New-Subject: host vs subnet routes
Old-Subject: BIND doesn't listen to other loopback addresses
On 7/6/25 1:02 AM, Ondřej Surý wrote:
The IPv4 loopback is actually quite weird in this regard that
127.0.0.1/8 is assigned by everything in 127/8 automagically works
without explicit address assig
On 5/23/25 8:53 PM, Fred Morris wrote:
If you fail in an outright, reproducible, measurable fashion you give
your opponent predictability and confidence. As a defender you want to
undermine that and look like an under-resourced, poorly administered
network that somehow, we don't know exactly ho
On 5/22/25 9:23 AM, Karol Nowicki via bind-users wrote:
Does ISC BIND software natively have any DNS tunneling prevention
embedded?
I don't think there is anything that I would describe that way. But
there may be some rate limiting option(s) that you could use to at least
cripple using DNS
On 3/19/25 9:40 AM, Mónika Kiss wrote:
I have a domain categorization program written in C that dynamically
determines the risk level of a queried domain.
I need to integrate this categorization logic into a BIND 9 plugin that:
Mónika, have you looked into Dynamically Loadable Zones? You migh
Hi,
I get the impression that I'm still misunderstanding you or perhaps we
don't have the same understanding of RPS / DLZ. Perhaps I need more coffee.
On 3/21/25 2:31 AM, Mónika Kiss wrote:
* Instead, I want the plugin to dynamically query this data by calling
my existing C program or
On 3/19/25 10:02 AM, Ondřej Surý wrote:
Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a
way to add the classification to the message processing and then the RPZ
processing could read the classification and take an action?
This sounds like my understanding of what the Resp
On 2/6/25 08:40, Greg Choules via bind-users wrote:
In DNS terms, for me, a "primary" has the single source of truth for
data in zones and a "secondary" transfers a temporary copy of that data
from a primary, or from another secondary (though daisy chain
secondaries at your peril). All are auth
On 1/30/25 3:25 PM, Fred Morris wrote:
I don't think everything on the planet needs to support encryption
out of the box if composable components are available.
I'm inclined to agree with you.
However, the only rebuttal that I've heard which I give any serious
credence to is the ability for t
On 1/27/25 07:02, Carlos Horowicz via bind-users wrote:
IMHO this has nothing to do with DNSSEC,
HEAVYsigh
Why do things seem to focus on the encryption of DNS traffic and ignore
authentication of the information?
I'm sure that all of us are aware that it's perfectly possible for a DoT
/ D
On 1/24/25 17:09, phil via bind-users wrote:
ftr ubuntu also ships bind with a db.local file
I wonder if we're dancing around what upstream from ISC ships vs what
distros create therefrom and ship.
I'll have to check my copies of the venerable BIND book to be sure, but
I believe that it and
On 1/8/25 10:14 AM, John Thurston wrote:
You may want those services co-hosted today. But if you want to separate
them next year, your life will be easier if they had unique IP addresses
from the start.
I agree that different IPs for each service is more flexible.
Though I've never found it d
On 12/27/24 15:40, Roberto Braga wrote:
For this, I must use 2 servers:
I agree that you should use two servers. But I also believe you could
do what you're doing with one server, one OS image, and maybe even one
instance of BIND.
The first, like Recursive DNS itself, is what clients will
On 12/24/24 09:54, G.W. Haywood wrote:
You can do that sort of thing on the fly. I'd probably be thinking
along the lines of Apache and mod_rewrite
mod_rewrite alters / translates / permutes the request as it comes into
Apache to some different path in the back-end.
You could also accompli
Hi,
I'd appreciate some help in getting just the PTR record from the
following dig command:
dig +short -x 192.0.2.1
With the following germane content from the respective zones:
1.2.0.192.in-addr.arpa. IN CNAME nic.host.example.net.
nic.host.example.net. IN
On 11/27/24 05:09, Dimitry Bansikov wrote:
I need to simplify adding and removing a domain so that it is enough to
just add the zone file itself without editing the big list. Is this
possible?
