RE: Getting "query failed (REFUSED) for ./IN/ANY"

2021-01-13 Thread Richard T.A. Neal
Matus UHLAR - fantomas wrote: > fail2ban should help not to see those messages I expect there are probably only two people on the planet running BIND on Windows: me, and the ISC Developer responsible for building the Windows binaries As part of a larger project I've been developing a series

RE: My FC33->FC34 bind-chroot upgrade notes

2021-06-16 Thread Richard T.A. Neal
On 16 June 2021 7:31 pm, ToddAndMargo wrote: > > Does this alteration at the top make it any clearer? > > Note: at the command prompt, I use the following terminology: ># means run as root >$ means run as user > Inside a file, "#" means it is a comment Others might have

RE: DOH or DOT Forwarder in BIND and is DOH GA?

2021-06-12 Thread Richard T.A. Neal
Mainsh – I haven’t done any experimenting with DOT, but there’s a guide for configuring DOH at the following page. It requires BIND 9.17.10 or higher (DOH isn’t being backported to BIND 9.16): https://www.isc.org/blogs/doh-talkdns/ Walter – I’m not sure why you’d say DOH/DOT is dead and to

RE: How to setup DNS on virtual machine

2021-06-10 Thread Richard T.A. Neal
Hi Gary, I have written a guide for that here: https://www.winbind.org/guides/ I know you say you’ve already installed it, but I would still recommend starting with the “Installation” guide to make sure you’ve followed current best practice (well, *my* best practice, others may well chip-in

RE: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

2021-06-19 Thread Richard T.A. Neal
And what do you get when you run c:\BIND\named-checkconf ? Richard. From: bind-users On Behalf Of Peter via bind-users Sent: 19 June 2021 3:41 pm To: bind-users@lists.isc.org Subject: Re: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in

FW: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

2021-06-19 Thread Richard T.A. Neal
is present in June BIND releases 9.16.17 and 9.17.14) I get nothing, which means good? installed back to the default path. C:\Program Files\ISC BIND 9\bin>named-checkconf C:\Program Files\ISC BIND 9\bin> On 19/06/2021 5:53 pm, Richard T.A. Neal wrote: And what do you get when you run c:\BIND

RE: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

2021-06-18 Thread Richard T.A. Neal
On 18/06/2021 2:48 pm, Peter wrote: > Even BIND9.16.18 will not run on windows 10 same error I can't reproduce this error - I've just successfully upgraded from BIND 9.16.15 to BIND 9.16.18 on my Windows (2019) server. Do you see a more detailed error in Computer Management > Windows Logs >

RE: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

2021-06-18 Thread Richard T.A. Neal
bind coded to no longer run in win 10? On 18/06/2021 3:08 pm, Richard T.A. Neal wrote:

RE: Windows support has been discontinued in BIND 9.17+ (Was: Important: A significant flaw is present in June BIND releases 9.16.17 and 9.17.14)

2021-06-18 Thread Richard T.A. Neal
The next Event Log entry on my system immediately after "using 1 UDP listener per interface" is: loading configuration from 'C:\BIND\etc\named.conf' (because that's my BIND installation folder obviously). If I intentionally make a typo in any of my config files (eg named.conf,

RE: No more support for windows

2021-06-09 Thread Richard T.A. Neal
Evan Hunt wrote: >> My understanding is BIND will still run fine under WSL; it's only the native >> Visual Studio builds that we're removing. >> For people who want to run named on windows, WSL seems like the best way to >> go. Sadly no. To quote myself from an earlier email on this topic:

RE: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-05-10 Thread Richard T.A. Neal
solution. Best, Richard. -Original Message- From: Richard T.A. Neal Sent: 29 April 2021 6:41 pm To: BIND Users Subject: RE: Deprecating BIND 9.18+ on Windows (or making it community improved and supported) The WSL2 option is an interesting one and not something I'd ever considered

RE: BIND 9.16.15 Windows x64 broken?

2021-05-07 Thread Richard T.A. Neal
Hi Jukka, I spun-up a brand new Windows 2008 R2 Enterprise x64 server today to try and replicate this, and unfortunately you're right - BIND 9.16.15 won't run on that environment. In fact if you simply try and run [dig] from the command line you will get this: / The procedure entry point

RE: BIND 9.16.15 Windows x64 broken?

2021-05-06 Thread Richard T.A. Neal
I'm running BIND 9.16.15 fine on Windows Server Standard 2019. What do you see in the Event Viewer > Application log? There'll be lots of entries in there of course, so just filter by Source "named" and look for any Critical, Error, or Warning messages. Richard. From: bind-users On Behalf Of

Any interest in a write-up showing how to configure BIND 9.17x with DoH and LetsEncrypt?

