Bind DLZ and Postgres 8.4.8

2011-10-03 Thread Job
Hello, by regarding the excellent guide of Jan Pit Mens, i have integrated Bind 9.8.1 DLZ with Mysql 5.x DB; everything is fine and fantastic. I cannot use Postgresql 8.4.8 backend; named correctly starts but, when first nslookup query take place, named crash with this dump:

R: Bind DLZ and Postgres 8.4.8

2011-10-04 Thread Job
Hello, everything is fine, i patched the source tree! Thank you, regards! Francesco From: bind-users-bounces+job=colliniconsulting...@lists.isc.org [mailto:bind-users-bounces+job=colliniconsulting...@lists.isc.org] On behalf of Job Sent: Monday 3 October

Logging queries and answers

2011-10-06 Thread Job
Hello Bind-Users ML, is there a way, a patch or something else, in order to log: - date/time - client - request (e.g. www.site.com) - reply (e.g. 1.1.1.1) in a file, without using debug log format, which writes lots of lines for a query? Thank you, regards. Francesco

Bind, rpz and views

2011-12-15 Thread Job
Hello Bind ML, i am trying to setup some blacklists for some users. I have a file for every blacklist, example: blacklistA blacklistB blacklistC. I have to assign different combination of A B C to users. I created dns bind view that, by matching source ip client, provide different answer

Rndc reload hang

2014-11-21 Thread Job
Hello, we are using in a production environment Bind-9.10.1. Since i install it, i had sometimes problems with dns resolution. By typing rndc reload the system seems in hung: i have named process running, but i cannot have any dns resolution and i cannot kill the named process with -INT or -HUP.

R: Blocking if resolved ip is geolicalized

2015-02-03 Thread Job
Hi Brown, oops... excuse me! :) You are right! Francesco From: wbr...@e1b.org [wbr...@e1b.org] Sent: Tuesday 3 February 2015 15.37 To: Job Cc: bind-users@lists.isc.org Subject: Re: Blocking if resolved ip is geolicalized From: Job j

Blocking if resolved ip is geolicalized

2015-02-03 Thread Job
Hello, i would like to ask this particular thing: i would like to block resolution if RESOLVED IP is geolocated in some country. As example, if 1.2.3.4 is geolocated in China and i want to block all Chinese website, if a resolve www.site.ch (that is 1.2.3.4), bind should give me an error or a

Reload a single view

2015-01-23 Thread Job
Hello, is there a way to reload a single VIEW (not a zone, but a view), for example when i change the match-clients directive? I notice that, on huge load servers, issuing rndc reload is very heavy for the machine. If it should be possible to reload only this directives (match-clients), it

Thread or not thread

2015-01-24 Thread Job
Hello, i read some document that say enabling threads (in Bind 9.x compiling), give less performance than disabling threads, in a 32 bit environment (with 2 cpu), using Bind DLZ (with Postgresql DB). I found something here: http://zaphods.net/~zaphodb/high-performance-bind9.html Do you

Use the $client$ token in findzone query - Bind-DLZ

2015-03-06 Thread Job
Hello, regarding this post of some years ago: http://bind9-users.isc.narkive.com/aduGYTeB/dlz-client-parameter-segfault i would like is there is some hacks/workaround in order to use $client$ variable in other query, as example in the findzone query? Actually the source client token is

Use the $client$ token in findzone query - Bind-DLZ

2015-03-07 Thread Job
Hello, regarding this post of some years ago: http://bind9-users.isc.narkive.com/aduGYTeB/dlz-client-parameter-segfault i would like is there is some hacks/workaround in order to use $client$ variable in other query, as example in the findzone query? Actually the source client token is

Bind RPZ and client-ip policy

2015-03-12 Thread Job
Hello, i am looking to Bind DLZ and i would ask you if there is a way to specify, for a specific user, to block some domains and, for another user, to block other domains. By reading documentation i did not find the way to join ip-client trigger to some domain CNAME that can block basing on