Can you programmatically edit the file?
You might be able to re-structure the list of zone statement
On 12/1/24 11:30, Greg Choules via bind-users wrote:
However, in the "DE" view you could configure global forwarding/forward
only to the "default" view.
Would it be better to do this -- what I call loopback / trombone --
forwarding -or- leverage something like loading all zones in all views?
On 8/24/24 07:37, Carlos Horowicz via bind-users wrote:
2. if RPZ records are held in memory, why would an RPZ zone need to be
stored n times if there are n orthogonal views ? That is, why the more
views the more memory needed. Maybe you meant the qpcache, to store
different answers, though I d
On 12/11/23 18:47, Blason R wrote:
Oh I forgot to tell you that. This is BIND RPZ and all the queries are
recursive.
Okay, what RPZ configuration do you have? Is it messing with the
queries you're testing in any way?
What configuration do you have for RPZ related to DNSSEC?
Dig output jus
On 8/21/23 10:11 AM, Mark Elkins via bind-users wrote:
Hi,
Hi,
1) Count how many delegated domains there are (Names with NS records)
Mind your $ORIGIN and check the number of NS record owners.
2) Extract the above Names - so I can look for changes (Added/Deleted names)
I suspect that de
On 6/29/23 6:44 AM, Matus UHLAR - fantomas wrote:
bind has "sortlist" statement that could do what you want. It will
provide all IPs but sorted differently.
+1 to "sortlist". I couldn't remember the exact nomenclature nor how it
was used.
Otherwise, you can set up multiple views with differ
On 6/12/23 2:48 AM, Matus UHLAR - fantomas wrote:
note that query-source settings affects source IP of packet, while "ip
rule" affects outgoing interface (unless you also configure SNAT for
those packets), so they are not exactly the same.
Late comment: `ip route` can have some influence on w
On 5/15/23 1:58 PM, Kereszt Vezeték wrote:
Hi Everybody
Hi,
I have a dns server in my private network with a local domain. The dns
server forwards the public requests to the Google DNS server. I would like to
separate hosts in the inside network.
One group allow only the local host resolve, not
On 3/28/23 11:28 AM, Matus UHLAR - fantomas wrote:
Yes, this is one of the problem "authoritative zones for local use".
Authorizing the /zone/ for local use wasn't the problem. The problem
was that the world could get some of that zone's data from the query
cache even if they couldn't query
On 3/28/23 10:48 AM, Matus UHLAR - fantomas wrote:
If your server has authoritative zones for internal use, yes, in such
case allow-query is good idea.
The server that I first set this on had a secondary copy of the root
zone for my systems use. I ended up adding additional restrictions to
On 3/28/23 6:30 AM, Matus UHLAR - fantomas wrote:
Great, this means that only clients with those IP addresses can query
your server for non-local information.
I used to think the same thing.
Then I learned that I needed to also add similar configuration for
`allow-query {...};` and `allow-que
On 3/11/23 10:43 AM, Fred Morris wrote:
I've found myself in situations in the past where NOTIFY has been
fetishized as "real time"
"real time" can be a VERY loaded phrase.
Sometimes it's measured in fractions of a second. Other times it's
measured in minutes.
I've always simply c
On 3/11/23 10:37 AM, Paul Stead wrote:
Sorry I should have made it clearer that the notifier should only be
shuffled to the top of the list if it is a defined primary for said zone.
Okay. The try the notifier first /if/ it's a configured primary makes
more sense to me. I guess I've not had e
Hi Paul,
Thank you for explaining.
On 3/10/23 12:21 AM, Paul Stead wrote:
Imagine that 1.1.1.1 has lost network connectivity recently. A notify
comes from 2.2.2.2 - if I understand correctly Bind will try 1.1.1.1
first, time out and then try 2.2.2.2 - even though we know given the
situation t
On 3/9/23 2:25 PM, Paul Stead wrote:
Chiming in to say +1 to Kalus' logic and sight of benefit here.
