Re: bind-users Digest, Vol 2842, Issue 2

2018-02-21 Thread SIMON BABY
Thanks a lot, Warren.

Can you please write me the steps to make BIND only a resolver? It
will be great if you could send me a document, if there is any.

Rgds
Simon

On Wednesday, February 21, 2018, Warren Kumari  wrote:

> On Wed, Feb 21, 2018 at 3:06 PM, SIMON BABY  wrote:
> > Hi,
> >
> >
> > 1. Can I use BIND9 for implementing only the client resolve/validation
> > part? My system has limited memory and CPU power.
>
> Yup, sure can. BIND isn't the smallest / lowest CPU software out
> there, but you can definitely set it up to be just a DNSSEC validating
> resolver (and not an authoritative server).
>
> > 2. In the client resolution part, can I send the queries directly to any
> > of the root servers? Instead of any public name server.
>
> Your question is a bit vague, I'm assuming you mean "Have BIND do the
> normal resolution (e.g. for www.example.com ask the root, and then
> follow the referral to example.com's name servers, and then ask them
> for www.example.com (and not e.g. forward to Google Public DNS)?" If
> so, then, yes, definitely -- this is the default behavior. Having BIND
> forward queries to another recursive (like 8.8.8.8, OpenDNS, Quad9)
> requires special configuration (with the "forward" command).
>
> I'd suggest reading Cricket's "DNS and BIND"
> (http://shop.oreilly.com/product/9780596100575.do) as a good intro to
> this.
>
> W
>
> >
> >
> > Rgds
> > Simon
> >
> >

Re: bind-users Digest, Vol 2842, Issue 2

2018-02-21 Thread Warren Kumari
On Wed, Feb 21, 2018 at 3:06 PM, SIMON BABY  wrote:
> Hi,
>
>
> 1. Can I use BIND9 for implementing only the client resolve/validation
> part? My system has limited memory and CPU power.

Yup, sure can. BIND isn't the smallest / lowest CPU software out
there, but you can definitely set it up to be just a DNSSEC validating
resolver (and not an authoritative server).

> 2. In the client resolution part, can I send the queries directly to any of
> the root servers? Instead of any public name server.

Your question is a bit vague, I'm assuming you mean "Have BIND do the
normal resolution (e.g. for www.example.com ask the root, and then
follow the referral to example.com's name servers, and then ask them
for www.example.com (and not e.g. forward to Google Public DNS)?" If
so, then, yes, definitely -- this is the default behavior. Having BIND
forward queries to another recursive (like 8.8.8.8, OpenDNS, Quad9)
requires special configuration (with the "forward" command).

I'd suggest reading Cricket's "DNS and BIND"
(http://shop.oreilly.com/product/9780596100575.do) as a good intro to
this.

W

>
>
> Rgds
> Simon
>
>
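Simon asks for the steps to run BIND only as a resolver, and Warren's reply describes the two choices (iterate from the root, which is the default, or forward to another recursive with the "forward" statement). The configuration below is an added example and was not supplied by either poster: a minimal named.conf for a recursive, DNSSEC-validating BIND 9 instance that loads no authoritative zones. The ACL name, the addresses and the directory path are placeholders to replace with local values.

```conf
// Added example: recursive, validating-only BIND 9 named.conf.
// Placeholder values: the "trusted" ACL, 192.0.2.0/24, 192.0.2.53 and the directory.
acl "trusted" { 127.0.0.0/8; ::1/128; 192.0.2.0/24; };  // your client networks only

options {
    directory "/var/cache/bind";            // distribution-specific, adjust
    listen-on { 127.0.0.1; 192.0.2.53; };   // placeholder service address
    listen-on-v6 { ::1; };

    recursion yes;                           // we are a resolver, not an authoritative server
    allow-query { trusted; };                // never answer the whole Internet:
    allow-recursion { trusted; };            //   an open resolver is an amplification source
    allow-transfer { none; };                // nothing to transfer, refuse AXFR/IXFR anyway

    dnssec-validation auto;                  // validate with the built-in root trust anchor
    max-cache-size 64M;                      // bound memory on a small box

    // Default behaviour: iterate from the compiled-in root hints.
    // To forward instead, uncomment and point at a resolver you trust
    // (Quad9 addresses shown; any forwarder sees all your queries):
    // forward only;
    // forwarders { 9.9.9.9; 149.112.112.112; };
};

// No "zone" statements: nothing authoritative is loaded, so startup is fast
// and the memory footprint is just the cache.
```

Validate the file with `named-checkconf` before starting named, then confirm that validation actually happens: `dig @127.0.0.1 isc.org +dnssec` should return NOERROR with the `ad` flag in the header, and a query for a deliberately mis-signed test domain such as dnssec-failed.org should return SERVFAIL. The `allow-query` and `allow-recursion` restriction is the setting that matters most: a resolver that recurses for anyone on the Internet is an open resolver and will be found and abused for reflection attacks.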

Re: bind-users Digest, Vol 2842, Issue 2

2018-02-21 Thread SIMON BABY
Hi,


1. Can I use BIND9 for implementing only the client resolve/validation
part? My system has limited memory and CPU power.
2. In the client resolution part, can I send the queries directly to any of
the root servers? Instead of any public name server.


Rgds
Simon


On Wed, Feb 21, 2018 at 11:09 AM,  wrote:

> Send bind-users mailing list submissions to
> bind-users@lists.isc.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.isc.org/mailman/listinfo/bind-users
> or, via email, send a message with subject or body 'help' to
> bind-users-requ...@lists.isc.org
>
> You can reach the person managing the list at
> bind-users-ow...@lists.isc.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of bind-users digest..."
>
>
> Today's Topics:
>
>1. Re: questions on allow-query (Tony Finch)
>2. Re: questions on allow-query (Bob Harold)
>3. Re: questions on allow-query (Barry Margolin)
>4. Help  (PENG, JUNAN)
>5. Re: Help  (Tony Finch)
>
>
> --
>
> Message: 1
> Date: Wed, 21 Feb 2018 13:18:09 +
> From: Tony Finch 
> To: Evan Hunt 
> Cc: "Darcy Kevin (FCA)" ,
> "bind-users@lists.isc.org" 
> Subject: Re: questions on allow-query
> Message-ID: 
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Evan Hunt  wrote:
> >
> > One thing to keep in mind, though, is that the two services will share
> each
> > other's fates.  If I were deploying a really big high-traffic server, I
> > might consider whether I wanted my recursive service to have to wait for
> > all the zones to load before it could function, or whether I wanted to
> have
> > to update my authoritative server because it was vulnerable to a crash
> bug
> > in the recursive code.
>
> On our recursive servers we have authoritative copies of all our local
> zones so that they can give answers for on-site stuff even when bits of
> the network are broken. (Downstream validating resolvers will probably be
> out of luck tho.) This is about 70 zones, average size about 2MB, biggest
> about 30MB. But, we also have RPZ and the biggest blocklist is about half
> a gig and this dominates the startup time (it takes nearly 20 seconds).
> This isn't an availability problem, tho, because the recursive servers are
> in an HA cluster using keepalived and the health checker won't bring a
> node into service until it has finished starting.
>
> Our authoritative servers are separate. Probably the main reason for not
> turning them into views on the recursive servers is that the auth servers
> have to be more exposed to attack from the Internet. Our recursive servers
> can do things like firewall off external TCP connection attempts, to avoid
> connection pool exhaustion attacks. I've done less HA engineering on our
> auth servers, and I'm relatively relaxed about patching them, because I
> (foolishly?) trust other resolvers out on the Internet to make effective
> use of my secondaries.
>
> Tony.
> --
> f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h
> punycode
> Rockall: Southerly, 5 at first in far southeast, otherwise 6 to gale 8,
> increasing severe gale 9 at times, veering westerly 5 or 6 later in
> northwest.
> Rough or very rough, occasionally high in northwest. Rain or showers.
> Moderate
> or good.
>
>
> --
>
> Message: 2
> Date: Wed, 21 Feb 2018 09:16:23 -0500
> From: Bob Harold 
> To: Tony Finch 
> Cc: Evan Hunt , "bind-users@lists.isc.org"
> 
> Subject: Re: questions on allow-query
> Message-ID:
>  g...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> On Wed, Feb 21, 2018 at 8:18 AM, Tony Finch  wrote:
>
> > Evan Hunt  wrote:
> > >
> > > One thing to keep in mind, though, is that the two services will share
> > each
> > > other's fates.  If I were deploying a really big high-traffic server, I
> > > might consider whether I wanted my recursive service to have to wait
> for
> > > all the zones to load before it could function, or whether I wanted to
> > have
> > > to update my authoritative server because it was vulnerable to a crash
> > bug
> > > in the recursive code.
> >
> > On our recursive servers we have authoritative copies of all our local
> > zones so that they can give answers for on-site stuff even when bits of
> > the network are broken. (Downstream validating resolvers will probably be
> > out of luck tho.) This is about 70 zones, average size about 2MB, biggest
> > about 30MB. But, we also have RPZ and the biggest blocklist is about half
> > a
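Tony Finch's note in the quoted digest, that the keepalived health checker won't bring a recursive node into service until named has finished starting, is the kind of check worth showing concretely. The script below is an added example, not Tony's or ISC's code: a health check that only reports healthy when the local resolver answers a probe with NOERROR and the `ad` (authenticated data) flag, so a node that is still loading zones or RPZ, or that cannot validate, stays out of service. It assumes `dig` is installed, named listens on 127.0.0.1, and the probe name (isc.org as a placeholder) lives in a DNSSEC-signed zone.

```sh
#!/bin/sh
# Added example (not from the thread): health check for a validating BIND
# resolver, suitable for a keepalived vrrp_script or MISC_CHECK.  Exit 0 means
# "finished starting and able to validate"; anything else keeps the node out.
# Assumptions: dig is installed, named listens on RESOLVER_IP, PROBE_NAME is in
# a DNSSEC-signed zone (isc.org is a placeholder).

RESOLVER_IP="${RESOLVER_IP:-127.0.0.1}"
PROBE_NAME="${PROBE_NAME:-isc.org}"

# dig_looks_healthy: reads dig output on stdin and succeeds only when
#   - the response status is NOERROR, and
#   - the header flags include "ad", i.e. named answered and DNSSEC
#     validation succeeded for the probe name.
# SERVFAIL (still loading, or validation broken) and a NOERROR answer without
# "ad" (validation disabled or a stale trust anchor) both count as unhealthy.
dig_looks_healthy() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    [ "$status" = "NOERROR" ] || return 1
    printf '%s\n' "$out" | grep -q '^;; flags:.*[[:space:]]ad[;[:space:]]'
}

# check_resolver: probe the local named.  Short timeout and a single try so the
# checker gets a prompt verdict instead of a hung health check.
check_resolver() {
    dig @"$RESOLVER_IP" "$PROBE_NAME" A +dnssec +time=2 +tries=1 | dig_looks_healthy
}

# Invoked as ".../bind-health.sh run" from keepalived; no argument does nothing,
# so the parsing function can be reused from other scripts.
case "${1:-}" in
    run) check_resolver ;;
esac
```

Wire it in with a `vrrp_script` block in keepalived.conf that runs the script with the `run` argument every few seconds and attaches it to the VRRP instance with `track_script`; the node then only takes the virtual address once validation works end to end, which is stricter than checking that the process exists or that port 53 is open.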