DNS hiccups

2025-04-15 Thread Alessandro Vesely

Sorry for cross-posting -- mind it before replying.


Hi,

last night I sent 4 complaint messages to vodafone.com.  The first one bounced 
like so:

Your message to the following recipients cannot be delivered:

:
 <<< No such domain.

The bounce has Date: Tue, 15 Apr 2025 05:21:45 +0200, the query log says:

15-Apr-2025 05:21:34.546 queries: info: client @0x7ff24383d168 ::1#44623 
(_mta-sts.vodafone.com): view internal: query: _mta-sts.vodafone.com IN TXT + 
(::1)
15-Apr-2025 05:21:34.658 queries: info: client @0x7ff24383d168 ::1#54836 
(vodafone.com): view internal: query: vodafone.com IN MX + (::1)
15-Apr-2025 05:21:34.686 queries: info: client @0x7ff24224d168 ::1#52645 
(vodafone-com.mail.protection.outlook.com): view internal: query: 
vodafone-com.mail.protection.outlook.com IN AAAA + (::1)
15-Apr-2025 05:21:35.526 queries: info: client @0x7ff24224d168 ::1#56049 
(vodafone-com.mail.protection.outlook.com): view internal: query: 
vodafone-com.mail.protection.outlook.com IN A + (::1)
15-Apr-2025 05:21:40.534 queries: info: client @0x7ff2422f9168 ::1#56049 
(vodafone-com.mail.protection.outlook.com): view internal: query: 
vodafone-com.mail.protection.outlook.com IN A + (::1)


I guess the A queries failed.  Isn't it possible to log the return code or 
something?

There is no AAAA record.  The A queries seem to have timed out after 5, although in 
resolv.conf I have "options timeout: 10".  IIRC Courier does read resolv.conf.  
Why didn't it wait 10?


This is BIND 9.18.33-1~deb12u2-Debian and courier-1.3.13.20241204.

TIA for any comment.

Best
Ale
--




--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
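The query log above records questions, not outcomes, which is why the failure cannot be read off it directly. What it does show is the same question asked twice from the same client socket (::1#56049) five seconds apart, which is what a client-side timeout looks like from the server's side. The script below is an added example, not code from the post or from BIND: it parses `queries` category lines of the format quoted above and flags such repeats. The sample lines are the five from the post re-wrapped onto one line each; the record type on the third line is assumed to be AAAA (the copy in the post lost it).

```python
"""Spot client retransmissions in a BIND 'queries' category log (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the five log lines from the post, one per line. The
# qtype AAAA on the third line is an assumption (the quoted copy lost it).
SAMPLE_LOG = """\
15-Apr-2025 05:21:34.546 queries: info: client @0x7ff24383d168 ::1#44623 (_mta-sts.vodafone.com): view internal: query: _mta-sts.vodafone.com IN TXT + (::1)
15-Apr-2025 05:21:34.658 queries: info: client @0x7ff24383d168 ::1#54836 (vodafone.com): view internal: query: vodafone.com IN MX + (::1)
15-Apr-2025 05:21:34.686 queries: info: client @0x7ff24224d168 ::1#52645 (vodafone-com.mail.protection.outlook.com): view internal: query: vodafone-com.mail.protection.outlook.com IN AAAA + (::1)
15-Apr-2025 05:21:35.526 queries: info: client @0x7ff24224d168 ::1#56049 (vodafone-com.mail.protection.outlook.com): view internal: query: vodafone-com.mail.protection.outlook.com IN A + (::1)
15-Apr-2025 05:21:40.534 queries: info: client @0x7ff2422f9168 ::1#56049 (vodafone-com.mail.protection.outlook.com): view internal: query: vodafone-com.mail.protection.outlook.com IN A + (::1)
"""

# One BIND 9.18 query-log line: timestamp, client object id, client addr#port,
# the name in parentheses, view, then "qname qclass qtype flags (local addr)".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client @0x[0-9a-f]+ (?P<client>\S+) \((?P<paren>[^)]*)\): "
    r"view (?P<view>\S+): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<dest>[^)]*)\)$"
)


def parse_line(line):
    """Return a dict for one query-log line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr, _, port = m["client"].rpartition("#")   # "::1#44623" -> ("::1", "44623")
    return {
        "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f"),
        "addr": addr, "port": int(port), "view": m["view"],
        "qname": m["qname"], "qclass": m["qclass"], "qtype": m["qtype"],
    }


def parse_log(text):
    return [q for q in (parse_line(l) for l in text.splitlines()) if q]


def find_retransmits(queries, window=10.0):
    """Return (first, repeat, gap_seconds) for identical questions sent from the
    same client address *and* source port within `window` seconds. A stub
    resolver only re-sends on the same socket when its first attempt got no
    reply, so the server-side log shows a timeout as a repeated question."""
    by_key = defaultdict(list)
    for q in queries:
        by_key[(q["addr"], q["port"], q["qname"], q["qclass"], q["qtype"])].append(q)
    hits = []
    for qs in by_key.values():
        qs.sort(key=lambda q: q["ts"])
        for first, repeat in zip(qs, qs[1:]):
            gap = (repeat["ts"] - first["ts"]).total_seconds()
            if gap <= window:
                hits.append((first, repeat, gap))
    return hits


def report(hits):
    return [f"{a['addr']}#{a['port']} repeated {a['qname']}/{a['qtype']} "
            f"after {gap:.3f}s (no answer to the first attempt?)"
            for a, _, gap in hits]


if __name__ == "__main__":
    for line in report(find_retransmits(parse_log(SAMPLE_LOG))):
        print(line)
```

The repeat interval it finds, 5.008 s, is the client's retry timer, not anything named did: the query log alone cannot say whether the first attempt was answered late, dropped, or answered with an error. For outcomes, named's `query-errors` logging category and dnstap record what went back to the client.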


Delivery error (Ref: Survey on the impact of software regulation on DNS systems)

2025-04-15 Thread Michael De Roover
Hi,

I'll apologize in advance for pinging the whole list for this, but I currently 
have no other way I can think of to do this. Sorry for the noise.

Peter, your mail server appears to be blocking mine. Could you look into your 
firewall and if/where it could be blocking my servers? My network edges (and 
with it my mail servers' public vantage points) are hosted on two servers, 
though practically only one of them is used outbound (both are used inbound). 
These are listed below.

e1.nixmagic.com (active)
116.203.235.171 (/32)
AS24940 (Hetzner)
Nuremberg, Germany

e2.nixmagic.com (fallback)
168.119.103.78 (/32)
AS24940 (Hetzner)
Falkenstein, Germany

-- 
Met vriendelijke groet,
Michael De Roover

Mail: i...@nixmagic.com
Web: michael.de.roover.eu.org
--- Begin Message ---
This is the mail system at host nixmagic.com.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

   The mail system

: connect to uucp.dinoex.org[185.220.148.12]:25:
Connection timed out
Reporting-MTA: dns; nixmagic.com
X-Postfix-Queue-ID: 20B3DF600C
X-Postfix-Sender: rfc822; isc@nixmagic.com
Arrival-Date: Wed,  9 Apr 2025 20:57:21 + (UTC)

Final-Recipient: rfc822; pmc@citylink.dinoex.sub.org
Original-Recipient: rfc822;pmc@citylink.dinoex.sub.org
Action: failed
Status: 4.4.1
Diagnostic-Code: X-Postfix; connect to uucp.dinoex.org[185.220.148.12]:25:
Connection timed out
--- Begin Message ---
Hi Peter, I really appreciate this discourse too. With what's happening in the world now and with this particular executive order affecting even something as niche as DNS, I like how it offers a vessel to have this public discussion.

On Tuesday, April 8, 2025 7:40:44 PM CEST Peter 'PMc' Much wrote:
> So what You are saying is, it might still work to just talk to these
> people?
> In earlier times that was usually my stance when discussing matters
> in the underground - I might say, why do we not just make a date and
> actually talk to the concerned people, as basically they're also
> humans, like you and me? And occasionally things did indeed work
> out pleasantly that way...
> 
> But given the development of recent years, I mostly lost my
> optimism. Like a fellow mystician put it:  up upside down> and it is difficult to cope with sheer madness - I
> even made it onto the death-list of some activists ---

This is something I've been thinking about a lot recently, and does deserve some nuance. In one of the events that I previously mentioned, it was FSFE inviting me over and the rest of the practical bits essentially just lining up. The choice to rent out a hotel floor in Brussels was quite smart. This meant that, just as I could easily go there from Antwerp, the politicians could also quite easily go there from their offices in "de Wetstraat / Rue de la Loi" (the street where their offices are located) to what was Hotel Le Grand Central at Rue Beillard 190. Being just 1.5km apart, it could even be walked to. The rest is really just a matter of pinging the right people.

What it makes me think about in Europe right now though, is how much that proximity has affected my ability to be there. Or for that matter, how much being a Belgian resident - the host country of these administrative buildings - has affected my ability to reach out to these people in the correspondence about the Chips Act. Unlike the GitHub lobby, that was just me voicing my concerns in response to a press release.

The reason why this is significant to me, is that when I visit Portugal (which I often do), suddenly I am a lot further away from these administrative affairs. It feels a lot more distant, because it is. Rather than 50km, suddenly it's 2000. And that is reflected in the media as well. So if I were born Portuguese and not just stay there for a couple of years, would I have the same beliefs about Brussels? Would I have the same access? In an ideal world, of course I should, every EU citizen should. But would that be reality?

That is where I turn my gaze across the pond, and the various executive orders that have been ratified so far. Going back to what started this thread, that was one of them. The event called "Liberation Day" was another. In response to that, even the EU's executive branch themselves have attempted to enter dialogue, by undoing their 2% tariff to the US. And it was, unsurprisingly, met with more dismissal. From politicians to politicians, organizations that by all accords, should be on the same level. This was never about reciprocity. And not even just across the pond, even inside the US there are various concerned speeches from presidential figures like Bernie Sanders and Barack Obama now.

Obama's presentation, as published by Hamil

Re: DNS hiccups

2025-04-15 Thread Sten Carlsen

Thanks

Sten

> On 15 Apr 2025, at 14.54, Alessandro Vesely  wrote:
> 
> Sorry for cross-posting -- mind it before replying.
> 
> 
> Hi,
> 
> last night I sent 4 complaint messages to vodafone.com.  The first one 
> bounced like so:
> 
> Your message to the following recipients cannot be delivered:
> 
> :
> <<< No such domain.
> 
> The bounce has Date: Tue, 15 Apr 2025 05:21:45 +0200, the query log says:
> 
> 15-Apr-2025 05:21:34.546 queries: info: client @0x7ff24383d168 ::1#44623 
> (_mta-sts.vodafone.com): view internal: query: _mta-sts.vodafone.com IN TXT + 
> (::1)
> 15-Apr-2025 05:21:34.658 queries: info: client @0x7ff24383d168 ::1#54836 
> (vodafone.com): view internal: query: vodafone.com IN MX + (::1)
> 15-Apr-2025 05:21:34.686 queries: info: client @0x7ff24224d168 ::1#52645 
> (vodafone-com.mail.protection.outlook.com): view internal: query: 
> vodafone-com.mail.protection.outlook.com IN AAAA + (::1)
> 15-Apr-2025 05:21:35.526 queries: info: client @0x7ff24224d168 ::1#56049 
> (vodafone-com.mail.protection.outlook.com): view internal: query: 
> vodafone-com.mail.protection.outlook.com IN A + (::1)
> 15-Apr-2025 05:21:40.534 queries: info: client @0x7ff2422f9168 ::1#56049 
> (vodafone-com.mail.protection.outlook.com): view internal: query: 
> vodafone-com.mail.protection.outlook.com IN A + (::1)

All of this is the internal view. It suggests that there is some 
misconfiguration in that view.

From my location I see no issue:

carlsen@Silver9-106 ~ % dig vodafone.com mx

; <<>> DiG 9.10.6 <<>> vodafone.com mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29271
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;vodafone.com.  IN  MX

;; ANSWER SECTION:
vodafone.com.   3600    IN  MX  10 vodafone-com.mail.protection.outlook.com.

;; Query time: 36 msec
;; SERVER: 192.168.16.20#53(192.168.16.20)
;; WHEN: Tue Apr 15 15:15:45 CEST 2025
;; MSG SIZE  rcvd: 97

carlsen@Silver9-106 ~ % dig vodafone-com.mail.protection.outlook.com 

; <<>> DiG 9.10.6 <<>> vodafone-com.mail.protection.outlook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3165
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;vodafone-com.mail.protection.outlook.com. IN A

;; ANSWER SECTION:
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.68.32
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.68.27
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.73.26
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.73.22

;; Query time: 114 msec
;; SERVER: 192.168.16.20#53(192.168.16.20)
;; WHEN: Tue Apr 15 15:18:56 CEST 2025
;; MSG SIZE  rcvd: 133

> 
> 
> I guess the A queries failed.  Isn't it possible to log the return code or 
> something?
> 
> There is no AAAA record.  The A queries seem to have timed out after 5, 
> although in resolv.conf I have "options timeout: 10".  IIRC Courier does read 
> resolv.conf.  Why didn't it wait 10?
> 
> 
> This is BIND 9.18.33-1~deb12u2-Debian and courier-1.3.13.20241204.
> 
> TIA for any comment.
> 
> Best
> Ale
> -- 
> 
> 
> 
> 


Re: DNS hiccups

2025-04-15 Thread Sten Carlsen



> On 15 Apr 2025, at 18.03, Alessandro Vesely  wrote:
> 
> On Tue 15/Apr/2025 15:54:05 +0200 Stephane Bortzmeyer via bind-users wrote:
>> On Tue, Apr 15, 2025 at 02:54:33PM +0200,
>>  Alessandro Vesely  wrote
>>  a message of 46 lines which said:
>>> last night I sent 4 complaint messages to vodafone.com.  The first one 
>>> bounced like so:
>> Note that the name servers for mail.protection.outlook.com (the target
>> of the MX record) are quite broken, they return FORMERR for EDNS
>> questions. It may create problems.
>> % dig   @ns2-proddns.glbdns.protection.outlook.com.  
>> vodafone-com.mail.protection.outlook.com A
>> ; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> 
>> @ns2-proddns.glbdns.protection.outlook.com. 
>> vodafone-com.mail.protection.outlook.com A
>> ; (1 server found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20571
>> ;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
>> ;; WARNING: recursion requested but not available
>> ;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'
>> ;; Query time: 12 msec
>> ;; SERVER: 104.47.72.81#53(ns2-proddns.glbdns.protection.outlook.com.) (UDP)
>> ;; WHEN: Tue Apr 15 15:53:29 CEST 2025
>> ;; MSG SIZE  rcvd: 12
> 
> 
> Hm... so perhaps those were not timeouts but FORMERRs?  However, the other 
> three messages, following at a few minutes apart, were sent all right.
> 
> My other concern is why I cannot understand it from the query log.

You could look at the mail log - that may state why that message was not sent. 
Potentially state that the receiver was not found or something like that or 
something else.

Also the first message could have happened upon a worse DNS server than the 
next.

> 
> 
> Many thanks, also to Sten and Michael.
> Best
> Ale
> -- 
> 
> 
> 
> 
> 
> 


Re: DNS hiccups

2025-04-15 Thread Stephane Bortzmeyer via bind-users
On Tue, Apr 15, 2025 at 02:54:33PM +0200,
 Alessandro Vesely  wrote 
 a message of 46 lines which said:

> last night I sent 4 complaint messages to vodafone.com.  The first one 
> bounced like so:

Note that the name servers for mail.protection.outlook.com (the target
of the MX record) are quite broken, they return FORMERR for EDNS
questions. It may create problems.

% dig   @ns2-proddns.glbdns.protection.outlook.com.  
vodafone-com.mail.protection.outlook.com A  

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> 
@ns2-proddns.glbdns.protection.outlook.com. 
vodafone-com.mail.protection.outlook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20571
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'

;; Query time: 12 msec
;; SERVER: 104.47.72.81#53(ns2-proddns.glbdns.protection.outlook.com.) (UDP)
;; WHEN: Tue Apr 15 15:53:29 CEST 2025
;; MSG SIZE  rcvd: 12


% dig +noedns  @ns2-proddns.glbdns.protection.outlook.com.  
vodafone-com.mail.protection.outlook.com A

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> +noedns 
@ns2-proddns.glbdns.protection.outlook.com. 
vodafone-com.mail.protection.outlook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57194
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;vodafone-com.mail.protection.outlook.com. IN A

;; ANSWER SECTION:
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.73.4
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.68.16
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.73.11
vodafone-com.mail.protection.outlook.com. 10 IN A 52.101.68.18

;; Query time: 16 msec
;; SERVER: 104.47.72.81#53(ns2-proddns.glbdns.protection.outlook.com.) (UDP)
;; WHEN: Tue Apr 15 15:53:34 CEST 2025
;; MSG SIZE  rcvd: 282
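The two dig runs above show the whole failure mode: the same question gets FORMERR with an empty question section when an OPT record is attached, and a normal answer without it. The script below is an added example, not code from the post or from BIND or dig. It builds that query on the wire with and without EDNS, runs it against a stand-in for such a server (a local function, constructed to mimic the behaviour in the dig output; no packet leaves the process, and the two addresses it returns are documentation-range placeholders, not the live records), and carries out the retry-without-EDNS step that dig's warning recommends.

```python
"""EDNS fallback on FORMERR, worked on the DNS wire format (added example)."""
import secrets
import struct

QNAME = "vodafone-com.mail.protection.outlook.com"
TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
RCODE_NOERROR, RCODE_FORMERR = 0, 1
STUB_ANSWERS = ["192.0.2.10", "192.0.2.11"]   # constructed; not the live A records


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels, root-terminated."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(qname, qtype, txid, edns=True, udp_size=1232):
    """Standard query with RD set; with edns=True an OPT pseudo-RR is added to the additional section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT RR: root name, TYPE 41, CLASS = advertised UDP payload size,
    # TTL = extended rcode/version/flags (all zero), no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0) if edns else b""
    return header + question + opt


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def skip_name(msg, off):
    """Offset just past the name at off; a compression pointer (top two bits set) is two bytes and ends it."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if (length & 0xC0) == 0xC0:
            return off + 2
        off += 1 + length


def iter_rrs(msg):
    """Yield (type, class, ttl, rdata) for every RR after the question section."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):
        off = skip_name(msg, off) + 4          # name + QTYPE + QCLASS
    for _ in range(h["ancount"] + h["nscount"] + h["arcount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield rtype, rclass, ttl, msg[off:off + rdlen]
        off += rdlen


def query_has_opt(msg):
    return any(rtype == TYPE_OPT for rtype, _, _, _ in iter_rrs(msg))


def parse_a_records(msg):
    return [".".join(str(b) for b in rdata)
            for rtype, rclass, _, rdata in iter_rrs(msg)
            if rtype == TYPE_A and rclass == CLASS_IN and len(rdata) == 4]


def broken_authoritative(query):
    """Stand-in for a server that cannot parse EDNS: FORMERR with QDCOUNT 0 when an
    OPT RR is present (as in the dig output above), otherwise NOERROR/AA with A records."""
    h = parse_header(query)
    if query_has_opt(query):
        return struct.pack("!HHHHHH", h["id"], 0x8100 | RCODE_FORMERR, 0, 0, 0, 0)
    question = query[12:skip_name(query, 12) + 4]
    answers = b"".join(b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 10, 4)
                       + bytes(int(o) for o in ip.split(".")) for ip in STUB_ANSWERS)
    return struct.pack("!HHHHHH", h["id"], 0x8500, 1, len(STUB_ANSWERS), 0, 0) + question + answers


def resolve_with_fallback(send, qname, qtype=TYPE_A):
    """Ask with EDNS first; on FORMERR retry once without it, as dig's warning suggests.
    Returns (addresses, list of the edns flag used per attempt)."""
    attempts = []
    for edns in (True, False):
        attempts.append(edns)
        txid = secrets.randbits(16)                   # unpredictable ID, checked on the reply
        reply = send(build_query(qname, qtype, txid, edns=edns))
        h = parse_header(reply)
        if h["id"] != txid or not h["qr"]:
            break                                      # not a reply to our question; drop it
        if h["rcode"] == RCODE_FORMERR and edns:
            continue                                   # the server choked on OPT: retry plain
        if h["rcode"] == RCODE_NOERROR:
            return parse_a_records(reply), attempts
        break
    return [], attempts


if __name__ == "__main__":
    print(resolve_with_fallback(broken_authoritative, QNAME))
```

The fallback is one extra round trip per such server, which is cheap here, but a resolver that has to apply it under packet loss cannot tell "FORMERR because of OPT" from "no answer at all" until the retry timer fires, and that is the kind of delay that turns into a delivery-time failure on the first attempt and success a few minutes later.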


Re: Multiple views (more than 2)

2025-04-15 Thread Marek Kozlowski

Sorry for numerous misspelled words. Too many spellcheckers active ;-)

BTW: mydomain-private1.zone (and mydomain-private2.zone respectively) on 
the Primary look like:


;
$INCLUDE mydomain-public.zone
nfs IN  A   192.168.127.1
printer IN  A   192.168.1.1
ldapIN  A   172.16.1.16
; etc
;

On 4/15/25 8:43 AM, Marek Kozlowski wrote:

OK,

1. The scenario:

For the clients: 192.168.1/24:
 nfs.mydomain -> 192.168.127.1
 printer.mydomain -> 192.168.1.1
 ldap.mydomain -> 172.16.1.16
 ...

For the clients: 10/8:
 nfs.mydomain -> 10.10.10.10
 printer.mydomain -> 10.10.1.1
 ldap.mydomain -> 172.16.1.17
 ...

For clients with public IPs, none of the above addresses should be resolved.


2. A single server setup (fragments of the /etc/named.conf):

view private1 {
    match-clients { 192.168.1/24; };
    zone "mydomain" in {
        type master;
        file "mydomain-private1.zone";
    };
};

view private2 {
    match-clients { 10/8; };
    zone "mydomain" in {
        type master;
        file "mydomain-private2.zone";
    };
};

view public {
    match-clients { any; };
    zone "mydomain" in {
        type master;
        file "mydomain-public.zone";
    };
};


3. Now imagine that in addition to that Primary NS I have my own 
Secondary NS that uses the same configuration (three views) and two 
external Secondary NS, not managed by me, that should use only 
mydomain-public.zone for all queries. The problem is how to define zone 
transfers (so that my Secondary can distinguish the three separate zone 
description files for mydomain). AFAIK that's the point where the TSIG keys 
come into play?


Best regards,
Marek

On 4/14/25 10:34 PM, Greg Choules wrote:

Hi.
That KB article shows you how to use TSIG keys as a view selector for 
zone transfer.


If you want a single DNS server to give different answers to the same 
question based on client IP then you *could* (though I'm NOT 
recommending this, especially since it will be deprecated at 
some point) use "sortlist".


Or you will have to have multiple versions of that name, each in a 
separate zone, each associated with a different view. Maintaining 
multiple versions will be a big overhead and, IMHO, this way madness 
lies.
If it were my network I'd advise the team who designed this 
application to rethink their delivery mechanism. so that the 
requirement for one_name == multiple IPs goes away.

/soapbox

If you absolutely *must* do this, some actual examples would help 
please, rather than generalisations.


Cheers, Greg


On Mon, 14 Apr 2025 at 20:05, Marek Kozlowski wrote:


    :-)

    Till now I've been using sth. like this for a single private and a
    single public view:

    https://kb.isc.org/docs/aa-00851

    For my clients I provided information on all my resources and recursive
    resolution, for external ones - about my public hosts and no recursive
    resolution. Trivial.

    But there is a new concept:

    For some reasons (it's not my decision) workstations cloned from a single
    image (precisely: a few images of Windows, Linux and other systems)
    connected to different subnets should refer to different hosts for
    numerous services based on their CIDR prefixes. Don't ask me why not use
    /etc/hosts nor distribute parameters via DHCP - it's not my decision. I
    am responsible, as a DNS server administrator, for providing different
    answers to queries about A records based on client's IP (CIDR prefix).

    That is what views can do.

    Defining views for a single DNS server itself is trivial. The problem is
    setting up zone transfers of different zone description files (from
    different views) between many name servers. In my case:

    Zone description files from public view should be transferred from
    Primary to all three Secondary DNS servers (I'm supervising only two of
    them). All zone description files from all private views should be
    transferred from my Primary to my (internal) Secondary (into respective
    views) and NOT to external secondaries.

    AFAIK such a configuration of view transfers requires TSIGs for avoiding
    zone transfer overwriting.

    Best regards,
    Marek

    On 4/14/25 5:27 PM, Greg Choules wrote:
 > Hi Marek.
 > Please can you show the config that used to work?
 > Please can you also explain why it is desired to create more 
views?

 > Maybe give an example of what you're trying to achieve.
 >
 > In general, matching views is done top down - test clients
    against the
 > criteria in the first view. If they don't match, try the next
    view etc.
 >
 > "match-cli
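The key-per-view pattern Greg points at, written out for Marek's three views, as an added example: this is not Marek's configuration and not the text of the KB article. The server addresses (192.0.2.1 primary, 192.0.2.2 own secondary, 198.51.100.10/11 external secondaries), the key names, the `sec/` file paths and the secrets are placeholders; the `primary`/`secondary` zone types are the BIND 9.16+ spellings of the poster's `master`/`slave`. The idea is that a transfer request signed with a given key is matched to the view that owns that key on both servers, so each view's copy of "mydomain" only ever travels under its own key.

```conf
# ---- keys, defined at top level on the primary and on my own secondary ----
# Generate real secrets with tsig-keygen; these are placeholders.
key "private1-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-1"; };
key "private2-key" { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-2"; };
key "public-key"   { algorithm hmac-sha256; secret "PLACEHOLDER-BASE64-3"; };

# ---- Primary (192.0.2.1, placeholder) ----
view "private1" {
    # Exclude the other keys first: a request signed with private2-key that
    # happens to come from inside 192.168.1/24 must not land in this view.
    match-clients { !key private2-key; !key public-key; key private1-key; 192.168.1/24; };
    zone "mydomain" {
        type primary;
        file "mydomain-private1.zone";
        allow-transfer { key private1-key; };
        # Signed NOTIFY, so the secondary's key match puts it into its private1 view too.
        also-notify { 192.0.2.2 key private1-key; };
    };
};
view "private2" {
    match-clients { !key private1-key; !key public-key; key private2-key; 10/8; };
    zone "mydomain" {
        type primary;
        file "mydomain-private2.zone";
        allow-transfer { key private2-key; };
        also-notify { 192.0.2.2 key private2-key; };
    };
};
view "public" {
    match-clients { !key private1-key; !key private2-key; any; };
    zone "mydomain" {
        type primary;
        file "mydomain-public.zone";
        # my own secondary by key, the two external ones by address (placeholders)
        allow-transfer { key public-key; 198.51.100.10; 198.51.100.11; };
    };
};

# ---- My own secondary (192.0.2.2, placeholder): same views, same key order ----
view "private1" {
    match-clients { !key private2-key; !key public-key; key private1-key; 192.168.1/24; };
    zone "mydomain" {
        type secondary;
        file "sec/mydomain-private1.zone";      # one file per view, or the copies overwrite each other
        primaries { 192.0.2.1 key private1-key; };
    };
};
view "private2" {
    match-clients { !key private1-key; !key public-key; key private2-key; 10/8; };
    zone "mydomain" {
        type secondary;
        file "sec/mydomain-private2.zone";
        primaries { 192.0.2.1 key private2-key; };
    };
};
view "public" {
    match-clients { !key private1-key; !key private2-key; any; };
    zone "mydomain" {
        type secondary;
        file "sec/mydomain-public.zone";
        primaries { 192.0.2.1 key public-key; };
    };
};
```

The external secondaries need nothing special: they are not given any key, so their refresh queries and AXFR requests from 198.51.100.10/11 match the primary's public view by address and only ever see mydomain-public.zone. The negated `!key` entries are what keeps the three copies apart when the requesting address alone would match more than one view.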

Re: DNS hiccups

2025-04-15 Thread Alessandro Vesely

On Tue 15/Apr/2025 15:54:05 +0200 Stephane Bortzmeyer via bind-users wrote:

On Tue, Apr 15, 2025 at 02:54:33PM +0200,
  Alessandro Vesely  wrote
  a message of 46 lines which said:


last night I sent 4 complaint messages to vodafone.com.  The first one bounced 
like so:


Note that the name servers for mail.protection.outlook.com (the target
of the MX record) are quite broken, they return FORMERR for EDNS
questions. It may create problems.

% dig   @ns2-proddns.glbdns.protection.outlook.com.  
vodafone-com.mail.protection.outlook.com A

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> 
@ns2-proddns.glbdns.protection.outlook.com. vodafone-com.mail.protection.outlook.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: FORMERR, id: 20571
;; flags: qr rd; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; WARNING: EDNS query returned status FORMERR - retry with '+noedns'

;; Query time: 12 msec
;; SERVER: 104.47.72.81#53(ns2-proddns.glbdns.protection.outlook.com.) (UDP)
;; WHEN: Tue Apr 15 15:53:29 CEST 2025
;; MSG SIZE  rcvd: 12



Hm... so perhaps those were not timeouts but FORMERRs?  However, the other 
three messages, following at a few minutes apart, were sent all right.


My other concern is why I cannot understand it from the query log.


Many thanks, also to Sten and Michael.
Best
Ale
--








Re: Multiple views (more than 2)

2025-04-15 Thread Marek Kozlowski

OK,

1. The scenario:

For the clients: 192.168.1/24:
nfs.mydomain -> 192.168.127.1
printer.mydomain -> 192.168.1.1
ldap.mydomain -> 172.16.1.16
...

For the clients: 10/8:
nfs.mydomain -> 10.10.10.10
printer.mydomain -> 10.10.1.1
ldap.mydomain -> 172.16.1.17
...

For clients with public IPs, none of the above addresses should be resolved.


2. A single server setup (fragments of the /etc/named.conf):

view private1 {
    match-clients { 192.168.1/24; };
    zone "mydomain" in {
        type master;
        file "mydomain-private1.zone";
    };
};

view private2 {
    match-clients { 10/8; };
    zone "mydomain" in {
        type master;
        file "mydomain-private2.zone";
    };
};

view public {
    match-clients { any; };
    zone "mydomain" in {
        type master;
        file "mydomain-public.zone";
    };
};


3. Now imagine that in addition to that Primary NS I have my own 
Secondary NS that uses the same configuration (three views) and two 
external Secondary NS, not managed by me, that should use only 
mydomain-public.zone for all queries. The problem is how to define zone 
transfers (so that my Secondary can distinguish the three separate 
zone description files for mydomain). AFAIK that's the point where the TSIG 
keys come into play?


Best regards,
Marek

On 4/14/25 10:34 PM, Greg Choules wrote:

Hi.
That KB article shows you how to use TSIG keys as a view selector for 
zone transfer.


If you want a single DNS server to give different answers to the same 
question based on client IP then you *could* (though I'm NOT 
recommending this, especially since it will be deprecated at some point) 
use "sortlist".


Or you will have to have multiple versions of that name, each in a 
separate zone, each associated with a different view. Maintaining 
multiple versions will be a big overhead and, IMHO, this way madness lies.
If it were my network I'd advise the team who designed this application 
to rethink their delivery mechanism. so that the requirement for 
one_name == multiple IPs goes away.

/soapbox

If you absolutely *must* do this, some actual examples would help 
please, rather than generalisations.


Cheers, Greg


On Mon, 14 Apr 2025 at 20:05, Marek Kozlowski wrote:


:-)

Till now I've been using sth. like this for a single private and a
single public view:

https://kb.isc.org/docs/aa-00851

For my clients I provided information on all my resources and recursive
resolution, for external ones - about my public hosts and no recursive
resolution. Trivial.

But there is a new concept:

For some reasons (it's not my decision) workstations cloned from a single
image (precisely: a few images of Windows, Linux and other systems)
connected to different subnets should refer to different hosts for
numerous services based on their CIDR prefixes. Don't ask me why not use
/etc/hosts nor distribute parameters via DHCP - it's not my decision. I
am responsible, as a DNS server administrator, for providing different
answers to queries about A records based on client's IP (CIDR prefix).
That is what views can do.

Defining views for a single DNS server itself is trivial. The problem is
setting up zone transfers of different zone description files (from
different views) between many name servers. In my case:

Zone description files from public view should be transferred from
Primary to all three Secondary DNS servers (I'm supervising only two of
them). All zone description files from all private views should be
transferred from my Primary to my (internal) Secondary (into respective
views) and NOT to external secondaries.

AFAIK such a configuration of view transfers requires TSIGs for avoiding
zone transfer overwriting.

Best regards,
Marek

On 4/14/25 5:27 PM, Greg Choules wrote:
 > Hi Marek.
 > Please can you show the config that used to work?
 > Please can you also explain why it is desired to create more views?
 > Maybe give an example of what you're trying to achieve.
 >
 > In general, matching views is done top down - test clients
against the
 > criteria in the first view. If they don't match, try the next
view etc.
 >
 > "match-clients" is used to test whether the source address of the
client
 > falls within the range allowed by the address match list specified.
 > "match-destinations" is used to test the destination address the
 > incoming query was sent to. It is not unusual to have a server
listen-on
 > several addresses, each for a different set of clients.
 > Both of the above can be used together to make view selection even
 > tighter - clients must match against both their source

Re: DNS hiccups

2025-04-15 Thread Michael De Roover
Same here, A returns 147.75.40.150 while AAAA returns nothing. MX has records 
to Microsoft, as addressed by Sten.

My chain is recursive to Cloudflare from vantage points at Hetzner, and from 
there follows the usual public chain.

*v...@ideapad.lan* [*~*] 
$ dig aaaa vodafone.com 

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> aaaa vodafone.com 
;; global options: +cmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7639 
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 

;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags:; udp: 1232 
; COOKIE: ec6f757e9f681d46010067fe5cd257a173f4c18ef0a6 (good) 
;; QUESTION SECTION: 
;vodafone.com.  IN  AAAA 

;; AUTHORITY SECTION: 
vodafone.com.   900 IN  SOA ns1.vodafone.com. hostmaster.vodafone.com. 2008108109 28800 7200 604800 900 

;; Query time: 56 msec 
;; SERVER: 192.168.10.4#53(192.168.10.4) (UDP) 
;; WHEN: Tue Apr 15 15:19:14 CEST 2025 
;; MSG SIZE  rcvd: 120 

Command completed on 2025-04-15 15:19 CEST (exit 0).
*v...@ideapad.lan* [*~*] 
$ dig a vodafone.com 

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> a vodafone.com 
;; global options: +cmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20497 
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 

;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags:; udp: 1232 
; COOKIE: 9fdf8476c27d3c0c010067fe5cde99940403446944dc (good) 
;; QUESTION SECTION: 
;vodafone.com.  IN  A 

;; ANSWER SECTION: 
vodafone.com.   3563IN  A   147.75.40.150 

;; Query time: 4 msec 
;; SERVER: 192.168.10.4#53(192.168.10.4) (UDP) 
;; WHEN: Tue Apr 15 15:19:26 CEST 2025 
;; MSG SIZE  rcvd: 85 

Command completed on 2025-04-15 15:19 CEST (exit 0).
*v...@ideapad.lan* [*~*] 
$ dig mx vodafone.com 

; <<>> DiG 9.18.33-1~deb12u2-Debian <<>> mx vodafone.com 
;; global options: +cmd 
;; Got answer: 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27159 
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 

;; OPT PSEUDOSECTION: 
; EDNS: version: 0, flags:; udp: 1232 
; COOKIE: 95311fe7ea087ec6010067fe5f578027ba78e436d6f2 (good) 
;; QUESTION SECTION: 
;vodafone.com.  IN  MX 

;; ANSWER SECTION: 
vodafone.com.   3600    IN  MX  10 vodafone-com.mail.protection.outlook.com. 

;; Query time: 60 msec 
;; SERVER: 192.168.10.4#53(192.168.10.4) (UDP) 
;; WHEN: Tue Apr 15 15:29:59 CEST 2025 
;; MSG SIZE  rcvd: 125 

Command completed on 2025-04-15 15:29 CEST (exit 0).

On Tuesday, 15 April 2025 15:20:01 CEST Sten Carlsen wrote:
> Thanks
> 
> Sten
> 
> > On 15 Apr 2025, at 14.54, Alessandro Vesely  wrote:
> > 
> > Sorry for cross-posting -- mind it before replying.
> > 
> > 
> > Hi,
> > 
> > last night I sent 4 complaint messages to vodafone.com.  The first one
> > bounced like so:
> > 
> > Your message to the following recipients cannot be delivered:
> > 
> > :
> > <<< No such domain.
> > 
> > The bounce has Date: Tue, 15 Apr 2025 05:21:45 +0200, the query log says:
> > 
> > 15-Apr-2025 05:21:34.546 queries: info: client @0x7ff24383d168 ::1#44623
> > (_mta-sts.vodafone.com): view internal: query: _mta-sts.vodafone.com IN
> > TXT + (::1) 15-Apr-2025 05:21:34.658 queries: info: client
> > @0x7ff24383d168 ::1#54836 (vodafone.com): view internal: query:
> > vodafone.com IN MX + (::1) 15-Apr-2025 05:21:34.686 queries: info: client
> > @0x7ff24224d168 ::1#52645 (vodafone-com.mail.protection.outlook.com):
> > view internal: query: vodafone-com.mail.protection.outlook.com IN AAAA +
> > (::1) 15-Apr-2025 05:21:35.526 queries: info: client @0x7ff24224d168
> > ::1#56049 (vodafone-com.mail.protection.outlook.com): view internal:
> > query: vodafone-com.mail.protection.outlook.com IN A + (::1) 15-Apr-2025
> > 05:21:40.534 queries: info: client @0x7ff2422f9168 ::1#56049
> > (vodafone-com.mail.protection.outlook.com): view internal: query:
> > vodafone-com.mail.protection.outlook.com IN A + (::1)
> All of this is the internal view. It suggests that there is some
> misconfiguration in that view.
> -- 