Please forgive my ignorance in asking:
Why doesn't the order of the configured primaries suffice?
N.B. I'm assuming that this is the order of the primaries for a zone
in the named.conf fi
On 1/17/23 4:45 PM, Michael Richardson wrote:
Many people do exactly that.
Sorry, I don't see that as an answer to -- my understanding of -- the
OP's question of "Does the primary server that handles the DNSSEC duties
need to be not hidden / publicly accessible?"
Specifically what many peop
On 11/7/22 9:45 AM, Fred Morris wrote:
The PUBLIC DNS is not secure against eavesdropping or parallel
construction and never will be.
Even if the information is out there, I believe there is an exposure
risk for ISPs if they do something that makes it /easy/ to correlate
customer / client res
On 11/7/22 9:08 AM, Matus UHLAR - fantomas wrote:
I'm afraid that this problem can become really huge when someone creates
huge amount of generated records, e.g. using proposed module.
Even if BIND's cache is simply FIFO -- which I'm fairly certain that
it's smarter than that -- and flushes a
On 11/6/22 6:39 AM, Matus UHLAR - fantomas wrote:
3. allow your servers to fetch 66.136.193.in-addr.arpa.
Is this 3rd step documented somewhere?
I searched for it in RFC 2317 but didn't find it. Maybe I overlooked it.
alternatively they can choose to 0/28.66.136.193.in-addr.arpa. or
0-1
On 11/6/22 11:12 AM, Carl Byington via bind-users wrote:
or use $clientname.66.136.193.in-addr.arpa. as the intermediate zone
which has a slight advantage when the same client has multiple disjoint
parts of the same /24.
I find that $CLIENTNAME or some other stand in for the client is a
poten
On 11/5/22 4:32 AM, Ondřej Surý wrote:
The IPv4 reverse zone is easy to scrape and stored for situations
like this… just saying.
Fair enough.
Though if we're going to not officially sanctioned behavior, I'm
inclined to create a local version of the 66.136.193.in-addr.arpa. zone
that CNAMEs t
On 11/4/22 2:07 PM, Mark Andrews wrote:
Any ISP that offers these delegations should be allowing their
customers to transfer the zone that contains the CNAMEs for the
customer address space by default.
I've had enough trouble getting ISPs to support 2317 delegation period.
I think that asking
On 11/4/22 12:09 PM, Cuttler, Brian R (HEALTH) via bind-users wrote:
My pointer zones are more like
Zone "28.66.136.193.in-addr.arpa.", I've never had that leading "0-"
Is that typical? What does it do?
I invite you to go skim RFC 2317 -- Classless IN-ADDR.ARPA Delegation.
TL;DR: 2317 is a
On 11/4/22 11:19 AM, David Carvalho via bind-users wrote:
Thanks again.
You're welcome again. :-)
Probably. Am I supposed to, I have just 2 segments in this network
(and 2 others on another work) ?
Normally no, you're not supposed to /need/ to have a copy of an
intermediate zone.
Howeve
On 11/4/22 10:54 AM, David Carvalho via bind-users wrote:
Thanks for the replies.
You're welcome.
My reverse zone in named.conf. My secondary dns gets it automatically
daily, along with the "di.ubi.pt.".
ACK
zone "0-28.66.136.193.in-addr.arpa." IN {
allow-query { any; };
On 11/4/22 10:07 AM, David Carvalho via bind-users wrote:
My reverse zone file
What is the origin of your zone file? 0-28.66.136.193.in-addr.arpa.?
1.0-28.66.136.193.in-addr.arpa. IN A 193.136.66.1
You seem to be using RFC 2317 Classless IN-ADDR.ARPA delegation.
As such
On 10/27/22 4:18 PM, Andrew Latham wrote:
IRC for example will check for PTR and gate login. I know there are
others but that came to mind quickly. In some regions having PTRs was a
requirement. It has been years but I recall LACNIC required/desired PTRs
be set.
I wasn't aware of IRC's requir
On 10/27/22 1:24 PM, Marco wrote:
At least for IPv4, there are servers that reject connections from
IPs that don't have a reverse zone with PTR record.
