Re: record PTR

2024-03-14 Thread Ben Croswell
The in-addr.arpa domain for your IP space will need to be delegated to your
DNS servers. That generally happens at the entity that assigned the block.
For instance ARIN, RIPE, or APNIC.

On Thu, Mar 14, 2024, 8:06 AM  wrote:

> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before creating
> a PTR record or not. In other words, if I want to create a PTR record on my
> authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to
> 41.226.22.50, should the range 41.226.22.0/24 be delegated to my
> authoritative DNS server ns1.mydomain.com?
>
> Regards Sami
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>


Re: record PTR

2024-03-14 Thread Ben Croswell
181.242.197.in-addr.arpa. 3600 IN NS douala0.orange.cm.
181.242.197.in-addr.arpa. 3600 IN NS nsbangui.orangerca.com.
181.242.197.in-addr.arpa. 3600 IN NS yaounde0.orange.cm.

The in-addr currently points to the DNS servers above. Those would need to
be changed to your servers or the owners of those servers would need to add
the PTR records.

On Thu, Mar 14, 2024, 8:19 AM  wrote:

> Thank you for your response.
>
> In my case, I have added a PTR record for mail.sami.tn pointing to
> 197.242.181.69, but it is still not visible from the outside. However, when
> I test 'dig @0 -x 197.242.181.69', it works. Do I need to request a
> delegation of 197.242.181.69 to the name servers ns1.sami.tn?
>
>
>
> *De :* Ben Croswell 
> *Envoyé :* jeudi 14 mars 2024 13:10
> *À :* RAHAL Sami SOFRECOM ; ML BIND Users <
> bind-users@lists.isc.org>
> *Objet :* Re: record PTR
>
>
>
> The in-addr.arpa domain for your IP space will need to be delegated to
> your DNS servers. That generally happens at the entity that assigned the
> block. For instance ARIN, RIPE, or APNIC.
>
>
>
> On Thu, Mar 14, 2024, 8:06 AM  wrote:
>
> Hello, please, I want to know if I need to delegate a range of IP
> addresses to my authoritative DNS server with my registrar before creating
> a PTR record or not. In other words, if I want to create a PTR record on my
> authoritative server (ns1.mydomain.com) for mail.mydomain.com pointing to
> 41.226.22.50, should the range 41.226.22.0/24 be delegated to my
> authoritative DNS server ns1.mydomain.com?
>
> Regards Sami
>


Re: log for one domain

2012-03-11 Thread Ben Croswell
We rip the logs apart and put them into a database with a web front end. We
watch for 6 months, then remove the ones with no traffic.
On Mar 11, 2012 6:12 PM, "hugo hugoo"  wrote:

>  Dear all,
>
> Is it possible to log queries to a specific domain?
> I have a domain configured in my system but I do not know if it is used and
> by whom.
>
> I want to avoid a lot of logs, hence my question: only have a
> query log for a specific domain.
>
> Thanks in advance for any help.
>
> Hugo,
>

RE:

2012-03-13 Thread Ben Croswell
If you do not delegate the subdomains with NS records you are not fully
delegating the subdomain.
It will work fine in the short term, but you are setting up a landmine for
someone to step on later.
If you decide to move that subdomain to other DNS servers later it will
disappear without the NS records.

The best practice is to always put the NS records and not leave it to
chance.
On Mar 13, 2012 9:43 AM, "hugo hugoo"  wrote:

>  Thanks for the feedback.
> Is this a glue record? I do not have any IP defined in the NS record.
>
> What is the flow of a request to a subzone?
> Is the content of the zone checked before checking the subzone?
>
>
>  > Date: Tue, 13 Mar 2012 08:26:02 -0500
> > Subject: Re:
> > From: dan.mcdon...@austinenergy.com
> > To: hugo...@hotmail.com; bind-users@lists.isc.org
> >
> >
> >
> >
> > On 3/13/12 8:20 AM, "hugo hugoo"  wrote:
> >
> > > ==> do I have to create in zone "toto.be" the following NS record:
> > >
> > > titi.toto.be. TTL IN NS ns1.xxx.be
> > >
> > >
> > > I have found cases where this situation is present and others when it
> > > is not present...and both cases seem to work.
> > > What is the difference?
> >
> > The glue records aren't necessary when both the zone and subzone are on
> > the same server, although it is good to have them for completeness. When
> > the zones are on different servers you need the glue records.
> >
> >
> >
> > --
> > Daniel J McDonald, CCIE # 2495, CISSP # 78281
> >
>

Re: external view recursion issue

2012-03-16 Thread Ben Croswell
If you are authoritative for a cname that points to an A elsewhere, your
server will resolve the cname and leave it to the client dns server to go
get the A from the server that hosts it.
On Mar 16, 2012 10:14 AM, "Samantha Steers"  wrote:

> Hi,
>
> I am getting prepped to migrate dns from one service to in-house servers.
> While going through the zone file to ensure I got everything, I found that
> we have CNAME in our domain pointing to a CNAME in another domain that is
> pointing to the A record in the other domain:
>
> host record.ourdomain.com
> record.ourdomain.com is an alias for record.client.otherdomain.com.
> record.client.otherdomain.com is an alias for otherhost.otherdomain.com.
> otherhost.otherdomain.com has address x.x.x.x
>
> To duplicate this exactly on our servers, it appears that I have to enable
> recursion but the provider said that they are not doing that. I get the
> feeling that I am not going to get the information from them on how they
> are accomplishing this without recursion.
>
> Right now I have replaced the CNAME with an A record pointing to the IP
> directly and am getting the proper results, but feel that this leaves me
> having to watch for changes that the otherdomain.com administrator might
> make.
>
> Am I missing something else that I can do to replicate? A separate
> external view?
>
> Thanks.
>

Re: TC Flag

2012-04-10 Thread Ben Croswell
The TC flag is set when the response is larger than your max udp packet
size. 512 bytes with no edns0 and up to 4096 bytes with edns0 fully
functioning.
On Apr 10, 2012 9:55 AM, "rams"  wrote:

> When do I get the TC flag for a UDP query?
>

Re: Configuring CNAME for nosslsearch.google.com

2012-04-15 Thread Ben Croswell
What you are asking for can't be done.
If you load the google.com zone everything you don't load in the zone will
be black holed and not resolve.
If you try to load WWW.Google.com you will not be able to make WWW a cname
due to the no cname and other data rule.
 On Apr 15, 2012 5:39 PM, "Tobias Krais"  wrote:

> Hi together,
>
> I am a newbie to bind and wasted hours to create my first bind
> configuration. My target is simply creating a configuration with a CNAME
> for www.google.com to nosslsearch.google.com.
>
> First: I use Ubuntu Precise Pangolin with bind 9.8.1. I have a
> transparent proxy (Dansguardian + Squid) that I use for just this lonely
> computer.
>
> Now I read that I have to create a zone for google.com. Others said that
> it is OK to create a zone for www.google.com. But as far as I understand
> this won't be a great solution.
>
> Can you help me to create a zone for google.com that does only one
> thing: a CNAME for www.google.com to nosslsearch.google.com. It would be
> best, if all IP-addresses for other google.com subdomains like
> docs.google.com or even nosslsearch.google.com are taken from the
> "normal" nameserver, e.g. 8.8.8.8.
>
> Can anyone help me to create my /etc/bind/db.google.com file?
>
> Greetings,
>
> Tobias

RE: Configuring CNAME for nosslsearch.google.com

2012-04-16 Thread Ben Croswell
This is incorrect. It is illegal to have a cname and any other record on
the same name in dns. The ns and soa count as records.
 On Apr 16, 2012 9:41 AM, "Matthew Huff"  wrote:

> Actually, this can be done.
>
> Create a zone file for "www.google.com", not "google.com". The zone file
> should look like this (replace THIS_HOSTNAME with the name of your nameserver):
>
>
> @   IN  SOA localhost   root@localhost. (
>2012041100
>7200
>1800
>1209600
>300 )
>
>IN NS THIS_HOSTNAME
>
>IN CNAME nosslsearch.google.com.
>
>
>
>
> 
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations   | Purchase, NY 10577
> OTA Management LLC   | Phone: 914-460-4039
> aim: matthewbhuff| Fax:   914-460-4139
>
> > -Original Message-
> > From: bind-users-bounces+mhuff=ox@lists.isc.org [mailto:bind-users-
> > bounces+mhuff=ox@lists.isc.org] On Behalf Of Lyle Giese
> > Sent: Monday, April 16, 2012 8:50 AM
> > To: bind-users@lists.isc.org
> > Subject: Re: Configuring CNAME for nosslsearch.google.com
> >
> > On 4/16/2012 3:30 AM, Phil Mayers wrote:
> > > On 04/15/2012 11:40 PM, Tobias Krais wrote:
> > >> Hi Ben,
> > >>
> > >> hmm. How can I manage what google suggests:
> > >> "Information for school network administrators about the No-SSL
> > >> option
> > >>
> > >> To utilize the no SSL option for your network, configure the DNS
> > >> entry for www.google.com to be a CNAME for nosslsearch.google.com."
> > >> Source:
> > >>
> > http://support.google.com/websearch/bin/answer.py?hl=en&hlrm=en&answer=
> > 186669.
> > >>
> > >> You can find this quite at the end of the document.
> > >>
> > >> How can I realize such a configuration in bind?
> > >
> > > As you've been told, you can't. CNAMEs can't live at the zone apex, so
> > > you can't put a CNAME at the zone apex of "www.google.com". And if you
> > > create "google.com" as a zone, all other hostnames will be blackholed,
> > > including "nosslsearch.google.com".
> > >
> > > I don't know why Google have made that suggestion; it's a bad
> > > suggestion, that's not supported by many nameservers.
> > >
> > > I personally think it's a bad idea to try and disable SSL search for
> > > your users too, but that's your decision.
> > >
> > > "unbound" might be able to do this, with a transparent local-zone and
> > > local-data override for "www.google.com".
> > > ___
> >
> > Or did they really mean, create a hosts file on the local machine that
> > contains...
> >
> > Or in your proxy server redirect www.google.com to
> > nosslsearch.google.com
> >
> > DNS server software is not very supportive of doing this for good
> > reasons.
> >
> > Lyle Giese
> > LCR Computer Services, Inc.
> >
>

Re: new here

2012-04-22 Thread Ben Croswell
You set a listen-on that does not include 127.0.0.1.
On Apr 22, 2012 11:08 PM, "David Milholen"  wrote:

>  I am a Wisp admin and I have just configured a couple of new Bind9
> servers.
> They will resolve using dig google.com @9x.1xx.104.14
> I am having some trouble getting them to answer themselves on 127.0.0.1
> for example:
>
> [root@ns4 named]# dig google.com @127.0.0.1 +trace
>
> ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5 <<>> google.com @127.0.0.1+trace
> ;; global options:  printcmd
> ;; connection timed out; no servers could be reached
> [root@ns4 named]#
>
> Here is an my config:
> //
> // named.conf for Red Hat caching-nameserver
> //
> controls {
> inet 127.0.0.1 allow { localhost; } keys { rndckey; rndc-key; };
> };
>
> options {
> directory "/var/named";
> dump-file "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> /*
>  * If there is a firewall between you and nameservers you want
>  * to talk to, you might need to uncomment the query-source
>  * directive below.  Previous versions of BIND always asked
>  * questions using port 53, but BIND 8.1 uses an unprivileged
>  * port by default.
>  */
>  // query-source address * port 53;
> version "Surely you must be joking";
> notify yes;
> allow-recursion {
> 127.0.0.1;
> 9x.1xx.104.0/22;
> 9x.1xx.108.0/23;
> };
> allow-transfer { 9x.1xx.104.22;
>};
> listen-on {
> 9x.1xx.104.14;
> };
>  };
> //
> logging {
> channel my_syslog {
> syslog kern;
> severity debug;
> };
> channel my_file {
> file "/var/named/chroot/var/named/log.msgs";
> severity dynamic;
> print-category yes;
> };
> category unmatched {
> null;
> };
> category queries {
> my_file;
> };
> category lame-servers {
> null;
> };
> category general {
> default_syslog;
> };
> };
>
>
> // a caching only nameserver config
> //
>
> zone "." IN {
> type hint;
> file "root.servers";
> };
>
>
>
> zone "104.1xx.9x.in-addr.arpa" {
> type master;
> file "/var/named/9x.1xx.104.rev";
> allow-transfer {
> 9x.1xx.104.22;
> };
> };
> zone "0.0.127.in-addr.arpa" {
> type master;
> file "/var/named/127.0.0.rev";
> };
> zone "localdomain" {
> type master;
> file "/var/named/localdomain.hosts";
> };
> zone "localhost" {
> type master;
> file "/var/named/localhost.hosts";
> };
> key rndc-key {
> algorithm hmac-md5;
> secret "wh6DFiuNGJHzHwvNTy8JEA==";
> };
>
> Here is my resolv.conf :
> nameserver 127.0.0.1
> nameserver 9x.1xx.104.14
>
> Not sure what I broke but it seems to work on some of my older servers.
> Thanks for any help.
>
> --
>
> David Milholen
> Project Engineer
> P:501-318-1300
>

Re: How to influence forwarder selection BIND 9.7.3

2012-04-23 Thread Ben Croswell
A certain percentage of queries will always go to all of the forwarders
listed.

If you have servers A B and C and A is the fastest SRTT, whenever A answers
the SRTT for B and C will be decremented by a small percentage. Eventually
they will be lower than A and get used. The likely result is that they will
be higher and it will go back to A.

This method is needed to ensure that a server that gets a high SRTT due to
being down is eventually used and gets back to its normal SRTT.
On Apr 23, 2012 8:20 AM,  wrote:

> Hello
>
> I have this kind of forwarders configuration. 192.168.100.1 has 3ms RTT,
> 192.168.200.1 has 150ms RTT.
>
> options {
>     forwarders {
>         192.168.100.1;
>         192.168.200.1;
>     };
> };
>
> Usually all queries go to 192.168.100.1 but occasionally it experiences
> high load which obviously has an effect on SRTT.
> This causes 12% of the queries to be forwarded to 192.168.200.1.
>
> I want 192.168.200.1 to be used only when 192.168.100.1 is down or is
> experiencing really high latency.
>
> I tried adding 192.168.100.1 multiple times in the forwarders section but
> it didn't help.
>
> Is there any way around this?
> Any way to manually tweak SRTT per server?
>
> Regards,
> Antti-Jussi Korjonen
>

Re: new here

2012-05-02 Thread Ben Croswell
Allow-transfer is not the same as forwarding.

Are they wanting to secondary from you?

If so you need to ensure they can do queries against your master for the
zones so they can request soa to check the serial number.

Also it appears they are trying to xfer the cidr block with a different
name than you are loading it as.
You load 104.16.98.in-addr.arpa; they are transferring
104-22.16.98.in-addr.arpa.
-Ben Croswell
On May 2, 2012 1:18 PM, "David"  wrote:

> Hello All,
>  I am new here but have been watching the list for a while.
> I run a small WISP and we have just moved to a new carrier.
> They have provided us with a CIDR IPv4 block of /22 and a /23.
> I am trying to get my reverse DNS working correctly but they will not point
> their servers to my authoritative servers to tell these blocks where to
> find
> their reverse. They told me to place forwards in my servers which I have
> done.
>
> FYI: I am running Bind 9 latest stable on my systems not sure what the
> carrier is running.
>
> Here is what they show on their logs:
>
> 01-May-2012 09:07:30.868 transfer of '104-22.16.98.in-addr.arpa/IN' from
> 98.16.104.14#53: connected using 207.91.5.70#40513
> 01-May-2012 09:07:30.971 transfer of '104-22.16.98.in-addr.arpa/IN' from
> 98.16.104.14#53: failed while receiving responses: NOTAUTH
> 01-May-2012 09:07:30.971 transfer of '104-22.16.98.in-addr.arpa/IN' from
> 98.16.104.14#53: end of transfer
>
> Here is what My logs show:
>
>  02-May-2012 15:28:29.979 security: client 162.40.117.250#6483: query
> (cache) '104-22.16.98.in-addr.arpa/SOA/IN' denied
> 02-May-2012 15:28:30.133 xfer-out: client 162.40.117.250#43378: bad zone
> transfer request: '104-22.16.98.in-addr.arpa/IN': non-authoritative zone
> (NOTAUTH)
>
> Here is what the named.conf zone looks like
>
> zone "104.16.98.in-addr.arpa" {
> type master;
> file "/var/named/98.16.104.rev";
> allow-transfer {
> 166.102.165.15;
> 162.39.164.14;
> 207.91.5.70;
> 162.40.117.250;
> };
> I placed the forwarders to allow transfer on this zone but I think the
> zone name is no good.
>
> Thanks
> Dave
>
>
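Two of Ben's reverse-DNS answers above lend themselves to a small tool: in the "record PTR" thread the in-addr.arpa zone is delegated to someone else's name servers, so locally added PTRs are never seen; in the "new here" thread the carrier asks for a zone named after the whole /22 while the server loads one /24 zone. The block below is an added example (not from the thread or from BIND, standard library only) that computes PTR owner names, lists the /24 zones a block really consists of, builds the RFC 2317 name for a sub-/24 block, and compares the NS set a `dig` answer shows against the servers you run. The sample `dig` lines are the ones Ben quoted.

```python
"""Reverse-DNS helpers: PTR owner names, the in-addr.arpa zones a block needs,
and a check of who the parent actually delegates the zone to.  Added example."""
import ipaddress
from typing import Iterable, List, Set


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 or IPv6 address."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def classful_reverse_zones(cidr: str) -> List[str]:
    """in-addr.arpa zones for a block of /24 or larger, one per /24.
    A /22 is four separate /24 zones; no zone is named after the /22 itself,
    which is why a transfer request for '104-22.16.98.in-addr.arpa' is
    answered NOTAUTH by a server that loads '104.16.98.in-addr.arpa'."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen > 24:
        raise ValueError("expects an IPv4 block of /24 or larger")
    zones = []
    for sub in net.subnets(new_prefix=24):
        a, b, c, _ = str(sub.network_address).split(".")
        zones.append(f"{c}.{b}.{a}.in-addr.arpa.")
    return zones


def rfc2317_reverse_zone(cidr: str) -> str:
    """RFC 2317 style zone name for a block smaller than /24; the owner of the
    enclosing /24 delegates this name and points CNAMEs for each address at it."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("expects an IPv4 block smaller than /24")
    a, b, c, d = str(net.network_address).split(".")
    return f"{d}/{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."


def parse_ns_answer(dig_output: str) -> Set[str]:
    """Collect NS targets from dig-style answer lines: owner TTL class NS target."""
    targets = set()
    for line in dig_output.splitlines():
        fields = line.split()
        if len(fields) >= 5 and fields[2].upper() == "IN" and fields[3].upper() == "NS":
            targets.add(fields[4].lower().rstrip("."))
    return targets


def _normalise(names: Iterable[str]) -> Set[str]:
    return {n.lower().rstrip(".") for n in names}


def delegation_matches(delegated: Iterable[str], own_servers: Iterable[str]) -> bool:
    """True only when every NS the parent publishes is one of the servers you
    run.  Otherwise PTRs added on your own server stay invisible to the world,
    however well 'dig @localhost -x' works."""
    delegated_set = _normalise(delegated)
    return bool(delegated_set) and delegated_set <= _normalise(own_servers)


# The delegation Ben quoted for 197.242.181.0/24 (taken from the thread).
DELEGATION_SEEN = """\
181.242.197.in-addr.arpa. 3600 IN NS douala0.orange.cm.
181.242.197.in-addr.arpa. 3600 IN NS nsbangui.orangerca.com.
181.242.197.in-addr.arpa. 3600 IN NS yaounde0.orange.cm.
"""

if __name__ == "__main__":
    print(ptr_owner("197.242.181.69"))                 # 69.181.242.197.in-addr.arpa.
    print(delegation_matches(parse_ns_answer(DELEGATION_SEEN), ["ns1.sami.tn"]))  # False
    print(classful_reverse_zones("98.16.104.0/22"))    # four /24 zones, no '104-22' zone
    print(rfc2317_reverse_zone("197.242.181.64/26"))   # 64/26.181.242.197.in-addr.arpa.
```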

Re: Why does a non-delegated sub-domain work?

2012-05-07 Thread Ben Croswell
You are getting "lucky" that they are on the same server: when asked
about anything in the subdomain, the server notices that it loads it and
answers for it. It is however a landmine waiting for someone in the future.
If you move the subdomain to another server without fixing the delegation,
the subdomain will disappear.

-Ben Croswell
On May 7, 2012 1:08 PM, "M. Meadows"  wrote:

>
> So ... if we have
>
> exacttarget.com delegated to ns1 and ns2.exacttarget.com nameservers
>
> and ... we manage the s6.exacttarget.com zone file from ns1 and
> ns2.exacttarget.com
>
> but we don't delegate s6 in the exacttarget.com zone file ... forgot to
> enter it in the zone file ...
>
> how is it that s6.exacttarget.com and its contents resolve properly from
> everywhere?
>
> Seems BIND is helping us out behind the scenes somehow. Right?
>
> Confused.
>
> Thanks,
> Marty
>
>
>

Re: How does a child find its parent?

2012-05-08 Thread Ben Croswell
The child doesn't know its parent and goes up to the root like any other
server would.

-Ben Croswell
On May 8, 2012 2:13 PM, "Mike Bernhardt"  wrote:

> Reading the section on delegation in the O'Reilly book, I'm confused about
> something: The parent is configured to delegate the subdomain to the child
> with glue records, etc. But how does the child know who to ask if a host in
> the subdomain requests a record in the parent zone? They don't show any
> configuration example for that other than making the child a slave for the
> parent zone.
>

RE: How does a child find its parent?

2012-05-08 Thread Ben Croswell
Another option would be zone level forwarding on the child to point at the
parent or stub zones.

-Ben Croswell
On May 8, 2012 3:59 PM, "Mike Bernhardt"  wrote:

>  In this case, the root only knows the external public server, not the
> internal parent who is doing the delegating. So it would seem that slaving
> the internal parent is the only solution for resolving hosts in the
> internal parent domain, correct?
>
>
> *From:* Ben Croswell [mailto:ben.crosw...@gmail.com]
> *Sent:* Tuesday, May 08, 2012 12:21 PM
> *To:* Mike Bernhardt
> *Cc:* bind-users@lists.isc.org
> *Subject:* Re: How does a child find its parent?
>
>
> The child doesn't know its parent and goes up to the root like any other
> server would.
>
> -Ben Croswell 
>
> On May 8, 2012 2:13 PM, "Mike Bernhardt"  wrote:
>
> Reading the section on delegation in the O'Reilly book, I'm confused about
> something: The parent is configured to delegate the subdomain to the child
> with glue records, etc. But how does the child know who to ask if a host in
> the subdomain requests a record in the parent zone? They don't show any
> configuration example for that other than making the child a slave for the
> parent zone.
>

Re: global forwarders - current BIND9 behaviour documentation

2012-07-25 Thread Ben Croswell
All forwarders in the list will be tried at least some of the time. Every time
the fastest forwarder responds the SRTT of the remaining forwarders is decayed.
Eventually they will be lower and get tried. If they are slower than the
original fastest, their SRTT goes back up and the original will be used again.
It's the method for retrying a forwarder after it was set high due to a
timeout etc.

-Ben Croswell
On Jul 25, 2012 2:36 PM, "ip admin"  wrote:

> Hi,
>
> anybody there who can provide a definitive answer on the current BIND 9.7
> (or higher) global forwarder behaviour?
>
> I did find the following info before on using multiple forwarders:
>
> https://lists.isc.org/pipermail/bind-users/2007-September/067830.html
>
> My expectation based on that is that the fastest responding forwarder will
> basically always be used until a timeout may occur, i.e. when specifying
> three forwarders one will be the preferred one based on SRTT and the others
> are only used if the preferred one goes down.
>
> First of all when doing 'rndc dumpdb -all' I cannot find my forwarders' IP
> addresses in the named_dump.db at all as explained in the posting above
> (BIND 9.7.3-P3 on Linux), so I cannot verify the SRTTs. 'rndc stats' /
> named.stats does not show any info on the forwarders as well.
>
> Also by doing a tcpdump I can see that all three forwarders I have
> specified are constantly used. However it is not a real round-robin but
> roughly a 3:2:1 ratio instead (i.e. one receives approx 3 times the number
> of queries compared to the third one, the other one receives 2 times the
> number of queries compared to the 3rd one). In fact the 3:2:1 distribution
> reflects the response time I can manually determine by running dig against
> all forwarders - the one which responds quickest gets the most queries and
> the one which is slowest gets the fewest queries.
>
> My server receives quite a few queries (approx 10.000 within a minute).
> Any idea if the DNS-Server will send every 10th query or so the slower
> forwarders?
>
> I also tried to set the logging level to debug 10 for category resolver
> but no luck at all in finding out which forwarder is used (and why).
>
> So . . . if somebody could explain what the current behaviour is supposed
> to be that would be helpful.
>
> Regards
>  Tom
>
>
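Ben describes the same selection loop in the April 23 ("How to influence forwarder selection") and July 25 ("global forwarders") threads: the lowest-SRTT forwarder wins, and each time it answers the others' SRTTs are decayed a little, so every forwarder is retried now and then. The block below is an added simulation of that loop, not BIND code; the 2% decay, the 7:3 smoothing and the RTT jitter are assumed illustration values rather than BIND's constants, and the result is only meant to show why the slow forwarder can never be driven to zero queries.

```python
"""Toy model of lowest-SRTT forwarder selection with decay of the unselected
servers' SRTTs.  Added example with assumed constants, not BIND's algorithm."""
import random
from typing import Dict

DECAY = 0.98    # assumed: SRTT of each forwarder that was NOT asked shrinks by 2%
SMOOTH = 0.7    # assumed: new SRTT = 0.7 * old SRTT + 0.3 * measured RTT


def pick_forwarder(srtt: Dict[str, float]) -> str:
    """Lowest SRTT wins; ties fall back to name order so runs are repeatable."""
    return min(srtt, key=lambda name: (srtt[name], name))


def simulate(rtt_ms: Dict[str, float], queries: int, seed: int = 1,
             jitter: float = 0.1) -> Dict[str, int]:
    """Run `queries` queries through the selection loop and count who got them.
    rtt_ms is each forwarder's true round trip; the measured value is jittered
    by +/- `jitter` so the SRTTs move as they would on a real network."""
    rng = random.Random(seed)
    srtt = {name: 0.0 for name in rtt_ms}   # untried servers start at 0: each gets one try
    counts = {name: 0 for name in rtt_ms}
    for _ in range(queries):
        chosen = pick_forwarder(srtt)
        counts[chosen] += 1
        measured = rtt_ms[chosen] * (1 + rng.uniform(-jitter, jitter))
        srtt[chosen] = SMOOTH * srtt[chosen] + (1 - SMOOTH) * measured
        # The servers that were not asked slowly look better again, which is
        # what eventually gets a previously slow or dead forwarder retried.
        for other in srtt:
            if other != chosen:
                srtt[other] *= DECAY
    return counts


def slow_share(counts: Dict[str, int], fast: str) -> float:
    """Fraction of queries that did NOT go to the fastest forwarder."""
    total = sum(counts.values())
    return (total - counts[fast]) / total


if __name__ == "__main__":
    # Antti-Jussi's two forwarders: 3 ms and 150 ms round trip.
    two = simulate({"192.168.100.1": 3.0, "192.168.200.1": 150.0}, queries=10_000)
    print(two, f"{slow_share(two, '192.168.100.1'):.2%} went to the slow one")
    # Ben's three-server case: A is fastest, B and C still each get a trickle.
    print(simulate({"A": 5.0, "B": 40.0, "C": 90.0}, queries=10_000))
```

Listing the fast forwarder twice, as Antti-Jussi tried, cannot change this: the decision is per server, and the decay of the unselected SRTTs is what sends the trickle of queries to the slow one.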

Re: forwarder is ignored when authoritative zone is added

2012-10-26 Thread Ben Croswell
The one thing I can think of off the top of my head is to ensure the child
subdomain is properly delegated in the parent. If you try to zone-level
forward a child domain on a server that loads the parent, it will ignore the
forward if it can see the child doesn't exist as a true delegation.
I assume the logic is: why would I forward a subdomain I know doesn't exist?

-Ben Croswell
On Oct 26, 2012 2:17 AM, "Frank Even"  wrote:

> I've recently had an issue that I'm having some issues finding
> information on solving.
>
> I have internal DNS resolvers...they act as recursive name servers for
> general internet queries, but we have forwarders explicitly defined
> for specific internal zones being served by other name servers.
>
> My configuration has one particular zone configured as such:
>
> zone "internal.organization.com" IN { type forward; forward only;
> forwarders {172.x.x.x; 172.x.x.x; }; };
>
> I have our main zone, organization.com, hosted in an external area
> outside of a firewall with a wildcard record contained in it for
> anything that is not explicitly defined.  I have some services that I
> need to reach using names that are in this external zone internally.
> What I'm trying to do is to slave the organization.com zone to my
> internal recursive resolver to mitigate any possible network issues.
>
> So I setup the internal resolver as a slave for the "organization.com"
> zone and found that queries against "internal.organization.com" were
> getting answered with the wildcard for the external "organization.com"
> zone.  I can't seem to figure out why the forwarders are getting
> ignored.  Is it an order of precedence, say authoritative zones are
> respected over forwarders...or something else??
>
> Thanks for any assistance anyone can provide, or point me to some
> documentation I'm missing,
> Frank

Re: forwarder is ignored when authoritative zone is added

2012-10-26 Thread Ben Croswell
The thing that brings me back to a delegation issue is the statement of
slaving an external version of the second-level domain to the internal DNS
server. I know if I was splitting a domain I would not put internal-only
delegations external.

-Ben Croswell
On Oct 26, 2012 7:23 AM, "Sten Carlsen"  wrote:

>
> On 26/10/12 12:56, Ben Croswell wrote:
>
> The one thing I can think of off the top of my head is to ensure the child
> subdomain is properly delegated in the parent. If you try to zone level
> forward a child domain on a server that loads the parent it will ignore the
> forward if  it can see the child doesn't exist as a true delegation.
> I assume the logic is, why would I forward a subdomain I know doesn't
> exist.
>
> I should think that internal.org... is properly delegated, so the forward
> will not be concerned about a subdomain, only about the domain, that is
> actually forwarded. internal.org... will then be looked up in the normal
> recursive way, so another forward statement might solve this issue.
>
> -Ben Croswell
> On Oct 26, 2012 2:17 AM, "Frank Even"  wrote:
>
>> I've recently had an issue that I'm having some issues finding
>> information on solving.
>>
>> I have internal DNS resolvers...they act as recursive name servers for
>> general internet queries, but we have forwarders explicitly defined
>> for specific internal zones being served by other name servers.
>>
>> My configuration has one particular zone configured as such:
>>
>> zone "internal.organization.com" IN { type forward; forward only;
>> forwarders {172.x.x.x; 172.x.x.x; }; };
>>
>> I have our main zone, organization.com, hosted in an external area
>> outside of a firewall with a wildcard record contained in it for
>> anything that is not explicitly defined.  I have some services that I
>> need to reach using names that are in this external zone internally.
>> What I'm trying to do is to slave the organization.com zone to my
>> internal recursive resolver to mitigate any possible network issues.
>>
>> So I setup the internal resolver as a slave for the "organization.com"
>> zone and found that queries against "internal.organization.com" were
>> getting answered with the wildcard for the external "organization.com"
>> zone.  I can't seem to figure out why the forwarders are getting
>> ignored.  Is it an order of precedence, say authoritative zones are
>> respected over forwarders...or something else??
>>
>> Thanks for any assistance anyone can provide, or point me to some
>> documentation I'm missing,
>> Frank
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>"MALE BOVINE MANURE!!!"
>
>

RE: Performance tuning

2012-11-26 Thread Ben Croswell
I did digs to both names from my work DNS infrastructure.  The response was
58ms to resolve the WWW entry and 44ms for the non WWW entry. Would not
appear to be a resolution related slow down.
-Ben Croswell
On Nov 26, 2012 1:25 PM, "Lightner, Jeff"  wrote:

>   For question 1:
>
> “Loading” is a function of the web site not DNS.  Your first question
> could have to do what the default site is in your web configuration and
> what kind of rewrite rules are getting you to the other.
>
>
> If it were me I’d probably do some timed “host” or “dig” commands for the
> two records to verify name resolution itself wasn’t a problem.   
>
>
> I guess it MIGHT be a minutely slower to resolve www if it is a CNAME to
> the other as opposed to both being A records.   However, since this is a
> fairly common practice I doubt it is likely to be of major importance in
> overall timing.
>
>
> From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:
> bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Adamiec,
> Lawrence
> Sent: Monday, November 26, 2012 1:13 PM
> To: bind-users@lists.isc.org
> Subject: Re: Performance tuning
>
>
> To the best of my knowledge, there are no problems with our DNS.  We only
> host 25 domains.
>
>
> The report must also address these two specific questions:
>
>
>1. Why does www.kentlaw.iit.edu load quicker than kentlaw.iit.edu in
>any browser?
>2. What happens if we remove the forwarders option from named.conf?
>
>  I can't duplicate the issue in Q1 and I'm trying to determine a way of
> testing Q2.
>
>
> Larry
>
>
> On Mon, Nov 26, 2012 at 11:39 AM, Doug Barton  wrote:
> 
>
> What a delightfully vague requirement. :)
>
> I would push back a bit on exactly what problems are attempted to be
> solved here. The BIND defaults are about as efficient as they can be,
> especially so in later versions.
>
> Doug
>
>
> On 11/26/2012 11:01 AM, Adamiec, Lawrence wrote:
> > Hi,
> >
> > I have been tasked with authoring a DNS report "to achieve optimal
> > performance."  The report must include:
> >
> > CPU usage
> > memory usage
> > bandwidth usage
> > throughput
> > latency
> >
> > I have found some information regarding the number of queries processed
> > per minute but nothing of value for the above areas.
> >
> > Is there some documentation that discusses the above areas?
> >
> > We are running BIND 9.6-ESV-R5-P1, Solaris 10 on a SPARC server.  My
> > report will include the fact we must upgrade from BIND 9.6-ESV-R5-P1
> >
> > Thank you in advance.
> >
> > Larry
> >
> > Lawrence Adamiec
> > UNIX Mgr
> > IIT Chicago-Kent College of Law
>

Re: Bind not forwarding all requests

2012-12-07 Thread Ben Croswell
It is probably related to forward first versus forward only. Forward first
is default but will fall back to no forwarding if the forwarders fail.
On Dec 7, 2012 12:06 PM, "Romgo"  wrote:

> Hello,
>
> I am currently running two bind9 servers on Debian Squeeze.
>  1:9.7.3.dfsg-1~squeeze8
>
> Server 1 is the internal DNS server and serves some local zones. This server
> should forward all unknown requests to our public DNS server. So I
> configured this server as follows:
> /etc/bind/named.conf.options
>
> forward only;
> forwarders {
>   ip_server_2;
> };
>
>
> The second server is allowed to do DNS requests on the internet, so there
> is no forwarder configured.
>
> The issue is that I see on my firewall that server1 is trying to do DNS
> requests to the DNS root servers.
>
> Any idea why I have this issue? Wrong configuration?
>
> Regards,
>
>
>
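An added configuration example, not from Romgo's or Ben's messages, showing the two forward modes Ben is pointing at and why the default one produces traffic to the root servers. The forwarder address 192.0.2.53 is a documentation-range placeholder standing in for ip_server_2.

```conf
// Added example, not from the thread. 192.0.2.53 is a placeholder for the
// public DNS server (ip_server_2 in the original post).
options {
    recursion yes;
    forwarders { 192.0.2.53; };

    // "forward first" is what named uses when a forwarders list is present
    // and no forward statement says otherwise. Each query goes to the
    // forwarders first; if they fail to give a usable answer (timeout,
    // unreachable, error), named falls back to iterative resolution from
    // the root hints. That fallback is exactly what a firewall shows as
    // the internal server contacting root servers.
    //
    // forward first;

    // "forward only" removes the fallback: if the forwarders fail, the
    // client gets SERVFAIL and the internal server never contacts the
    // roots or any other authoritative server on its own.
    forward only;
};
```

Both statements are also accepted inside zone and view blocks, where they override the global setting, so if root queries persist with forward only in options, look for a zone or view carrying its own forward first and check the parsed result with named-checkconf -p. The trade-off of forward only is that an unreachable forwarder means every non-local lookup fails instead of degrading to direct resolution.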

Re: Name resolution fails if not forwarding

2013-01-08 Thread Ben Croswell
My first thought would be lack of firewall rules and connectivity to the
Internet.
On Jan 8, 2013 9:35 AM, "Daniele"  wrote:

> If I use BIND9 forwarding all the queries not belonging to my local zones,
> it works.
>
> But if I don't forward those queries, `dig` sometimes (and this is weird)
> fails (with "connection timed out; no servers could be reached") and the
> logs are full of "lame server", "FORMERR".
>
> Why?
>

Re: MNAME not a listed NS record

2013-01-16 Thread Ben Croswell
There is no issue with a configuration like this. It is the very definition
of a stealth master and is a very common configuration. Any DDNS updates
will continue to reach the stealth master via the MNAME, and no resolvers
will find the master via NS records, so it won't be queried.
On Jan 16, 2013 3:42 PM, "Dave Warren"  wrote:

> Is there anything technically wrong with having a SOA MNAME field that
> isn't listed as a NS record?
>
> The server listed as MNAME will host the zone and is authoritative for the
> zone, but out of latency concerns it isn't ideal to have other resolvers
> querying this server.
>
> Various online DNS diagnostic tools throw warnings, but as far as I can
> tell from the RFCs, this is a valid configuration. Is it valid? Are there
> any operational gotchas to be aware of or can I ignore the "warnings"?
>
> --
> Dave Warren
> http://www.hireahit.com/
> http://ca.linkedin.com/in/davejwarren
>

Re: Define an internal zone with only a couple of A records, then forward to an external dns server

2013-01-17 Thread Ben Croswell
If you load the zone your server will believe it knows everything about the
zone and not forward anything below it.

If you load foo.com with two records, nothing but those two records will
ever resolve on that server for foo.com.

One way to make it work would be to load two zones, vpn1.foo.com and
vpn2.foo.com, each with their A records. Then you would only blackhole
things below vpn1.foo.com and vpn2.foo.com.
On Jan 17, 2013 10:09 AM, "Alberto Zanon"  wrote:

> Hi all,
>
> I googled all morning without success :( I'm using BIND 9.9.1 and I'm
> new to BIND. This is my goal:
>
> - I want to define in my dns server a zone "external_partner.com", which
> is the domain of our partner who manages it with his dns public server "
> dns.external_partner.com".
> - I need to define into this zone a couple of servers ("vpn_host_1.
> external_partner.com", "vpn_host_2.external_partner.com") because we
> connect via vpn to our partner.
> - I want that the rest of the names, e.g. "www.external_partner.com", are
> resolved forwarding the requests to the dns of our partner.
>
> I tried this without success:
>
> - in "named.conf":
>
> zone "external_partner.com" {
>     type master;
>     file "master/external_partner.com.zon";
>     forwarders { xxx.xxx.xxx.xxx; };
> };
>
> and I have "recursion yes" in the options.
>
>
> - in "external_partner.com.zon" I have only the two entries:
>
> $TTL 300
> @   IN  SOA dns.edistar.com. admin.dns.edistar.com. (
>             2013011701  ; Serial
>             300         ; Refresh
>             300         ; Retry every hour
>             300         ; Expire after a week
>             300 )       ; Minimum ttl of 1 day
>
>     IN  NS  dns.edistar.com.
>     IN  TXT "vpn servers"
>
> vpn_host_1.external_partner.com.  IN  A  xxx.xxx.xxx.xxx
> vpn_host_2.external_partner.com.  IN  A  xxx.xxx.xxx.xxx
>
>
> I read about the "forward first" option, but it is the opposite of my goal,
> correct?
>
>
>
>
> Thanks in advance for your responses.
>
>
>  Alberto Zanon
>
>

Re: What causes 'zone transfer setup failed' ?

2013-01-25 Thread Ben Croswell
A common issue is the secondary not being allowed to query the master for
the SOA of the zone. Ensure the master has an allow-query that includes the
secondary.
On Jan 25, 2013 6:06 AM, "Jan-Piet Mens"  wrote:

> Hello,
>
> I'm seeing quite a number of messages like
>
> xfer-out: debug 3: client 192.168.1.2#54688 (example.com): zone
> transfer setup failed
>
> BIND 9.9.2P1 here, configured with:
>
> request-ixfr no;
> transfer-format many-answers;
> transfers-in 100;
> transfers-per-ns 100;
> max-transfer-time-in 60;
>
> BIND has a lot of zones to transfer; does this have something to do with
> too many TCP connections?
>
> FWIW, BIND is running on Centos 6.3 in an OpenVZ container.
>
> Regards,
>
> -JP

Re: Most specific match on PTR records

2013-02-21 Thread Ben Croswell
You need to ensure if the resolver that is doing the forwarding also loads
the blank 10/8 that you have the smaller /24 delegated in the 10/8.
The reason being if it loads the /8 with no /24 delegation it will ignore
the forward because it believes the /24 doesn't exist.
On Feb 21, 2013 1:21 PM, "Nikita Koshikov"  wrote:

> Hello list,
>
>
> I'm trying to "cut" /24 network from the scope of /8 network, here is
> example:
>
> zone "11.2.10.in-addr.arpa" {
> type forward;
> forwarders { 192.168.1.23; 192.168.1.24; };
> };
>
> zone "10.in-addr.arpa" {
> type master;
> file "master/int/10.in-addr.arpa";
> };
>
> 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
> address. But I need to forward requests for the
> 10.2.11.0/24 net to other DNS servers, and the above config is not working.
> I get empty responses for the 10.2.11.0/24 net.
>
> This is right: (192.168.1.8 - server with bind)
>
> $ host -t ptr 10.1.1.1 192.168.1.8
> Using domain server:
> Name: 192.168.1.8
> Address: 192.168.1.8#53
> Aliases:
> Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is wrong:
> $ host -t ptr 10.2.11.10  192.168.1.8
> Using domain server:
> Name: 192.168.1.8
> Address: 192.168.1.8#53
> Aliases:
> Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is expected answer from the forwarded server  - 192.168.1.23
> $ host -t ptr 10.2.11.10  192.168.1.23
> Using domain server:
> Name: 192.168.1.23
> Address: 192.168.1.23#53
> Aliases:
> 10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.
>
> Can someone help with this ?
>
>
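An added example, not from Nikita's or Ben's messages, of the configuration Ben describes: the blank /8 stays loaded locally, the /24 is forwarded, and the parent zone file carries an NS delegation for the /24 so that named treats the name as existing and hands the query to the forward zone during recursion. The zone file path and forwarder addresses are Nikita's; the SOA values and the NS names ns.example.internal, ns-a.example.internal and ns-b.example.internal are assumed placeholders.

```conf
// ---- named.conf (added example, not from the thread) ----
zone "10.in-addr.arpa" {
    type master;
    file "master/int/10.in-addr.arpa";
};

// Forward zone for the /24. On its own this is ignored on a server that
// also loads 10.in-addr.arpa: the query is answered from the local
// authoritative data (NXDOMAIN) before any forwarding is considered.
// It is only consulted once the parent data says the /24 is delegated.
zone "11.2.10.in-addr.arpa" {
    type forward;
    forward only;
    forwarders { 192.168.1.23; 192.168.1.24; };
};

// ---- master/int/10.in-addr.arpa (added example; SOA values assumed) ----
$TTL 3600
@       IN SOA  ns.example.internal. hostmaster.example.internal. (
                2013022101 ; serial
                3600       ; refresh
                900        ; retry
                604800     ; expire
                300 )      ; negative-cache TTL for the NXDOMAIN answers
        IN NS   ns.example.internal.

; Delegate the /24. The NS names are placeholders: with "forward only" in
; the forward zone they are never contacted. The delegation's only job is
; to tell named that 11.2.10.in-addr.arpa exists, so the lookup leaves the
; authoritative path and enters recursion, where the forward zone is the
; most specific match and supplies the forwarders.
11.2    IN NS   ns-a.example.internal.
11.2    IN NS   ns-b.example.internal.
```

After reloading, `host -t ptr 10.2.11.10 192.168.1.8` should return the same PTR that 192.168.1.23 gives directly, while `host -t ptr 10.1.1.1 192.168.1.8` still gets NXDOMAIN from the local /8. If the forward zone were set to forward first instead, a failing forwarder would make named try the delegated NS names, so with placeholder names keep forward only. The same rule explains the earlier organization.com and foo.com threads: a locally loaded zone answers for everything beneath it unless that part is delegated or carved out as its own zone.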

Re: Forward First on Master Zone (bypass SOA)

2013-03-28 Thread Ben Croswell
A server will not forward a zone it is also authoritative for.
On Mar 28, 2013 3:33 PM, "Ben-Eliezer, Tal (ITS)" <
tal.ben-elie...@its.ny.gov> wrote:

> Hello,
>
>
> My organization is evaluating the use of split-view DNS in our environment.
> 
>
> One of the challenges I’ve yet to overcome in my trials, is the ability to
> minimize the administrative overhead of maintaining two copies of the zone.
> 
>
> Upon reviewing some of the BIND options, “forward first;” caught my eye.
> Below is the description of this feature I found on Zytrax:
>
>
> “forward is only relevant in conjunction with a valid forwarders
> statement. If set to 'only' the server will only forward queries, if set to
> 'first' (default) it will send the queries to the forwarder and if not
> answered will attempt to answer the query. This statement may be used in a
> zone, view or a global options clause.”
>
>
> If I understand this correctly, BIND should handle a query for
> host.example.com by first passing it through the configured forwarder,
> which should succeed (the record exists on the Internet).
>
> However, I believe since this server is also authoritative for this domain
> (the internal copy), and the record is not in this “view” of the zone file,
> I receive an NXDOMAIN.
>
>
> I’ve spent hours researching a way to accomplish this without any luck. Is
> there any way to accomplish what I’m trying to do?
>
>
> Thanks,
>
>
> Tal Ben-Eliezer
>
> 
>
>

Re: Confused about a basic concept

2013-06-05 Thread Ben Croswell
Everything you listed is pretty close to accurate.
A couple points of clarification.

8) The master needs UDP/TCP 53 open to the slaves.  Before a zone transfer
can happen the slave needs to get the SOA RR from the master to see if the
serial number has changed.  This normally happens over UDP 53 (see my point
on 9).  So the slaves need to also be in the allow-query ACL on the master;
if they can't query for the SOA they can never determine the serial number
and can't transfer.
9) You should always have UDP/TCP 53 open to DNS servers.  "Normal" queries
happen on UDP 53, but if an answer is too large to fit in a single packet
the answer will be truncated and the TC bit will be set.  This bit tells
the client they didn't get the "full" answer and that they may want to try
the same query via TCP.

On your last points you are pretty much spot on with the answer but are
wondering about the mechanics. Most best practices state that you should not
have recursion and authoritative on the same DNS server. That is a should,
not a must.  What you said is the normal answer: you run DNS servers that
host zones, and you run DNS servers that serve direct client queries. The
client caching DNS servers would need to know where your authoritative
servers are via NS records or forwarding.

One big reason for the split is DNSSEC. An authoritative DNS server can't
validate DNSSEC for a query sent directly to it from a client.  There has
to be another step in between.  For instance, if I ask you if you are Bryan
and you say yes, why should I believe you?  However, if I ask a trusted
friend if you are Bryan I will believe you because there is third party
verification.



On Wed, Jun 5, 2013 at 10:02 AM, Bryan Harris  wrote:

> Hi all,
>
> I think I may be confused about a very basic DNS concept.  Sorry if this
> has been asked before.
>
> 1. I have a master and two slaves.
> 2. The master server is the SOA for my zone.  The SOA record points to the
> master server.
> 3. Each of the two slaves are authoritative for my zone.
> 4. There are 2 NS records for my zone.  The first NS = slave1 and the
> second NS = slave2.
> 5. The Master server is not listed in the NS records for my zone.
> 6. The master does not receive any queries from the clients.
> 7. The slaves receive queries from the clients.
> 8. The master -> slaves relationship is via tcp/53 (notifies & zone
> transfers)
> 9. The slaves -> clients relationship is via udp/53 (queries)
>
> Is this correct so far?  I'm being told "our authoritative DNS servers
> should not receive any queries", as well as "DNS slaves respond to
> queries".  These statements seem like a conflict to me, but maybe I'm
> simply confused?
>
>
> I don't see how a slave could respond to a query unless it's
> authoritative.  The only thing I can imagine is adding some more caching
> servers just for queries and have them forward+recurse to the authoritative
> slave servers (but they're not slaves themselves).  But even in that case,
> the authoritative servers would still need to respond to queries, no?
>  Otherwise how would the caching servers get any answers in the first place?
>
> Bryan
>
>



-- 
-Ben Croswell
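An added configuration example, not from any message in this thread, the MNAME thread or the zone transfer thread, that puts Ben's points 8 and 9 and the stealth-master pattern together: a master that is named in the SOA MNAME but not in the NS set, an allow-query that admits the secondaries so their SOA serial check is not refused, and transfers restricted to TSIG-signed requests from those secondaries. The addresses 192.0.2.10/21/22, the file paths, the key name xfer-key and its secret are constructed placeholders.

```conf
// ---- named.conf on the hidden master (added example, not from the thread) ----
// TSIG key shared with the secondaries. Generate a real one with tsig-keygen
// (ddns-confgen on older BIND); the secret below is a constructed placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIga2V5IG9ubHk=";
};

acl "secondaries" { 192.0.2.21; 192.0.2.22; };

options {
    directory "/var/named";
    recursion no;                          // authoritative only: the split Ben describes
    // Point 8: before transferring, a secondary queries the SOA over UDP 53
    // to compare serials. If allow-query excludes it, that query is REFUSED
    // and no transfer ever starts, however allow-transfer is set.
    allow-query    { secondaries; localhost; };
    allow-transfer { key xfer-key; };      // AXFR/IXFR over TCP 53, signed only
    notify explicit;                       // NOTIFY goes to the listed addresses
    also-notify { 192.0.2.21; 192.0.2.22; };
};

zone "example.com" {
    type master;
    file "master/example.com";
};

// ---- named.conf on each secondary (needs the same key statement) ----
zone "example.com" {
    type slave;
    file "slaves/example.com";
    masters { 192.0.2.10 key xfer-key; };  // sign SOA checks and transfers
    allow-query { any; };                  // these are the public-facing servers
    allow-transfer { none; };
};

// ---- master/example.com on the hidden master ----
// MNAME names the master so DDNS clients can find it, while the NS set
// lists only the secondaries; resolvers following NS records never learn
// about 192.0.2.10, which is the stealth master arrangement.
$TTL 3600
@       IN SOA  master.example.com. hostmaster.example.com. (
                2013010901 ; serial
                3600       ; refresh
                900        ; retry
                1209600    ; expire
                300 )      ; negative-cache TTL
        IN NS   ns1.example.com.
        IN NS   ns2.example.com.
ns1     IN A    192.0.2.21
ns2     IN A    192.0.2.22
master  IN A    192.0.2.10   ; resolvable for DDNS, not advertised as an NS
```

Firewall rules that match this: secondaries to master on UDP 53 (SOA refresh check) and TCP 53 (the transfer itself), master to secondaries on UDP 53 (NOTIFY). With allow-transfer keyed rather than address-based, a spoofed or misrouted source address is not enough to pull the zone, and the secondaries' own allow-transfer { none; } keeps the zone contents from being enumerated through them.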

Re: Delegation and Forwarding

2013-12-11 Thread Ben Croswell
The basic answer is that you use null forwarders for any domains for which
you want to turn off the global forwarders.
If you have a global forwarder and then you have bob.com with a null
forwarder, bob.com and the domains below it will follow delegation.
On Dec 11, 2013 7:10 AM, "Bob McDonald"  wrote:

> I'm a bit confused on the need for a blank forwarders statement inside of
> a zone statement in the named.conf file.  Given an internal zone on a
> recursive server with global forwarders, what are the situations which
> would require me to code a blank forwarders statement inside of a zone
> statement in a named.conf?  I have internal zones which 1) do not delegate
> children, 2) delegate children on the same server, and 3) delegate children on
> different servers (and different versions of BIND).  I know that delegation
> is not affected on servers without global forwarders.  The documentation
> around this is not clear (at least to me).
>
> Is there a difference if the parent is local and the child is forwarded?
>  (or both forwarded but to different addresses?)
>
> Thanks,
>
> Bob
>
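An added example, not from Bob's question or Ben's answer, of the null-forwarders construction: a global forwarder, a locally served zone whose empty forwarders list switches forwarding off for it and its delegated children, and a child that is forwarded to different addresses. The addresses in 192.0.2.0/24, the zone names bob.com and east.bob.com, and the file names are constructed placeholders.

```conf
// Added example, not from the thread. All addresses are placeholders.
options {
    recursion yes;
    forward only;
    forwarders { 192.0.2.53; };      // global forwarder
};

// Locally served parent. The empty forwarders list disables the global
// forwarder for bob.com and every name below it. When this zone's data
// delegates a child (say west.bob.com) with NS records, named follows the
// delegation itself instead of sending the query to 192.0.2.53, which
// most likely knows nothing about an internal child.
zone "bob.com" {
    type master;
    file "master/bob.com";
    forwarders { };
};

// A child forwarded to different servers. This entry is a closer match
// than bob.com in the forwarding table, so names under east.bob.com go to
// 192.0.2.61 and 192.0.2.62. It only takes effect if bob.com delegates
// "east" with NS records, because named answers from the authoritative
// parent data first and would otherwise return NXDOMAIN.
zone "east.bob.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.61; 192.0.2.62; };
};
```

Taking Bob's cases in turn: a zone that delegates nothing needs no forwarders statement at all, since the server answers every name in it from its own data; a child delegated to the same server is a separate local zone and is matched directly; a child delegated elsewhere is the case the empty list exists for, because without it the query for the child would be handed to the global forwarder rather than to the delegated servers.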

Re: I may be confused regarding sub delegated zone

2014-01-23 Thread Ben Croswell
A freshly started server with no cache will be directed to ns1 first, which
will give a referral to ns2 for the subdomain. After that it will go to ns2
directly until the NS records time out in cache.
On Jan 23, 2014 12:30 PM, "Blason R"  wrote:

> Hello friends,
>
> I may sound like a novice but I have a basic question regarding a sub-zone which
> is a delegated zone. Let's say I have the zone example.com whose NS is
> ns1.example.com, and then I have delegated the sub-zone subdom.example.com whose NS
> record would be, say, ns2.example.com.
>
> So will people querying the A record for subdom.example.com [which
> is @] first be sent to ns1.example.com, and then from there be given the NS
> record of subdom.example.com?
>
> Or will it directly be forwarded to ns2.example.com?
>

Re: how to modify the cache

2014-02-14 Thread Ben Croswell
You can't modify cache.  If that was allowed you could cache poison any
domain you wanted.
On Feb 14, 2014 8:52 AM, "houguanghua"  wrote:

> Hi all,
> BIND provides the rndc tool to operate on the cache. But how do I change a
> record in the cache? For example: to modify the original record "www.abc.com
> A IN 219.142.3.1" into "www.abc.com A IN 143.3.1.20".
> I just know that "rndc flush" clears the cache, but I don't know how
> to modify the cache.
>
> Can anyone tell me how to do this? Thanks.
> Guanghua
>

Re: how to modify the cache

2014-02-14 Thread Ben Croswell
What you say is true, but the OP wasn't clear on who owned the record he
wanted to override.  I assumed it was someone else's, or you would just
change the authoritative source that you own.
On Feb 14, 2014 10:20 AM, "Barry Margolin"  wrote:

> In article ,
>  Ben Croswell  wrote:
>
> > You can't modify cache.  If that was allowed you could cache poison any
> > domain you wanted.
>
> "poisoning" refers to putting incorrect records into the cache of some
> *other* server. If you operate the server itself, you can put anything
> you want into its memory. If you want to override a particular record
> that would normally be cached, just make the server authoritative for
> that name.
>
> --
> Barry Margolin
> Arlington, MA

Re: Bind vs flood

2014-02-27 Thread Ben Croswell
I guess I am missing why anyone on the internet should be able to open
queries against your caching resolver.

Why would inbound queries be allowed to servers that are for your people
to get out?
On Feb 27, 2014 10:13 AM, "Ivo"  wrote:

>  Hi Dmitry,
>
> We observed that similar requests are landing on our cache resolver mostly
> from various home routers running a DNS server as an open resolver, which also
> masquerades the original request source.
> We have a collection of ~60 domains involved and most of them are related
> to China. The problem is that the attacker selects a few domains and generates
> queries with random hostnames which therefore are not in the cache, and the
> server has to perform recursion for each query. So each query will consume
> one UDP or TCP socket for at least 10 seconds because the remote DNS server is
> responding slowly or is down, and based on the query volume it can effectively
> overload the cache server.
>
> Initially we thought we could fix it with "resolver-query-timeout", but
> after BIND code analysis it seems that everything less than 10 seconds
> would be ignored; it would be great to mention this in the documentation.
> So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and
> recompile named, but it would be nice to understand why 10 seconds as the
> minimum value was selected in the first place, see /lib/dns/resolver.c
>
> #define MAX_SINGLE_QUERY_TIMEOUT 9U
> #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
>
> snip
>
> void
> dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
>         REQUIRE(VALID_RESOLVER(resolver));
>         if (seconds == 0)
>                 seconds = DEFAULT_QUERY_TIMEOUT;
>         if (seconds > MAXIMUM_QUERY_TIMEOUT)
>                 seconds = MAXIMUM_QUERY_TIMEOUT;
>         if (seconds < MINIMUM_QUERY_TIMEOUT)
>                 seconds = MINIMUM_QUERY_TIMEOUT;
>         resolver->query_timeout = seconds;
> }
>
> We also tried to create local dummy zones for all these domains, but since
> the domains change frequently we started to block the most active open
> resolvers and coordinate with the local CERT.
>
> It would be nice to have some kind of rate limits for query volume of
> different hosts inside a single zone.
>
> Best regards,
>
> Ivo
>
>
> On 2/27/14 7:59 AM, Dmitry Rybin wrote:
>
> The flood began over 2 weeks ago. A lot of queries:
>
> niqcs.www.84822258.com
> vbhea.www.84822258.com
> abpqeftuijklm.www.84822258.com
> adcbefmzidmx.www.84822258.com
> and many others.
>
> BIND answers with "Server failure". Under high load (4 qps) every normal
> client can get SERVFAIL on a good query, or a query can take more than
> 2-3 seconds.
>
> Recursive clients via "rndc status": 300-500.
>
> I tried to use rate limiting:
> rate-limit {
>     nxdomains-per-second 10;
>     errors-per-second 10;
>     nodata-per-second 10;
> };
> I do not see any improvement.
>
> The one way out I found in this situation is to add the flooded zones locally.
>
> What can we do in this situation?
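An added configuration example, not from any message in the thread, of the two defensive settings the exchange points at: restricting recursion to your own users (Ben's question) and capping the recursive fetches that a flood of random hostnames under a slow or dead authority can tie up (the per-zone limit Ivo asks for). The address ranges are constructed placeholders; fetches-per-server and fetches-per-zone are available from the BIND 9.10 series onward, so they are not an option on the 9.7 and 9.9 releases mentioned elsewhere on this page.

```conf
// Added example, not from the thread. Address ranges are constructed.
acl "our-users" { 192.0.2.0/24; 198.51.100.0/24; 2001:db8::/32; localhost; };

options {
    recursion yes;

    // The resolver exists to let your own users out, so nothing else on
    // the Internet should be able to make it recurse or read its cache.
    // BIND's built-in default for allow-recursion is localnets plus
    // localhost, which suits a single LAN but not a provider whose
    // customers sit on many networks: list those networks explicitly and
    // keep allow-query-cache aligned so outsiders cannot read cached data.
    allow-query       { our-users; };
    allow-query-cache { our-users; };
    allow-recursion   { our-users; };

    // Random-subdomain floods aim at recursion itself: every unique name
    // misses the cache and holds a recursive-client slot until the slow or
    // dead authority times out. These limits bound the outstanding fetches
    // per authoritative server and per zone, so one targeted domain cannot
    // starve lookups for everything else.
    recursive-clients  3000;
    fetches-per-server 200;
    fetches-per-zone   100;
};
```

The rate-limit block Dmitry tried is response rate limiting: it throttles what named sends back to clients and is aimed at an authoritative server being used as an amplifier, so it does nothing about the outbound fetches that are the real cost here, which matches his observation of no improvement. With fetch limits in place, excess queries for the flooded zone get SERVFAIL quickly instead of occupying a slot for the full timeout, and unrelated lookups keep working.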

Re: Bind vs flood

2014-02-27 Thread Ben Croswell
Ah, I see you are in a provider situation.  That shows my assumption that
you were in an enclosed enterprise environment was wrong.
On Feb 27, 2014 10:57 AM, "Ivo"  wrote:

>  Ben,
>
> No, our server is not an open resolver; we have a large user community
> and the problem is that users install their own wifi boxes like Zyxel or
> similar which may have an open resolver by default.
>
> Ivo
>
> On 2/27/14 5:18 PM, Ben Croswell wrote:
>
> I guess I am missing why anyone on the internet should be able to open
> queries against your caching resolver.
>
> Why would in bound queries be allowed to servers that are for your people
> to get out?
> On Feb 27, 2014 10:13 AM, "Ivo"  wrote:
>
>>  Hi Dmitry,
>>
>> We observed that similar requests are landing on our cache resolver,
>> mostly from various home routers running a DNS server as an open resolver,
>> which also masquerades the original request source.
>> We have a collection of ~60 domains involved and most of them are related
>> to China. The problem is that the attacker selects a few domains and generates
>> queries with random hostnames which therefore are not in the cache, and the
>> server has to perform recursion for each query. So each query will consume
>> one UDP or TCP socket for at least 10 seconds because the remote DNS server is
>> responding slowly or is down, and based on the query volume it can effectively
>> overload the cache server.
>>
>> Initially we thought we could fix it with "resolver-query-timeout", but
>> after BIND code analysis it seems that everything less than 10 seconds
>> would be ignored; it would be great to mention this in the documentation.
>> So one solution is to change MINIMUM_QUERY_TIMEOUT in resolver.c and
>> recompile named, but it would be nice to understand why 10 seconds as the
>> minimum value was selected in the first place, see /lib/dns/resolver.c
>>
>> #define MAX_SINGLE_QUERY_TIMEOUT 9U
>> #define MINIMUM_QUERY_TIMEOUT (MAX_SINGLE_QUERY_TIMEOUT + 1U)
>>
>> snip
>>
>> void
>> dns_resolver_settimeout(dns_resolver_t *resolver, unsigned int seconds) {
>>         REQUIRE(VALID_RESOLVER(resolver));
>>         if (seconds == 0)
>>                 seconds = DEFAULT_QUERY_TIMEOUT;
>>         if (seconds > MAXIMUM_QUERY_TIMEOUT)
>>                 seconds = MAXIMUM_QUERY_TIMEOUT;
>>         /* anything configured below MINIMUM_QUERY_TIMEOUT is silently raised */
>>         if (seconds < MINIMUM_QUERY_TIMEOUT)
>>                 seconds = MINIMUM_QUERY_TIMEOUT;
>>         resolver->query_timeout = seconds;
>> }
>>
>> We also tried to create local dummy zones for all these domains but since
>> domains change frequently we started to block most active open resolvers
>> and coordinate with local CERT.
>>
>> It would be nice to have some kind of rate limits for query volume of
>> different hosts inside a single zone.
>>
>> Best regards,
>>
>> Ivo
>>
>>
>> On 2/27/14 7:59 AM, Dmitry Rybin wrote:
>>
>> The flood began over 2 weeks ago. A lot of queries:
>>
>> niqcs.www.84822258.com
>> vbhea.www.84822258.com
>> abpqeftuijklm.www.84822258.com
>> adcbefmzidmx.www.84822258.com
>> and many others.
>>
>> Bind answers with "Server failure". Under high load (4 qps) any normal
>> client can get SERVFAIL on a good query, or a query can take more than 2-3
>> seconds.
>>
>> Recursive clients via "rndc status": 300-500.
>>
>> I tried to use rate limiting:
>> rate-limit {
>>         nxdomains-per-second 10;
>>         errors-per-second 10;
>>         nodata-per-second 10;
>> };
>> I do not see any improvement.
>>
>> The one way out I found in this situation is to add the flood zones locally.
>>
>> What can we do in this situation?
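As an added example (not code from this thread or from ISC), here is detection logic for the random-hostname pattern Ivo and Dmitry describe, run over constructed querylog-style lines; the line format, thresholds and function names are assumptions, and the 10-second figure is the MINIMUM_QUERY_TIMEOUT quoted above:

```python
"""Spot a random-subdomain query flood in BIND querylog output.

Added example, not from the thread: parses querylog-style lines, groups queries
by the parent of the queried name, and flags parents that receive many queries
with almost all-distinct leading labels. The log lines below are constructed to
resemble named's querylog format; the thresholds are assumptions to tune per
resolver.
"""
import re
from collections import defaultdict

# Constructed sample: six random-label queries under the thread's flooded domain
# plus three ordinary queries. Client addresses are documentation ranges.
SAMPLE_LOG = """\
27-Feb-2014 10:13:01.001 queries: info: client 192.0.2.10#40001 (niqcs.www.84822258.com): query: niqcs.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:13:01.002 queries: info: client 192.0.2.11#40002 (vbhea.www.84822258.com): query: vbhea.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:13:01.003 queries: info: client 192.0.2.10#40003 (abpqeftuijklm.www.84822258.com): query: abpqeftuijklm.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:13:01.004 queries: info: client 192.0.2.12#40004 (adcbefmzidmx.www.84822258.com): query: adcbefmzidmx.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:13:01.005 queries: info: client 192.0.2.13#40005 (qwzxc.www.84822258.com): query: qwzxc.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:13:01.006 queries: info: client 192.0.2.10#40006 (plmok.www.84822258.com): query: plmok.www.84822258.com IN A + (198.51.100.1)
27-Feb-2014 10:13:01.007 queries: info: client 192.0.2.20#40007 (www.example.net): query: www.example.net IN A + (198.51.100.1)
27-Feb-2014 10:13:01.008 queries: info: client 192.0.2.21#40008 (www.example.net): query: www.example.net IN AAAA + (198.51.100.1)
27-Feb-2014 10:13:01.009 queries: info: client 192.0.2.22#40009 (mail.example.net): query: mail.example.net IN MX + (198.51.100.1)
"""

LINE_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F.:]+)#\d+ \((?P<qname>[^)]+)\): "
    r"query: \S+ IN (?P<qtype>\S+)"
)


def parse_querylog(text):
    """Return (client, qname, qtype) tuples for every line matching the format."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((m["client"], m["qname"].lower().rstrip("."), m["qtype"]))
    return records


def parent_of(qname):
    """Strip the leading label: 'niqcs.www.example.com' -> 'www.example.com'."""
    _first, sep, rest = qname.partition(".")
    return rest if sep else ""


def find_random_subdomain_floods(records, min_queries=5, min_unique_ratio=0.8):
    """Group queries by parent name; flag parents whose leading labels are nearly
    all unique (random hostnames never repeat, so they never hit the cache).

    Returns {parent: {"queries": n, "unique_labels": u, "clients": c}} for parents
    over both thresholds. Busy legitimate names (www, mail) repeat their labels
    and stay below the ratio.
    """
    per_parent = defaultdict(lambda: {"labels": set(), "clients": set(), "queries": 0})
    for client, qname, _qtype in records:
        parent = parent_of(qname)
        if not parent:
            continue
        stats = per_parent[parent]
        stats["queries"] += 1
        stats["labels"].add(qname.split(".", 1)[0])
        stats["clients"].add(client)
    floods = {}
    for parent, stats in per_parent.items():
        ratio = len(stats["labels"]) / stats["queries"]
        if stats["queries"] >= min_queries and ratio >= min_unique_ratio:
            floods[parent] = {
                "queries": stats["queries"],
                "unique_labels": len(stats["labels"]),
                "clients": len(stats["clients"]),
            }
    return floods


def estimate_outstanding_recursions(qps, min_query_timeout_s=10):
    """Recursions in flight at steady state if every flood query waits out the
    minimum timeout: the thread shows named clamps resolver-query-timeout to at
    least 10 s, so unanswered names hold roughly qps x 10 sockets at any moment.
    """
    return qps * min_query_timeout_s


if __name__ == "__main__":
    for parent, stats in find_random_subdomain_floods(parse_querylog(SAMPLE_LOG)).items():
        print(f"possible random-subdomain flood under {parent}: {stats}")
```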

Re: which Name sever is selected?

2014-02-28 Thread Ben Croswell
RTT banding was removed in early versions of 9.8 due to the performance hit
being larger than any security benefit.
So it would depend what version of bind is being used in this case.
https://www.isc.org/blogs/rtt-banding-removal-from-bind-9/

It is important to note that all NS records will take some percent of the
traffic even if they are not the fastest.  This is due to BIND "decaying"
the RTT on the NS records that were not used when it gets a successful
query from the fastest NS. That way if there is a failure on a box it can
eventually be tried again and make it back into the top position.
On Feb 28, 2014 11:07 AM, "Barry Margolin"  wrote:

> In article ,
>  houguanghua  wrote:
>
> > If there is a list of NS records, the local name server uses the RTT
> > (round trip time) algorithm to find the fastest, and queries that server.
> > But I found it's not right. In the testing, the local name server doesn't
> > query the fastest authority name server. Someone tells me that if the
> > local name server gets the RTT to one remote server is less than 30ms, it
> > will not test RTT to other remote servers, even if the RTT is much less.
> > In other words, the local server will only query the first remote server
> > with the RTT less than 30ms. Who would tell me the truth? Thanks! Guanghua
>
> I believe the RTT values are grouped into ranges, and it prefers servers
> that are in a better range. 30 ms might be in the lowest range, so
> another server can't be better.
>
> --
> Barry Margolin
> Arlington, MA

Re: which Name sever is selected?

2014-03-03 Thread Ben Croswell
By decaying I mean they take some percent of time off of the rtt of the
name servers that aren't used when there is a successful query to the
fastest.  Eventually the slower servers will be faster than the fastest and
get queried. That query will set the rtt again for that server and will go
back to being slower.
On Mar 3, 2014 8:24 AM, "houguanghua"  wrote:

> Hi Ben,
>
> What's the meaning of bind "decaying"? Where can I find the detailed
> description? Thanks!
>
> Guanghua
>
>
> ----
> Date: Fri, 28 Feb 2014 11:39:54 -0500
> From: Ben Croswell 
> To: bind-users@lists.isc.org
> Subject: Re: which Name sever is selected?
>
> RTT banding was removed in early versions of 9.8 due to the performance hit
> being larger than any security benefit.
> So it would depend what version of bind is being used in this case.
> https://www.isc.org/blogs/rtt-banding-removal-from-bind-9/
>
> It is important to note that all ns records will take some percent of the
> traffic even if they are not the fastest. This is due to bind "decaying"
> the RTT on the ns records that were not used when it gets a successful
> query from the fastest ns. That way if there is a failure on a box it can
> eventually be tried again and make back into the top position.
> On Feb 28, 2014 11:07 AM, "Barry Margolin"  wrote:
>
> > In article ,
> > houguanghua  wrote:
> >
> > > If there is a list of NS records, the local name server uses the RTT
> > > (round trip time) algorithm to find the fastest, and queries that server.
> > > But I found it's not right. In the testing, the local name server doesn't
> > > query the fastest authority name server. Someone tells me that if the
> > > local name server gets the RTT to one remote server is less than 30ms, it
> > > will not test RTT to other remote servers, even if the RTT is much less.
> > > In other words, the local server will only query the first remote server
> > > with the RTT less than 30ms. Who would tell me the truth? Thanks! Guanghua
> >
> > I believe the RTT values are grouped into ranges, and it prefers servers
> > that are in a better range. 30 ms might be in the lowest range, so
> > another server can't be better.
> >
> > --
> > Barry Margolin
> > Arlington, MA
>

Re: Bind 9.9.1 forward zone "local"

2014-03-25 Thread Ben Croswell
I would imagine your issue is a lack of an NS delegation in the root zone
you are slaving.  If you load a parent and then try to forward a child of
that parent you must have a delegation in the parent. The delegation
doesn't have to match the forwarders but it must exist.
On Mar 25, 2014 1:57 PM, "Андрей Ветров"  wrote:

> Hello. I have a problem with forwarding zone "local" to ISP resolvers.
> My config is:
> options {
> directory "/tmp";
> disable-empty-zone ".";
> };
>
> zone "." {
> type slave;
> masters { 192.0.32.132; 193.0.14.129;};
> masterfile-format text;
> file "/etc/bind/db.root";
> allow-query { any; };
> };
>
> zone "local." IN {
> type forward;
> forwarders {DNS_IP_ISP;};
> forward only;
> };
>
> zone "opendns.com" IN {
> type forward;
> forwarders {208.67.222.222; 208.67.222.220; 208.67.220.220;
> 208.67.220.222;};
> forward only;
> };
> Forwarding to opendns works, dig +short myip.opendns.com returns ip
> address correctly.
> Forwarding to local doesn't work; dig returns NXDOMAIN.
> Commenting out zone "." makes zone "local" work correctly.
>

Re: Slave zero-TTL on CNAMES

2014-06-05 Thread Ben Croswell
Cisco routers do have the ability to "doctor" DNS packets when doing NAT.
When it doctors them it sets the TTL to 0, but I don't know why it would only
do it on CNAME records.
On Jun 5, 2014 12:43 PM, "Reindl Harald"  wrote:

>
>
> Am 05.06.2014 17:58, schrieb /dev/rob0:
> > On Thu, Jun 05, 2014 at 05:21:47PM +0200, Reindl Harald wrote:
> >> what the hell invents "$TTL 0  ; 0 seconds" lines before
> >> each CNAME block while on the master there is exactly
> >> one TTL line with 86400 on top of the file?
> >
> > The way named writes a zone file is not the way I would do it.
> > Records are strictly in alphabetic order, and $TTL blocks are made
> > around all RRSETs where TTL varies.
> >
> > The zone FILE is not your problem. I don't know exactly what the
> > problem might be. It seems that something is intercepting and
> > filtering the zone transfers?
> >
> > You could try transfers manually from the slave:
> >
> > dig [key auth if required] rhsoft.net. axfr @91.118.73.16
> >
> > Does that show any zero TTLs? If so I suggest you place a couple of
> > sniffers at strategic spots, one leaving the master, another entering
> > the slave, and force a zone transfer.
>
> as you can see clearly below any CNAME record comes with a zero TTL
> the dotted line are a lot of CNAMEs, all with zero TTL
> after them the first A record has again the desired 86400
>
> the SOA at the end comes also with 86400 and the CNAME
> block before again has a TTL of zero
>
> i can't imagine anything which would sit between the
> transfer and change things - h wait there was a
> Zyxel router in front of ns1 which was exploitable
> and now is replaced by a small Cisco from the ISP
>
> oh, no, don't tell me that my ISP clutters DNS again :-(
>
> [root@ns2:~]$ dig rhsoft.net. axfr @91.118.73.16
>
> ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-15.P2.fc19 <<>> rhsoft.net. axfr @91.118.73.16
> ;; global options: +cmd
> rhsoft.net.             86400   IN  SOA   ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
> rhsoft.net.             86400   IN  MX    10 barracuda.thelounge.net.
> rhsoft.net.             86400   IN  TXT   "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
> rhsoft.net.             86400   IN  SPF   "v=spf1 ip4:91.118.73.0/24 ip4:89.207.144.27 ip4:62.178.103.85 -all"
> rhsoft.net.             86400   IN  NS    ns2.thelounge.net.
> rhsoft.net.             86400   IN  NS    ns1.thelounge.net.
> rhsoft.net.             86400   IN  A     91.118.73.4
> **.rhsoft.net.          0       IN  CNAME **.rhsoft.net.
> **.rhsoft.net.          0       IN  CNAME **.rhsoft.net.
>
> testserver.rhsoft.net.  86400   IN  A     84.113.92.77
> **.rhsoft.net.          0       IN  CNAME **.rhsoft.net.
> rhsoft.net.             86400   IN  SOA   ns2.thelounge.net. hostmaster.thelounge.net. 1226095186 3600 1800 1814400 3600
> ;; Query time: 22 msec
> ;; SERVER: 91.118.73.16#53(91.118.73.16)
> ;; WHEN: Do Jun 05 18:35:08 CEST 2014
> ;; XFR size: 58 records (messages 1, bytes 1545)
>
>

Re: Diagnostic help

2014-09-29 Thread Ben Croswell
The default for allow-query is localhost and localnets, basically the server
itself and directly connected networks.
On Sep 29, 2014 8:03 PM, "Bill Christensen"  wrote:

>  Hi folks,
>
> Something got sideways on one of my DNS servers, and I would appreciate
> some help in figuring out what's going on.
>
> I'm running BIND 9.10.1.  This server is authoritative master for a number
> of domains.
>
> First off, I may have the allow-query set incorrectly.  Currently I have:
>
> acl query-permit {
> (range of IP address on the local LAN which are allowed to use this
> server as their query server)
> };
>
> acl recursive-permit {
> (range of IP address on the local LAN which are allowed to use this
> server for recursive queries)
> };
>
> acl transfer-permit {
> (IP addresses of a couple other name servers allowed to do transfers
> with this one)
> };
>
> and at the beginning of the options  section:
>
> allow-recursion { recursive-permit; };
>  allow-transfer { transfer-permit; };
> // allow-query { query-permit; };
>
> Allow-query is commented out, which I assume will allow anyone to query
> this server for the domains for which it has master or slave records, but
> does not allow the general public to do recursive queries or queries on
> domains not hosted here.
>
> Let me know if I've got that right, or how to correct it if I don't.
>
> If this part is correct I'll continue the questioning.
>
> Thanks!
>

Re: About CVE-2015-5477 ("An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure")

2015-07-28 Thread Ben Croswell
Is it safe to say the only vulnerable hosts would be those accepting
queries from the outside world, or would this also pertain to servers getting
responses from the outside world with no inbound queries?
On Jul 28, 2015 5:42 PM, "Michael McNally"  wrote:

> As the security incident manager for this particular vulnerability
> notification, I'd like to say a little extra, beyond our official
> vulnerability disclosure (https://kb.isc.org/article/AA-01272)
> about this critical defect in BIND.
>
> Many of our bugs are limited in scope or affect only users having
> a particular set of configuration choices.  CVE-2015-5477 does not
> fall into that category.  Almost all unpatched BIND servers are
> potentially vulnerable.  We know of no configuration workarounds.
> Screening the offending packets with firewalls is likely to be
> difficult or impossible unless those devices understand DNS at a
> protocol level and may be problematic even then.  And the fix for
> this defect is very localized to one specific area of the BIND code.
>
> The practical effect of this is that this bug is difficult to defend
> against (except by patching, which is completely effective) and will
> not be particularly difficult to reverse-engineer.  I have already
> been told by one expert that they have successfully reverse-engineered
> an attack kit from what has been divulged and from analyzing the code
> changes, and while I have complete confidence that the individual who
> told me this is not intending to use his kit in a malicious manner,
> there are others who will do so who may not be far behind.
>
> Please take steps to patch immediately.  This bug is designated
> "Critical" and it deserves that designation.

Re: About CVE-2015-5477 ("An error in handling TKEY queries can cause named to exit with a REQUIRE assertion failure")

2015-07-28 Thread Ben Croswell
Absolutely there is a division of traffic. One set of servers hosting
domains for the outside and another set with no inbound port 53 other than
stateful replies to internally generated queries.

Just looking to prioritize patching schedules.
On Jul 28, 2015 7:33 PM, "/dev/rob0"  wrote:

> On Tue, Jul 28, 2015 at 07:06:16PM -0400, Ben Croswell wrote:
> > Is it safe to say the only vulnerable hosts would be those
> > accepting queries from the outside world, or would this also
> > pertain servers getting responses from the outside world with
> > no inbound queries?
>
> I would ask where does the "outside world" begin?  Many sites serve
> users with vulnerabilities.  Have you ever had botnet traffic
> originating from your network?  (I have, not fun.)
>
> Otherwise your premise is valid; the malicious query comes to your
> named via port 53 UDP or TCP, not as a reply from another server.
> But if you're thinking it's okay because you're going to deny the
> query, no!  This happens before named gets to that point.  Your
> nameserver must be closed to ALL potentially hostile queries.
> --
>   http://rob0.nodns4.us/
>   Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Re: CVE-2015-7547: getaddrinfo() stack-based buffer overflow

2016-02-17 Thread Ben Croswell
Cyber folks asked if there was any way for the DNS servers to "protect" the
vulnerable clients.
The only thing I could see from the explanation was disabling or limiting
EDNS0 sizes. That is obviously not a long-term option.
On Feb 17, 2016 11:39 AM, "Alan Clegg"  wrote:

> On 2/17/16, 11:34 AM, "Reindl Harald"  behalf of h.rei...@thelounge.net> wrote:
>
> >Am 17.02.2016 um 17:22 schrieb Dominique Jullier:
> >> Are they any thoughts around, how to handle yesterday's glibc
> >> vulnerability[1][2] from the side bind?
> >>
> >> Since it is a rather painful task in order to update all hosts to a new
> >> version of glibc, we were thinking about other possible workarounds
> >
> >Fedora, RHEL and Debian as well as likely all other relevant
> >distributions are providing a patched glibc - dunno what is "rather
> >painful" to apply a ordinary update like kernel security updates and
> >restart all network relevant processes or reboot
>
> While I agree that the "major distributions" (and even the minor ones) are
> getting patches out, I'd like to point out something that Alan Cox posted
> over on G+:
>
> "You can upgrade all your servers but if that little cheapo plastic box on
> your network somewhere has a vulnerable post 2008 glibc and ever does DNS
> lookups chances are it's the equivalent of a trapdoor into your network."
>
> https://plus.google.com/+AlanClegg/posts/R1UkJjHMMB6
>
> There does need to be something a bit deeper than "patch your servers"..
>
> AlanC

Re:

2020-06-28 Thread Ben Croswell
In this case a zone level forwarder takes priority over the global
forwarder. Abc.com would go to 1.1.1.1

On Sat, Jun 27, 2020, 11:44 PM baalchina  wrote:

> Hi all,
>
> I had a bind 9.16.4 as recursive name server. I want to forward all
> queries to a specific dns server out of my net such as 8.8.8.8. While I
> have a new domain( such as abc.com) I want to forward to a new dns server
> such as 9.9.9.9.
>
> Here is my named.conf:
>
>
> options {
>         listen-on port 53 { 192.168.1.1; };
>         recursion yes;
>         allow-recursion { any; };
>         forwarders {
>                 8.8.8.8;
>         };
> };
>
> zone "abc.com" {
>         type forward;
>         forwarders { 1.1.1.1; };
> };
>
> So, in this configuration, the abc.com will be forward to 8.8.8.8 or
> 1.1.1.1?
>
> Thanks.
>
>
>
>
> --
> from:baalchina


Re: CNAME / TXT

2020-08-22 Thread Ben Croswell
If you uncomment that mg CNAME you end up with a CNAME, MX and TXT at the
same node in the DNS tree, and that is illegal. That is why you get the
error "CNAME and other data". The MX and TXT are the other data.

On Sat, Aug 22, 2020, 8:19 PM Jukka Pakkanen  wrote:

> Cannot figure out what is wrong here… must be something simple but after
> sitting in airplanes the last 40 hours and it’s 2am…
>
> Only when I comment out the two lines in the end of the named.harriot, it
> goes through and BIND load the zone. With those two lines, get the
> following:
>
> C:\DNS\etc\namedb>named-checkzone harriot.fi named.harriot
> dns_master_load: named.harriot:33: mg.harriot.fi: CNAME and other data
> dns_rdata_fromtext: named.harriot:35: syntax error
> zone harriot.fi/IN: loading from master file named.harriot failed: CNAME and other data
> zone harriot.fi/IN: not loaded due to errors.
>
> ;
> ;File:  named.harriot
> ;
>
> $TTL 864
>
> @       IN SOA  ns1.qnet.fi. helpdesk.qnet.fi. (
>                 202008243  ; serial number
>                 28800      ; refresh every 12 hours
>                 7200       ; retry after 2 hours
>                 604800     ; expire after 2 weeks
>                 3600 )     ; default ttl is 2 days
>
> harriot.fi.         IN A      35.214.111.143
>                     IN MX 10  qntsrv8.qnet.fi.
>                     IN MX 10  qntsrv9.qnet.fi.
>                     IN NS     ns1.qnet.fi.
>                     IN NS     ns2.qnet.fi.
>                     IN NS     ns3.qnet.fi.
>                     IN NS     ns1.z.fi.
>                     IN NS     ns2.z.fi.
>
> www                 IN A      35.214.111.143
> api                 IN A      35.214.111.143
> webmail             IN CNAME  mail.qnet.fi.
> _autodiscover._tcp  IN SRV    0 5 443 mail.qnet.fi.
>
> dev                 IN A      35.214.111.143
>
> ;
> mg                  IN CNAME  eu.mailgun.org.
> mg                  IN MX 10  mxa.eu.mailgun.org.
> mg                  IN MX 10  mxb.eu.mailgun.org.
> mg                  IN TXT    v=spf1 include:eu.mailgun.org ~all
>
> ; smtp_domainkey.mg IN TXT "k=rsa; p=MII-AQAB"
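As an added example (not ISC code and not from the thread), a minimal master-file reader that finds the "CNAME and other data" condition named-checkzone reported above before the zone is loaded; the zone text is constructed after the thread's file, the owner-name handling is simplified, and the function names are assumptions:

```python
"""Check a zone file for a CNAME sharing its owner name with other records.

Added example, not ISC code: collects the RR types present at each owner name
and flags any node that holds a CNAME together with other data, which is the
rule behind the "CNAME and other data" error in the thread. The zone text is
constructed after the thread's named.harriot; the DKIM record is included
uncommented only to exercise the quoted-';' handling.
"""
import re

SAMPLE_ZONE = """\
$TTL 864
@           IN SOA  ns1.qnet.fi. helpdesk.qnet.fi. (
                202008243 ; serial
                28800 7200 604800 3600 )
harriot.fi. IN A    35.214.111.143
            IN MX   10 qntsrv8.qnet.fi.
            IN NS   ns1.qnet.fi.
www         IN A    35.214.111.143
webmail     IN CNAME mail.qnet.fi.
mg          IN CNAME eu.mailgun.org.
mg          IN MX   10 mxa.eu.mailgun.org.
mg          IN TXT  "v=spf1 include:eu.mailgun.org ~all"
smtp._domainkey.mg IN TXT "k=rsa; p=MII-AQAB"
"""


def strip_comment(line):
    """Drop a ';' comment unless the ';' sits inside double quotes."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def logical_lines(text):
    """Yield (starts_with_whitespace, tokens), joining '( ... )' continuations."""
    buf, depth, leading_ws = [], 0, False
    for raw in text.splitlines():
        line = strip_comment(raw)
        if not buf:
            leading_ws = line[:1].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        tokens = re.findall(r'"[^"]*"|[^\s()]+', " ".join(buf))
        buf = []
        if tokens:
            yield leading_ws, tokens


def qualify(name, origin):
    """Turn a relative owner ('mg', '@') into a fully qualified one."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def record_types_by_owner(text, origin):
    """Map each fully qualified owner name to the set of RR types it holds."""
    owner, types = None, {}
    for leading_ws, tokens in logical_lines(text):
        if tokens[0].startswith("$"):            # $TTL / $ORIGIN directives
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            continue
        if not leading_ws:                        # new owner; else inherit it
            owner = qualify(tokens[0], origin)
            tokens = tokens[1:]
        if owner is None:
            raise ValueError("record without an owner name")
        i = 0                                     # skip optional TTL and class
        while i < len(tokens) and (tokens[i].isdigit() or tokens[i].upper() in ("IN", "CH", "HS")):
            i += 1
        types.setdefault(owner, set()).add(tokens[i].upper())
    return types


def cname_conflicts(types_by_owner):
    """Owners holding a CNAME plus other data, with the offending other types."""
    return {owner: sorted(t - {"CNAME"})
            for owner, t in types_by_owner.items() if "CNAME" in t and len(t) > 1}


if __name__ == "__main__":
    for owner, others in cname_conflicts(record_types_by_owner(SAMPLE_ZONE, "harriot.fi.")).items():
        print(f"{owner}: CNAME and other data ({', '.join(others)})")
```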


BIND OS tuning

2020-11-20 Thread Ben Croswell
Does BIND take advantage of net.core.rmem_max on Linux boxes?
If I set the rmem_max to 12.5mb but leave the rmem_default as the OS
default will I see a benefit on a high QPS DNS server?

Or does BIND look to the rmem_default and ignore the rmem_max?

-- 
-Ben Croswell


Re: Forwarding zone, setup

2022-03-01 Thread Ben Croswell
Are you loading the parent domain and trying to zone forward a child domain
on the same DNS server? I.e. loading somedomain.local and trying to forward
ab.somedomain.local

If so an NS delegation is required in every instance I have done in my
environment. The NS doesn't need to be "right" but it needs to exist. I
don't know the internal BIND logic for that but I have always taken it as
"I load the parent and I know the child doesn't exist because there isn't a
delegation to make it exist so why would I forward something that doesn't
exist".


On Tue, Mar 1, 2022, 1:18 PM Gregory Sloop  wrote:

> Static-sub fixes the issue.
>
> Any idea why static-sub works when forwarder doesn't?
>
> (Again, the server is using recursion. Dig queries return the RA flag, so
> I know it's actually offering recursion in reality.)
>
> I can live with static-sub just fine, since it works - but I'd really love
> to understand why forwarder didn't - just so I can avoid getting bitten by
> it in some other situation.
>
> Thanks Andrej!
>
> -Greg
>
> Is static-stub something you are looking for?
>
>
> Reference documentation:
>
> https://bind9.readthedocs.io/en/v9_18_0/reference.html?highlight=static-stub#zone-types
>
>
> And in human terms:
> https://jpmens.net/2011/01/25/binds-new-static-stub-zone-type/
>
>
> Ondrej
> --
> Ondřej Surý (He/Him)
> ond...@isc.org
>
>
> My working hours and your working hours may be different. Please do not
> feel obligated to reply outside your normal working hours.
>
>
> On 28. 2. 2022, at 21:47, Gregory Sloop  wrote:
>
> So, I want to forward all queries for
> *.ab.somedomain.local to some other internal DNS servers.
> (Records in *.ab.somedomain.local actually are our active domain servers)
>
> (Yes, I know .local is reserved now, but we've been using it a long time
> and changing would be rather painful. Unless there's some horrible
> consequences, I think we'll just continue for now. We won't ever use mDNS.)
>
> zone "ab.somedomain.local" {
> type forward;
> forward only;
> forwarders { 10.0.0.1; 10.0.0.2; 10.0.0.3; };
> };
>
> But this doesn't appear to do what I want.
>
> If I add the above to my regular BIND servers configuration, it doesn't
> return results like it's forwarding them. (I get NXDOMAIN for
> abc.ab.somedomain.local.)
>
> If I do a dig @10.0.0.1 abc.ab.somedomain.local from the BIND server, I
> get a proper result. (force dig to use the AD name servers directly,
> instead of relying on the forward.)
>
> (And yes the resolv.conf file has the ip addresses of the main internal
> BIND servers in it, and those only.)
> I've looked and while I think I'm doing it right, I'm not entirely sure.
> I figured before I beat my head against the wall for too long, I'd ask the
> real experts! :)
>
>


Re: Determining Which Authoritative Sever to Use

2022-05-07 Thread Ben Croswell
I can't speak definitively for stub zones, but I would assume it works the
same as NS delegations or forwarding.
A DNS server maintains a listing of smoothed round trip times (SRTT) for
each potential destination.  It uses the SRTT with the lowest value, and
after each successful response all of the SRTTs with a higher value are
decremented.  This is the self-healing mechanism.  Eventually a higher
value will be reduced far enough so it is the lowest and it will be used
and readjusted.  The readjusting will likely make it higher and it would go
back to the original server.  This is a long winded way of saying all of
the servers in the list will take a certain percentage of the overall query
volume.

On Sat, May 7, 2022 at 10:20 AM Bob McDonald  wrote:

> Forgive my ignorance if this is a trivial question.
>
> Supposing I have an internal IP network (rfc1918)  where there atr local
> caching servers (recursive) which clients connect to and scattered around
> are several authoritative servers  which provide answers for internal only
> zones. Those internal only zones are defined on the caching servers via
> stub zones.
>
> My question is this; how do the recursive servers determine from
> the information in the stub zone which name server to query? And, is that
> the closest (network wise)? Do I need to put anycast into the mix?
>
> TTFN,
>
> Bob
>


-- 
-Ben Croswell
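As an added example (a toy model, not BIND's code), the SRTT selection and decay described here and in the 2014 "which Name server is selected?" reply, simulated so the traffic split across servers can be seen; the RTT values, the 2% decay and the smoothing weight are assumptions, not BIND's constants:

```python
"""Simulate authoritative server selection by smoothed round trip time (SRTT).

Added example, not BIND code: each query goes to the server with the lowest
SRTT; after a successful answer the answering server's SRTT is set from the
measured RTT and every other server's SRTT is decayed by a fixed percentage,
so slower servers eventually look fastest, get one query, are measured again
and drop back. Decay rate, smoothing weight and RTTs are assumptions.
"""
from collections import Counter


def select_server(srtt):
    """Return the server with the lowest SRTT; ties go to the first listed."""
    return min(srtt, key=srtt.__getitem__)


def record_response(srtt, chosen, measured_ms, decay=0.02, smoothing=0.0):
    """Update SRTTs after a successful answer from `chosen`.

    smoothing=0 replaces the chosen server's SRTT with the measurement; a
    value between 0 and 1 keeps that fraction of the old estimate. All other
    servers shrink by `decay`, the self-healing step the thread describes.
    """
    for name in srtt:
        if name == chosen:
            srtt[name] = smoothing * srtt[name] + (1 - smoothing) * measured_ms
        else:
            srtt[name] *= 1 - decay


def simulate(true_rtt_ms, queries, decay=0.02, smoothing=0.0):
    """Send `queries` queries against servers with fixed real RTTs.

    Returns {server: queries received}. Unknown servers start at SRTT 0 so
    each is tried once before the real measurements take over.
    """
    srtt = {name: 0.0 for name in true_rtt_ms}
    counts = Counter()
    for _ in range(queries):
        chosen = select_server(srtt)
        counts[chosen] += 1
        record_response(srtt, chosen, true_rtt_ms[chosen], decay, smoothing)
    return dict(counts)


def traffic_share(counts):
    """Fraction of all queries each server received."""
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


if __name__ == "__main__":
    # Constructed scenario: one close server and two progressively farther ones.
    shares = traffic_share(simulate({"near": 5.0, "mid": 20.0, "far": 80.0}, 5000))
    for name, share in shares.items():
        print(f"{name}: {share:.1%}")
```

With decay switched off the fastest server takes every query after the initial probes, which is the failure-handling gap the decay exists to close.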


Re: Determining Which Authoritative Sever to Use

2022-05-08 Thread Ben Croswell
I would concur that internally Anycast is best for client facing edge nodes
to reduce client configuration complexity as well as reducing impact of a
first resolver outage.

On Sun, May 8, 2022, 7:59 AM Tony Finch  wrote:

> Bob McDonald  wrote:
> >
> > My question is this; how do the recursive servers determine from
> > the information in the stub zone which name server to query?
>
> As well as what Bob Croswell said about SRTT (which is entirely correct),
> there's a subtlety with stub zones in particular.
>
> A stub zone works a bit like the root zone hints, in that the name servers
> that you configure are just used to find the zone's NS records. This means
> that stub zones don't override where queries are routed for these zones.
> If you want your resolver to ignore the NS records on your internal zones,
> you should use static-stub instead.
>
> Regarding anycast, it isn't necessary for internal authoritative servers
> unless your organization is really huge (and probably not even then): it
> is simpler to just use the DNS's standard reliability features. All you
> need to do is have more than one authoritative server for each zone.
> On the other hand, anycast is a good way to improve the availability and
> maintainability of your resolvers, because your users' devices talk
> directly to them, and if they don't work there might as well not be an
> Internet connection.
>
> --
> Tony Finch(he/they)  Cambridge, England
> Selsey Bill to Lyme Regis: East or southeast, veering south later, 2
> to 4. Smooth or slight, occasionally moderate for a time offshore.
> Fair. Good.


Re: Determining Which Authoritative Server to Use (Bob McDonald)

2022-05-08 Thread Ben Croswell
On the closest server question it will prefer the closest but a certain
percentage will go to servers further away. Additionally depending on the
version of BIND and the distance it could lead to the servers further away
taking more traffic in high QPS situations.

If you are getting high QPS you could fire off a large amount of queries to
the "slower" server before it responds and resets its SRTT. I believe newer
BIND versions have moved away from a static decrement value and have fixed
the issue, but even with the fixes some queries will go out of region.


On Sun, May 8, 2022, 12:47 PM Bob McDonald  wrote:

> Thanks for the answers. A couple more questions and then I'll stand down.
>
> First, it's Ben Croswell. Just pointing that out.
>
> Second, my reading of the definition of a static-stub zone in the Bvarm
> indicates that its use is to allow a local copy of the NS list which may
> differ from the primary zone. I'm not sure that's what I'm looking for. I
> think I'm ok with the NS list from the primary zone. Let me take another
> swing and try to be a bit more pedantic to see if that helps.
>
> I wish to define a global internal DNS environment.
>
> At the level closest to the client would be a global network of recursive
> DNS servers which would handle all internal and external DNS requests. The
> internal DNS zones would be housed on a global network of authoritative
> only DNS servers. The NS list for the internal DNS zones on these
> authoritative only servers would be known to the recursive servers via stub
> zones. My question is, if a client in Mumbai submits a DNS request to his
> local recursive server for an internal authoritative only zone defined by a
> stub zone statement, which authoritative only server does the recursive
> server pick from the NS list and will that eventually be the "closest"
> server. I'm assuming a global distribution of the authoritative servers.
> E.g. Hong Kong, London, US East, US West, South Amer, etc. The use of the
> stub zones in this case is to eliminate the need for an internal root. I
> want to avoid lookups for example from clients in Asia being sent to
> authoritative only servers in South Amer.
>
> Bob


Re: Determining Which Authoritative Server to Use

2022-05-10 Thread Ben Croswell
I will say edge DNS servers reduce client config complexity, even if you
have DHCP, and increase resiliency of the initial resolver.

While it's true that with DHCP you can change the DHCP server options, it
doesn't help if someone just got a 4 day lease and then the DNS server dies.

Additionally the abstraction layer makes patching and decom of DNS servers
much easier. No config to change, just kill the box. Perhaps this is less of
a concern if you are running a smaller environment but when you are
running 400 to 500 servers in a variety of roles globally it becomes a
valuable resource.

On Tue, May 10, 2022, 5:49 PM Grant Taylor via bind-users <
bind-users@lists.isc.org> wrote:

> On 5/8/22 5:58 AM, Tony Finch wrote:
> > Regarding anycast, it isn't necessary for internal authoritative
> > servers unless your organization is really huge (and probably not
> > even then): it is simpler to just use the DNS's standard reliability
> > features. All you need to do is have more than one authoritative
> > server for each zone.
>
> I don't know if it's a requirement for the OP or not, but Windows used
> to reach out to the MName server to perform dynamic updates.  So there
> might be some merit to the name of the MName server to be a pseudo name
> that resolves to an anycasted address, thus clients try to perform the
> dynamic update to the closest instance of the anycast / (pseudo) MName
> server.
>
> Aside:  Years ago, BIND secondaries would happily forward such dynamic
> updates the real primary MName server.
>
> Further aside:  The last time I looked, MS-DNS ADI zones would forge the
> local server's name as the MName to cause this type of client redirection.
>
> > On the other hand, anycast is a good way to improve the availability
> > and maintainability of your resolvers, because your users' devices
> > talk directly to them, and if they don't work there might as well
> > not be an Internet connection.
>
> I agree that anycasted service points make administration somewhat
> simpler.  However I do question the /need/ for such flexibility when
> things like DHCP are likely used for client configuration and can
> therefore manage most things automatically.
>
>
>
> --
> Grant. . . .
> unix || die
>


Re: Question about Records not authoritative for

2008-12-11 Thread Ben Croswell
This is exactly what we have done in the past to mitigate malware.  Just
load somebaddomain.com with no A records or with a wildcard pointing to
127.0.0.1.
-- 
-Ben Croswell


On Thu, Dec 11, 2008 at 11:29 AM, Baird, Josh  wrote:

>  You could just create an authoritative zone for the domain on your
> internal view to override recursion.  You can then create a wildcard 'A'
> record or such to resolve to 127.0.0.1, etc.
>
>
>
> Josh
>
>
>
> *From:* bind-users-boun...@lists.isc.org [mailto:
> bind-users-boun...@lists.isc.org] *On Behalf Of *Casartello, Thomas
> *Sent:* Thursday, December 11, 2008 10:25 AM
> *To:* 'bind-us...@isc.org'
> *Cc:* Childs, Aaron
> *Subject:* Question about Records not authoritative for
>
>
>
> I was wondering if Bind allows you to override certain records for zones we
> are not authoritative for. Essentially we have a virus that some users have
> been infected with, and we want to temporarily blockout the domain name of
> the server that this virus connects to to send its information out.
> (Basically by having this domain name point to 127.0.0.1) I know it is a
> protocol violation, but I was just wondering if it is possible to do this
> and what would be the best way of going about it. We essentially have two
> servers with two views. One view serves our DNS zones to the outside world
> (With recursion disabled) and the other performs recursive queries for our
> on campus users. Obviously we would only be doing this on our internal view.
>
>
>
> Thomas E. Casartello, Jr.
>
> Staff Assistant - Wireless Technician/Linux Administrator
>
> Information Technology
>
> Wilson 105A
>
> Westfield State College
>
> (413) 572-8245
>
>
>
> Red Hat Certified Technician (RHCT)
>
>
>

Re: recursion for reverse/in-addr.arpa zones

2008-12-11 Thread Ben Croswell
Are there NS records and/or zone forwarding for the 10.131.10.0?
If there are, the servers will look to the most specific domain.

-- 
-Ben Croswell

On Thu, Dec 11, 2008 at 4:38 PM, Todd Snyder  wrote:

> Good day,
>
> We are working on an odd issue.  I can provide more detail as necessary,
> but don't want to fill this email with snips of useless stuff.  All
> IP's/names provided are made up, as they don't matter in this problem as
> far as I can tell.  This is more a functional question than a specific
> operating question.
>
> We have 2 servers acting as a slave for the zone "10.in-addr.arpa".  The
> master(s) for this server are 2 Windows AD servers.  Our servers (all
> bind9.4 of some variety) are doing zone transfers fine, and we're
> getting whatever is in the zone.
>
> We've run in to a couple IP's that when we dig them on these slaves,
> they are timing out.  They are in a specific location, which we have
> determined are firewalled differently.
>
> For example, we are doing a dig for 10.131.10.1 against these 2
> different locations.  In one location, we get an answer quickly.  In the
> other, it times out.  The problem in our case is that in one location,
> the slave we're querying can't reach anything but the masters.
>
> What we've figured out is that the 10.in-addr.arpa zone doesn't contain
> EVERY 10. address we thought, but is missing some.  In this case, our
> slaved zone doesn't have 10.131.10.1.  But, instead of the slave server
> (which should be authoritative) returning an "I don't know" error, it
> appears to be doing a recursive query.  Against what, we're not 100% sure
> of yet.  Well, we know which server, because DIG tells us, but we aren't
> sure why that one.
>
> When I look at the 10.in-addr.arpa zone, there are approximately 20 NS
> records for other AD servers.  My speculation is that the slave we're
> querying is recursively looking to one of the servers returned in the
> additional section?  This behaviour seems odd to us, and therein lies my
> question.
>
> Does doing a reverse lookup (dig -x) cause the queried server to behave
> differently than a forward lookup?  My slave server is technically
> authoritative for the 10.in-addr.arpa zone, but it is still recursively
> going to another server to find an answer.  Why?  Is this because we
> have defined the zone as 10.in-addr.arpa instead of creating/slaving
> more specific zones (ie: 10.131.10.in-addr.arpa)?  How can we control
> this behaviour?
>
> Thank you for any light you can shed on this - we're confident we know
> what is going on, but we can't figure out why the server behaves
> differently for reverse zones than it would for forward zones.
>
> Cheers,
>
> Todd.
>
>
> --
> Todd Snyder
> Data Networks Tools
> bb.226.338.2617
> Always On, Always Connected.
>
>

Issue with case changing from master on BIND 9 to slave on BIND 8

2008-12-15 Thread Ben Croswell
I am reaching out to the list on what appears to be a very odd issue that
happened over the weekend.
We had an issue where some internal domains had the TLD capitalized after
the zone transfer.
i.e. foo.bar.com on the master became foo.bar.COM on the slave.
I know that DNS is case insensitive but it caused an issue with apps that
were misbehaving.

The master is BIND 9.2.1 and the slaves in question are 8.2.3.
The master zone has everything lower case, and BIND 9 slaves show them as
lower case as well.
A manual zone xfer on the 8.2.3 boxes to a different local directory than
the actual named directory shows .COM.

I was wondering if anyone had experienced an issue like this.

And I understand both of those versions are ancient and need to be removed
from the environment.

-- 
-Ben Croswell

Re: DNS spoofing

2009-01-16 Thread Ben Croswell
He states in his message that he only wants to change one host in the
domain and that all other information for the domain needs to remain intact.
If he loads or forwards the domain on his servers nothing other than what he
loads will be resolved.

-- 
-Ben Croswell

On Fri, Jan 16, 2009 at 1:24 PM, Josh Kuo  wrote:

> One of the ways you can try is to setup a zone for somedomain.com on
> your DNS server, assuming your users will query your DNS servers for
> any outbound recursive lookups. Just create the entries you want in
> somedomain.com, and your users will get those answers.
>
> If your main DNS server is different from the DNS resolver that users
> point to, you will need to create a forward zone on the resolver to
> point anything in somedomain.com to your main DNS server (where your
> own version of the somedomain.com data resides).
>
> Hope this helps.
>
> On Fri, Jan 16, 2009 at 10:11 AM, Rob Z  wrote:
> > Hello,
> > we need to deliberately point some of our DNS clients to a host with a
> > different IP.
> > Basically, when a client on a certain subnet asks for a
> host.somedomain.com
> > they should get an address for host.mydomain.com.
> > All other DNS information for somedomain.com must be valid for all of my
> > clients.
> > I have no control over somedomain.com DNS but I have full controll over
> our
> > DNS servers.
> > What is the best way of doing this with bind?  What are other ways of
> doing
> > this (eg modify local resolvers)?
> > Any ideas are greatly appreciated.
> > --
> > Rob
> >

Re: bind cname for corporate web

2009-01-18 Thread Ben Croswell
This is not possible.  It is against RFC, and BIND enforces it, to have
CNAME and any other data at the same branch of the DNS tree.
In this case you are trying to put a CNAME at the second level domain
example.com.  However example.com also has an SOA record, several NS
records, and possibly MX records.

You will need to make example.com an A record or use www.example.com IN
CNAME someother.site.com.

-- 
-Ben Croswell

On Sun, Jan 18, 2009 at 12:37 PM, Dhaval Thakar <
dhaval.tha...@networthdirect.com> wrote:

>
>
> Hi,
>
> I am using bind 9.6.0.
>
> I want to configure cname for corporate web (example.com).
> When I mention following my company site opens without sub domain. e.g
> example.com I don't need to mention www.example.com.
>
> @  IN  A  x.x.x.x
>
> I have two ISP with radware link proof. Radware device has its own dns e.g
> abc.com
> I have web record on link proof e.g www.abc.com (ip x.x.x.1 & y.y.y.1)
>
> Now when I am trying to configure following my domain doesn't resolve.
> @  IN  CNAME www.abc.com.
> OR
> example.com.  IN  CNAME  www.abc.com.
>
> Kindly guide me to create example.com aliased to www.abc.com
>
> Thanks & Regards
>
>

Re: How many nameservers?

2009-02-02 Thread Ben Croswell
I have never heard of there being any downside to a large number of NS
records for a domain.
I know internally to my company we have large numbers of NS records for the
internal domains.

-- 
-Ben Croswell

On Sun, Feb 1, 2009 at 7:51 PM, shulkae  wrote:

> How many NS entries are typically allowed per zone? Is there a bind
> limit or does it cause any side effects if the
> slaves are geographically distributed ?
>
> We would like to setup one zone for my new group who have offices all
> over the world ? We are planning
> to use BIND 9 over FreeBSD. There may be few SUN/Solaris hosts as
> well.
>
> We would like to start with around 16 Slaves per master per zone. Is
> this too much? My tests did not reveal any side effect fortunately.
>
> Anyone with experience of setting up DNS slaves all around the globe
> please advise..
>
> Warm regards
> Shal

Re: How many nameservers?

2009-02-03 Thread Ben Croswell
That was my understanding.  It would only overflow if you actually had
enough NS records that the NS records themselves couldn't fit in the answer
section.

-- 
-Ben Croswell

On Tue, Feb 3, 2009 at 1:00 AM, Barry Margolin  wrote:

> In article , bsfin...@anl.gov wrote:
>
> > One downside - if you have many NS records, then they might not all
> > fit in one UDP packet (the Authority and/or Addition sections of a
> > response to a DNS query).  This will cause the protocol to revert
> > to TCP.
>
> Truncation isn't supposed to happen if you overflow in the Additional
> section, is it?  These records are already optional, so they can be left
> out if it would cause the packet to exceed the maximum UDP size.
>
> --
> Barry Margolin, bar...@alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
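To put numbers on the UDP-size question in this thread, here is an added example (not code from the posts or from BIND) that builds the wire-format response to a NS query with label compression, once with the A glue in the additional section and once without, so the point about dropping optional additional records can be measured. The zone name, the ns1..nsN server names and the 192.0.2.x addresses are constructed.

```python
"""Measure how many NS records fit in a classic 512-byte UDP DNS response.

Added example, not code from the list posts or from BIND. It encodes an
authoritative answer to '<zone> NS?' the way a server would, with RFC 1035
label compression, with and without the A glue in the additional section.
"""
import struct

UDP_LIMIT = 512  # DNS/UDP payload limit without EDNS


def encode_name(name, offsets, out):
    """Append `name` to bytearray `out` with compression: labels are written
    until a suffix already present in the message is found, then a two-byte
    pointer to it is emitted; new suffixes are remembered in `offsets`."""
    lbls = [l for l in name.lower().rstrip(".").split(".") if l]
    for i, lbl in enumerate(lbls):
        suffix = ".".join(lbls[i:]) + "."
        if suffix in offsets:
            out += struct.pack("!H", 0xC000 | offsets[suffix])
            return
        if len(out) < 0x4000:          # a pointer only reaches 14 bits
            offsets[suffix] = len(out)
        out += bytes([len(lbl)]) + lbl.encode("ascii")
    out += b"\x00"                     # root label ends an uncompressed name


def ns_response(zone, servers, include_additional=True):
    """Wire-format authoritative response to a NS query for `zone`.
    `servers` maps each name-server name to its IPv4 glue address."""
    out = bytearray()
    offsets = {}
    arcount = len(servers) if include_additional else 0
    # header: id, flags (QR + AA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    out += struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(servers), 0, arcount)
    encode_name(zone, offsets, out)                  # question section
    out += struct.pack("!HH", 2, 1)                  # QTYPE NS, QCLASS IN
    for ns in servers:                               # answer section
        encode_name(zone, offsets, out)              # owner: pointer to qname
        out += struct.pack("!HHIH", 2, 1, 3600, 0)   # type, class, TTL, rdlen
        rdstart = len(out)
        encode_name(ns, offsets, out)
        struct.pack_into("!H", out, rdstart - 2, len(out) - rdstart)
    if include_additional:                           # glue A records
        for ns, addr in servers.items():
            encode_name(ns, offsets, out)            # compresses to a pointer
            out += struct.pack("!HHIH", 1, 1, 3600, 4)
            out += bytes(int(o) for o in addr.split("."))
    return bytes(out)


def make_servers(zone, count):
    """Constructed ns1..nsN names under `zone` with documentation addresses."""
    return {f"ns{i}.{zone}": f"192.0.2.{i}" for i in range(1, count + 1)}


def udp_fit(zone, count):
    """(size with glue, size without glue, fits with glue, fits without glue)."""
    servers = make_servers(zone, count)
    full = len(ns_response(zone, servers, True))
    bare = len(ns_response(zone, servers, False))
    return full, bare, full <= UDP_LIMIT, bare <= UDP_LIMIT


if __name__ == "__main__":
    for n in (8, 16, 24, 32):
        print(n, "NS records:", udp_fit("example.com.", n))
```

With the 16 secondaries from the question, the answer section alone stays under 512 bytes while adding 16 glue records pushes the message past it.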

Re: possible noob question - @ CNAME?

2009-02-08 Thread Ben Croswell
You can not have a CNAME at the "domain" level.  It is against RFC to have a
CNAME and any other data at the same level of a given domain tree.
i.e. the following is illegal
www    IN  CNAME  www.blah.com
www    IN  MX     10 mail.blah.com

This will cause BIND to throw the zone and not load it because it is
illegal.

If you put a CNAME at the domain level you are causing the CNAME to collide
with an SOA record, and 1 or more NS records at the very minimum.

-- 
-Ben Croswell

On Thu, Feb 5, 2009 at 12:36 PM, RJValenta  wrote:

> forever ago, i set myself up with a solid bandwidth and static IPs and
> started to host websites for my friends & their small businesses.
> basically, they covered the cost of my internet access.
>
> so for 10 years i've been hosting my own name, mail, and web servers
> allowing me to '@ A xxx.xxx.xxx.xxx' and then to make life easy i
> would 'www IN CNAME mywebserver.mydomain.com.'  i say easy, because
> that way in the event that i changed ISPs and got new IP addresses,
> there was less chance of my screwing up a www and MX record if i made
> sure to change the two primary machines' A records properly.
>
> however, the '@ IN xxx.xxx.xxx.xxx' would always need to be changed
> manually.
>
> Is there a way around this?  is it possible in some fashion to '@ IN
> CNAME my.server.com' ?
>
> I ask because I'm trying to trim back here, and move my NS hosting to
> NetSol and subsequently trim back on what i have to manage.  at this
> stage in the game i'd rather have more time to not worry about my
> friend's personal website about their kids, and still be confident
> that their wife's home business website will still stay up.
>
> any ideas on how i can CNAME their @ record so their http://whatever.com
> will still work, but in the end, i'm only managing one domain's IP
> records?
>
> thanks,
>
> richard
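A small checker for the rule Ben describes here and in the earlier "bind cname for corporate web" reply, added as an example (not code from the posts or from BIND): it parses the simple zone-file syntax used in these messages and reports every owner name that carries a CNAME next to other data, which is what makes BIND refuse the zone. The zone texts, names and addresses are constructed.

```python
"""Report owner names that mix CNAME with other records (apex CNAME included).

Added example, not code from the list posts or from BIND. It reads the
line-oriented zone-file form used in the posts: '@' is the apex, a line
starting with whitespace repeats the previous owner, $ directives are
skipped, and a parenthesised SOA may span several lines.
"""
import re

RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"\d+[smhdw]?", re.IGNORECASE)


def absolute(name, origin):
    """Make an owner name absolute relative to `origin` (which ends in '.')."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return a list of (owner, rrtype, rdata) tuples from zone-file text."""
    origin = origin.lower()
    # fold a parenthesised multi-line field (the SOA timers) onto one line
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0).split()), text)
    records = []
    prev_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        owner = prev_owner if raw[0].isspace() else absolute(fields.pop(0), origin)
        prev_owner = owner
        if fields and TTL_RE.fullmatch(fields[0]):     # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in CLASSES:    # optional class
            fields.pop(0)
        if not fields or fields[0].upper() not in RRTYPES:
            raise ValueError(f"cannot parse record line: {raw!r}")
        rrtype = fields.pop(0).upper()
        records.append((owner, rrtype, " ".join(fields)))
    return records


def cname_conflicts(records):
    """Map each owner that has a CNAME plus other data to its sorted types.
    An empty result means the zone obeys the rule BIND enforces at load."""
    by_owner = {}
    for owner, rrtype, _ in records:
        by_owner.setdefault(owner, set()).add(rrtype)
    return {o: sorted(t) for o, t in by_owner.items()
            if "CNAME" in t and len(t) > 1}


# Constructed zone with both mistakes from the posts: a CNAME at the apex
# (collides with SOA and NS) and a CNAME next to an MX at the same name.
BROKEN_ZONE = """\
$TTL 1H
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2009020801 1H 15M 1W 1H )
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.
@       IN  CNAME www.abc.com.          ; apex alias: not allowed
ns1     IN  A   192.0.2.1
ns2     IN  A   192.0.2.2
www     IN  CNAME www.abc.com.
www     IN  MX 10 mail.example.com.     ; MX beside a CNAME: not allowed
mail    IN  A   192.0.2.3
"""

# The same zone written the way the replies suggest: an A record at the
# apex, and only a CNAME at www.
FIXED_ZONE = """\
$TTL 1H
@       IN  SOA ns1.example.com. hostmaster.example.com. (
                2009020802 1H 15M 1W 1H )
        IN  NS  ns1.example.com.
        IN  NS  ns2.example.com.
@       IN  A   192.0.2.10
        IN  MX 10 mail.example.com.
ns1     IN  A   192.0.2.1
ns2     IN  A   192.0.2.2
www     IN  CNAME www.abc.com.
mail    IN  A   192.0.2.3
"""

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("fixed", FIXED_ZONE)):
        print(label, cname_conflicts(parse_zone(zone, "example.com.")))
```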

Re: time.windows.com and download.windowsupdate.com

2009-02-11 Thread Ben Croswell
You certainly can load the zone you don't own, but be aware the downside will be
every downstream domain or host under the two domains you load will be
blackholed.
In your examples:
1) Everything under time.windows.com will not be resolvable other than
time.windows.com.  i.e. someotherhost.time.windows.com won't work
2) Everything under windowsupdate.com will not be resolvable other than
download.windowsupdate.com i.e. someotherhost.windowsupdate.com

As long as you are aware of and ok with those caveats you should be fine.

-- 
-Ben Croswell

On Sun, Feb 8, 2009 at 6:03 PM,  wrote:

> Hi,
>
> I've just started with Bind and DNS, so...
>
> 1 I'm on a LAN where external ntp and Window$ update sites are denied.
> 2 we have, on this LAN a wsus and a ntp server
> 3 a fresh Window$ XP pro try download.windowsupdate.com for update and
> time.windows.com for synctime...
>
> Can I play with these two zones on my NS ?
>
> zone "time.windows.com" IN { type master; file "time.windows.com"; };
>
> @   IN  SOA fake admin ( 20090201 8H 1H 2W 5D )
>                     IN  NS  fake
> fake                IN  A   172.20.0.2
> time.windows.com.   IN  A   172.20.0.2
>
> zone "windowsupdate.com" IN { type master; file
> "windowsupdate.com"; };
>
> @   IN  SOA fake admin ( 20090201 8H 1H 2W 5D )
>                     IN  NS  fake
> fake                IN  A   172.20.0.2
> download.windowsupdate.com.   IN  A   172.20.0.2
>
> Thanks for help.
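The caveat above (everything under a locally loaded zone is captured), the earlier suggestion to load somebaddomain.com with a wildcard, and the "most specific domain" answer in the 10.in-addr.arpa thread all come down to longest-match zone selection. This added example (not code from the posts or from BIND) models that rule and writes out the minimal sinkhole zone text; the zone list, the 172.20.0.2 address and the serial are constructed.

```python
"""Which locally loaded zone answers a query name, and what a sinkhole
zone looks like.

Added example, not code from the list posts or from BIND. A server answers
from the most specific zone it has configured for the name, so loading
windowsupdate.com captures every name under it, while a separate
time.windows.com zone captures nothing else under windows.com.
"""


def labels(name):
    """Split a domain name into labels, ignoring case and the root dot."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_subdomain(name, zone):
    """True when `name` is at or below `zone`, compared label by label
    (so notwindowsupdate.com is not inside windowsupdate.com)."""
    n, z = labels(name), labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z


def covering_zone(qname, zones):
    """Return the most specific zone in `zones` containing `qname`, or None
    when no local zone covers it and the server would look elsewhere."""
    best = None
    for zone in zones:
        if is_subdomain(qname, zone) and (
                best is None or len(labels(zone)) > len(labels(best))):
            best = zone
    return best


def sinkhole_zone(domain, address, serial):
    """Zone text in the style of the post above: placeholder SOA/NS, an A
    record for the apex, and a wildcard so every name below the apex is
    answered with `address` (the blackhole behaviour the reply warns about)."""
    return "\n".join([
        "$TTL 1H",
        f"$ORIGIN {domain}",
        f"@     IN  SOA fake hostmaster ( {serial} 8H 1H 2W 5D )",
        "      IN  NS  fake",
        f"fake  IN  A   {address}",
        f"@     IN  A   {address}",
        f"*     IN  A   {address}   ; also catches someotherhost.{domain}",
    ]) + "\n"


# Constructed zones loaded on an internal resolver: the two sinkhole zones
# from this thread plus the reverse zones from the 10.in-addr.arpa thread.
LOCAL_ZONES = [
    "windowsupdate.com.",
    "time.windows.com.",
    "10.in-addr.arpa.",
    "10.131.10.in-addr.arpa.",
]


def capture_report(names, zones=LOCAL_ZONES):
    """Map each query name to the local zone that will answer it (or None)."""
    return {n: covering_zone(n, zones) for n in names}


if __name__ == "__main__":
    report = capture_report([
        "download.windowsupdate.com.",
        "someotherhost.windowsupdate.com.",   # captured: the caveat
        "time.windows.com.",
        "www.windows.com.",                   # not captured
        "notwindowsupdate.com.",              # not captured: label match only
        "1.10.131.10.in-addr.arpa.",          # most specific reverse zone wins
        "1.1.20.10.in-addr.arpa.",
    ])
    for name, zone in report.items():
        print(f"{name:36} -> {zone}")
    print(sinkhole_zone("windowsupdate.com.", "172.20.0.2", 20090201))
```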

Re: forwarding subdomain to internal box

2009-02-13 Thread Ben Croswell
The zone forwarder you put in the conf of ns1/ns2 are only going to work for
people actually using ns1/ns2 as their resolver.  This is why when you get
on a remote client and actually dig ns1 for the subdomain it works.
However, when someone on the Internet as a whole asks for
something.sub.company.com they will be referred to ns1 or ns2 and your
external servers will respond that the correct NS server(s) to talk to would
be your internal box.  At that point they would try to reach it and fail.

I haven't specifically tried this to see if it works, but you could try
delegating the subdomain to ns1/ns2 as far as the Internet is concerned then
have your zone forwarder in place.   I don't know for sure how ns1/ns2 would
react to having a zone forwarder statement and then receiving an iterative
query for it.
-- 
-Ben Croswell, RHCE GSEC

On Fri, Feb 13, 2009 at 1:31 PM, Wim Livens  wrote:

>
> I'm trying to delegate a subdomain to a server that is not directly
> accessible from the internet, yet be able to resolve names in the
> subdomain from the internet.  I understood 'forwarding' would be the
> solution but I can't get it to work completely:
>
> I have on both ns1 and ns2 which are authoritative for company.com
> (irrelevant parts omitted):
>
> zone "company.com" {
>   type master;
> };
>
> zone "sub.company.com" {
>   type forward;
>   forwarders { 10.0.0.10; }; //devbox
> };
>
> options {
>   allow-recursion { any; };  //temporary, just to test
> };
>
> And the company.com zonefile:
>         NS  ns1.company.com.
>         NS  ns2.company.com.
> sub     NS  devbox.company.com.
> devbox.company.com.  A  10.0.0.10
>
> devbox is an internal box running a specialized DNS server written in
> Perl that answers:
>  stuff.sub.company.com.    A   X.X.X.X
>  sub.company.com.          NS  devbox.company.com.
>
> ns1/ns2 are dual homed (internet/intranet). devbox is accessible from
> ns1/ns2 but not from the internet.
>
> Resolving from a client somewhere outside on the internet seems to work:
>
> client:~$ dig stuff.sub.company.com a @ns1.company.com
>
> ;; ANSWER SECTION:
> stuff.sub.company.com.  1M IN A  X.X.X.X
>
> ;; AUTHORITY SECTION:
> sub.company.com.        1H IN NS    devbox.company.com.
>
> ;; ADDITIONAL SECTION:
> devbox.company.com.  1H IN A 10.0.0.10
>
> However:
>
> client:~$ dig stuff.sub.company.com a
> ...times out
>
> I tried from various known-to-work clients with various nameservers in
> resolv.conf, none work except for ns1/ns2 itself.
>
> Any ideas what I'm doing wrong ? How is it possible that a direct query
> from anywhere in the world to ns1/ns2 works, but a caching/forwarder is
> unable to resolve it ?
>
> Thanks,
>
> Wim.
>

Re: bind replication

2010-12-31 Thread Ben Croswell
What technical problem are you trying to solve with rsync? It seems like you
are making the process more complex, instead of just letting BIND do its
job.
On Dec 31, 2010 9:02 AM,  wrote:
> Torinthiel writes:
>
>
>>
>> If you know which zone has changed, then you can do "rndc reload zonename".
>> If you don't, then "rndc reload" reloads all zones.
>> You could also try "rndc reconfig", but I think it will only load new zones,
>> the ones just added in configuration, not newer versions of old zones).
>>
>
> What I'm not sure is, given I have two hosts A and B, A is master, B is
> slave.
> B fetches the zone files from A via rsync.
> But, how B knows that the zone files have been changed and then run "rndc
> reload" to tell bind reload the zones?
>
> Thanks & Happy New Year!
>
> Regards.

Re: cache server with authoritative answer

2011-01-30 Thread Ben Croswell
That is no longer the case.  It doesn't respond authoritative on the first
query.

-Ben Croswell
On Jan 30, 2011 10:01 AM, "Kevin Oberman"  wrote:
> On Sat, 2011-01-29 at 14:49 +0800, p...@mail.nsbeta.info wrote:
>> The book "Pro DNS and BIND" says:
>>
>> If the caching server obtains its data directly from an authoritative DNS,
>> then it too will respond as authoritative. Otherwise, if the data is
>> supplied from its cache, the response is nonauthoritative.
>>
>> So this means even for a cache only server it can answer with authoritative
>> response? I have been thinking the cache only server shouldn't do this.
>>
>> Regards.
>
> If the caching-only server does not have an answer to a query in its
> cache and recurses and gets an authoritative response, it, too, will set
> the AA bit. If it gets another query for the name that is now cached,
> the AA bit will not be set. Further, if any host responding to a query
> already has the information in cache, the AA bit will not be set.
>
> In simple terms, if the response to a query comes directly from
> information at an authoritative source, the AA bit is set.
>

Re: RE: what's a valid domain name?

2011-01-31 Thread Ben Croswell
In that case technically you are creating undelegated subdomains for each
router.
The dot is a delimiter and can't be part of a hostname.

-Ben Croswell
On Jan 31, 2011 11:19 AM, "Vyto Grigaliunas"  wrote:

Re: what's a valid domain name?

2011-01-31 Thread Ben Croswell
The rfc you quote clearly states when used as a delimiter of a domain as I
stated.

-Ben Croswell
On Jan 31, 2011 8:58 PM,  wrote:
> Ben Croswell writes:
>
>> In that case technically you are creating undelegated subdomains for each
>> router.
>> The dot is a delimiter and can't be part of a hostname.
>>
>
> I was thinking you are wrong.
> Period is somewhat permitted in a hostname.
>
> From RFC 952
>
> A "name" (Net, Host, Gateway, or Domain name) is a text string up
> to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
> sign (-), and period (.). Note that periods are only allowed when
> they serve to delimit components of "domain style names".
>
> No blank or space characters are permitted as part of a
> name. No distinction is made between upper and lower case. The first
> character must be an alpha character [Relaxed in RFC 1123] . The
> last character must not be a minus sign or period.
>
>
> regards.

Re: dots in hostnames problem

2011-03-09 Thread Ben Croswell
The dots delineate domains even if you don't view it as a new domain.

-Ben Croswell
On Mar 9, 2011 1:13 PM, "Matt Rae"  wrote:

Re: dns RR method is not equal balanced?

2011-03-29 Thread Ben Croswell
First and foremost you shouldn't be running any version of BIND 8. That is
way out of date and open to a lot of exploits.

That being said if by some
-Ben Croswell
On Mar 29, 2011 4:55 AM, "Kay"  wrote:
> Dear my friends.
>
> I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains.
>
> In my case ;
> some domain has 12 IPs but traffic of the server is not equal.
> The traffic of 11 IPs is same and just 1 IP is higher than others.
>
> Today, I moved the dns that is not equal to GSLB(F5) and set
> address-return 2(Maximum Addresses Returned).
> And then, it's disappeared, equal traffic incoming completely.
>
> Is there some kind of bugs in bind that I use?
> or any idea?
>
> Thanks.

Re: dns RR method is not equal balanced?

2011-03-29 Thread Ben Croswell
I apologize for the cut off reply. I accidentally hit send before I was
complete.

If by some domains have 12 IPs you mean a 12 A record round robin, then it
is important to remember that BIND doesn't have any way of telling the load on
the 12 servers. So it's load sharing, not load balancing.
The f5  is load balancing so you would see a more even load across the 12
servers.

-Ben Croswell
On Mar 29, 2011 4:55 AM, "Kay"  wrote:
> Dear my friends.
>
> I use bind 8.4.7-REL on RHEL 4.4 OS and have thousands of domains.
>
> In my case ;
> some domain has 12 IPs but traffic of the server is not equal.
> The traffic of 11 IPs is same and just 1 IP is higher than others.
>
> Today, I moved the dns that is not equal to GSLB(F5) and set
> address-return 2(Maximum Addresses Returned).
> And then, it's disappeared, equal traffic incoming completely.
>
> Is there some kind of bugs in bind that I use?
> or any idea?
>
> Thanks.

Re: multiple IP address in Address Record in BIND

2011-04-17 Thread Ben Croswell
In the bind 8 days people would put the same address multiple times and then
other addresses as well to "weight" the responses.

-Ben Croswell
On Apr 17, 2011 2:45 PM, "Eivind Olsen"  wrote:
>> Hi,
>>   we have internal domain called sva.com and address record for this
>> sva.com is pointed to many IP addresses. When i do nslookup, i am getting
>> below output.  I would like to enable the same configuration in bind.
>>  Let us know how this can be achieved.
>> #nslookup sva.com
>> Name:   sva.com
>> Addresses:  10.10.10.10, 10.10.10.10, 10.10.10.10,
10.10.10.10,10.10.10.10
>
> You would like it to point to the same IP-address many times? Why?
>
> Regards
> Eivind Olsen
>
>

Re: Strange behaviour resolving CNAME's via a forwarder.

2011-04-20 Thread Ben Croswell
I believe your original issue is due to the fact that you are sending a
recursive query via the forward to a device you said won't do recursive
queries.  The cname you are asking for is not in the domain hosted by the
second server. Since it won't do recursive queries it won't resolve the end
point of the cname chain.
If you specifically ask for the CNAME first, it caches the CNAME and then
further queries don't go to the second box and your first box just resolves
the end of the chain.

-Ben Croswell
On Apr 20, 2011 7:23 AM, "Adam Goodall"  wrote:
> On 20 April 2011 10:42, Chris Buxton  wrote:
>
>> On Apr 20, 2011, at 2:19 AM, Adam Goodall wrote:
>>
>> However if a client queries server A for mail.testdomain.com (type any)
>> the request is not answered. From the logs on server B i can see that
>> server A is only forwarding on a request of type A. As an A record for
>> mail.testdomain.com does not exist on server B it does not resolve.
>>
>> If i then specifically query Server A for mail.testdomain.com of type
>> CNAME, it resolves as expected. Subsequent requests against server A for
>> mail.testdomain.com of type any then resolve, presumably because it is
>> already in the cache.
>>
>> Hopefully that makes sense! Has anyone had a similar issue and did you
>> come up with a work around? Is this expected behaviour or a bug?
>>
>>
>> This is an excellent example of why you should not forward to an
>> auth-only server. Use a stub zone instead. You might need to give it an
>> empty forwarders list, to override forwarding set in either the options or
>> view statements.
>>
>> For example:
>>
>> zone "testdomain.com" {
>> type stub;
>> masters { 192.168.1.1; };
>> forwarders { };
>> };
>>
>> Try it, you'll like it.
>>
>
> Chris
>
> This certainly seems to have solved the problem. I'm not convinced i
> understand why it didn't work the way i was trying but this is a
> perfectly acceptable alternative - thanks for your help!
>
> Adam

Re: monitoring BIND

2011-07-13 Thread Ben Croswell
Nagios is a very good tool for synthetic transaction monitoring. You put in
whatever hosts and host names to resolve and it does it.

-Ben Croswell
On Jul 13, 2011 11:01 AM, "Karl Auer"  wrote:
> We have some nameservers :-) that are used by quite a few thousands of
> people. Every now and then someone comes to us and complains that the
> DNS is responding slowly. Sometimes they are right, and we find the
> problem and fix it. But most of the time everything runs fine, and the
> DNS is not, in fact, responding slowly when that someone comes to
> complain. It turns out to be their PC, or a local network issue, or
> whatever.
>
> So we have a homegrown system in place that watches the traffic to and
> from the nameservers, matches queries to answers, ignores everything
> else, and notes how long it was between the question going past and the
> answer going past in the opposite direction. It writes summarised
> information second by second into a database so we can see exactly when
> problems with response times happen, how long they happen for, and how
> bad they are when they happen.
>
> Our system has two faults (well, two that we are actually concerned
> about): It only watches UDP, and it can't deal with fragmented packets.
>
> So I was wondering if there is a better solution out there?
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h)
> http://www.biplane.com.au/kauer/ +61-428-957160 (mob)
>
> GPG fingerprint: DA41 51B1 1481 16E1 F7E2 B2E9 3007 14ED 5736 F687
> Old fingerprint: B386 7819 B227 2961 8301 C5A9 2EBC 754B CD97 0156
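
An added example, not Karl's tool or any code from this thread: a passive query-to-response matcher of the kind he describes, written in Python and extended to the TCP case his tool lacks. It pairs each query with its answer by (client, server, message ID, name, type) and records the elapsed time; DNS over TCP is handled by walking the 2-byte length framing of RFC 1035, so several messages in one segment are all seen. Every packet, address and timestamp (integer milliseconds) below is constructed inline so the block runs offline; fragment reassembly stays out of scope, as in the original.

```python
"""Passive DNS latency matcher (added example, not the poster's tool).

Pairs queries with their responses on both UDP and TCP and records the
elapsed time.  All traffic below is constructed; a real run would be fed
from a pcap.  Timestamps are integer milliseconds.
"""
import struct

def build_message(ident, qname, qtype=1, response=False):
    """Constructed DNS message: 12-byte header plus one question, no answers."""
    flags = 0x8180 if response else 0x0100            # QR|RD|RA versus RD
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS IN

def parse_qname(msg, off):
    """Decode an uncompressed QNAME at off; returns (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels).lower() + ".", off + 1
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_dns(msg):
    """Return (id, is_response, qname, qtype) from one raw DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    ident, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = parse_qname(msg, 12)
    (qtype,) = struct.unpack("!H", msg[off:off + 2])
    return ident, bool(flags & 0x8000), qname, qtype

def split_tcp(payload):
    """Yield the DNS messages inside one TCP payload (2-byte length framing)."""
    off = 0
    while off + 2 <= len(payload):
        (length,) = struct.unpack("!H", payload[off:off + 2])
        off += 2
        if off + length > len(payload):
            break          # message continues in the next segment; not reassembled here
        yield payload[off:off + length]
        off += length

class LatencyMatcher:
    """Pairs each query with its response and records the elapsed time."""
    def __init__(self):
        self.pending = {}      # (client, server, id, qname, qtype) -> query timestamp
        self.latencies = []    # (qname, qtype, milliseconds)

    def observe(self, ts, src, dst, proto, payload):
        for msg in (split_tcp(payload) if proto == "tcp" else [payload]):
            ident, is_response, qname, qtype = parse_dns(msg)
            if not is_response:
                self.pending[(src, dst, ident, qname, qtype)] = ts
            else:
                # only an answer from the address the query went to is matched;
                # a same-ID answer from any other host is left unpaired
                sent = self.pending.pop((dst, src, ident, qname, qtype), None)
                if sent is not None:
                    self.latencies.append((qname, qtype, ts - sent))

def run_demo():
    """Feed constructed traffic through the matcher and return its latency list."""
    m = LatencyMatcher()
    client, server, other = "192.0.2.10", "192.0.2.53", "198.51.100.9"   # placeholders
    m.observe(1000, client, server, "udp", build_message(0x1234, "www.example.com"))
    # same ID and name, but from a third host: stays unmatched
    m.observe(1010, other, client, "udp", build_message(0x1234, "www.example.com", response=True))
    m.observe(1025, server, client, "udp", build_message(0x1234, "www.example.com", response=True))

    def frame(msgs):   # TCP framing: 2-byte length before each message
        return b"".join(struct.pack("!H", len(x)) + x for x in msgs)
    # two queries in one TCP segment, both answered 50 ms later in one segment
    queries = [build_message(1, "mail.example.com", 15), build_message(2, "example.com", 2)]
    replies = [build_message(1, "mail.example.com", 15, True), build_message(2, "example.com", 2, True)]
    m.observe(2000, client, server, "tcp", frame(queries))
    m.observe(2050, server, client, "tcp", frame(replies))
    return m.latencies

if __name__ == "__main__":
    for qname, qtype, ms in run_demo():
        print(f"{qname:22s} type {qtype:3d} {ms:4d} ms")
```

Keying the pending table on both endpoints is what lets the matcher ignore answers that did not come from the server the query was sent to, which also keeps a burst of unsolicited responses from polluting the latency figures.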

Re: bind weighted round robin not working

2011-07-16 Thread Ben Croswell
That doesn't work with recent versions. BIND discards the duplicates.

-Ben Croswell
On Jul 16, 2011 4:28 PM,  wrote:
> Hi,
>
> I’ve got a problem getting weighted round robin DNS to work. What I need
> is IP address 1 getting twice the hits of IP address 2, however making
> multiple entries of IP address 1 in my zonefile (according to
> https://lists.isc.org/mailman/htdig/bind-users/2007-April/066196.html)
> does not seem to help. See below for my troubleshooting configuration and
> testing, can anyone tell what’s going wrong?
>
> root@Kiwi:/var/named]# cat /etc/named.conf
> //
> // named.conf
> //
> // Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
> // server as a caching only nameserver (as a localhost DNS resolver only).
> //
> // See /usr/share/doc/bind*/sample/ for example named configuration files.
> //
>
> options {
> listen-on port 53 { 127.0.0.1; };
> listen-on-v6 port 53 { ::1; };
> directory   "/var/named";
> dump-file   "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
> allow-query { localhost; };
> recursion yes;
>
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
>
> /* Path to ISC DLV key */
> bindkeys-file "/etc/named.iscdlv.key";
>
> managed-keys-directory "/var/named/dynamic"; };
>
> logging {
> channel default_debug {
> file "data/named.run";
> severity dynamic;
> };
> };
>
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> zone "test.nl" {
> type master;
> file "test.nl.hosts";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> root@Kiwi:/var/named]# cat /var/named/test.nl.hosts
> $TTL 3600
> test.nl.   IN  SOA localhost. dns.cornholio.nl. (
>   2011061406
>   1800
>   14400
>   604800
>   3600 )
> test.nl. NS localhost.
> test.nl. A  80.57.38.19
> test2   IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   1.1.1.1
> IN  A   2.2.2.2
>
> root@Kiwi:/var/named]# nslookup test2.test.nl
> Server: 127.0.0.1
> Address:127.0.0.1#53
>
> Name:   test2.test.nl
> Address: 1.1.1.1
> Name:   test2.test.nl
> Address: 2.2.2.2
>
> root@Kiwi:/var/named]# nslookup test2.test.nl
> Server: 127.0.0.1
> Address:127.0.0.1#53
>
> Name:   test2.test.nl
> Address: 2.2.2.2
> Name:   test2.test.nl
> Address: 1.1.1.1
>
> root@Kiwi:/var/named]# nslookup test2.test.nl
> Server: 127.0.0.1
> Address:127.0.0.1#53
>
> Name:   test2.test.nl
> Address: 1.1.1.1
> Name:   test2.test.nl
> Address: 2.2.2.2
>
> root@Kiwi:/var/named]# nslookup test2.test.nl
> Server: 127.0.0.1
> Address:127.0.0.1#53
>
> Name:   test2.test.nl
> Address: 2.2.2.2
> Name:   test2.test.nl
> Address: 1.1.1.1
>
> root@Kiwi:/var/named]# nslookup test2.test.nl
> Server: 127.0.0.1
> Address:127.0.0.1#53
>
> Name:   test2.test.nl
> Address: 1.1.1.1
> Name:   test2.test.nl
> Address: 2.2.2.2
>
> root@Kiwi:/var/named]# nslookup test2.test.nl
> Server: 127.0.0.1
> Address:127.0.0.1#53
>
> Name:   test2.test.nl
> Address: 2.2.2.2
> Name:   test2.test.nl
> Address: 1.1.1.1
>
> Regards,
>
> Marc
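
An added example, not code from any of these threads, showing in Python what the replies above describe: named keeps the records at one name and type as an RRset, so duplicate A records collapse when the zone loads (which is why Marc's nslookup output shows two addresses, not ten), and with rrset-order set to cyclic each surviving address then takes first place an equal share of the time. It covers the "dns RR method is not equal balanced?", "multiple IP address in Address Record" and this weighted round robin thread. The zone fragment is constructed to mirror the one posted; the addresses are the ones from the post.

```python
"""Why duplicate A records do not weight BIND's round robin (added example).

An RRset is a set: identical RRs collapse into one when the zone loads.
With rrset-order cyclic, named rotates the surviving records one step per
answer, so every address comes first an equal share of the time.  That is
load sharing, not load balancing: named never learns how busy a server is.
"""
from collections import Counter

# Constructed zone fragment mirroring the post: repeated 1.1.1.1, one 2.2.2.2.
ZONE_TEXT = """
test2   IN  A   1.1.1.1
        IN  A   1.1.1.1
        IN  A   1.1.1.1
        IN  A   1.1.1.1
        IN  A   2.2.2.2
"""

def load_rrset(zone_text, owner, rrtype):
    """Collect the RRset for owner/rrtype with duplicates collapsed, as named does.
    A line whose owner field is blank inherits the previous owner (zone-file rule)."""
    rrset, seen, current = [], set(), None
    for line in zone_text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        fields = line.split()
        if not line[0].isspace():
            current = fields.pop(0)
        if fields[0].upper() == "IN":
            fields.pop(0)
        rtype, rdata = fields[0].upper(), " ".join(fields[1:])
        if current == owner and rtype == rrtype and rdata not in seen:
            seen.add(rdata)          # a second identical RR is simply not a second RR
            rrset.append(rdata)
    return rrset

def cyclic_answers(rrset, n):
    """Emulate rrset-order cyclic: answer i is the RRset rotated i steps."""
    return [rrset[i % len(rrset):] + rrset[:i % len(rrset)] for i in range(n)]

def first_position_share(rrset, n):
    """Fraction of n answers in which each address is listed first; this is the
    most that a client which simply takes the first address can be steered by."""
    counts = Counter(answer[0] for answer in cyclic_answers(rrset, n))
    return {rdata: counts[rdata] / n for rdata in rrset}

if __name__ == "__main__":
    rrs = load_rrset(ZONE_TEXT, "test2", "A")
    print("RRset after load:", rrs)                       # two records, not five
    print("first-position share:", first_position_share(rrs, 1000))
```

If an uneven split is really needed, the weighting has to happen where the load is known: on a load balancer in front of the servers, as Kay found with the F5, not in the zone file.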

Re: servfail are not cached!

2011-09-27 Thread Ben Croswell
Actually he said the DNS protocol allows for it and ISC had been considering
adding it.

-Ben Croswell
On Sep 27, 2011 11:38 AM, "Issam Harrathi"  wrote:
> As i test it's not cached at all, and you say here it's cached for 30
> seconds?!
> i'm using 9.7.2-P3.
>
> 2011/9/27 Evan Hunt 
>
>> > I discover that servfail are not cached. is it normal?
>>
>> Yes, that's normal.
>>
>> Temporary negative caching of SERVFAIL responses for a limited period (up
>> to 30 seconds, if I recall correctly) is permitted by the DNS protocol,
>> and we've discussed implementing it in BIND9, but haven't had time yet.
>>
>> --
>> Evan Hunt -- e...@isc.org
>> Internet Systems Consortium, Inc.
>>

Re: CNAME or A record?

2011-09-28 Thread Ben Croswell
Either is fine. Using the cname would require a single update if your ip
changes, but prevents other records at the same level. So you couldn't
attach mx for instance at example.com and www.example.com if you wanted to.

Neither is wrong and both have pros and cons.

-Ben Croswell
On Sep 28, 2011 10:43 AM, "feralert"  wrote:
> Thanks Jeff,
>
> But I really only wrote that as an example :) . The real question is
> what is best or what is recommended, two A RR (one for domain, one for
> www) or a single A RR for domain and a CNAME RR for www, is one way
> better than the other or can I choose either way?
>
> Cheers!,
> Fred.
>
>
>
> On Wed, Sep 28, 2011 at 4:30 PM, Lightner, Jeff wrote:
>> If you set your SOA properly to use "@" (which means "this zone") your A
>> records should be:
>>
>> domain.com. A   1.1.1.1
>> www A   1.1.1.1
>>
>> The SOA should append the "domain.com" to every record not terminated by
>> a dot so that "www" is read as "www.domain.com".  Similarly you put a dot at
>> the end of domain.com A record to prevent it from being appended and read as
>> domain.com.domain.com.
>>
>>
>>
>>
>>
>> -Original Message-
>> From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of feralert
>> Sent: Wednesday, September 28, 2011 10:20 AM
>> To: bind-us...@isc.org
>> Subject: CNAME or A record?
>>
>> Hi all,
>>
>> I'm sure this has been asked trillions of times but since I couldn't
>> find any concrete answer/reference in google I am asking you guys in
>> this list. Sorry if anyone thinks this a dumb question or something
>> very obvious.
>>
>> The thing is that i want users redirected to 'www.domain.com' even
>> when they just type the domain name 'domain.com'.
>> In order to do so I am not sure if its best to have one A RR for each
>> or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
>> for 'www.domain.com'.
>>
>>
>> domain.com   A1.1.1.1
>> www.domain.com   A1.1.1.1
>>
>> OR
>>
>> domain.com   A1.1.1.1
>> www.domain.com   CNAME  domain.com
>>
>>
>> Any help appreciated.
>>
>>
>> Thanks,
>> Fred

Re: CNAME or A record?

2011-09-28 Thread Ben Croswell
That makes no sense.

If he didn't have a dns entry for both sites, how does the user get to site
without the dns entry to be rewritten by Apache?

-Ben Croswell
On Sep 28, 2011 10:52 AM, "风河"  wrote:
> this is the stuff that should be done by the webserver rather than by DNS,
> i.e., Apache rewrite will do that.
> On 2011-9-28 at 10:29 PM, "feralert" wrote:
>> Hi all,
>>
>> I'm sure this has been asked trillions of times but since I couldn't
>> find any concrete answer/reference in google I am asking you guys in
>> this list. Sorry if anyone thinks this a dumb question or something
>> very obvious.
>>
>> The thing is that i want users redirected to 'www.domain.com' even
>> when they just type the domain name 'domain.com'.
>> In order to do so I am not sure if its best to have one A RR for each
>> or have an A RR for the domain and a CNAME RR pointing to 'domain.com'
>> for 'www.domain.com'.
>>
>>
>> domain.com A 1.1.1.1
>> www.domain.com A 1.1.1.1
>>
>> OR
>>
>> domain.com A 1.1.1.1
>> www.domain.com CNAME domain.com
>>
>>
>> Any help appreciated.
>>
>>
>> Thanks,
>> Fred

Re: what's a valid domain name?

2011-10-31 Thread Ben Croswell
Actually a . is not part of a host name. It separates all the parts of
FQDN. If you put one in a host name you have an undelegated subdomain as I
stated before.

-Ben Croswell
On Oct 31, 2011 6:59 AM, "Kristen Eisenberg" wrote:

> Ben Croswell writes:
>
> > In that case technically you are creating undelegated subdomains for each
> > router.
> > The dot is a delimiter and can't be part of a hostname.
> >
>
> I was thinking you are wrong.
> Period is somewhat permitted in a hostname.
>
> Kristen Eisenberg
> Billige Flüge Marketing GmbH
> Emanuelstr. 3, 10317 Berlin, Germany
> Phone: +49 (33) 5310967
> Email: utebachmeier at gmail.com
> Site: http://flug.airego.de - compare cheap flights
>
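
An added example, not code from this thread, the "dots in hostnames problem" thread, or the RFC 952 excerpt quoted earlier: a Python checker for that hostname syntax (RFC 952 with the RFC 1123 relaxation that a label may begin with a digit), plus a helper that shows what a dot inside a "hostname" actually does. A dot is never part of a label; it separates labels, so rtr1.bldg2.example.net is the label rtr1 under bldg2.example.net, a subdomain that exists in the zone whether or not anyone delegated it. All names used are placeholders.

```python
"""Hostname syntax checker (added example, not from the thread).

Rules applied: labels of 1-63 characters from letters, digits and '-', with
no leading or trailing '-', no empty labels, whole name at most 253
characters (RFC 952 as relaxed by RFC 1123).
"""
import re

# one label: letters, digits, '-'; 1-63 chars; no leading or trailing '-'
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

def check_hostname(name):
    """Return (ok, reason).  Underscore is rejected on purpose: '_' is legal in
    a DNS owner name (SRV, TXT) but not in a hostname, which is what BIND's
    check-names option enforces for A, AAAA and MX owner names."""
    name = name.rstrip(".")                    # accept an absolute name too
    if not name:
        return False, "empty name"
    if len(name) > 253:
        return False, "name longer than 253 characters"
    for label in name.split("."):
        if label == "":
            return False, "empty label (leading or consecutive dots)"
        if len(label) > 63:
            return False, f"label {label!r} longer than 63 characters"
        if not LABEL_RE.match(label):
            return False, f"label {label!r}: bad character or leading/trailing '-'"
    return True, "ok"

def split_hostname(name, zone):
    """Decompose a name inside zone into (host label, domain it really sits in).
    rtr1.bldg2.example.net in example.net -> ('rtr1', 'bldg2.example.net'):
    the 'dotted hostname' is one label under an (undelegated) subdomain."""
    zone = zone.rstrip(".").lower()
    rel = name.rstrip(".").lower()
    if not rel.endswith("." + zone):
        raise ValueError(f"{name} is not below {zone}")
    labels = rel[: -len(zone) - 1].split(".")
    return labels[0], ".".join(labels[1:] + [zone])

if __name__ == "__main__":
    for n in ("mail.example.com", "3com.example.com", "rtr1.bldg2.example.net",
              "-bad.example.com", "a..b.example.com", "srv_1.example.com"):
        print(f"{n:28s} {check_hostname(n)}")
    print(split_hostname("rtr1.bldg2.example.net", "example.net"))
```

The check is syntactic only; whether bldg2.example.net is delegated or merely a set of records inside the parent zone is a property of the zone data, not of the name.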

Re: Switching from forwarding to recursion

2011-11-01 Thread Ben Croswell
If you have a global forwarder in place there are two options that affect
its use. Forward first, the default, and forward only.
Forward first will exhaust the forwarders you have and then attempt to
follow NS records. Forward only will only use forwarders.

The delay you are seeing is likely the delay in exhausting the forwarders
before attempting the roots.

-Ben Croswell
On Nov 1, 2011 9:23 AM, "Will Lists"  wrote:

> We recently tried a test to see how our internal servers would react to a
> loss of their external peers, with the goal being that the internal servers
> would switch from forwarding to doing recursive queries for clients.
>  Normally, the internal servers forward to the external servers.  To
> simulate the loss of the external servers, we pushed a new firewall rule
> that blocked port 53 to the external servers from the internal servers.
>  That did seem to cause the internal servers to start using the root
> servers in a recursive manner.
>
> We did see that some recursive queries were answered, eventually, though
> usually much, much slower than if the request had been forwarded as normal
> to the external servers.  We saw traffic (lots of traffic) going across the
> firewall to the roots as well as multiple domain specific name servers, so
> that flow path is working as best as I can tell.  All servers are running
> BIND 9.7.4.
>
> The issue we saw was that the queries would time out more often than not
> and on the off chance they did get an answer back to the requesting client,
> it was very slow after several retries.
>
> Am I missing something in the named.conf file?  Is there something
> specific I should be looking for in the syslog or daemon.log?
>
>
> The relevant portion of the named.conf file for the INTERNAL view is below:
>
>
> forwarders { NS2; NS1; };
> forward first;
> allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
> recursion yes;
>
> // zone: . [hint]
> include "...";
>
>
> The hints DB file is current as of the version of BIND in use (2011060800).
>
>
> Thanks.
>
> -Will
>

Re: Switching from forwarding to recursion

2011-11-01 Thread Ben Croswell
If a given forwarder is "bad" it gets its round trip time, RTT, set high
and will not be used until that comes back down via the normal RTT decay
mechanism in BIND. I have not tested the behaviour when all are down. My
assumption would be that if all are down they will all have to be tried
before going to NS, or there is no way of knowing when the forwarders are
back.

In your case if you have a limited number of servers a quick removal of the
forwarders may be the quickest way to restore service.

-Ben Croswell
On Nov 1, 2011 10:03 AM, "Will Lists"  wrote:

> Ben,
>
> I seem to recall reading at some point in the past that after X amount of
> time, BIND would stop trying to contact servers it figured to be dead (at
> least it would stop trying for some amount of time).  Is that in fact the
> case and would it eventually come into play here?  Any configurable options
> here, if this behavior does exist?
>
> It almost seems like the best way to handle this scenario, in the event of
> a real failure of one or more external servers that typically act as
> forwarders, would be to quickly modify the configuration internally to just
> stop forwarding.  Thoughts?
>
> Thanks.
>
>
> -Will
>
>
> On Tue, Nov 1, 2011 at 8:54 AM, Ben Croswell wrote:
>
>> If you have a global forwarder in place there are two options that affect
>> its use. Forward first, the default, and forward only.
>> Forward first will exhaust the forwarders you have and then attempt to
>> follow NS records. Forward only will only use forwarders.
>>
>> The delay you are seeing is likely the delay in exhausting the forwarders
>> before attempting the roots.
>>
>> -Ben Croswell
>> On Nov 1, 2011 9:23 AM, "Will Lists"  wrote:
>>
>>> We recently tried a test to see how our internal servers would react to
>>> a loss of their external peers, with the goal being that the internal
>>> servers would switch from forwarding to doing recursive queries for
>>> clients.  Normally, the internal servers forward to the external servers.
>>>  To simulate the loss of the external servers, we pushed a new firewall
>>> rule that blocked port 53 to the external servers from the internal
>>> servers.  That did seem to cause the internal servers to start using the
>>> root servers in a recursive manner.
>>>
>>> We did see that some recursive queries were answered, eventually, though
>>> usually much, much slower than if the request had been forwarded as normal
>>> to the external servers.  We saw traffic (lots of traffic) going across the
>>> firewall to the roots as well as multiple domain specific name servers, so
>>> that flow path is working as best as I can tell.  All servers are running
>>> BIND 9.7.4.
>>>
>>> The issue we saw was that the queries would time out more often than not
>>> and on the off chance they did get an answer back to the requesting client,
>>> it was very slow after several retries.
>>>
>>> Am I missing something in the named.conf file?  Is there something
>>> specific I should be looking for in the syslog or daemon.log?
>>>
>>>
>>> The relevant portion of the named.conf file for the INTERNAL view is
>>> below:
>>>
>>>
>>> forwarders { NS2; NS1; };
>>> forward first;
>>> allow-recursion { 10.0.0.0/8; 192.168.0.0/16; 172.16.0.0/12; };
>>> recursion yes;
>>>
>>> // zone: . [hint]
>>> include "...";
>>>
>>>
>>> The hints DB file is current as of the version of BIND in use
>>> (2011060800).
>>>
>>>
>>> Thanks.
>>>
>>> -Will
>>>

Re: Zone Transfer Query

2011-12-05 Thread Ben Croswell
I would imagine the IP you are trying to transfer on is not in the allow-query
ACL of the master. You have to be in it to do SOA queries to the master.

-Ben Croswell
On Dec 5, 2011 7:34 AM, "Gaurav Kansal"  wrote:

> Dear All,
>
> I have a master DNS on IPv4 and slave DNS on IPv6.
>
> I also have an IPv4 address on the slave (but only the IPv6 address is
> entered in NS). Now I am trying to transfer my zone from master to slave
> through the IPv4 address.
>
> But it is giving me an error "failed while receiving responses: REFUSED".
>
> So, is the error because I am trying to transfer a zone on a
> different IP which is not authoritative for that zone, or because of
> something else?
>
> Thanks and Regards,
>
> Gaurav Kansal
>
> 9910118448
>
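
An added configuration example for the situation in this thread; it is not Gaurav's configuration and not BIND's own documentation. It authorises the transfer with a TSIG key instead of by source address, so it no longer matters which of the slave's addresses the SOA refresh and AXFR come from, while allow-query stays open so the refresh query itself is not refused. Every name and address is a placeholder (192.0.2.1 master, 2001:db8::53 and 192.0.2.53 the slave's two addresses, key name "xfer-key"); the secret must be generated, for example with tsig-keygen in BIND 9.11 and later (earlier releases produced TSIG keys with dnssec-keygen), and kept in a file readable only by named.

```conf
// Added example, placeholders throughout.  Put the key statement in a file
// with restricted permissions and pull it in with: include "/etc/named/xfer-key.conf";
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";   // placeholder, not a real key
};

// ---- master (192.0.2.1) ----------------------------------------------------
options {
    allow-query    { any; };     // SOA refresh queries from the slave must be answered
    allow-transfer { none; };    // nothing is transferable unless a zone says so
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { key "xfer-key"; };   // the key, not the address, is the credential
};

// ---- slave (2001:db8::53 / 192.0.2.53) --------------------------------------
zone "example.com" {
    type slave;
    file "slaves/example.com.zone";
    masters { 192.0.2.1 key "xfer-key"; };   // sign SOA/AXFR/IXFR to the master
    transfer-source 192.0.2.53;              // pin the address the refresh uses
};
```

With `allow-transfer { key ...; }` an unsigned AXFR from any address, including one listed in NS, is still refused, which is the check a zone-transfer probe from outside should run into.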

Re: What does this mean ? INSIST(zone->type == dns_zone_stub) failed

2011-12-08 Thread Ben Croswell
I don't see the desired outcome of making them both master and then trying
to have one transfer from the other.
Have one be master and one be slave from the master. No reason to alter
code, and query responses will be the same to your clients.

-Ben Croswell
On Dec 8, 2011 8:57 PM, "蔡火胜"  wrote:

> I use a modified version of BIND 9.7.1-P2. I installed it on two
> machines (MachineA and MachineB). They both host the same zone in master
> mode.
> And in the modified code, one machine would refresh (using
> dns_zone_refresh) its zone data from the other in order to get the same
> data.
>
> This time, MachineA has a serial number 85 for the zone and MachineB has
> a serial number of 83. MachineA is running.
> When I start MachineB, it calls dns_zone_refresh and later runs into the
> callback function "refresh_callback". In that function, it runs into the
> lines which start from the label "tcp_transfer:", which require the zone
> type to be dns_zone_slave or dns_zone_stub, but this time the zone type is
> dns_zone_master, so assert error. It runs into the "tcp_transfer:" code
> because of a lower serial number (83 vs 85, that's another problem for
> myself).
>
> Above is the cause of the crash. It seems to have nothing to do with the
> original BIND code. But I have some questions. Should I do a transfer of a
> zone between two servers which both host that zone as MASTER type? And, if
> they have the same serial number, then the call of dns_zone_refresh has no
> effect, right? Then it means I misused dns_zone_transfer, is that right?
>
>
> On 2011-12-08 23:28, Evan Hunt wrote:
>
>> Congratulations, it means you've found the successor of CVE-2011-4313 :-}
>>>
>>> Any details on the triggering event? Was it a zone transfer?
>>>
>> On the off chance that the crash was in fact remotely triggered (in
>> which case this would indeed be a security concern), please *don't* send
>> details of the triggering event to an open mailing list.  Instead, gather
>> up the information detailed in this article:
>>
>> https://deepthought.isc.org/article/AA-00340/89/What-to-do-if-your-BIND-or-DHCP-server-has-crashed.html
>>
>> ...and send mail to bind9-b...@isc.org.  Thanks.
>>

Re: New problem with "lame-server" after Dist-Upgrade

2011-12-24 Thread Ben Croswell
Did the BIND version change with the OS upgrade?

-Ben Croswell
On Dec 24, 2011 6:38 PM, "Michelle Konzack" wrote:

> Hello *,
>
> my Intranet NameServer (my DNS-Master) was running Debian Lenny/5.0 and
> is now upgraded to Debian Squeeze/6.0, and now I get very huge
> "named.log" files per day, because:
> [ '/var/log/named.log' ]
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'www.erdbeerlounge.de//IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'www.erdbeerlounge.de/A/IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (connection
> refused) resolving 'www.erdbeerlounge.de//IN': 217.147.94.23#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (connection
> refused) resolving 'www.erdbeerlounge.de/A/IN': 217.147.94.23#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns1.dns24.net/A/IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns2.dns24.net/A/IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns1.dns24.net//IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns2.dns24.net//IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns3.dns24.net/A/IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns4.dns24.net/A/IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns3.dns24.net//IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns4.dns24.net//IN': 78.47.247.21#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns1.dns24.net/A/IN': 78.47.104.44#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns2.dns24.net/A/IN': 78.47.104.44#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns1.dns24.net//IN': 78.47.104.44#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns2.dns24.net//IN': 78.47.104.44#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns3.dns24.net/A/IN': 78.47.104.44#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns4.dns24.net/A/IN': 78.47.104.44#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns3.dns24.net//IN': 78.47.104.44#53
> Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'ns4.dns24.net//IN': 78.47.104.44#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (connection
> refused) resolving 'ns1.dns24.net/A/IN': 217.147.94.23#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (connection
> refused) resolving 'ns2.dns24.net/A/IN': 217.147.94.23#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (connection
> refused) resolving 'ns1.dns24.net//IN': 217.147.94.23#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (connection
> refused) resolving 'ns2.dns24.net//IN': 217.147.94.23#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'dns1.name-services.com/A/IN': 78.47.104.44#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'dns2.name-services.com/A/IN': 78.47.104.44#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'dns1.name-services.com//IN': 78.47.104.44#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'dns2.name-services.com//IN': 78.47.104.44#53
> Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (unexpected
> RCODE REFUSED) resolving 'dns3.name-services.com/A/I
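
An added example, not from the thread: a small Python aggregator for lame-servers log lines in the format above, so a burst like this one can be reduced to which upstream servers produced it, with which errors, for which names, instead of being read line by line. The sample lines are constructed in the same format with placeholder names and addresses; the pattern also accepts the empty type field (name//IN) that appears in the post.

```python
"""Aggregate BIND 'lame-servers' log lines by upstream server (added example)."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(
    r"lame-servers: \w+: error \((?P<error>[^)]*)\) "
    r"resolving '(?P<qname>[^/']+)/(?P<qtype>[^/']*)/(?P<qclass>[^']*)': "
    r"(?P<server>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)

# Constructed sample in the post's format; names and addresses are placeholders.
SAMPLE_LOG = """\
Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected RCODE REFUSED) resolving 'www.example.de/A/IN': 192.0.2.21#53
Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected RCODE REFUSED) resolving 'www.example.de/AAAA/IN': 192.0.2.21#53
Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (connection refused) resolving 'www.example.de/A/IN': 198.51.100.23#53
Dec 25 00:21:01 dns named[29004]: lame-servers: info: error (unexpected RCODE REFUSED) resolving 'ns1.example.net/A/IN': 192.0.2.21#53
Dec 25 00:21:02 dns named[29004]: lame-servers: info: error (unexpected RCODE REFUSED) resolving 'ns1.example.net/A/IN': 192.0.2.44#53
Dec 25 00:21:02 dns named[29004]: general: info: an unrelated line that must be ignored
"""

def parse_lame_lines(text):
    """One dict per lame-servers line; lines from other categories are skipped.
    The qtype group may be empty, as in the post where the type was lost (name//IN)."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]

def summarize(events):
    """Per upstream server: total lines, error kinds and the names asked of it."""
    report = defaultdict(lambda: {"total": 0, "errors": Counter(), "names": Counter()})
    for ev in events:
        entry = report[ev["server"]]
        entry["total"] += 1
        entry["errors"][ev["error"]] += 1
        entry["names"][ev["qname"]] += 1
    return dict(report)

def noisiest(report, limit=3):
    """Servers ordered by how many lame-server lines they caused."""
    return sorted(report, key=lambda s: report[s]["total"], reverse=True)[:limit]

if __name__ == "__main__":
    report = summarize(parse_lame_lines(SAMPLE_LOG))
    for server in noisiest(report):
        e = report[server]
        print(f"{server}: {e['total']} lines, errors={dict(e['errors'])}, "
              f"names={dict(e['names'])}")
```

The natural next step, checking whether the listed addresses really are the delegated servers for those names and whether they answer non-recursive queries, needs network access and is therefore left out here. Routing the lame-servers category to a null channel in the logging block silences the file, but it also hides exactly the delegation problems this summary is meant to surface.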

Re: Problem at loading advert in Squid 2.7 & 3.1

2011-12-26 Thread Ben Croswell
Not sure how this is a BIND related issue.

-Ben Croswell
On Dec 26, 2011 11:55 AM, "feralert"  wrote:

> Dear all,
>
> Squid is not loading an advert in a web page frame which loads fine
> when using a direct connection to the internet.
> The versions used are 2.7.STABLE9-2.1 and 3.1.6-1.2 (both in a Debian
> squeeze with default configuration).
>
> The url the frame tries to load is:
>
>
> http://frame.cool.com/ad-frame/#&ad_wrap=ad-1&ad_url=http://ad.doubleclick.net/adj/site011.opus/home;Slot=Leaderboard;Pos=Top;Page=home;LoggedIn=No;tile=1;sz=728x90;&ad_timestamp=13249166700149
>
>
> In Squid's log file I only see a line for 'http://frame.cool.com/ad-frame/':
>
> 1324916528.019   5405 192.168.5.237 TCP_REFRESH_MISS/200 445 GET
> http://frame.cool.com/ad-frame/ - DIRECT/67.228.247.179 text/html
>
> But no sight of a 'http://ad.doubleclick.net/adj/site011.opus/home'
>  request.
>
>
> If I load the page in my computer (with a direct connection to the
> internet) and watch http traffic with the "http fox" firefox
> extension, I can see both requests.
>
>
> Any help would be highly appreciated.
>
> Cheers!
> Fred.
>
>
> "UNIX is very simple, it just needs a genius to understand its simplicity."
> -- Dennis Ritchie, D.E.P.

Re: forwarding "@" to a different domain?

2012-01-08 Thread Ben Croswell
You can't CNAME mydomain.com to anything because it has, at the minimum, NS
and SOA records.

-Ben Croswell
On Jan 8, 2012 1:11 PM, "Jukka Pakkanen"  wrote:

>
> www in cname mydomain.myshopify.com.
> mydomain.com. in cname mydomain.myshopify.com.
>
> Is this what you are looking for?
>
>
> 8.1.2012 17:48, enigmedia kirjoitti:
>
>> Hi All: I have a situation where I need to forward requests for "
>> mydomain.com"
>> and "www.mydomain.com" to a third party: "mydomain.myshopify.com" (while
>> still
>> pointing other things like MX records elsewhere).
>>
>> I realize I can point a CNAME for "WWW" to "mydomain.myshopify.com", but
>> how do
>> I point "mydomain.com" to this third party if there is no A record to
>> point to?
>>
>> TIA
>>
>>

Re: zone update to slave

2012-01-11 Thread Ben Croswell
You can freeze/thaw or use nsupdate to dynamically add the static entries.

rndc freeze
Edit zone
rndc thaw

You will lose any DDNS updates during the freeze.

-Ben Croswell
On Jan 11, 2012 3:52 PM, "Dan Letkeman"  wrote:

> Ah, I did not know that.  So then my scenario must be somewhat common.
>  Yes I update this reverse zone dynamically via dhcp, but I also have
> some static devices in the same range that I want to manually enter,
> hence the manual entry on the master.  So what is the best practice
> for adding a static entry to a dynamically updated zone?
>
> On Wed, Jan 11, 2012 at 2:51 AM, Matus UHLAR - fantomas
>  wrote:
> > On 10.01.12 15:06, Dan Letkeman wrote:
> >>
> >> It seems as if these types of records get transfered:
> >>
> >> 9   PTR gvc-busdrivers.wks-gvc.domain.com.
> >>
> >> But these do not:
> >>
> >> 24.184.16.172.in-addr.arpa. IN PTR str-r7500.gvc.domain.com.
> >>
> >> If I delete the journal file on the slave server and up the serial
> >> number on the master I get the same results.  The first type of record
> >> is updated dynamically and the second type of record is added
> >> manually.
> >
> >
> > afaik zone can be updated only statically or only dynamically, not both.
> > Apparently your master does not know that you have added something
> manually,
> > because it only writes the zone file, it does not read it.
> > --
> > Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> > Warning: I wish NOT to receive e-mail advertising to this address.
> > Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
> > (R)etry, (A)bort, (C)ancer
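
The nsupdate route Ben mentions avoids the freeze window entirely, and it can also guard against the collision a hand edit never sees: a static PTR landing on an address that DHCP has already registered. The Python below is an added example, not code from the thread or from ISC; it builds an nsupdate batch for the kind of record Dan quoted (172.16.184.24 pointing at str-r7500.gvc.domain.com). The zone name, the server address and the TTL are assumptions, and the batch is meant to be piped into `nsupdate -k <tsig-key-file>`.

```python
"""Generate an nsupdate batch that adds one static PTR record to a
dynamically updated reverse zone (added example, not from the thread)."""
import ipaddress


def reverse_name(address: str) -> str:
    """Owner name for the PTR of an IPv4 or IPv6 address, e.g.
    172.16.184.24 -> 24.184.16.172.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def ptr_update_batch(zone: str, address: str, target: str,
                     server: str, ttl: int = 86400) -> str:
    """Return the text to feed to `nsupdate -k <tsig-key-file>`.

    The prerequisite makes the whole update fail if a PTR already exists
    at that owner (for instance one registered by DHCP), so a static
    entry never silently stacks on top of a dynamic one.
    """
    zone = zone.rstrip(".").lower() + "."
    owner = reverse_name(address)
    if not owner.endswith("." + zone):
        raise ValueError(f"{owner} does not belong to zone {zone}")
    if not target.endswith("."):
        target += "."          # always send a fully qualified target
    lines = [
        f"server {server}",
        f"zone {zone}",
        f"prereq nxrrset {owner} PTR",
        f"update add {owner} {ttl} IN PTR {target}",
        "send",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed values: the zone and server address are assumptions; the
    # host name and address come from the record quoted in the thread.
    print(ptr_update_batch("16.172.in-addr.arpa", "172.16.184.24",
                           "str-r7500.gvc.domain.com", "127.0.0.1"), end="")
```

Because the prerequisite is evaluated by the server as part of the same transaction, a failed `prereq` returns NXRRSET-style refusal (nsupdate reports it) and nothing is written, which is exactly the outcome you want when an address turns out not to be static after all. The same two functions work for IPv6 addresses, producing ip6.arpa owner names.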

Re: Using TCP for checking

2009-04-07 Thread Ben Croswell
My one caution on this would be you may run into false negatives with TCP if
people have misconfigured firewalls.
It's surprising the number of people out there that believe TCP is only for
xfers.

-- 
-Ben Croswell


On Tue, Apr 7, 2009 at 3:17 PM, Mark Elkins  wrote:

> I'm involved in the CO.ZA Registry. In the process of registering a
> domain name in the co.za zone - we do a bunch of DNS checks using
> 'dig'.
>
> for each nameserver,
>  a) check that the zone exists (fetch the SOA),
>  b) fetch the NS RRSet count and compare entries.
>  c) if Nameserver inside the domain being registered (glue needed)
>i) check the reverse glue (can be multiple v4 + v6 addresses)
>ii) check each reverse has a forward
>
>
> Currently - many of these (dig-9.4.1) checks include the flags +time=9
> +retry=5..
>
> ..the assumption being that for any 'dig' action - try, timeout 9
> seconds - repeat another 5 times... - so a totally failed lookup would
> take 54 seconds... however - an ethernet trace/dump seems to indicate
> queries go out one after the other - with little inter-query delay..
>
> If we do a lookup with UDP - a low but significant number of 'digs' fail
> - which results in our checks failing - and the registration checking
> process delaying that particular registration for a few hours.
>
> If we switch to using TCP for 'dig' lookups  - the failure rate
> basically disappears to Zero. This would result in happier customers
> (less registration delays).
>
> I've always been taught (and teach others) to use UDP and not TCP for
> DNS queries - but in the case of a registry checking for info like we do
> - would it not be politically correct to instead do TCP checks?
>
> What does the net-dns wisdom say?
>
> My current thought is to do a UDP check (don't change timeout/retry from
> default) and only if that fails - retry immediately with a TCP Check.
> Others in my group are for using TCP immediately.
>
> --
>  .  . ___. .__  Posix Systems - Sth Africa.  e.164 VOIP ready
>  /| /|   / /__   m...@posix.co.za  -  Mark J Elkins, Cisco CCIE
> / |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
>

Re: tcp versus udp

2009-05-04 Thread Ben Croswell
Also if EDNS0 is in effect theoretically the max size would be 4096 bytes
before a truncate happened.

-- 
-Ben Croswell

On Mon, May 4, 2009 at 8:55 PM, Martin McCormick
wrote:

> Matt Baxter writes:
> > When a response can not fit in a single UDP packet the server will mark
> > the
> > truncated flag (and respond with all the data it can inside the UDP
> > packet). That should trigger a client to resubmit the query via TCP. Zone
> > transfers are the most common use for TCP, but it can be required for
> > normal queries, although that is far from normal.
>
> My thanks to you and to 2 other list members who replied
> off list. This confirms what I thought I remembered reading some
> time before.
>
> Martin McCormick
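
The two threads above come down to the same header bit: a UDP response with TC=1 is the server's signal to come back over TCP, and EDNS0 raises the size at which that happens (4096 bytes is the figure Ben gives) by advertising a buffer size in an OPT pseudo-RR. The Python below is an added example, not code from either thread: it decodes the 12-byte header, decides whether a retry over TCP is needed, and builds and reads the OPT record. The message bytes are constructed for the example, not captured traffic.

```python
"""Header-level handling of truncated DNS answers and EDNS0 buffer sizes
(added example; the message bytes are constructed, not captured)."""
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
OPT_TYPE = 41                       # EDNS0 OPT pseudo-RR (RFC 6891)


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header; raises on a message that is too short."""
    if len(msg) < HEADER.size:
        raise ValueError("message shorter than a DNS header")
    ident, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),          # response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),          # authoritative answer
        "tc": bool(flags & 0x0200),          # truncated: retry over TCP
        "rd": bool(flags & 0x0100),
        "ra": bool(flags & 0x0080),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def needs_tcp_retry(msg: bytes) -> bool:
    """True when a UDP response carries TC=1, i.e. the data did not fit."""
    h = parse_header(msg)
    return h["qr"] and h["tc"]


def build_opt_rr(udp_payload_size: int = 4096) -> bytes:
    """OPT pseudo-RR for the additional section: root owner name, TYPE 41,
    the CLASS field carries the sender's UDP payload size, the TTL field
    carries extended RCODE/version/flags (all zero here), RDLENGTH 0."""
    size = max(512, min(udp_payload_size, 65535))   # RFC 6891: below 512 means 512
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, size, 0, 0)


def advertised_udp_size(opt_rr: bytes) -> int:
    """Read the UDP payload size back out of an OPT RR."""
    if len(opt_rr) < 11 or opt_rr[0] != 0:
        raise ValueError("OPT RR must be owned by the root name")
    rtype, size = struct.unpack_from("!HH", opt_rr, 1)
    if rtype != OPT_TYPE:
        raise ValueError(f"not an OPT RR (type {rtype})")
    return size


# Constructed headers: same query ID, one with TC set and one complete.
TRUNCATED_RESPONSE = HEADER.pack(0x1234, 0x8380, 1, 2, 0, 0)   # QR TC RD RA
COMPLETE_RESPONSE = HEADER.pack(0x1234, 0x8180, 1, 2, 0, 0)    # QR RD RA

if __name__ == "__main__":
    for name, msg in (("truncated", TRUNCATED_RESPONSE), ("complete", COMPLETE_RESPONSE)):
        print(name, "-> retry over TCP" if needs_tcp_retry(msg) else "-> done")
    print("EDNS0 buffer:", advertised_udp_size(build_opt_rr(4096)))
```

For a checker of the kind Mark describes, this is the decision point for his "UDP first, TCP only on failure" variant: a TC=1 answer is a definite reason to retry over TCP, while a plain timeout on UDP is ambiguous and, as Ben cautions, a TCP retry can then fail for a reason that has nothing to do with the zone (a firewall that only passes UDP/53).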

Re: child zone not forwarded

2009-05-06 Thread Ben Croswell
You have to make sure that you actually have NS delegations in xxx.com for
child.xxx.com.  That has bitten me on occasion.
If you load the parent and the parent has no NS delegation for a child, it
assumes the child doesn't really exist and ignores the zone forward.

-- 
-Ben Croswell


2009/5/6 Cihan Subasi (Garanti Teknoloji) 

>  Hi,
>
> I have an authoritative zone xxx.com and its child as a FORWARD zone to a
> local dns...But child is not working, seems like the requests are not
> forwarded at all and locally answered...Why?
>
> thank you
>
> zone "child.xxx.com" {
> type forward;
> forward only;
> forwarders { 10.129.3.34;};
> };
> zone "xxx.com" {
> type master;
> file "dmz.dom";
> allow-update { none; };
> allow-query { localhost;
>   can_query; }
> };
>

Re: Single Zone Forwarding Dilema

2009-06-05 Thread Ben Croswell
If you want to force forwarding you will probably want to add the forward
only; directive.
By default your server will try to follow NS delegations and then forward if
it can't follow them.
forward only; tells it to not even bother trying to follow NS delegations.


-- 
-Ben Croswell


On Fri, Jun 5, 2009 at 11:00 PM, Mark S. Turczan  wrote:

> Folks,
>
> I'm trying to understand the behavior of a single zone that I'm forwarding
> queries for.
>
> Essentially, when I do a dig fwd.zone.net SOA the request seems to be
> properly forwarded to the nameservers in the forward statement. I've
> verified this with tcpdump running on my primary nameserver.
>
> But when I attempt to resolve a host record in fwd.zone.net it doesn't
> seem to be forwarded to the proper nameservers and instead goes out to the
> Internet.
>
> I've verified that the host record exists on the remote nameservers to
> which I am forwarding by looking up the record directly from the remote
> nameserver.
>
> This is what the forwarded zone's configuration looks like:
>
> // zone: fwd.zone.net
> zone "fwd.zone.net"
> {
>type forward;
>forwarders { ; ; };
> };
>
> Am I correct in understanding that each and every query for any record in
> the forwarded zone should be forwarded to the specified nameservers and not
> go out to the Internet? BTW, I'm running BIND 9.3.5-P1.
>
> Regards,
>
> Mark

Re: Delegating reverse DNS to a customer

2009-08-18 Thread Ben Croswell
The issue is probably that you need to delegate the 251.250.63.in-addr.arpa
to your client in the 250.63.in-addr.arpa zone.
If you load 251.250.63.in-addr.arpa to try and delegate it, your servers
will answer for it because they load it.

Think of it in the same mind of delegating a forward subdomain of a domain
you load. If you want to delegate foo.bar.com to someone you put the NS
records in bar.com not foo.bar.com.

-- 
-Ben Croswell

On Tue, Aug 18, 2009 at 8:31 AM, Tim Huffman  wrote:

>  Guys,
>
>
>
> We’re a smallish (but growing) ISP, and we’ve been asked by one of our
> customers to delegate reverse DNS for 63.250.251.0/24 to their DNS
> servers, ns1.emns.com – ns4.emns.com. Unfortunately, we’ve never had to
> delegate DNS to a customer before, and we’re having problems getting it to
> work.
>
>
>
> We’re running BIND 9.5.1 on Fedora.
>
>
>
> Can anyone give me an example of how this should be done in named.conf and
> the file 251.250.63.in-addr.arpa.zone? I’d appreciate it!
>
>
>
> --
>
> Tim

Re: Need help on delegation to subdomain/external servers

2009-09-17 Thread Ben Croswell
I have done some testing of the RTT forwarding and found that as long as
only one or the other of the two "nameservers" that you forward to is
active at any given time, the switch over is actually very quick.
The exception being the first query when the currently active forwarder dies
and the second comes up.  The reason being that the first query has to wait
for a timeout cycle before trying the second forwarder and readjusting the
RTT values for both.

So theoretically if your forwarders are 10.1.1.1 and 10.2.1.1 as long as
only one will answer queries at a given time with their own "right" answer
it should failover fairly quickly.  If both answer then you will be at the
mercy of the RTT as to which answer you will get.

-- 
-Ben Croswell

On Thu, Sep 17, 2009 at 12:27 PM, Kevin Darcy  wrote:

> RUOFF LARS wrote:
>
>>
>>
>>
>>> [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Kevin Darcy
>>>
>>>
>>
>> BTW, at the moment I am experimenting a solution usign a forward zone:
>> zone "dummy.ts" IN {
>>type forward;
>>forward only;
>>forwarders { 172.25.32.171; 192.168.2.3; };
>> };
>>
>> It seems to work.
>> I guess that the requests are not sent simultaneously though?
>>
>>
> Correct, it's similar to the algorithm that a stub resolver uses: try one
> forwarder, if it times out, try another, and so on.
>
> In fact, the way I like to think of forwarding is: when you forward, you're
> turning named *into* a stub resolver with a cache, at least for part of the
> namespace. If you forward "globally" (i.e. in "options"), and have some
> authoritative zones and/or stub zones with "forwarders { }" defined, then
> those are just selective "overrides" of your stub-resolver+cache function.
> And if you have "forward first" anywhere, then you're just giving named a
> second chance to resolve names iteratively, in case the initial
> stub-resolver+cache approach fails (because the forwarders aren't
> available/reachable).
>
> Seems like extreme overkill to use a big heavyweight process like named, to
> perform a simple stub-resolver function that can otherwise be accomplished
> with a few library routines, doesn't it? Well it *should* seem like
> overkill, because it's usually the wrong tool for the job. Forwarding is
> generally to be avoided, unless you need to deal with a limited-connectivity
> situation (e.g. trying to resolve Internet names to internal clients through
> a firewalled environment) or, in certain select cases, to forward to a
> richly-populated central cache, with ample capacity, over fast internal
> links, in order to speed up the average name resolution time for a local set
> of clients.
>
>> What delay do I have to expect when only the second server (192.168.2.3)
>> is active?
>>
>>
> I'm not sure, I'd have to look through the code. I don't believe this delay
> is configurable, by the way.
>
>> What search policy is applied by default? (round-robin vs sequential?)
>> Can I modify it?
>> Obviously I would prefer a policy where we always forward to the last
>> active, unless we time out; Then try the alternate.
>> Will check that out.
>>
>>
>>
> I believe that forwarder-selection uses the same algorithm as NS-selection,
> i.e. it's based on the historical RTT data. So it might not switch over as
> fast as you'd like.
>
> - Kevin

Re: FW: Blocking top level domain

2009-09-30 Thread Ben Croswell
Easiest way would probably be to load the .cn domain and just not put
anything in it.


On Wed, Sep 30, 2009 at 11:12 AM, Apisa, Kathy (US - MABS) <
kathy.ap...@meggitt.com> wrote:

>
>   --
>
> *From:* Apisa, Kathy (US - MABS)
> *Sent:* Wednesday, September 30, 2009 10:23 AM
> *To:* 'bind-users@lists.isc.org'
> *Subject:* Blocking top level domain
>
>
>
> Greetings everyone
>
>
>
> I would like to know how to implement the blocking of a top level domain in
> Bind 9
>
>
>
> For example, I want to block access to any domain that ends in .cn
>
>
>
>
>
> Thanks,
>
> Kathy Apisa
>
> 
>
> Information Technology
>
> 330-796-5963
>
> kathy.ap...@meggitt.com
>
>
>
-- 
-Ben Croswell

Re: SIBLING GLUE address records (A or AAAA)

2009-10-05 Thread Ben Croswell
I would imagine the answer will be that they aren't required but would be
helpful.

Since the parent .xx is delegating to the second-level domains, if you do
glue for all four DNS servers you are preventing a remote DNS server from
having to go to the servers for example.xx to get the A records for the DNS
servers for otherexample.xx.


On Mon, Oct 5, 2009 at 3:59 PM, Sergio Ramirez wrote:

> Hi,
>
>   In the following example, the authoritative server for
> zone .xx has configured the delegations of the zones example.xx
> and otherexample.xx:
>
> example.xx  NS  ns1.example.xx
> example.xx  NS  ns2.example.xx
> ns1.example.xx A  11.22.33.44
> ns2.example.xx A  11.22.33.55
> otherexample.xx NS ns3.example.xx
> otherexample.xx NS ns4.example.xx
>
> the bind report these messages:
>
> "ns3.example.xx has no SIBLING GLUE address records (A or AAAA)"
> "ns4.example.xx has no SIBLING GLUE address records (A or AAAA)"
>
> because the glue records are not configured in the zone .xx, for
> ns3.example.xx and ns4.example.xx
>
> Are these glue records required ?
>
> I understand that is not. Is this right ?
>
> Regards,
> --
> Sergio R.
-- 
-Ben Croswell
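
Ben's distinction, required glue versus helpful glue, follows from where the name server's name sits relative to the zone being delegated. The Python below is an added example (not from the thread, and not how named itself checks this): it walks the delegations in a parent zone's data and classifies every NS target. The records mirror Sergio's .xx example, with two extra constructed cases added to show the other outcomes.

```python
"""Classify the NS targets of each delegation in a parent zone by whether
glue is required, merely helpful, or not applicable (added example)."""


def _under(name: str, zone: str) -> bool:
    """True when name equals zone or is a subdomain of it."""
    name, zone = name.rstrip(".").lower(), zone.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def classify_glue(parent_zone: str, records):
    """records: (owner, type, rdata) triples as they appear in the parent zone.

    Returns (delegated_zone, nameserver, status) for every NS in a delegation:
      ok                 glue A/AAAA present in the parent zone
      missing-required   NS inside the delegated zone itself: without glue the
                         child can never be reached (circular dependency)
      missing-sibling    NS inside another child of the same parent: resolvable,
                         but resolvers must first visit that sibling's servers
      out-of-bailiwick   NS elsewhere; resolvers would not use glue for it
    """
    parent = parent_zone.rstrip(".").lower()
    delegations, glued = {}, set()
    for owner, rtype, rdata in records:
        owner = owner.rstrip(".").lower()
        if rtype.upper() == "NS" and owner != parent:
            delegations.setdefault(owner, []).append(rdata.rstrip(".").lower())
        elif rtype.upper() in ("A", "AAAA"):
            glued.add(owner)
    report = []
    for child, servers in delegations.items():
        for ns in servers:
            if ns in glued:
                status = "ok"
            elif _under(ns, child):
                status = "missing-required"
            elif _under(ns, parent):
                status = "missing-sibling"
            else:
                status = "out-of-bailiwick"
            report.append((child, ns, status))
    return report


# Constructed parent-zone data mirroring the thread, plus two extra cases.
XX_ZONE = [
    ("example.xx", "NS", "ns1.example.xx"),
    ("example.xx", "NS", "ns2.example.xx"),
    ("ns1.example.xx", "A", "11.22.33.44"),
    ("ns2.example.xx", "A", "11.22.33.55"),
    ("otherexample.xx", "NS", "ns3.example.xx"),
    ("otherexample.xx", "NS", "ns4.example.xx"),
    ("third.xx", "NS", "ns.third.xx"),          # in-bailiwick, no glue: unreachable
    ("third.xx", "NS", "ns.example.net"),       # external: no glue expected
]

if __name__ == "__main__":
    for child, ns, status in classify_glue("xx", XX_ZONE):
        print(f"{child:16} {ns:18} {status}")
```

The "missing-sibling" rows are the two names the log complained about: not an error, but every cold-cache lookup of otherexample.xx costs an extra trip to the example.xx servers until the glue is added.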

Re: New BIND user

2009-10-06 Thread Ben Croswell
Best place to start in my mind is the O'Reilly book "DNS and BIND" by
Cricket.
It's where I started and the first thing a person had to read before I
started training them back in the day.

On Tue, Oct 6, 2009 at 12:47 PM, NéoSynergix | Martin Dubreuil <
martin.dubre...@neosynergix.com> wrote:

>  Hello everyone,
>
>
>
> I am using a mix of MS DNS and XP workstations with a DNS software (simple
> Dns +)
>
>
>
> I am now looking to move into BIND world under *nix distributions.
>
> Would you recommend me reading/using a specific reference ?
>
> Book, URL, distribution, tutorial…
>
>
>
> Thank you, your help is appreciated.
>
>
>
> *Martin*
>
-- 
-Ben Croswell

Re: Poblem with ZONE (subdomain)

2010-01-19 Thread Ben Croswell
It is against the DNS rules to have a CNAME and any other record type exist
at the same level of the DNS tree.
For instance you can have a domain called foo.com and then try to do
foo.com IN CNAME bar.com because the CNAME collides with the SOA and NS
records for the domain.

On Tue, Jan 19, 2010 at 4:06 PM, Michelle Konzack <
linux4miche...@tamay-dogan.net> wrote:

> Hello Kevin,
>
> Am 2010-01-19 14:29:59, schrieb Kevin Darcy:
> > Correct. You can't have "lists" be a CNAME and also have it own an
> > MX record. The zone is invalid.
>
> OK
>
> > You can probably just whack the CNAME for "lists" and add one for
> > the target of the CNAME (vserver3.tamay-dogan.net), which will
> > function the way you apparently intended. Be aware, however, that
> > this will then be valid for all of the other CNAMEs pointing at that
> > target,
>
> I do not understand this.
> Do you mean:
>
> lists   IN MX 10 mail.tamay-dogan.net.
> bugs    IN MX 10 mail.tamay-dogan.net.
>         IN CNAME vserver3.tamay-dogan.net.
>
> Thanks, Greetings and nice Day/Evening
>Michelle Konzack
>
> --
> Linux-User #280138 with the Linux Counter, http://counter.li.org/
> # Debian GNU/Linux Consultant #
> <http://www.tamay-dogan.net/> Michelle Konzack
> <http://www.can4linux.org/>   Apt. 917
> <http://www.flexray4linux.org/>   50, rue de Soultz
> Jabber linux4miche...@jabber.ccc.de   67100 Strabourg/France
> IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
> ICQ#328449886 Tel. FR: +33  6  61925193
-- 
-Ben Croswell
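
The rule Ben states here and in the earlier "forwarding @" thread is the same one: a CNAME owner may hold no other data. named-checkzone will refuse such a zone, but a small pre-commit check makes the offending owner obvious before the file ever reaches the server. The Python below is an added example, not ISC code: a minimal master-file parser that understands $ORIGIN, comments, optional TTL/class and the blank-owner continuation lines Michelle used, followed by the check itself. The sample zone is constructed to reproduce both mistakes from the threads (an apex CNAME next to SOA/NS, and a CNAME next to an MX); RRSIG/NSEC are excluded from the comparison because a signed zone legitimately carries them beside a CNAME.

```python
"""Flag owner names that carry a CNAME alongside any other record type,
the rule behind both the "@ to a CNAME" and the "lists" threads
(added example, not the named-checkzone implementation)."""

CLASSES = {"IN", "CH", "HS"}
# DNSSEC types that legitimately sit next to a CNAME in a signed zone
DNSSEC_SIDECAR = {"RRSIG", "NSEC", "NSEC3"}


def _fqdn(name: str, origin: str) -> str:
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name.lower()}.{origin}"


def parse_zone(text: str, origin: str):
    """Minimal master-file parser: $ORIGIN, comments, blank-owner
    continuation lines, optional TTL/class. One record per line
    (multi-line parentheses are out of scope for this example)."""
    origin = origin.rstrip(".").lower() + "."
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$"):
            directive, _, arg = line.partition(" ")
            if directive.upper() == "$ORIGIN":
                origin = arg.strip().rstrip(".").lower() + "."
            continue                         # $TTL does not matter for this check
        tokens = line.split()
        if line[0].isspace():
            owner = last_owner               # blank owner: repeat the previous one
            if owner is None:
                raise ValueError("continuation line before any owner name")
        else:
            owner = _fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in CLASSES):
            tokens.pop(0)                    # optional TTL and class, either order
        if not tokens:
            raise ValueError(f"no record type on line: {raw!r}")
        records.append((owner, tokens[0].upper(), " ".join(tokens[1:])))
        last_owner = owner
    return records


def cname_conflicts(records):
    """Return {owner: sorted types} for every owner mixing CNAME with other data."""
    types_by_owner = {}
    for owner, rtype, _ in records:
        if rtype not in DNSSEC_SIDECAR:
            types_by_owner.setdefault(owner, set()).add(rtype)
    return {o: sorted(t) for o, t in types_by_owner.items()
            if "CNAME" in t and len(t) > 1}


# Constructed zone reproducing both mistakes discussed on the list.
SAMPLE_ZONE = """\
$TTL 3600
@       IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
        IN NS    ns1.example.com.
@       IN CNAME shop.example.net.      ; apex CNAME collides with SOA and NS
www     IN CNAME shop.example.net.      ; fine: nothing else at www
lists   IN MX 10 mail.example.com.
        IN CNAME mail.example.com.      ; CNAME next to the MX at the same owner
bugs    IN MX 10 mail.example.com.
ns1     IN A     192.0.2.1
"""

if __name__ == "__main__":
    for owner, types in cname_conflicts(parse_zone(SAMPLE_ZONE, "example.com")).items():
        others = ", ".join(t for t in types if t != "CNAME")
        print(f"{owner}: CNAME cannot coexist with {others}")
```

The apex case is why "CNAME the bare domain to the shop" cannot work in a zone you serve yourself: the SOA and NS are always there, so the only options are an A/AAAA record at the apex or a provider feature that synthesises one.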

Re: Master server offline

2010-05-06 Thread Ben Croswell
Actually speaking without thinking is bad.
It's the expire timer in the SOA not the refresh.



On Thu, May 6, 2010 at 10:37 PM, Dave Filchak  wrote:

>  Our master server machine had a drive failure and looks like it will be
> offline for some time. Somewhere in the back of my mind, I thought I
> remembered that something bad can happen to the dns resolution for your
> zones if the master is offline for too long. Is there anything to this or am
> I just dreaming? As long as the secondary can answer request, we should be
> ok?
>
> Cheers,
>
> Dave
>
-- 
-Ben Croswell

Re: Master server offline

2010-05-06 Thread Ben Croswell
If your secondaries can't reach the primary for the period of time you have
in your SOAs for refresh, the secondaries will stop answering.

-- 
-Ben Croswell

On Thu, May 6, 2010 at 10:37 PM, Dave Filchak  wrote:

>  Our master server machine had a drive failure and looks like it will be
> offline for some time. Somewhere in the back of my mind, I thought I
> remembered that something bad can happen to the dns resolution for your
> zones if the master is offline for too long. Is there anything to this or am
> I just dreaming? As long as the secondary can answer request, we should be
> ok?
>
> Cheers,
>
> Dave
>
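
Ben's correction (expire, not refresh) is the number that decides how long Dave has to repair the master before the secondaries go dark. The Python below is an added example, not from the thread: it parses the SOA timers, reports the state of a secondary given the time of its last successful refresh, and sanity-checks the relationship between the timers. The SOA values and timestamps are constructed; the one-week threshold in timer_warnings is a heuristic of this example, not a BIND default.

```python
"""What happens to a secondary while its primary is unreachable, driven
by the SOA timers Ben points at (added example; values are constructed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SOATimers:
    serial: int
    refresh: int   # how often the secondary checks the primary
    retry: int     # re-check interval after a failed refresh
    expire: int    # after this long without a good refresh, stop serving
    minimum: int   # negative-caching TTL


def parse_soa_rdata(rdata: str) -> SOATimers:
    """Parse 'mname rname serial refresh retry expire minimum' (parentheses allowed)."""
    fields = rdata.replace("(", " ").replace(")", " ").split()
    if len(fields) != 7:
        raise ValueError(f"SOA needs 7 fields, got {len(fields)}")
    return SOATimers(*(int(f) for f in fields[2:]))


def secondary_state(soa: SOATimers, last_good_refresh: int, now: int) -> str:
    """fresh: within refresh; stale: retrying the primary but still answering;
    expired: the expire timer has run out and named stops answering for the zone."""
    age = now - last_good_refresh
    if age < 0:
        raise ValueError("last_good_refresh is in the future")
    if age >= soa.expire:
        return "expired"
    if age >= soa.refresh:
        return "stale"
    return "fresh"


def seconds_until_expire(soa: SOATimers, last_good_refresh: int, now: int) -> int:
    """Time left before the secondary goes dark; 0 once it already has."""
    return max(0, soa.expire - (now - last_good_refresh))


def timer_warnings(soa: SOATimers):
    """Sanity checks on the relationship between the timers."""
    warnings = []
    if soa.expire <= soa.refresh:
        warnings.append("expire must exceed refresh or the zone can expire before a single re-check")
    if soa.retry >= soa.refresh:
        warnings.append("retry is normally shorter than refresh")
    if soa.expire < 7 * 86400:          # heuristic threshold for this example
        warnings.append("expire under a week leaves little time to repair a dead primary")
    return warnings


# Constructed SOA, the sort of values a drive failure would be measured against.
SAMPLE_SOA = parse_soa_rdata(
    "ns1.example.com. hostmaster.example.com. ( 2024010101 7200 900 1209600 3600 )")

if __name__ == "__main__":
    t0 = 1_700_000_000
    for offset in (600, 8_000, 1_209_600):
        print(offset, secondary_state(SAMPLE_SOA, t0, t0 + offset),
              seconds_until_expire(SAMPLE_SOA, t0, t0 + offset))
```

A monitoring check built on seconds_until_expire, fed from the secondary's own record of its last successful refresh, turns "something bad can happen if the master is offline too long" into a countdown with a known deadline.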

Re: The DDOS attack on DYN & RRL ?

2016-10-31 Thread Ben Croswell
I think what we see as a result of this attack is DNS provider diversity
being the new buzz phrase. The same as not relying on a single ISP link, I
see more people using multiple DNS providers.
The size of these attacks will grow as IoT continues to grow. It makes
sense to have diverse providers to ensure your domains are serviceable if a
provider gets attacked.

On Oct 31, 2016 12:25 PM, "Matthew Seaman" 
wrote:

> On 2016/10/31 16:09, Barry Margolin wrote:
> > I heard that the impact of the attack was even narrower than just the
> > US, it was mostly eastern US. That suggests some things about the
> > granularity of Dyn's anycast network and the distribution of the Mirai
> > botnet.
>
> There were actually three attacks on the same day.  The first (about
> 12:00 UTC) affected pretty much just the Eastern USA, and we saw little
> beyond some raised RTTs in Europe.  The second (about 16:00UTC) took out
> all the Dyn POPs in the USA and affected their European POP.  The third
> (around 18:00UTC) ... was pretty much a non-event.  Dyn had mitigated
> the attacks pretty effectively by that point.
>
> Cheers,
>
> Matthew

Re: The DDOS attack on DYN & RRL ?

2016-11-01 Thread Ben Croswell
The other option being having a master owned by your company and then
setting both external providers to secondary from your master. You
maintain control over data and have diversity.

On Nov 1, 2016 10:42 AM, "Barry Margolin"  wrote:

> In article ,
>  Ben Croswell  wrote:
>
> > I think what we see as a result of this attack is DNS provider diversity
> > being the new buzz phrase. The same as not relying on a single ISP link i
> > see more people using multiple DNS providers.
> > The size of these attacks will grow as IoT continues to grow. It makes
> > sense to have diverse providers to ensure your domains are serviceable
> if a
> > provider gets attacked.
>
> My boss asked me to look into this after the attack. The sticking point
> seems to be that most DNS providers don't allow zone transfers from
> their servers. We currently get our auth DNS from SoftLayer, the hosting
> provider for our primary web, application, and database servers. I
> contacted them to find out if it's possible to enable zone transfers to
> a third party slave service, they said no; they suggested that we simply
> set up both services as masters, which would mean we'd have to update
> them independently (or write our own scripts that make use of each
> service's API). The customers of Dyn are in the same situation.
>
> Maybe last week's incident will prompt enough big customers to demand
> this that they'll change their policies.
>
> --
> Barry Margolin
> Arlington, MA

Re: Bind master keeps saying it is not authoritative

2017-03-02 Thread Ben Croswell
Ensure that the allow-query clause on the master includes the slave. If the
slave can't query for the SOA on the zone it can't do an xfer.

On Mar 2, 2017 6:34 AM, "Xavier Humbert" 
wrote:

> The whole configuration, comments removed :
>
> -- Master --
> acl my-slaves {
> any;// DEBUG
> };
>
> acl my-clients {
> any;// DEBUG
> };
>
> options {
> // IP config
> listen-on port 53 {172.29.16.135; 127.0.0.1; };
> listen-on-v6 port 53 {none; };
>
> // Paths
> directory"/var/named";
> dump-file   "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
>
> // Behaviour
> recursion no;
> allow-transfer{ my-slaves; };
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> controls {
> inet 127.0.0.1 port 953
> allow { 127.0.0.1; } keys { "rndc-key"; };
> };
>
> // Logging
> // omitted
>
> zone "in.acv.orion.education.fr" {
> type master;
> file "/etc/named/internal/in.acv.orion.education.fr.db";
> allow-transfer {my-slaves; };
> };
>
> -- Slave --
> acl my-clients {
> localhost;
> any;//DEBUG
> };
>
> options {
> // IP config
> listen-on port 53 {172.29.16.133; 127.0.0.1; };
> listen-on-v6 port 53 {none; };
>
> // Paths
> directory"/var/named";
> dump-file   "/var/named/data/cache_dump.db";
> statistics-file "/var/named/data/named_stats.txt";
> memstatistics-file "/var/named/data/named_mem_stats.txt";
>
> // Behaviour
> recursion no;
> allow-update{ 172.29.16.135; };
> allow-transfer{ 172.29.16.135; };
>
> };
>
> // rndc key
> include "/etc/rndc.key";
>
> // Logging
> // Omitted
>
> zone "in.acv.orion.education.gouv.fr" {
> type slave;
> file "/etc/named/in.acv.orion.education.gouv.fr.db";
> masters {172.29.16.135; };
> };
> zone "." IN {
> type hint;
> file "named.ca";
> };
>
> include "/etc/named.rfc1912.zones";
> include "/etc/named.root.key";
>
> --
>
> Really, really basic!
> Thanks
>
> --
> Xavier Humbert
> CRT Supervision et Exploitation de Niveau 1
> Rectorat de Nancy-Metz
> 03 83 86 27 39

Re: Why would a master zone use forwarders ?

2017-05-12 Thread Ben Croswell
This would only change behavior if the server has global forwarding.

If it is master for foo.com and also has global forwarding, it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally.  The forward{} turns off global forwarding
for that branch of the tree.

On May 12, 2017 9:27 AM, "Mik J via bind-users" 
wrote:

> Hello,
>
> If my DNS is master/slave for a zone, why would I want it to use
> forwarders?
>
> In other terms, why would I want
> zone "mydomain.com"
> {
>     type master;
>     file "zones/master/com/mydomain.com";
>     allow-update { acl; };
> };
>
> Instead of (forwarders {};)
> zone "mydomain.com"
> {
>     type master;
>     file "zones/master/com/mydomain.com";
>     allow-update { acl; };
>     forwarders {};
> };
>
> Why would I want to forward requests if I'm authoritative for the zone?
>
> Thank you to those who can highlight this point.
>

Re: Why would a master zone use forwarders ?

2017-05-12 Thread Ben Croswell
If you load foo.com on server A and delegate bar.foo.com to server B with a
global forwarder of server C, your resolution will vary depending on forward
first vs forward only and forwarders {}.

With no forward {}, the path for blah.bar.foo.com directed at server A will
be A > C > B.
With forward {}, the global forward will be short-circuited for foo.com and
below, resulting in a path of A > B.

On May 12, 2017 11:56 AM, "Mik J"  wrote:

Thank you Ben for your answer.

My server uses global forwarding.

I don't understand what you wrote:
"If it is master for a foo.com and also has global forwarding it will use
the global forward for any delegated child domains under foo.com unless
they are also loaded locally."

If my DNS is authoritative, why would I use forwarding?

For my subdomains I use delegations:
sub.mydomain.com NS ns.sub.mydomain.com
ns.sub.mydomain.com A 1.1.1.1

What's the difference between the global forward for delegated child
domains and the delegation I do?

Thank you




Re: strange problem with query being dropped/ignored by the BIND process

2017-06-28 Thread Ben Croswell
Have you checked deeper at the OS level? I have seen on Linux DNS servers
silent drops of queries on very busy servers that were exhausting UDP
receive buffers.

On Jun 28, 2017 10:26 AM, "Marc Richter" 
wrote:

Hi,

we have a setup here consisting of a recursive DNS server and two
monitoring servers. The monitoring servers send a test query to the DNS
server once every two minutes to check that it is answering properly.

We now have the problem that these test queries are timing out from time
to time, (correctly) resulting in alarms in our monitoring system.

I have checked this now and noticed that each time we see that alarm, the
query sent by the monitoring server is not being answered at all.
To debug that I ran tcpdump on both the monitoring server and the recursive
DNS server. I see the query being sent out on the monitoring server and I
also see the query being received on the DNS server; however, there is no
response sent to this query at all.
Looking at the query log, which I enabled temporarily, the query is also
not logged there, so it looks like BIND is ignoring that query somewhere,
although it is properly received by the IP stack of the server.

Do you have any suggestions on how to debug this further, to hopefully find
out where these queries are stuck/dropped/ignored, as I have run out of
ideas?

The environment is:
BIND 9.9.9-P5 (Extended Support Version) 
running on SunOS sun4v 5.11 11.3


Thanks!
Marc

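The OS-level check Ben points at, written out here as an added example rather than anything from the thread: it reads the per-socket `drops` counter Linux keeps in /proc/net/udp for the sockets bound to port 53, which is where a query that tcpdump saw arrive but named never logged shows up when the receive buffer is full. The column layout, the sample rows and the sysctl default quoted in the comments are assumptions about Linux; the poster's SunOS host would need netstat -s or kstat instead.

```python
"""Added check, not from the thread: read the per-socket 'drops' counter that
Linux exposes in /proc/net/udp, so a query that tcpdump saw arrive but the
daemon never logged can be tied to a full receive buffer. Assumes the Linux
column layout (hex addr:port, drops last); a SunOS host needs netstat -s or kstat."""
import os
from typing import Dict, List, Tuple

# Constructed sample in /proc/net/udp layout: two sockets bound to port 53
# (0x0035), one already dropping with a full receive queue (0x34000 bytes
# = 212992, the usual net.core.rmem_default), plus an unrelated DHCP socket.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  123: 3500000A:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000    25        0 12345 2 0000000000000000 0
  124: 0100007F:0035 00000000:0000 07 00000000:00034000 00:00000000 00000000    25        0 12346 2 0000000000000000 4117
  125: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12347 2 0000000000000000 0
"""

def _hex_ipv4(hex_addr: str) -> str:
    """/proc/net stores IPv4 as little-endian hex: 0100007F -> 127.0.0.1."""
    return ".".join(str(int(hex_addr[i:i + 2], 16)) for i in (6, 4, 2, 0))

def udp_socket_stats(proc_net_udp: str, port: int = 53) -> Dict[str, Tuple[int, int]]:
    """Map 'ip:port' -> (drops, rx_queue bytes) for UDP sockets bound to `port`."""
    stats: Dict[str, Tuple[int, int]] = {}
    for line in proc_net_udp.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 13:
            continue
        ip_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        rx_queue = int(fields[4].split(":")[1], 16)  # tx_queue:rx_queue
        stats[f"{_hex_ipv4(ip_hex)}:{port}"] = (int(fields[-1]), rx_queue)
    return stats

def dropping_sockets(stats: Dict[str, Tuple[int, int]]) -> List[str]:
    """Sockets whose kernel drop counter is non-zero; diff two snapshots a few
    minutes apart to see whether it is still climbing during the alarms."""
    return [sock for sock, (drops, _) in stats.items() if drops > 0]

if __name__ == "__main__":
    source = SAMPLE_PROC_NET_UDP
    if os.path.exists("/proc/net/udp"):             # live data on a Linux host
        with open("/proc/net/udp") as fh:
            source = fh.read()
    stats = udp_socket_stats(source)
    print(stats, "dropping:", dropping_sockets(stats))
```

A non-zero, still-rising counter on the named socket while the monitoring alarms fire points at buffer exhaustion rather than at named itself; a flat counter sends the search elsewhere.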
Re: Forwarding from delegated zone not working

2017-10-10 Thread Ben Croswell
If the AD environment loads company.com, you need to make sure it has NS
delegations. The nameserver will ignore the zone forwarded if it knows the
child doesn't exist.

On Oct 10, 2017 11:22 AM, "seanliam73"  wrote:

> Hi
>
> I have a subdomain delegated from AD to a bind9 instance I have running, so
> that all requests for that subdomain are sent to the bind 9 instance. I
> would then like to set up zone forwarding so that further subdomains can be
> managed by other bind 9 instances.
>
> I know the forwarding is working because I can query the main bind9
> instance and receive the expected results. However, if I query from the AD
> server that is doing the delegation, I get a SERVFAIL error.
>
> Am I trying to do something that is not possible, or am I just missing some
> configuration?
>
> *main instance config*
>
> options {
>     directory "/var/named";
>     listen-on port 53 { listen addr; };
>     auth-nxdomain yes;
>     recursion yes;
>     allow-query { ip addresses; };
>     listen-on-v6 { any; };
>     dnssec-enable no;
>     dnssec-validation no;
>     dnssec-lookaside auto;
> };
>
> logging {
>     channel default_debug {
>         file "data/named.run";
>         severity debug 3;
>     };
>
>     channel querylog {
>         file "data/query.log";
>         severity debug 5;
>     };
>
>     category default { default_debug; };
>     category queries { querylog; };
> };
>
> zone "example.company.com" IN {
>     type forward;
>     forward only;
>     forwarders { ip address; };
> };
>
> zone "development.example.company.com" IN {
>     type forward;
>     forward only;
>     forwarders { ip address; };
> };
>
>
>
> --
> Sent from: http://bind-users-forum.2342410.n4.nabble.com/

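A toy model of the path selection Ben describes in the two forwarding threads above (global forwarding applying to a delegated child until the zone carries `forwarders {}`, and a parent that answers from its own data when it holds no NS delegation for the child), added here as an example and not BIND's own code. It assumes `forward only` semantics throughout, uses Ben's placeholder servers A, B and C, and adds a hypothetical AD/bind9 pair for the delegation case.

```python
"""Toy model, added here and not BIND's own code, of how a server that has
global forwarders and locally loaded zones decides where a query goes.
Assumes 'forward only' semantics; server names are placeholders."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Zone:
    kind: str                                   # "master" or "forward"
    forwarders: Optional[List[str]] = None      # None = inherit global, [] = off
    delegations: Dict[str, str] = field(default_factory=dict)  # child -> NS host

@dataclass
class Server:
    name: str
    zones: Dict[str, Zone]                      # zone name -> Zone
    global_forwarders: List[str] = field(default_factory=list)

def _longest_match(name: str, names) -> Optional[str]:
    """Closest enclosing entry of `names` for `name` (longest suffix match)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return None

def resolution_path(server: Server, qname: str) -> List[str]:
    """Servers contacted, in order, when `qname` is sent to `server`."""
    path = [server.name]
    zname = _longest_match(qname, server.zones)
    if zname is None:                  # no local data: global forwarding
        return path + server.global_forwarders[:1]
    zone = server.zones[zname]
    if zone.kind == "forward":         # forward zone uses its own forwarders
        return path + (zone.forwarders or [])[:1]
    child = _longest_match(qname, zone.delegations)
    if child is None:                  # authoritative data answers (even NXDOMAIN)
        return path
    # Delegated child: global forwarding still applies unless the zone carries
    # forwarders {} (an empty list here), which short-circuits it for the branch.
    fwd = server.global_forwarders if zone.forwarders is None else zone.forwarders
    if fwd:
        path.append(fwd[0])
    path.append(zone.delegations[child])
    return path
```

With foo.com loaded on A, bar.foo.com delegated to B and C as global forwarder, `resolution_path` gives A > C > B for blah.bar.foo.com, and A > B once the zone has `forwarders {}`; a parent with no NS delegation for the child never leaves its own data, which is the SERVFAIL/NXDOMAIN situation of the last thread.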