We have a sparsely populated IN-ADDR.ARPA zone used to support our
network infrastructure. I had originally defined the following type
of zone structure.
bbb.aaa.in-addr.arpa
1.bbb.aaa.in-addr.arpa
...
254.bbb.aaa.in-addr.arpa
Within the bbb.aaa.in-addr.arpa
[EMAIL PROTECTED] wrote:
Just because individual records are public doesn't mean you should allow just anyone to configure their nameserver as a slave to your domain.
There's no benefit to allowing transfers to just anybody except for the
allowance it makes for the laziness of admins.
Inco
Hello,
I have a server I am testing before I put in production. Working on a more
secure bind config. BTW if anyone has any other suggestions on locking down
bind beside below and chroot let me know. I was adding views which have been
debated time and time again whether or not it really helps bu
Do you only trust your own subnet? Or, perhaps there are other adjacent
subnets that may be needing to use your nameserver for resolving
Internet names (?)
The identity/size of the "allow-recursion" range needs to be informed by
your overall Internet-facing network topology. Talk to your netwo
Res wrote:
On Mon, 17 Nov 2008, Jefferson Ogata wrote:
On 2008-11-17 14:25, Holger Honert wrote:
Chris Thompson wrote:
On Nov 17 2008, Res wrote:
Ack! allow-transfer should never be any
What, never? Why not?
Security issue! You really want everyone to download your zone(s)?
I couldn'
Guess I should start digging in the code then :)
On Mon, Nov 17, 2008 at 5:59 PM, Evan Hunt <[EMAIL PROTECTED]> wrote:
> > IIRC update-policy cannot be used in conjunction with the allow-update
> > statement.
>
> My bad--you're right. There's code I'd never noticed before that says
> allow-update
> IIRC update-policy cannot be used in conjunction with the allow-update
> statement.
My bad--you're right. There's code I'd never noticed before that says
allow-update will be ignored if update-policy is set. Whoops.
(Oddly, the check only applies when both of them are defined in the
zone itsel
Just because individual records are public doesn't mean you should allow just
anyone to configure their nameserver as a slave to your domain.
There's no benefit to allowing transfers to just anybody except for the
allowance it makes for the laziness of admins.
Weigh that against the risks
Yeah it would most likely be a feature request/change.
IIRC update-policy cannot be used in conjunction with the allow-update
statement. Personally I prefer the usage of update-policy as I can assign
different business units within my organization to take responsibility for
certain records/record t
> Actually, to take this a step further, is there any remote possibility to
> combine this with update-policy as well?
I'm not sure what you mean.
I believe you can use allow-update to filter according to IP address
and then update-policy to filter according to key; that might be an
easier way
On 2008-11-17 22:20, Res wrote:
On Mon, 17 Nov 2008, Jefferson Ogata wrote:
On 2008-11-17 14:25, Holger Honert wrote:
Chris Thompson wrote:
On Nov 17 2008, Res wrote:
Ack! allow-transfer should never be any
What, never? Why not?
Security issue! You really want everyone to download your
Actually, to take this a step further, is there any remote possibility to
combine this with update-policy as well?
I know both questions have been mentioned on the list before with varied
answers but I wanted to raise it again since this was finally figured out.
/Jonathan
On Mon, Nov 17, 2008 at
So it looks like my zone config file, not the actual zone, but the
config statement that is in conf was gone. I added it back in and all
is well now.
I have run rndc reload so many times, I have no idea how it was
deleted, it is all in one file, not separate files, so it seems
unlikely i
Yeah, kinda makes sense, thanks!
/Jonathan
On Mon, Nov 17, 2008 at 11:28 AM, Evan Hunt <[EMAIL PROTECTED]> wrote:
> > > allow-update { !{!10/8;any;}; key update-key; };
> >
> > Wouldn't this still permit any client on the 10/8 subnet to update the
> > zones?
>
> It's very confusing syntax, but
On 2008-11-17 14:25, Holger Honert wrote:
Chris Thompson wrote:
On Nov 17 2008, Res wrote:
Ack! allow-transfer should never be any
What, never? Why not?
Security issue! You really want everyone to download your zone(s)?
I couldn't care less. If the security of my systems were the least
Ack! allow-transfer should never be any
What, never? Why not?
Security issue! You really want everyone to download your zone(s)?
That is a decision for each operator to make. The ability to
transfer a zone is not by itself a security issue.
I guess the question is, what information can be
> > allow-update { !{!10/8;any;}; key update-key; };
>
> Wouldn't this still permit any client on the 10/8 subnet to update the
> zones?
It's very confusing syntax, but no.
You're probably thinking in boolean algebra (I did too, when I first
encountered this). If it were boolean algebra, you c
In message <[EMAIL PROTECTED]>, Holger Honert writes:
> Chris Thompson wrote:
> > On Nov 17 2008, Res wrote:
>> 2008110601 ; serial
when replying or forwarding, please try to trim off this
gawdawfulfuckery that m$ mail produces. the original email is <1k in
si
No, the bad referral is coming from your own server.
The "query (cache) denied" message means that your server doesn't
consider itself to be authoritative for the zone in question. Find out
why.
Chris Buxton
Professional Services
Men & Mice
On Nov 17, 2008, at 6:51 AM, Scott Haneda wrote:
Chris Thompson wrote:
On Nov 17 2008, Res wrote:
On Sun, 16 Nov 2008, Jeff Justice wrote:
Well, first part solved. I forgot to change the IP address of our
nameserver at the registrar. Secondary is still not updating though.
options { directory "/opt/local/etc/named/";
listen-on po
Look at some web stats, I saw a traffic drop over the weekend on a few
sites. Looking into it, I am stumped.
Here are a few named log snips:
17-Nov-2008 05:47:26.582 security: info: client 203.162.4.198#40307:
query (cache) 'nuclearrabbit.com/MX/IN' denied
17-Nov-2008 05:47:27.375 security:
On Fri, 2008-11-14 at 17:35 -0800, Chris Buxton wrote:
> Use a firewall (with deep packet inspection) to restrict by subnet.
> Then use the TSIG key in the allow-update statement.
>
> Unfortunately, to my knowledge, that's the only way to do this.
Wouldn't using a BIND view to restrict
In article <[EMAIL PROTECTED]>, Grant <[EMAIL PROTECTED]>
wrote:
> I have BIND installed on 3 different computers, all three having the
> same configuration information. I used to use WebMin to update each, but
> that was kind of a pain to have to go to three different systems to make
> a chan
Need more details like where are you querying from and do you have any
intermediate DNS servers acting as "cache-only". You may need to clear
the cache before seeing any changes.
On Nov 16, 1:33 pm, Steve Koon <[EMAIL PROTECTED]> wrote:
On Sun, 2008-11-16 at 10:33 -0800, Steve Koon wrote:
> We have moved a zone from UltraDNS to our DNS server 1 week ago and it
> is still not showing us as authority. Can anyone help me as to why
> this might be happening and how to fix it? I have included a dig below
> using a public dns server (4.
On Nov 17 2008, Res wrote:
On Sun, 16 Nov 2008, Jeff Justice wrote:
Well, first part solved. I forgot to change the IP address of our nameserver
at the registrar. Secondary is still not updating though.
options { directory "/opt/local/etc/named/";
listen-on port 53 { 127.0.0.1;74.
Thanks for this. All working now.
On Sat, 2008-11-15 at 01:01 +1100, Mark Andrews wrote:
> In message <[EMAIL PROTECTED]>, "Dean, Barry" writes:
> There is a firewall sitting in front of the servers for
> bjmu.edu.cn that is blocking traffic from port 53.
I think that there wa