Config large tuning and out of memory

2015-03-03 Thread Job
Hello, i recompiled Bind 9.10.1-P1 with system large tuning enabled. I have some hundreds of view (with DLZ) in our system. With this feature compiled in, bind does not start: Mar 3 16:50:45 cloud02gw named[13338]: reloading configuration failed: out of memory I have 16 Gb of RAM, and about

R: Config large tuning and out of memory

2015-03-03 Thread Job
, 2015 11:44 AM To: Job Cc: bind-users@lists.isc.org Subject: Re: Config large tuning and out of memory Job, I won't go in to this in detail, as it's more complicated than your 32 bit system can't address more than 4GB of RAM, but your 32 bit OS is almost certainly your problem. Most of your 16GB

R: Too many connections on the same IP

2015-03-03 Thread Job
? Thank you again! Francesco From: bind-users-boun...@lists.isc.org [bind-users-boun...@lists.isc.org] on behalf of Job [j...@colliniconsulting.it] Sent: Tuesday 3 March 2015 11.43 To: bind-users@lists.isc.org Subject: Too many connections on the same IP

R: Too many connections on the same IP

2015-03-04 Thread Job
Hello Stefan, and thank you for the reply. Are you using iptables Firewall? Does the problem only occur on UDP connections to the problematic IP? Or also on TCP connections to the same IP? At the beginning, i thought was an iptables-behind-firewall problem and i made massive dns resolutions

Better debug of too many queries

2015-03-04 Thread Job
Hello! I installed a 64bit Centos 6 operating system, with Postgresql 8.4.20 x64 and Bind, latest 9.10 version. I use Bind-DLZ in lots of view. In our lab we are simulating what happens with some hundred of queries per second. I notice that, when using BIND-DLZ, some queries does not resolve

Use the $client$ token in findzone query - Bind-DLZ

2015-03-05 Thread Job
Hello, regarding this post of some years ago: http://bind9-users.isc.narkive.com/aduGYTeB/dlz-client-parameter-segfault i would like is there is some hacks/workaround in order to use $client$ variable in other query, as example in the findzone query? Actually the source client token is

Too many connections on the same IP

2015-03-03 Thread Job
Hello, during a massive DNS utilization our Bind 9.10.1-P1 seems not to resolve anymore, neither local zone. We shutdown one of the two nodes and all queries arrived only on one node. CPU and memory load were not too overloaded, machine was quite fine. After some fast tests, i noticed that if

Bind RPZ and in-view clause

2015-02-24 Thread Job
Hello, working with many views, we use the in-view directive in order to load once the table in the first view (sometime can be large), and reuse it in other views, by linking it with in-view zone. We appreciated RPZ to protect with dns firewall users; an rpz file can be long some hundreds of

R: Bind RPZ and in-view clause

2015-02-24 Thread Job
Unfortunately, no. Thank you for the reply Evant. So, DLZ is still the better way if someone needs to share dns blacklists between lots of zone, i think. But, i noticed very useful the RPZ function that can block (or walled gardening) the resolution for those sites that are located into bad

R: RPZ and client matching

2015-05-10 Thread Job
Hi Chris, Have that view forward to the main view, using any of a variety of methods. For example, forward to the loopback address, which doesn't match the new view's match-clients ACL. So do you think, without using the in-view clause because it not supports RPZ, is there a way to load

R: RPZ and client matching

2015-05-10 Thread Job
Hello, You can use a combination of rpz-client-ip. trigger and rpz-passthru. action to achieve either effect. i notice i can define a policy and then, with rpz-passtru, i can make exceptions for client. But i did not find how to write a policy, for example resolve with 127.0.0.1 *.playboy.com,

RPZ and client matching

2015-05-09 Thread Job
Hello, i noticed i can write a RPZ file for blocking some websites resolution, as example, and exclude some Client IP from this policy. I would like to do exactly the opposite: i want to define some blocking resolution policy and ASSIGN only to specific client. Is it possible with RPZ? Thank