Please elaborate.
I've not heard of (unspecified type of) servers rejecting connections
because of the lack of a PTR record.
I have heard o
On 10/27/22 11:23 AM, Marco wrote:
It isn't, because a customer gets /48 or /56 in most cases.
"For example one of their clients has the IP 2001:db::3." is a singular IP.
The customer's router can use various methods to assign addresses, auto
configuration and DHCPv6.
Agreed.
However that'
On 10/27/22 1:16 AM, Marco Moock wrote:
Hello,
Hi,
how do ISPs automatically create the reverse and forwarding zones for
their customers IP pools?
I think it might be out of scope for what you were asking about, but I
believe the following is an alternative approach.
For example one of t
On 10/15/22 1:51 PM, Greg Choules via bind-users wrote:
Hi Grant.
Hi Greg,
I'm quickly replying to your message. I'll reply to Matus & Fred later
when I have more time for a proper reply.
My understanding is this, which is almost identical to what I did in a
former life:
client ---recur
On 10/15/22 10:34 AM, Matus UHLAR - fantomas wrote:
If you are an ISP/registry/DNS provider, it makes sense to separate
authoritative zones for your clients' domains, for all those cases your
client move their domains somewhere else without notifying you (hell,
they do that too often), or to be
On 10/15/22 10:03 AM, Bob McDonald wrote:
My understanding has always been that the recommendation is/was to
separate recursive and non-recursive servers.
I too (had) long shared -- what I'm going to retroactively call -- that
over simplification.
Now I understand I'm talking about an INTERN
On 9/6/22 4:16 PM, Michael De Roover wrote:
once I tried to do the same on the satellite network, BIND on the main
network would see the zone transfer as coming from 192.168.10.51 or
192.168.10.52 -- instead of coming from 192.168.20.3 -- and refuse
it. The same is true the other way around, wh
On 8/2/22 3:15 PM, Grant Taylor via bind-users wrote:
It looks like you're dealing with A queries for the root domain. I've
blocked this, and similar queries, via iptables firewall in the past.
I've seen a number of responses to Robert's "Stopping ddos" thre
On 8/2/22 2:02 PM, Robert Moskowitz wrote:
Any best practices on this?
It looks like you're dealing with A queries for the root domain. I've
blocked this, and similar queries, via iptables firewall in the past.
Also, make sure that you apply the same BIND ACL to the cache that you
do for q
On 8/2/22 11:51 AM, Brown, William wrote:
Or perhaps some way of the client side deciding how to handle hard v./
soft failure.
Wouldn't this require the client side being aware of DNSSEC and making
decision based on it?
Maybe it's just me, but I think client application side DNSSEC
validati
On 8/1/22 4:21 PM, Greg Choules via bind-users wrote:
Off the top of my head, could it be this?
random-device
...
BIND will need a good source of randomness for crypto operations.
Drive by plug: If it is lack of entropy, try installing and running
Haveged. At least as a troubleshooting ai
Let's flip this on its head.
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
As some enterprise networks begin to engineer towards the concepts of
ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC
signing of an internal zone.
So why shouldn't the internal zone(s) be s
On 8/1/22 11:51 AM, John W. Blue via bind-users wrote:
However, the intent of the thread is to talk about the lack of an
AD flag from a non-public internal authoritative server. Based upon
what I am seeing only the AA flag is set.
There are multiple reasons to sign zones. The existence of th
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
While that extra overhead is true, it is more accurate to say that if
internal clients are talking directly to an authoritative server the AD
flag will not be set. You will only get the AA flag. So there is
nothing to be gained from signi
On 7/11/22 11:48 PM, Philip Prindeville wrote:
Hi,
Hi,
I have a remote subnet that has its own DHCP server, but wants to
update the domain which spans several locations and subnets.
What do I need to do on both ends (remote DHCP server and central
DNS server) to push updates over?