2021-05-30 Thread Richard T.A. Neal
DNS over HTTPS support appears to be steadily increasing and it looks like the next version of Windows 10, Windows 10 21H2, will include support for DoH at the operating system level. I spent a little time this weekend setting-up BIND 9.17.13 on Ubuntu 21.04 and configuring the system as a

RE: named reload and HTTPS certs

2021-06-05 Thread Richard T.A. Neal
Hi Eric, When I initially looked at this I was using “rndc reload” whenever changing the cert. Artem Boldariev (Lead Developer for DoH at the ISC) suggested that actually “rndc reconfig” would be the better way to do this since we only need named to re-read the config file, we *do not*

RE: Deprecating BIND 9.18+ on Windows (or making it community improved and supported

2021-06-03 Thread Richard T.A. Neal
Thanks Vicky and Ondrej for providing clarity. I'll be sad to see it when this happens but as I said in my original post I don't underestimate the sheer amount of effort required to maintain BIND for Windows going forwards so it's completely understandable that you want to focus on platforms

RE: Any interest in a write-up showing how to configure BIND 9.17x with DoH and LetsEncrypt?

2021-06-01 Thread Richard T.A. Neal
To everyone who expressed an interest in this: my write-up has now been published on the ISC Blog: https://www.isc.org/blogs/doh-talkdns/ Thanks to Ondrej, Artem, Suzanne and Vicky for critiquing and reposting. Best, Richard.

RE: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-06-02 Thread Richard T.A. Neal
Could I ask if a conclusion has been reached regarding this? I know there was quite a bit of chatter in April/May but it's not clear to me whether any conclusions were reached. If 9.16 is to be the last officially supported Windows version then have you decided yet which features from 9.17

RE: Odd A record in our hosts zone file

2021-06-25 Thread Richard T.A. Neal
Hi Bruce, Here you're specifying a distinct TTL for those records which overrides the default TTL for this zone (which you will have set towards the top of the file with the rest of the defaults) 1m = 60 seconds:

RE: Deprecating BIND 9.18+ on Windows (or making it community improved and supported)

2021-04-29 Thread Richard T.A. Neal
I would personally be very sad to see the end of BIND for Windows, but I don’t underestimate the challenges the ISC Team has in maintaining it. Unfortunately I'm a VB.NET hobbyist programmer rather than a C/C++ developer so I can't speak to the usefulness of the following statement, but the

Announcing WinBIND for anyone using BIND on Windows

2021-03-01 Thread Richard T.A. Neal
Hi all, I mentioned a while ago that I run BIND on Windows and have written a few tools to assist me in monitoring and reporting on my BIND query logs. I'm pleased to announce that I've now packaged these and released them as free to use, with the unimaginative name of "WinBIND". WinBIND

RE: Status of zytrax.com "DNS for Rocket Scientists" website

2021-04-19 Thread Richard T.A. Neal
Carsten Strotmann wrote: > does anyone know about the status of the zytrax.com website and the excellent > "DNS for Rocket Scientists" guide? > The webpage first had a x509 certificate error (expired) in December > 2020 and now the web server is unreachable. > I (and colleagues) have tried to

FW: Preventing a particular type of nameserver abuse

2021-04-13 Thread Richard T.A. Neal
Julien Salort wrote: > Do you block specifically the dns queries in the firewall, or straight out > block the IP? I specifically block both UDP 53 and TCP 53, but that's essentially a full block because these servers are only running BIND, nothing else. > Reading this thread, I considered

FW: Preventing a particular type of nameserver abuse

2021-04-13 Thread Richard T.A. Neal
> In the particular case of the .sl denied queries, I don't think these are > forged queries from the attack victim. Something else is going on here. We > see queries from systems like these, almost exclusively consumer endpoints: [snipped] > It seems unlikely that someone is trying to attack

FW: Preventing a particular type of nameserver abuse

2021-04-14 Thread Richard T.A. Neal
Paul Kosinksi wrote: > Interesting observation. I just did lookups on 4 recent (< 24 hrs ago) > 'sl/ANY/IN' queries logged by our BIND and got: > ...1 OVH Hosting IP (Montreal) > The whois info for the OVH IP contains the line: > Comment: Failover IPs Just out of interest, because I run some

RE: Preventing a particular type of nameserver abuse

2021-04-12 Thread Richard T.A. Neal
Grant Taylor wrote: > You might be able to apply the same methodology to filter unwanted inbound > queries to completely avoid sending the reply code at all. That's exactly what I do - I have some code that's watching for a frequent occurrence of these sorts of queries and then adds a firewall

RE: BIND 9.16.19 or any version newer than 9.16.15 does not start on Windows Server 2019

