roof do you have that the CPU usage correlates, and that it's a problem?
What are the vendor's recommendations (for provisioning and operational
management), and are you following them?
--
Fred Morris
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
I've found myself in situations in the past where NOTIFY has been
fetishized as "real time", and nobody ever ever asked which upstream
server was being queried as a result. So this has been an eye-opening
thread, and if I ever find myself in that situation again it'll give me
something else to
s not
picking up the updated include file and nagesh3.com rpz
rule is not working.
Are you incrementing the SOA serial number?
--
Fred Morris, internet plumber
Going forward, what is anticipated to be the proper configuration for that
scenario?
Thanks...
--
Fred Morris
arate zones).
In terms of NXDOMAIN and SOA queries, both state.ak.us and
challenge.state.ak.us seem to do the right thing in terms of pretending to
be separate zones, e.g. in the first case returning the correct domain in
the AUTHORITY and in the second case returning the relevant SOA records
d
orate / mitigate SERVFAIL
utilizing RPZ.
I'll try to pay more attention and see if I can isolate a test case if the
problem recurs. (I was kind of hoping someone would have a solution!)
--
Fred Morris
On Fri, 16 Jun 2023, Crist Clark wrote:
That should return a NXDOMAIN. Returning SERVFAI
e
the best option regardless of the recursive server (BIND, Unbound, etc.)?
Thanks in advance...
--
Fred Morris
has any need to access the data in
the zone, whether directly or via BIND.
--
Fred Morris
the scenario was in some ways
different, was idempotence: the updaters would continue to attempt to
update whatever the master was until it conformed to their ideal image,
and their ideal image could change in consideration of what the zone held.
--
Fred Morris, internet plumber
Then "the usual" applies: set one of them to be a secondary and the master
to allow zone transfers from it. Configure Notify if desired.
Make sure it works, i.e. a zone transfer (AXFR / IXFR) occurs and the
correct serial number is represented in the SOA.
Pause for another scre
dary in real time: if you store the data in a file, simply redefine
the zone type and change type primary; to type secondary;.
--
Fred Morris
Hi Greg.
So somebody referenced this KB article because presumably it was
tangentially relevant, but I don't know that the OP is working with
standby infrastructure (good question!). All they say is that after an
upgrade all servers were masters.
The amount of direct relevance of the article
could get multicast (without a T/MG), but that doesn't allow for the
Dnstap overhead since DNS message sizes are already capped at the maximum
possible size of a UDP message.
Doing nothing is an option. ;-)
Thanks for all the work you do...
--
Fred Morris
over what's in the MS DNS zone,
at least as seen when BIND is queried.
Rear View RPZ (https://github.com/m3047/rear_view_rpz/) watches (BIND)
Dnstap telemetry for A/ queries and uses it to update PTR records in
an RPZ, as an example.
--
Fred Morris
ve knobs in the zone data, the server, the networking stack
and all of intermediating routers to twiddle. You can throw "buffer bloat"
in there too.
It's interesting that Dig automagically tries TCP first with ANY queries,
since that is not the default behavior with e.g. A
Internetworking with TCP/IP, Volume 1.
--
Fred Morris
ave a lot of them; and is there any
problem domain addressed by the DNS where that is more the case than name
to address mapping? (Counterexample: PTR records, now more than ever.)
I say go ahead, if nothing else consider it a "scream test". But can you
take a moment and tell us whi
I welcome birds of a feather. Need to define / refine the problem
statement first.
On 12/7/23 12:30 AM, Petr Špaček wrote:
> On 07. 12. 23 1:05, Fred Morris wrote:
>> On Wed, 6 Dec 2023, Evan Hunt wrote:
>> I say go ahead, if nothing else consider it a "scream test". But
uild
system, you went too far.
I looked for this just the other day in the KB. At the least you should
have a KB article. At least there's this post to the mailing list.
--
Fred Morris
On 12/21/23 10:08 AM, Ondřej Surý wrote:
> In the commit you referenced:
>
> https://gitlab.isc.org/isc-projects/bind9/-/commit/561a83a29182b00bda9237ae30343d76a68dcdf4#8ec9a00bfd09b3190ac6b22251dbb1aa95a0579d_147_147
>> On 21. 12. 2023, at 18:59, Fred Morris wrote:
>>
>
ference Manual.
The checksums correct for that version of README.md.
I think I must have mistakenly cut & pasted from the source tree in
GitLab for 9.18.
On 12/21/23 10:50 AM, Fred Morris wrote:
> On 12/21/23 10:08 AM, Ondřej Surý wrote:
>
>> In the commit you referenced:
>>
>
No, I was correct the first time, but I had the wrong version. It is a
9.18.9 tarball, not 9.18.21. Checksums are correct for that README.md.