R: R: R: RPZ and client matching

2015-05-15 Thread Job
] Sent: Friday 15 May 2015 17.16 To: Job Cc: bind-users@lists.isc.org Subject: Re: R: R: RPZ and client matching Hi Job On Fri, May 15, 2015 at 04:56:07PM +0200, Job wrote: Hello, very interesting feature: We have prepared a branch that adds an rpz-skipzone. policy action that, when matched

R: R: RPZ and client matching

2015-05-15 Thread Job
Hello, very interesting feature: We have prepared a branch that adds an rpz-skipzone. policy action that, when matched by the trigger, behaves as if the current policy zone is disabled, and proceeds to the next one. It is still in the early stages, but it may be released in 9.11. But, actually

Share zone files in RPZ

2015-05-13 Thread Job
Hello, is there any workaround to use the in-view statement in RPZ in order to reuse the huge zone files between views (often they are some millions of records long)? Or something else, a part DLZ that, in small hardware, has got some slowdown with DB. Thank you, Francesco

Block propagation for a specific record A

2015-07-29 Thread Job
Hello, for a test page purpose, we would like to avoid propagation only for a specific record A, example: test.domain.com We need to test if users set up our DNS server in ethernet configuration, and they display correctly the test page. But, if test.domain.com propagate, we are not sure they

R: R: R: Three RPZ zone definition

2016-05-20 Thread Job
y sentence, can i trigger the Client only for a zone and not for the other zone? Some Client would not have to match together the two zones! Thank you again! Francesco From: Tony Finch [d...@dotat.at] Sent: Thursday 19 May 2016 18.13 To: Job Cc: bind-u

RPZ logging

2016-05-20 Thread Job
Hello, is it possible to log, regarding the RPZ response policy, everything EXCEPT the CLIENT PASS THROUGH events? I would like to log only what is matched. Thank you, Francesco ___ Please visit https://lists.isc.org/mailman/listinfo/bind-users to

R: Three RPZ zone definition

2016-05-19 Thread Job
-boun...@lists.isc.org] on behalf of Job [j...@colliniconsulting.it] Sent: Thursday 19 May 2016 14.33 To: bind-users@lists.isc.org Subject: Three RPZ zone definition Hello, within in a view i have added the third rpz zone (i take it separately), it is loaded but the RPZ policy does not act

Three RPZ zone definition

2016-05-19 Thread Job
Hello, within in a view i have added the third rpz zone (i take it separately), it is loaded but the RPZ policy does not act. If i leave only two zones, it works perfectly. Is there a limit of two zone consequentially? How can i avoid it? Here is my configuration: response-policy { zone

R: R: Three RPZ zone definition

2016-05-19 Thread Job
>>That's how passthru is supposed to work. Hi Tony, is there a way to define more response-policy in Bind or the possibility to apply a response-policy only to certain client ip? Thank you again! Francesco Tony. -- f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode

Concatenating more RPZ

2017-02-16 Thread Job
Hi guys, i have this situation with RPZ zones (and can grow up with more RPZ zones): response-policy { zone "policy1.lan"; zone "policy2.lan"; }; Within polici1.lan and policy2.lan i have included the client IP that must not load the policy (passthrough). If a Client IP needs to have enabled

Concatenating more RPZ zones?

2017-02-23 Thread Job
Hi guys, i have this situation with RPZ zones (and can grow up with more RPZ zones): response-policy { zone "policy1.lan"; zone "policy2.lan"; }; Within polici1.lan and policy2.lan i have included the client IP that must not load the policy (passthrough). If a Client IP needs to have enabled

Concatenating more RPZ zones

2017-02-15 Thread Job
Hi guys, i have this situation with RPZ zones (and can grow up with more RPZ zones): response-policy { zone "policy1.lan"; zone "policy2.lan"; }; Within polici1.lan and policy2.lan i have included the client IP that must not load the policy (passthrough). If a Client IP needs to have enabled

Recognizing remote IP in shared connections

2017-02-28 Thread Job
Hi, for policies purpose, we need to know which remote site is resolving a Bind 9.x public DNS Server. The problem occurs when some carriers "share" the same IP address between more customers and they surf behind a shared NAT. Is there a way? Perhaps with DNS crypt or dnssec? Thank you! /F