2021-08-18 Thread Richard T.A. Neal
Hi Sami, There's presently an issue where the ISC BIND service (v9.16.19) won't start on a Windows server with either 8 or 12 vCPUs. How many CPUs (or vCPUs) are in this Windows Server? I didn't find that older versions were exhibiting the same issue so it might not be that, but it's at least

RE: BIND 9.16.19 or any version newer than 9.16.15 does not start on Windows Server 2019

2021-08-19 Thread Richard T.A. Neal
. From: Sami Leino Sent: 19 August 2021 6:48 am To: Richard T.A. Neal ; bind-us...@isc.org Subject: VS: BIND 9.16.19 or any version newer than 9.16.15 does not start on Windows Server 2019 Hi Richard, and thanks for your reply. This Windows server 2019 runs on VMware and has 8 vCPU 's. Although

RE: BIND 9.16.19 or any version newer than 9.16.15 does not start on Windows Server 2019

2021-09-08 Thread Richard T.A. Neal
nced above, and I've confirmed that it works on an 8-core test VM that I created: C:\> sc start named -n 7 Best, Richard. From: Sami Leino Sent: 08 September 2021 8:13 am To: Richard T.A. Neal ; bind-us...@isc.org Subject: VS: BIND 9.16.19 or any version newer than 9.16.15 does not start on W

RE: Reloading new certs for DNS over HTTPS

2021-09-09 Thread Richard T.A. Neal
On 9/9/21 06:35 PM, Grant wrote: >> I think the rndc reconfig should pick the new cert/key, but I am not >> sure if we have actually implemented this. > Drive by comment: > Should BIND /need/ to take any action for a /reconfig/ if it's configuration > hasn't change? -- To me the >

RE: BIND 9.16.19 or any version newer than 9.16.15 does not start on Windows Server 2019

2021-09-17 Thread Richard T.A. Neal
I agree! BIND 9.16.21 is working just fine for me on Windows Server 2019 with either 8 or 12 vCPUs. Thanks, ISC BIND team. Richard. From: Sami Leino Sent: 17 September 2021 8:49 am To: Richard T.A. Neal ; bind-us...@isc.org Subject: VS: BIND 9.16.19 or any version newer than 9.16.15 does

RE: advance features of BIND DoT and DoH

2021-08-11 Thread Richard T.A. Neal
Swapneel wrote: > For DoH, please have a look at the following page[1] and BIND9 > documentation[2] and for DoT[3] > [1]: https://www.isc.org/blogs/bind-implements-doh-2021/ > [2]: > https://bind9.readthedocs.io/en/latest/reference.html?highlight=DoH#http-statement-definition-and-usage > [3]:

RE: Debug Approach Help?

2021-08-11 Thread Richard T.A. Neal
There's a very good article on the ISC website which discusses BIND logging: https://kb.isc.org/docs/aa-01526 I recommend reading and implementing the logging as per their suggestion (backup or make a note of your current logging configuration options in case you want to revert in future) and

RE: Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

2021-10-01 Thread Richard T.A. Neal
Ondřej Surý said: > Hi Richard, > this is not the case. > slack.com botched their DS/DNSKEY deployment (there’s a thread on > dns-operations about it). Thanks for the correction, my mistake. Apologies for the list spam! Richard.

Broken trust chain presumably due to some zone operators using LetsEncrypt certificates

2021-10-01 Thread Richard T.A. Neal
For those of you facing a curious issue with BIND failing to resolve records for some zones today it’s not necessarily BIND having “a Friday moment” It looks like the LetsEncrypt root certificate expiry is even impacting some DNSSEC zones that have used a LetsEncrypt certificate to sign their

RE: New BIND 9.16.19 I think don't run with Intel VLANs

2021-07-21 Thread Richard T.A. Neal
Hi Peter, I remember you having this problem before with 9.16.18, did you ever get that version to work? I’ve just upgraded from 9.16.18 to 9.16.19 on Windows Server 2019 without issue but I don’t have any VLANs configured nor am I using an additional network card management application.

RE: ITS THE NUMBER OF CORES/THREADS

2021-07-23 Thread Richard T.A. Neal
Hi Peter, I’ve run a few tests based on your observations regarding the number of vCPU cores and my own findings are that it is specifically 8 vCPUs and 12 vCPUs which exhibit this behaviour. I haven’t been able to test beyond 12 vCPUs because that’s my hardware limit. With 1-7 vCPUs, or with

RE: Windows 9.16.25 fails to start (1067 Terminated unexpectedly)

2022-02-11 Thread Richard T.A. Neal
I run BIND on Windows as well but I've been unable to upgrade to 9.16.25 - I get an error stating "Error Validating Account. Unable to install service using this account.". So I'm presently running 9.16.21. What are the last few things in the Application Event Log (Source: named) before it

RE: How can I tell if a query is answered or denied

2022-04-20 Thread Richard T.A. Neal
Hi Hal, In addition to this you might also want to look into Response Rate Limiting. This may help to reduce the load on your DNS servers from bad actors without having to play a cat & mouse game of spotting and blocking them. Response Rate Limiting is explained in detail in the BIND ARM here

RE: Can't modify an existing SPF record

2022-07-08 Thread Richard T.A. Neal
Hi Roberto, You need to prefix it with “a:” to indicate that this is an A-record, i.e.: a:relay.company.com Best, Richard. From: bind-users On Behalf Of Greg Choules via bind-users Sent: 08 July 2022 4:45 pm To: Roberto Carna Cc: ML BIND Users Subject: Re: Can't modify an existing SPF

RE: Question regarding newsyslog.conf and Bind logs

2022-08-25 Thread Richard T.A. Neal
J wrote: > I'm looking to have my: queries.log (which logs all the queries my Bind > 9.16.30 recursive resolver resolves), rotated at the end of the day and I'd > like to keep 7 days worth of those logs. {snip} > I still want any daily log *before* it's being rotated to be a maximum size >

A beginner's guide to DNSSEC with BIND 9

2022-10-17 Thread Richard T.A. Neal
For some time now I've been wanting to create my first DNSSEC-enabled zone, but I struggled to find an up-to-date guide that would walk me through the process. So to that end I finally bit the bullet and spent some time this weekend creating my first DNSSEC zone and writing a HOWTO article

RE: A beginner's guide to DNSSEC with BIND 9

2022-10-24 Thread Richard T.A. Neal
Jan-Piet Mens wrote: >> A Beginner's Guide to DNSSEC with BIND 9. > Well done! A few comments, if I may: {snip} Thanks JP, I really appreciate the feedback. I'll take all of that onboard, change my zones and guide from master/slave to primary/secondary, and take a look at TSIG as well. As

RE: Stopping ddos

2022-08-02 Thread Richard T.A. Neal
>> Any best practices on this? >> >> I am running bind 9.11.4 >> >> thanks > You could think about adding fail2ban to your server with some custom rules. > Helped us in a similar situation. You could also take advantage of BIND's built-in Response Rate Limiting which is explained here:

RE: Email migration and MX records

2023-01-03 Thread Richard T.A. Neal
Hi Bruce, This is something I'm presently battling with as well. My current previously tested plan is: 1. Create all user accounts (with NEW email addresses) on the new email system 2. Setup a temporary forwarder on an existing *temporary* email server (we use hMail) which forwards all email

RE: Unable to upgrade BIND v9.19.11 on Ubuntu without error

2023-07-11 Thread Richard T.A. Neal
all the problems, REM'ing it out has fixed it: category delegation-only { auth_servers_log; default_debug; }; Thanks again for your help Darren, Richard. -Original Message- From: Darren Ankney Sent: Monday, July 10, 2023 9:07 PM To: Richard T.A. Neal Cc: bind-users@lists.isc.org

RE: Unable to upgrade BIND v9.19.11 on Ubuntu without error

2023-07-11 Thread Richard T.A. Neal
Thanks Peter, I shall pay more attention to those release notes next time! Best, Richard. -Original Message- From: Peter Davies Sent: Tuesday, July 11, 2023 9:25 AM To: Richard T.A. Neal Cc: bind-users@lists.isc.org Subject: Re: Unable to upgrade BIND v9.19.11 on Ubuntu without

RE: Unable to upgrade BIND v9.19.11 on Ubuntu without error

2023-07-11 Thread Richard T.A. Neal
Thanks Ondrej, that's a really good suggestion to run named-checkconf when doing upgrades. Richard. -Original Message- From: Ondřej Surý Sent: Tuesday, July 11, 2023 9:33 AM To: Richard T.A. Neal ; ML BIND Users Subject: Re: Unable to upgrade BIND v9.19.11 on Ubuntu without error

Unable to upgrade BIND v9.19.11 on Ubuntu without error

2023-07-10 Thread Richard T.A. Neal
For the past few releases I've been unable to successfully upgrade my BIND v9.19.11 on Ubuntu 22.04.2 LTS. The upgrade appears to go OK at first but then it stumbles at the following line. I've had to re-type this because my console tool can't copy/paste this segment for some reason: Process:

RE: TLS Statistics

2023-08-02 Thread Richard T.A. Neal
Hi Florian, This feature doesn’t yet exist but is tentatively planned for the 9.19.x timeframe. You can see more about it here: https://gitlab.isc.org/isc-projects/bind9/-/issues/2748 Best, Richard. From: bind-users On Behalf Of Ritterhoff, Florian Sent: Wednesday, August 2, 2023 7:43 AM