I would
On 5/23/22 5:55 PM, Lefteris Tsintjelis via bind-users wrote:
Nothing actually. Windows logs are clean. Unix logs also.
#trustTheBitsOnTheWire
#useTheSniffer
I'd start by capturing w/ tcpdump using the `-s 0` and `-w
/path/to/capture.pcapng` options. Then use Wireshark to analyze the
packet
On 5/23/22 4:30 AM, Nux wrote:
Hi,
Does anyone know whether it's possible to generate with Bind these kind
of A records automatically on the authoritative side, similar to
services like xip.io or nip.io? Eg:
127.0.0.1.nip.io -> 127.0.0.1
name.127.0.0.1.nip.io -> 127.0.0.1
and so on.
Does th
On 5/15/22 7:28 AM, Angus Clarke wrote:
Hi Grant
Hi Angus,
maybe, I'm reading up ...
poking around the manual, are you alluding to the "sortlist" directive?
Yes, that's what I was referring to.
So the concern with returning an ordered RRset is that the set could be
large:
Okay.
I assu
On 5/12/22 2:41 PM, Nick Tait via bind-users wrote:
This sounds like exactly the sort of use case for Response Policy Zones:
How are you going to have RPZ return different addresses for different
clients? Are you suggesting use different RPZs with different contents
for different clients?
On 5/12/22 6:30 AM, Angus Clarke wrote:
Hello
Hi,
With bind (and others) it seems that DNS views are the way to go,
Before stepping up to views I'd stop to ask the question, would
returning multiple IPs in a preferred sort order suffice?
BIND has the ability to sort RRs differently based
On 5/11/22 2:19 PM, Bob Harold wrote:
Not sure who set it up, but my DHCP servers have for some zones:
zone x.y.z.in-addr.arpa
{
primary 10.2.3.4;
}
I'm assuming that is BIND's named.conf syntax.
Which I believe overrides the MNAME lookup.
Doesn't that just tell BIND where to initiate
On 5/11/22 11:24 AM, Bob McDonald wrote:
It would seem that using an anycast cloud name (An anycast cloud
of the NS device IPs) for the MNAME might provide the same level of
distribution as per Windows. However, again, you run into the issues
of forwarded updates.
Another thing that I've see
On 5/8/22 5:58 AM, Tony Finch wrote:
Regarding anycast, it isn't necessary for internal authoritative
servers unless your organization is really huge (and probably not
even then): it is simpler to just use the DNS's standard reliability
features. All you need to do is have more than one authorit
On 5/5/22 1:35 PM, Maurício Penteado via bind-users wrote:
Hi folks,
Hi,
Thank you for the reply.
:-)
Unfortunately, I did not understand how I am supposed to add multiple
A-records for the same name to the zone-file to fix this issue.
Based on your first message, you already have mult
On 5/5/22 9:01 AM, Reindl Harald wrote:
by not adding multiple A-records for the same name to the zone-file
BIND doesn't know about docker on its own
Another option would be to leverage BIND's ability to sort A records
based on configured preference (in the config file, not the zone file)
based o
On 4/12/22 7:18 PM, Duchscher, Dave J via bind-users wrote:
We are dropping this configuration and looking at doing something else.
I'm sorry to hear that.
We have had intermittent issues with Slack, Microsoft, and a growing
list of domains. Even have one that consistently fails.
Are you ab
On 3/24/22 4:34 PM, Carl Byington via bind-users wrote:
Yes, the disconnect was my brain. I will try to plug that back in.
;-)
We've all had those days. Most of us will have them again.
How do you do that in /etc/hosts?
It's been a while, so I'm relying on memory, a.k.a. lossy media.
On 3/24/22 3:50 PM, Carl Byington via bind-users wrote:
In general, the domain exists with a bunch of existing names - www,
mail, etc. We just need to add one more (outbound) and tie it to the
ip address of their outbound mail server. I don't want to take over
their entire domain.
Fair enoug
On 3/24/22 10:02 AM, Carl Byington via bind-users wrote:
I think so.
Agreed.
Presumably to create those domains locally. