e, not
the actual
domain on the internet. The only major issue I've been facing with this so far,
is that AXFR
to secondary and tertiary name servers has some issues, and at least Windows 10
Home
will query those when the primary name server does not give a satisfactory
answer.
--
Met v
};
};
My apologies for not double-checking earlier, but I think this should be
everything.
--
Met vriendelijke groet / Best regards,
Michael De Roover
signature.asc
Description: This is a digitally signed message part.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
implementation in named by the end of
this year.
In the meantime, there are DoH proxies that can run BIND as the back-end.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to
9/20 10:19 PM, Tony Finch wrote:
Michael De Roover wrote:
On that subject, how about DoT?
DoT is easier since you only need a raw TLS reverse proxy, and there are
lots of those, for example, nginx:
http://dotat.at/cgi/git/doh101.git/blob/HEAD:/roles/doh101/files/nginx.conf#l48
Note that if you
rsally. There’s
nothing they can do about DoH.
Not that it is all sunshine and rainbows in DoH-land, of course. Use of cookies
is “discouraged” but not prevented, most obviously.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please v
ing but
that requires a list to be hardcoded in every web browser that supports
it. It doesn't scale up at all. At that point we might as well go back
to hosts files.
On 5/2/20 9:28 AM, Reindl Harald wrote:
Am 02.05.20 um 09:00 schrieb Michael De Roover:
That's actually my biggest co
even many
(non-enterprise) business customers can't use port 25.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bin
it good? No, email sucks. If you can get
away with not running a mail server, don't run one. They suck so much.
But if you do, a home IP is not where you'll want to start regardless.
Get a VPS if anything.
On 5/2/20 3:51 PM, Reindl Harald wrote:
Am 02.05.20 um 15:41 schrieb Michae
port numbers.
On Sat, 2 May 2020 15:51:58 +0200
Reindl Harald wrote:
Am 02.05.20 um 15:41 schrieb Michael De Roover:
In my experience and from what I've heard, very few.
if that would be true how comes that most mail clients still default to
25 for submission and years after closing po
way.
Assuming that I check whether my ISP allows 25 in- and outbound first,
that could work.
On 5/2/20 6:25 PM, Brett Delmage wrote:
On Sat, 2 May 2020, Michael De Roover wrote:
Even if your ISP allows it, chances are that other mail servers will
reject it
Nope, not always.
My residential-cl
ney[*] for small issues like this. They (and other wealthy companies)
should be paying money only for original security research and not this
nonsense.
* $100 is a helluva money in some economies...
Ondrej
--
Ondřej Surý
ond...@isc.org
--
Met vriendelijke groet / Best regards,
Michael
et vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at http
stead. These are not the people I
want to support in my effort to end racism, which I /do/ support, and
quite heavily so.
On 6/15/20 8:00 PM, DeCaro, James John (Jim) CIV DISA FE (USA) wrote:
Or you can call the slave servers 'secondary' servers.
--
Met
suggested alternative too, and it's
nicely terse.
https://www.thesaurus.com/browse/master?s=t
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this lis
s=t>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bin
ptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit h
e not very well documented online (or more likely my
search terms aren't right), so yeah... I wonder why the idea of
recursion became associated with a vulnerable server in the first place.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
tion
from the DNS servers higher up the chain. And another query if needed,
saves traffic either way I suppose.
Thanks a lot for the detailed reply, I really appreciate it :)
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit
t to send mails) that your IP has
a sane PTR and that the name maps back to the IP the dns system couldn't
care less
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users
ou
want to set your PTR records to not match at least one of your A records?
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the d
from amplification attack so is there
any method in bind to stop DNS Amplification attack.
I am thinking to stop or drop ANY type queries from our DNS Recursive
resolver , so please tell me how can we drop or stop ANY type queries
from bind.
--
Met vriendelijke groet / Best regards,
Michael De
ote:
Speaking about things to be annoyed over ..
I am still ticked that FreeBSD dropped BIND from the distribution for something
called unwinding or whatever it is.
John
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://l
ribe the same thing. It's
extremely confusing.
On 7/20/20 9:05 PM, Ted Mittelstaedt wrote:
On 7/20/2020 11:23 AM, Michael De Roover wrote:
If that is true, I hereby lost all faith in humanity.. well whatever
faith I had left. This has been going on for like half a decade now.
Nobody ever we
s when a handful of dedicated
compilation servers can do exactly that, and a million times better?
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from thi
tro to turn into a Gentoo for increased merit or
reasons like that. If the distro makes compiling from source (be it
upstream or their downstream version) easy, either to compare or to
actually put it to use, all the better.
(My preferred term for for crashin
se with those
leaked databases and whatnot.
On 7/23/20 2:39 PM, Fred Morris wrote:
Perhaps slightly OT, but here's a company which has a whole business
model based on one nonobvious (?) reason to compile from source:
https://polyverse.com/
--
Fr
repository and will look further into it.
--
Met vriendelijke groet / Best regards,
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid sup
__Please visit
> https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
> this list
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> informat
are signed by
putting a green square around it (useful for signed emails from e.g.
security mailing lists), and so on. Definitely recommended!
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from
m this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mich
just have one server for DNS and that tutorial is about
> secondary DNS server too. Can you show me another tutorial with one
> server and same goal?
> The Internet DNS server for my goal is "Authoritative DNS" ?
--
Michael De Roover
___
walls are cheap and the level of effort to run a bastion host
> > are
> > significant.
>
> Firewalls are useful when you want to protect unamanaged printers and
> Windows boxes (or Web servers with a lot of crappy PHP) but a BIND
> server on a reasonably managed Unix
they are usually UDP based, and every new query is going
> to create state. Read up on state table exhaustion.
>
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/
e:
> Absolutely right; I wrote this Linux-centric article about it:
>
> https://kb.isc.org/docs/aa-01183
>
> It has not been updated to cover nftables.
>
> Note also that this is a good reason NOT to use the NAT that
> other posters
something like that).
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.or
here that the DNS protocol has no
> means to distinguish among different types of NS host. (Yes, there
> is
> the SOA MNAME, but that is not used by resolvers.) One NS is as good
> as any other NS.
These (SOA and behavior for resolvers) probably describe where I got
confused, thanks
rg/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Michael De Roover
___
Please visit https://lists.isc.org/mailman/listinfo/bin
For my servers I'm using iptables rules to achieve ratelimiting. They
look as follows:
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW -m recent --
update --seconds 600 --hitcount 4 --name DEFAULT --mask 255.255.255.255
--rsource -j DROP
-A INPUT -p tcp -m tcp --dport 25 -m state --state NEW
s/ch7/xfer.html
Thank you so much for taking your time to read this, and thanks in advance for
any insights.
--
Met vriendelijke groet / Best regards,
Michael De Roover
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this
ts are set according to
algorithm and usage (ZSK or KSK)
[1] https://www.cyberciti.biz/faq/unix-linux-bind-named-configuring-tsig/
Thanks again for your time to read this email, and for your insights.
--
Met vriendelijke groet / Best regards,
Michael De Roover
--
Visit https://lis
Hello,
I have been running BIND 9 on my external and internal networks for a
few years now -- as such I have a basic understanding of the most
common RR types and activities such as zone transfers. However, I have
been seeing something that's been baffling me for quite a while now.
Somehow there a
On Thu, 2022-12-22 at 05:19 +, Michael De Roover wrote:
> Hello,
>
> I have been running BIND 9 on my external and internal networks for a
> few years now -- as such I have a basic understanding of the most
> common RR types and activities such as zone transfers. However, I
>
to make? If
so, to what extent? And if authenticity is to be enforced from those with
authoritative servers, to circumvent that problem if identified as such,
wouldn't that just move the ball for ISP's to employ more intrusive methods to
comply with the law?
--
Met vriendelijke
the Council) too, but they tend to separate
that into their press releases. It's interesting to be able to peek behind the
curtains at how each of these world-leading governments approaches this PR
matter.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: micha
f that is an undesirable status quo, then perhaps the matter of
actual collaboration is what deserves foreground attention.
For a long time, I've considered the IETF's standards in particular, to be the
"laws of the internet". Perhaps it wouldn't be a bad idea to
On Wednesday, 29 January 2025 11:40:50 CET Michael De Roover wrote:
> Granted, for my own domains, doing zone transfers in plain TLS over a VPN
> connection like WireGuard has never failed me either.
TCP, I meant TCP! Goodness gracious, doing an all-nighter was not a good idea.
-
On Wednesday, 29 January 2025 11:07:51 CET Stephen Farrell wrote:
> Hiya,
>
> On 29/01/2025 02:58, Michael De Roover wrote:
>
> > I appreciate the confirmation of this being about DoT/DoH
>
>
> Do we have any opinions as to whether the document (which
> I've
ve seen a lot
in both tablets and laptops, and that kind of hostile engineering is something
I strongly object to. Heh, maybe I should just go ahead and do that myself
too. Electronics, sysadmin, development... shit never ends, does it.
--
Met vriendelijke groet,
Michael De Roover
Mail: i..
r everything else. Additionally,
this is separated into 3 servers for the network I'm thinking of.. with 1
master and 2 slaves. It's really just a matter of slicing. Your given server
can certainly be a master for one slice, and a slave for another.
--
Met vriendelijke gr
.##;
192.168.##.##;
};
// Masters
// Source: https://www.zytrax.com/books/dns/ch7/masters.html
masters satellite {
192.168.##.#;
};
Hope this helps.
--
Met vriendelijke groet,
Michael De Roover
Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--
Visit https://lists.isc.org/mailman/li
50 matches
Mail list logo