On 12/21/23 12:18 PM, Fred Morris wrote:
>
> I'm sorry 9.18.9 was the version where I discovered that the build
> didn't build the PDF,
1> sum README.md 37785 11
m3047@sophia:/opt/downloads/bind-9.18.21> md5sum README.md
c4e08add5a135ce2573483eb0e5b1207 README.md
m3047@sophia:/opt/downloads/bind-9.18.21> sha256sum README.md
080e914decc2ed554d8887b0f719b82736c45380b987f23b3eba4ef7418f03f3 README.md
On 12/21/23 12:24 PM, Fre
Surý wrote:
> Are you really complaining about the lack of handholding because you
> want to build the documentation yourself and just can’t download it?
> Because it really seems like the case here.
I'm concerned you've lost control of your build. However it does look
correct in 9
There used to be an example in a directory in the BIND tarball, in
contrib/dnspriv/
Here's a link to it from 9.12.3: http://athena.m3047.net/pub/bind/dnspriv/
--
Fred Morris
On Sun, 11 Feb 2024, Andrew Latham wrote:
I have seen this question a few times so would a note or example in
love from here on out.
If shodohflo/agents/dnstap_agent.py or dnstap2json.py itself don't suit
your payload needs, you are of course welcome to subclass dnstap2json.py
yourself.
I couldn't do it without BIND! Cheers...
--
Fred Morris, internet plumber
http://consulting.m3047.n
vor of removing unused
features; emphasis is of course on "unused".
--
Fred Morris, internet plumber
hich affects this behavior? NS? SOA?
Thanks in advance...
--
Fred Morris
SOA record.
--
Fred Morris
On Fri, 5 Apr 2024, Fred Morris wrote:
When people think of "negative response caching" I suspect they're
thinking of NXDOMAIN, but there is another negative response: ANSWER:0.
To some extent this is indistinguishable from a referral, and I'm no
31
dig -x 131.191.85.31 +trace
--
Fred Morris
ke arguing over the particular weasels chosen
rather than the decision to stuff rabid weasels down your pants in the
first place.
--
Fred Morris
On Wed, 24 Apr 2024, tale wrote:
Hmm, I wonder if qname-minimisation is at issue here.
tcurve hasn't seen fit to fix it or get back to me in
nearly a full business week I suspect they like it this way. However it
doesn't comport with the principle of least surprise. The City of Tacoma
doesn't seem to care that the licensee operating in a portion of their
/16 is impersonat
Although I see listen-on in your named.conf snippet, I don't see
query-source. You can listen on a different interface / address than the
one you issue queries from. If you need to issue queries selectively on
different interfaces, see the server stanza and put query-source in there.
--
've ruled out the obvious conclusion you have to start
considering scenarios such as someone intentionally interfering in path
with port 53 traffic.
--
Fred Morris
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
It's incredibly hacky, but what about setting different nameservers
with different sets of addresses for the FQDN in question?
--
Fred
did! Instead it
reports "Temporary failure in name resolution" in the ping example.
--
Fred Morris
r nonrouting addresses commonly used for gateways, things like
that.
This is not a DNS problem, it's a problem in what commonly used programs
aid and abet in the name of "freedom of commerce" or something.
--
Fred Morris
--
[0]
https://www.bleepingcomputer.com/news/securi
Plain-TCP (DoPT) forwarder
(see the README for why), but it was trivial to add TLS support.
--
Fred Morris
rvers now running on Alpine (because super
lightweight), that blurs the lines a bit.
--
Fred Morris
Perhaps slightly OT, but here's a company which has a whole business model
based on one nonobvious (?) reason to compile from source:
https://polyverse.com/
--
Fred Morris
loits which work across a large installed
base is exactly what they're aiming to prevent.
Disclosure: I've heckled their CTO in a friendly fashion for making better
idiots, but I paid for my own Old Fashioned.
--
Fred Morris
my-outhouse-example.com" is NXDOMAIN.
In this case:
* "my-outhouse-example.com.example.com" will return NXDOMAIN (it does!)
* There should be /no/ upstream (pointless) query for
my-outhouse-example.com.example.com. (oops!)
Let's stop the leaks.
--
Fred Morris
Carl Byington wrote:
> On Wed, 2020-09-02 at 17:47 -0700, Fred Morris wrote:
> > how do I disable the (useless) resolution directed at upstream
> > servers?
>
> Isn't that just "qname-wait-recurse no;"
>
You are correct! I got confused and the doc didn
hat the TLD is, or if that
occurs that the choice of TLD mitigates in any fashion whatsoever.
There's always a way to make it happen, I just can't imagine it making
it sanely into production even by accident. (This applies to DLV.ISC.ORG
too, which returns an SOA, but they could make it NX
On Mon, 14 Sep 2020, Mark Andrews wrote:
[...] All
the queries to the recursive server with this configuration not answered by
the server will leak. The configuration needs “forward only;” to be added
to prevent the leak. We see this all the time.
zone “non-existant-tld” {
type forward
s.
So which is it:
* Hi I'm Jason and I want to create a DNS record so that the world can
find my web server. How do I do that? (answer #1)
* Hi I'm Jason and I want to run my own nameservers for a bunch of
irrelevant reasons such as CentOS, web servers and stuff. How
Check your clock. Have you got NTP turned on? Is it working? If it's not,
flush cache/restart before you test again.
--
Fred Morris
D problem with the pipe). But my grepping the strace
didn't catch anything opening the "dnstap.sock" pipe.
The way they did framestream initialization it requires the "optional"
handshake. I documented it (pydoc) here:
https://gith
rs, although that's perhaps better
handled in the mail filtering pipeline, which is where it really seems to
matter.
--
Fred Morris
in the QUERY section.
--
Fred Morris
--
#!/usr/bin/python3
# Copyright (c) 2021 by Fred Morris Tacoma WA
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#
didn't have a clever
story.
I suggest changing it to "953".
--
Fred Morris
I suggest changing it to "953".
Correction: 853.
--
FWM
e the (UDP) response, they'll never try TCP. (1980s logic)
What you can do is force the clients to use TCP... or TLS.
https://github.com/m3047/tcp_only_forwarder
Good luck...
--
Fred Morris
Exactly!
On Thu, 30 Sep 2021, Carl Byington wrote:
On Thu, 2021-09-30 at 16:30 -0700, Fred Morris wrote:
https://github.com/m3047/tcp_only_forwarder
So what exactly are the media devices doing to screw up dns resolution
between the osx laptop and the local dns server?
Dropping UDP replies
c. Doesn't bother the media devices, but 1980s stub resolver logic
isn't up to competing with 100,000:1 packet contention and doesn't provide
any way to do traffic shaping.
--
Fred
On Fri, 1 Oct 2021, Fred Morris wrote:
On Thu, 30 Sep 2021, Carl Byington wrote:
On Thu, 2021-0
Grant Taylor's reply is good, but you might also look at the check-names
option. As he says, underscores are frowned on in hostnames but that's
about it in theory if not in practice.
You could also contemplate changing the logging destination and level...
or not.
--
Fred Morris
Is there a way to do this or should I bite the bullet and run two copies
of BIND?
Thanks in advance...
--
Fred Morris
are utilized in the second view.
and the "lie" is that the "unused" RPZ is dynamically updated in the
first view (that's where update requests are sent); I suppose I could
jigger that so that the updates happen in the second view. But the
stopper is that error message,
er to live
on a different machine.
https://github.com/m3047/rear_view_rpz/blob/main/install/Optional_DNS_Service.md
--
Fred Morris
tion
which ships BIND compiled with Dnstap support, please let me know!
Cheers...
--
Fred Morris
This is being posted to the Dnstap, RPZ and BIND Users mailing lists.
I posted just such a thing a few weeks ago on the dnsrpz list at
redbarn. Hrm, seems to be down at the moment.
On 12/2/21 11:00 AM, Grant Taylor via bind-users wrote:
> On 12/2/21 9:59 AM, Fred Morris wrote:
>> Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
>
sponse you get here is going to involve changing your BIND server's
configuration and behavior, probably to convert it from forwarding to
caching... although grizzled veterans may tell you horror stories about
hotels and other public wifi.
--
Fred Morris
for sending this to another address, presumably
via TCP... socat? Too bad about the handshake, any best practices for
forwarding there?
Thanks in advance...
(Pure Python implementation of fstrm:
https://github.com/m3047/shodohflo/blob/master/shodohflo/fstrm.py
I should have included this in the first message, and I apologize.
What I'm looking at is trying to build a BIND kernel, like a nanokernel.
Socat won't work in this case, because there's no "IPC" layer,
because there is only one process in the kernel.
One process. No users. I need to
serve to inform server implementers /
operators.
(I think the RFC has a number of biases towards server implementers /
operators, some plain, some more along the lines of moral hazard.)
--
Fred Morris
d if they exist they
shouldn't) and I block them (e.g. *.com.com) to prevent information
leakage and garbage traffic.
HTH...
--
Fred Morris, internet plumber
ens on 127.0.0.53.)
Maybe you should turn it off.
--
Fred Morris, internet plumber
I would expect the information you seek to be available via Dnstap.
--
Fred Morris, internet plumber
his is veering
into the realm of what's possible (which is seldom actually technical);
this includes your means and ability to analyze the DNS traffic. If you
want to discuss further feel free to email me.
--
Fred Morris, internet plumber
postfix. Crikey, they can't even be bothered to get an LE cert for the
website and catch flak at least monthly. Honey badger don't care.
