Re: Potential issue in Bind 9.7.3-P3

2011-10-27 Thread Doug Barton
On 10/27/2011 08:43, Hayward, Bruce wrote: > I compiled both 9.7.4, and 9.8.0-P4 yesterday (w/IPV6 and 64)(using the > BIND Vulnerability Matrix at > http://www.isc.org/software/bind/security/matrix - picking on clean ones) You're always better off picking the latest version in a branch (e.g., 9.8

Re: udp vs tcp query

2011-10-27 Thread Benny Pedersen
On Thu, 27 Oct 2011 07:04:42 +0200, Emanuele Balla (aka Skull) wrote: TCP is needed only when replies do not fit 512 bytes (let's ignore EDNS0 and such). For any DNSBL, this limit is not a problem at all. It was edns0 defaults that made most problems; from my logs it seems more stable now, h

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Jonathan Stewart
Ah ha! Now this was the option I was looking for. Tell bind to also notify the SOA MNAME server, since it's not the true master feeding the zones. Looks like this first appeared in BIND 9.5, and OpenBSD 4.9 still ships 9.4.2. :( Thanks for the tip, Chris, I didn't know such an option existed. C

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Jonathan Stewart
You have a good point. That SOA MNAME is used in a very limited way, and is not involved in DNS resolution, which is what I'm concerned about. We are not using DDNS, so I could put any value in there. However, I have some desire to make my SOA 'clean', meaning not putting nonsense values in SOA

Re: DNS Sinkhole in BIND

2011-10-27 Thread Michelle Konzack
Hello G.W. Haywood, On 2011-10-27 16:56:44, you hacked down the following: > On Thu, 27 Oct 2011 Michelle Konzack wrote: > > ...and you get the hell on your ass if you have several 1000 of them! > > In this case, bind9 with RPZ is cheaper. > Maybe look at ipsets. Currently we firewall almost 76,0

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Chris Thompson
On Oct 27 2011, Kevin Darcy wrote: On 10/27/2011 11:02 AM, Jonathan Stewart wrote: Hello, Recently I set up a group of nameservers using a hidden master, visible slaves configuration. ns0 - hidden master ns1, ns2, ns3 - visible slave servers So I set the SOA and NS records like this zone.ex

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Alan Clegg
On 10/27/2011 11:02 AM, Jonathan Stewart wrote: > Also, is this normal/expected behaviour? How can i get ns0 (and the > others) to NOTIFY ns1 when the serial is incremented? Must i use an > explicit {also-notify} ? Yes, this is expected. Since NS1 is the "master" server (since it is in the SOA

Re: NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Kevin Darcy
On 10/27/2011 11:02 AM, Jonathan Stewart wrote: Hello, Recently I set up a group of nameservers using a hidden master, visible slaves configuration. ns0 - hidden master ns1, ns2, ns3 - visible slave servers So I set the SOA and NS records like this zone.example IN SOA ns1.zone.example. hostm

Re: Strange issue with signed zone

2011-10-27 Thread Mark Elkins
On Wed, 2011-10-26 at 13:59 +0400, Peter Andreev wrote: > Hello! > > We have ~30 servers running BIND (9.8, 9.7, 9.6). A week ago we signed the first of our zones with RSA/SHA1 + NSEC3 + OPT-OUT. > Recently we realised that our servers don't generate NSEC3 for the signed zone. > Problem has gone af

Re: DNS Sinkhole in BIND

2011-10-27 Thread G.W. Haywood
Hi there, On Thu, 27 Oct 2011 Michelle Konzack wrote: > Am 2011-10-17 13:28:43, hacktest Du folgendes herunter: > > > ... I found that setting up iptables to do drops for known bad > > IPs/ranges was slightly better as the traffic never gets to BIND > > ... > > Example rules for various IPs that

RE: Potential issue in Bind 9.7.3-P3

2011-10-27 Thread Hayward, Bruce
I compiled both 9.7.4, and 9.8.0-P4 yesterday (w/IPV6 and 64)(using the BIND Vulnerability Matrix at http://www.isc.org/software/bind/security/matrix - picking on clean ones) I installed 9.7.4 yesterday on the problem server, so far for the p

Re: Potential issue in Bind 9.7.3-P3

2011-10-27 Thread Ian_Veach
Yes, we've had 9.7.3-P3 stop responding completely. We're transitioning from SLES to RHEL, and this happens on the RHEL system only (but SLES version is older than 9.7.3-P3). Bind runs fine for days under "simulated" load, but runs randomly for minutes to many hours before freezing under real c

NS also in SOA doesn't get NOTIFY

2011-10-27 Thread Jonathan Stewart
Hello, Recently I set up a group of nameservers using a hidden master, visible slaves configuration. ns0 - hidden master ns1, ns2, ns3 - visible slave servers So I set the SOA and NS records like this zone.example IN SOA ns1.zone.example. hostmaster.example.com ( 1; serial num
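An added illustration, not taken from any post in this thread: the hidden-master configuration described above, written as a named.conf fragment for ns0. With BIND's default "notify yes", NOTIFY goes to every name in the NS RRset except the server itself and the SOA MNAME, so ns1 (the MNAME here) is skipped unless it is listed in also-notify or the MNAME special case is switched off with notify-to-soa (available from BIND 9.5). The IP addresses and file paths are assumptions for the example.

```conf
// Added example for the hidden master ns0 (not from the thread).
// 192.0.2.11/12/13 are assumed addresses for ns1, ns2, ns3.

zone "zone.example" {
    type master;
    file "master/zone.example.db";              // assumed path
    allow-transfer { 192.0.2.11; 192.0.2.12; 192.0.2.13; };

    // Default "notify yes" NOTIFYs ns2 and ns3 (from the NS RRset) but
    // skips ns1 because it is the SOA MNAME. List it explicitly:
    also-notify { 192.0.2.11; };

    // Alternative in BIND 9.5 and later: stop exempting the MNAME host,
    // so all three slaves are notified from the NS RRset alone.
    // notify-to-soa yes;
};
```

After bumping the serial and running `rndc reload zone.example` on ns0, `dig @192.0.2.11 zone.example SOA +short` (and the same against ns2 and ns3) should show the new serial within the slaves' refresh handling; if ns1 still lags behind the others, the NOTIFY was not sent or not accepted, which the "notify" log category on both ends will show.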

Re: DNS Sinkhole in BIND

2011-10-27 Thread Ryan Novosielski
On 10/17/2011 02:19 PM, Phil Mayers wrote: > On 10/17/2011 06:38 PM, babu dheen wrote: >> You are absolutely correct Chris.. I want to block/redirect all malware >> domain request initiated by clients by setting up DNS SINKHOLE in Redhat >> BIND server.

RE: DNS Sinkhole in BIND

2011-10-27 Thread Lightner, Jeff
Rather a late response I think. When I set up the rules I spoke about RPZ was just a gleam in someone's eyes. My post discussed the relative merit of iptables vs. blackholes and didn't mention RPZ. RPZ may be a better solution but it requires one to stop and upgrade BIND to get it. -Or
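As an added example, not from any of the posts above: the RPZ approach mentioned in this thread, which needs BIND 9.8 or later. The named.conf fragment attaches a policy zone, and the zone file shows the two common sinkhole actions, redirecting a domain to a sinkhole address and forcing NXDOMAIN. The domain names, the sinkhole address 192.0.2.1 and the file names are placeholders for the example.

```conf
// named.conf fragment (added example, BIND 9.8+)
options {
    response-policy { zone "rpz.local"; };
};

zone "rpz.local" {
    type master;
    file "rpz.local.db";
    allow-query { none; };      // policy data is consulted internally only
    allow-transfer { none; };
};

; rpz.local.db -- assumed names; 192.0.2.1 is a placeholder sinkhole host
$TTL 300
@                 IN SOA   localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
                  IN NS    localhost.
evil.example      IN A     192.0.2.1     ; redirect the domain to the sinkhole
*.evil.example    IN A     192.0.2.1     ; ...and every name beneath it
bad.example       IN CNAME .             ; CNAME to the root = answer NXDOMAIN
*.bad.example     IN CNAME .
```

After `rndc reload`, `dig @127.0.0.1 www.evil.example A +short` should return 192.0.2.1 and `dig @127.0.0.1 bad.example A` should come back NXDOMAIN, with each rewrite recorded under the "rpz" logging category. Unlike an iptables drop, this only affects clients that use this resolver, so the two approaches complement each other rather than replace one another.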

Potential issue in Bind 9.7.3-P3

2011-10-27 Thread Hayward, Bruce
Has anyone had an issue in the past month with bind 9.7.3-P3, where bind stops responding. In this case we are running on a Netra 240, under Solaris 10. I do not have a lot to offer yet, as there is nothing in any of the logs. I am currently running a snoop for the next time. Tha

Re: dispatch - permission denied

2011-10-27 Thread Benzi Mizrahi
On Oct 26, 2011, at 6:04 PM, Chris Thompson wrote: > On Oct 26 2011, Benzi Mizrahi wrote: > >> Hi, >> >> I've recently upgraded our nameservers from version 9.6.2.-p3 to 9.7.4 , >> and the following messages started to appear on all nameservers logs: >> >> >> 22-Oct-2011 16:58:41.548 dispat

Re: dispatch - permission denied

2011-10-27 Thread Benzi Mizrahi
On Oct 26, 2011, at 4:55 PM, Michael Graff wrote: > Is there something else running on those UDP ports? Oh, yes. It slipped my mind. thank you, > > On Oct 26, 2011, at 12:49 AM, Benzi Mizrahi > wrote: > >> Hi, >> >> I've recently upgraded our nameservers from version 9.6.2.-p3 to 9.7.