Bind and DLZ strange loop

2016-09-07 Thread Job
Hello, we use Bind with DLZ, Postgres 8.4.8 as RDBMS support. Everything works but, with DLZ query, i notice (in Postgresql log), that Bind calls two times the same queries. For example, to resolve with Bind-DLZ www.fiorino.it, it should make three queries (to descend until Top level

Load balancer for Bind

2016-09-14 Thread Job
Hello, which is the best load balancer for two or more Bind DNS Server, located in the same farm? I read something about HAProxy but it does not manage udp connection and the interesting security proxy/balancer DnsDist does not pass original client ip for Bind-DLZ... Thank you, regards!

R: Postgresql 8.4 optimize heavy load

2016-09-19 Thread Job
Thank you to everybody and excuse me, first of all. I wrote requests for postgresql (even if connected with Bind-DLZ) in the wrong Group! Thank you! Francesco From: Sten Carlsen [st...@s-carlsen.dk] Sent: Sunday 18 September 2016 0.03 To: Job Cc: bind-users@lists.isc.org Subject: Re

R: Minimal responses and speeding up queries

2016-09-23 Thread Job
m 22.09.2016 um 22:41 schrieb Job: > >>> If you want to avoid additional queries, turn minimal_responses off. > > > > I thought setting minimal_responses = yes should lower the number of queries > > Do you think it is the opposite? > > it's not about thin

R: Minimal responses and speeding up queries

2016-09-23 Thread Job
Hi Tony, excellent answer, thank you very much. My first goal, since i use Bind 9.10 in conjunction with DLZ (old driver), is limiting additional queries to reduce load into backend database system. By tuning the minimal-responses i have few database queries less than before; it is a good step,

Minimal responses and speeding up queries

2016-09-22 Thread Job
Hello, in Bind 9.10 we tried minimal-responses = yes to limit "additional queries" when resolving. I notice that resolution is faster. Actually, dig @host some_url still shows an additional query, maybe not needed for a caching-only resolver: ; (1 server found) ;; global options: +cmd ;; Got

R: Minimal responses and speeding up queries

2016-09-22 Thread Job
s-boun...@lists.isc.org] on behalf of Matus UHLAR - fantomas [uh...@fantomas.sk] Sent: Thursday 22 September 2016 17.07 To: bind-users@lists.isc.org Subject: Re: Minimal responses and speeding up queries On 22.09.16 16:41, Job wrote: >in Bind 9.10 we tried minimal-responses = yes to limit &q

Postgresql 8.4 optimize heavy load

2016-09-17 Thread Job
Hello, i would please like to have some suggestions to optimize Postgres 8.4 for a very heavy number of select (with join) queries. The queries read data, very rarely they write. Thank you! Francesco

Reloading match-clients

2016-10-14 Thread Job
Hello, in Bind 9.10.x we need, often, to reload configuration due to dynamical IP changes. We need to update the "match-clients" zone section. Under heavy load, Bind9 stop responding to queries for some seconds and generate a lots of queue in the request. is there a way to update/change this

R: Reloading match-clients

2016-10-14 Thread Job
From: Anand Buddhdev [ana...@ripe.net] Sent: Friday 14 October 2016 12.03 To: Job; bind-users@lists.isc.org Subject: Re: Reloading match-clients On 14/10/16 11:48, Job wrote: Hi Job, > is there a way to update/change this section without reloading or > with a very-soft reload

Slow recursion with ipv6 enabled?

2016-11-19 Thread Job
Hello, on Bind 9.10 (latest version of this stable branch), i notice in some cases a relevant slowdown when resolving (for the first time) hostname, when named is launched with both ipv4 and ipv6. It use recursion to fetch for the first time the information and i have, often, about 2000/3000ms

DNS and cache-expiration modification

2016-11-18 Thread Job
Hello, for heavy-use cache improvements, i was thinking to "alter" the expire time of cache records. I would like to try to "alter" the expiration of records present in cache. Do you know if with Bind is possible? Thank you, /F

Bind DLZ on a 64 bit environment

2017-01-03 Thread Job
Dear guys, I would like to ask you an help on this. We are using since some years, with success, Bind DLZ (the first implementation of 2004 i think). We use Postgresql 9.6.1 as backend server and still a 32bit system with CentOS 5. Bind is compiled with enable threads; we put 64 as drivers

Match destinations (port)?

2017-06-09 Thread Job
Hi guys, is it possible to match "destination port" in view clauses, instead of "destination ip"? We use already destination IP to split view between called bind IP. I would like to know if there is a way to distinguish view between called TCP/UDP port. Thank you, /F

Stop Reverse resolution query Logging

2017-06-01 Thread Job
Dear guys, is there a way in Bind 9 to stop logging (to bind.log standard file) all the in-addr.arpa queries? We would like to log everything else but not the reverse resolution queries. Thank you! F

R: Logging resolved IP

2017-09-20 Thread Job
>Or (on 9.11 and later) use dnstap, which should be a good deal faster. Dear Tony, thank you. It seems like a "bridge" that permit resolved IP logging. Do you also know if it can slow down performances or it is fully transparent? Thank you again! F

Logging resolved IP

2017-09-19 Thread Job
Hi guys, is there a way to log resolved IP in Bind log files? Example: www.google.com 4.3.2.1 I am able to do it with tcpdump, but i do not like a "sniffering" solution! Best, F

Forcing external domains TTL value

2017-10-07 Thread Job
Dear guys, Due to heavy traffic caching performance, i would like to force external domains TTL - for external domains - to at least 600 seconds. Is there a way to do it, maybe by recompiling the package? Thank you, very best! /F

R: Forcing external domains TTL value

2017-10-07 Thread Job
Hi Reindl, thank you! >>not with named - unbound as resolver support's it Perhaps do you know if DjbDns support this directive? I thought putting a frontend DNS server before Bind... Thank you, /F

Max-Socks

2017-11-24 Thread Job
Hello, under important traffic average, raising up the options (-S) max-socks in named startup parameters, could help? Or it would be better to tune the (-n) cpus worker and the (-U) listeners? Thank you, best regards! /F

Scaling Bind-DLZ

2018-09-10 Thread Job
Hi, we are using with a quite good satisfaction Bind-DLZ (with Postgresql 9.6.4) on Bind9. I know, it is a quite old driver, but we know very well how does it work. Due to traffic increase, we are experiencing some visible delays when the number of concurrent queries per second reach the

RPZ-zone and AAAA queries

2018-03-26 Thread Job
Hi, is there a way to avoid RPZ answering to "AAAA" queries, leaving the reply only for A queries? In my RPZ zone file, i have: domain.abc A 1.2.3.4 I cannot understand why the reply - also - arrive for the AAAA query. Thank you! F

R: RPZ-zone and AAAA queries

2018-03-26 Thread Job
nviato: Monday 26 March 2018 13.01 To: Job Cc: bind-users@lists.isc.org Subject: Re: RPZ-zone and AAAA queries Job <j...@colliniconsulting.it> wrote: > > is there a way to avoid RPZ answering to "AAAA" queries, leaving the > reply only for A queries? I'm afraid not. The poli

R: R: RPZ-zone and AAAA queries

2018-03-26 Thread Job
Hi Tony, thank you again! Regarding: Yes, see "local data" under https://ftp.isc.org/isc/bind9/9.12.1/doc/arm/Bv9ARM.ch05.html#rpz I tried but i did not understand how to create the "local data" policy only for AAAA. Thank you! F

RPZ for A and AAAA queries

2018-03-29 Thread Job via bind-users
Dear Guys, is it possible to configure two different replies, related to A or AAAA query? For example, in a RPZ zone, i would like this scenario: www.site.com A 1.2.3.4 www.site.com AAAA (CNAME to www.site.com) -> in order to resolve regularly the AAAA query Is there a way to