rely on those systems under our own control. Otherwise someone else will astonish us with their brilliance.

I manage the DNS and the spam filters here. Without warning (I know, a separate issue), the network was changed causing problems between the spam filters and the DNS servers. Took me 2 days to figure out what was causing email to fail. I cannot choose what network to use. I can choose what resolver to use.
Re: bind as a service on windows -c option not working
> How to tell the named running as a service to read the config file from the path specified with -c option?

Try changing path to executable by moving quote:

    D:\bind9\bin\named.exe -c D:\bind_config\etc\named.conf
Re: bind as a service on windows -c option not working
> No luck:
>
> The following information is part of the event:
> none:0: open: C:\WINDOWS\system32\etc\named.conf: file not found

So why not put the configuration file there. Then use the directory option to direct BIND to look for all the zone files on the D: drive.

    options {
        directory "D:\bind_config";
        // other options as required
    };
Re: bind as a service on windows -c option not working
> This is not the answer I am looking for. If the parameter exists, it must work.

Have you tried issuing the command from a command prompt?
Re: Botnet Malware issue on bind BIND 9.7.1-P2
jagan padhi wrote on 12/05/2011 12:16:19 PM:

> First of all I would like to know what all these .ws domains are. Due to this junk domain query, CDNS server load is getting very high. Yes, there is a limit set in my CDNS server; however, out of 100 queries, 60 queries are coming for these junk domains.

Without the RPZ feature of bind 9.8, you could add a bogus zone for the .ws domain to your servers. Either return an answer for *.ws as whatever you want, or have just the SOA record. Either way, you're not waiting for a recursive query to time out.

What kind of host is the source of the queries?
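The closing question, which hosts are sending the junk, is answered from the query log rather than from the server configuration: count queries per client and per TLD, and the infected machine stands out as the one whose traffic is almost entirely random .ws names. This is an added example, not from the post or from BIND; the log lines are constructed in the "client addr#port: query: name IN type" layout of BIND 9.7-era query logging, and the regex assumes that layout, so adjust it if your logging channel prints differently.

```python
"""Added example (not from the list post): find which clients are behind a
flood of junk queries in a BIND query log, so the source hosts can be dealt
with. The log lines are constructed in the 9.7-era "query:" format; the
field layout that the regex matches is the assumption this parser relies on.
"""
from collections import Counter
import re

# Constructed sample: ordinary traffic from two clients and a burst of
# random .ws names from a third, as the original poster described.
SAMPLE_LOG = """\
05-Dec-2011 12:16:19.101 client 192.0.2.10#53412: query: www.example.com IN A + (10.0.0.1)
05-Dec-2011 12:16:19.102 client 192.0.2.11#40001: query: mail.example.net IN MX + (10.0.0.1)
05-Dec-2011 12:16:19.103 client 192.0.2.77#1025: query: x7gq2.pool.ws IN A + (10.0.0.1)
05-Dec-2011 12:16:19.104 client 192.0.2.77#1026: query: b91kd.pool.ws IN A + (10.0.0.1)
05-Dec-2011 12:16:19.105 client 192.0.2.77#1027: query: q0zzt.cdn.ws IN A + (10.0.0.1)
05-Dec-2011 12:16:19.106 client 192.0.2.10#53413: query: www.example.org IN AAAA + (10.0.0.1)
05-Dec-2011 12:16:19.107 client 192.0.2.77#1028: query: mm2a9.pool.ws IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for each line that looks like a query."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").lower().rstrip("."), m.group("qtype")


def tld_of(qname):
    return qname.rsplit(".", 1)[-1]


def tld_share(log_text, tld):
    """Fraction of all logged queries that are for `tld` (the '60 out of 100')."""
    queries = list(parse_queries(log_text))
    if not queries:
        return 0.0
    hits = sum(1 for _, qname, _ in queries if tld_of(qname) == tld)
    return hits / len(queries)


def junk_sources(log_text, tld, min_count=3, min_share=0.5):
    """Clients to investigate: those that sent at least `min_count` queries for
    `tld` and for which those queries are at least `min_share` of everything
    they sent. Returns {client: (tld_queries, total_queries)}. A client that
    asks for one .ws name is ordinary; one asking for nothing else is not."""
    total, junk = Counter(), Counter()
    for client, qname, _ in parse_queries(log_text):
        total[client] += 1
        if tld_of(qname) == tld:
            junk[client] += 1
    return {c: (junk[c], total[c]) for c in total
            if junk[c] >= min_count and junk[c] / total[c] >= min_share}


if __name__ == "__main__":
    print(f"{tld_share(SAMPLE_LOG, 'ws'):.0%} of queries are for .ws")
    for client, (j, t) in junk_sources(SAMPLE_LOG, "ws").items():
        print(f"{client}: {j}/{t} queries for .ws")
```

On the sample the .ws share is about 57% and a single client accounts for all of it, which is the host to look at; the bogus local zone William suggests stops the recursive timeouts, but it does not stop the client from asking, so the two measures go together.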
RE: Bind 9.9.0b2 inline signing...
Todd wrote on 11/24/2011 11:29:14 AM:

> I don't understand why Windows doesn't include dig by default, even now. Free software hate?

And grep and logrotate! At least the GnuWin32 project has a good version of grep.