They're very clear about postconf output. If you pasted postconf output
from the manual (or Stack Overflow) I think the response would
If you need something for POC / smoke:
https://github.com/m3047/shodohflo/blob/master/examples/dnstap2json.py
Assuming you can figure out how to get Splunk to consume log oriented json
over UDP...
--
Fred Morris, internet plumber
Self explanatory? Maybe it's the nomenclature but I can't spot this in
the manpage; search engines haven't been much help. I might have to read
code! :-o
Thanks in advance, whoever you are; I owe you a beer.
--
Fred Morris
eople give a better
answer.
--
Fred Morris, internet plumber
Nearly identical to what was posted to the unbound list. -- FWM6
On Fri, 23 Sep 2022, JAHANZAIB SYED wrote:
I am trying to get some basic ideas on dns/hosting.
[...]
Why are you forwarding at all?
On Fri, 23 Sep 2022, Philip Prindeville wrote:
I've changed locations (moved houses) and consequently ISPs (now on
Sparklight, used to have CTC) and I'm seeing a slew of DNS issues I
didn't have before [...]
As you can see, a LOT of noise.
[...]
// If y
s which can be queried as well as the
types of allowed queries.
Here is my contribution to ensuring employment for DNS subject matter
experts:
* https://github.com/m3047/rkvdns -- DNS proxy for Redis
* https://github.com/m3047/rkvdns_examples -- examples
--
Fred Morris, internet plumbe
d purposes.
--
Fred Morris, internet plumber
Ok. This is public address space. Delegation for reverse zones is separate
from forward zones.
Kind of depends on where the connectivity failure is, as to whether or not
clients can walk the delegation tree (or need to). Then there's the effect
of TTLs expiring.
--
Fred Morris, int
n-addr.arpa.rearview.m3047.net. 600 IN TXT
"depth=1,first=1665810308.1564665,last=1667535958.6280398,count=152,trend=11758.670145495724,update=1667540875.2953703,score=5.3302068902418895"
;; AUTHORITY SECTION:
REARVIEW.M3047.NET. 600 IN NS LOCALHOST.
;; SERVER: 10.0.0.
ric, or customer
centric; I can also make arguments for outright lying. Hey, choose your
own adventure; other people will judge you accordingly.
--
Fred Morris, internet plumber
ir ilk the likely use case for resources
under in-addr.arpa. There are some things I would avoid as a courtesy to
others if I was so inclined: escape, completion and wildcard characters in
shells and SQL implementations...
--
Fred Morris
requested them.
From my vantage most PTR records are demonstrably garbage.
Caching exists because if you requested it once you might request it
again. Who knows, maybe you didn't believe it the first time. In any case,
that's why the aphorism "garbage in garbage out" is a thing
get ahead of it and bring ShoDoHFlo up to spec. I'll compile
from source.
(Although it would be nice if somebody from Fedora could speak to
support for Dnstap in the available BIND package...)
--
Fred Morris, internet plumber
fun arguing about whether or not a server which is "authoritative"
should have an NS record in the zone, once you have something which
demonstrably works.
I don't have a lot of patience for "experts" who can't demonstrate a
working system, so I probably won
Errata..
On Thu, 1 Dec 2022, Fred Morris wrote:
"authoritative" zone served by an authoritative server configured to return
complete 1024/1025 responses look like?
1034/1035
--
FWM
as specified.
(The MSG SIZE is also a clue.)
Searching the intertubes wasn't much help. When I tried to search the
list archives I got a Gateway Timeout. :-( Anyway, it's been a minor
personal annoyance for a while; hopefully this helps somebody else with
a problem they didn't know th
Hello Petr:
On 12/5/22 4:35 AM, Petr Špaček wrote:
> On 05. 12. 22 3:49, Fred Morris wrote:
>> If the UDP query returns TC=1 DiG retries with TCP. I want to see the
>> UDP results and am unable to. Specifying +notcp makes no difference.
>> The correct option is +ig
the
modules above (dnspython).
If the output of the sample program and the protobuf implementation
itself look a bit Scapy-like, that's because I originally implemented it
as a Scapy dissector several years ago. Unlike Scapy, this software is
released under an Apache license.
--
Fred M
Look in the BIND ARM for dump-file:
dump-file
The pathname of the file the server dumps the database to when
instructed to do so with rndc dumpdb. If not specified, the default is
named_dump.db.
Regards...
--
Fred Morris
On Wed, 27 Nov 2019, isc-bind-us...@ics-il.net wrote
ss is something to do with NSCD.
There is a tension between the protocol ("any octet") vs what you can
register ("valid hostnames") vs what's sent to the public DNS ("case
insensitive").
--
Fred Morris
ient
from the full impact of the large record set. But if you're exposing large
rrsets to the public (regardless whether they trigger this particular
behavior) it's worth reviewing your server posture to make sure your
limits on what's allowed via UDP are reasonable.
--
Fred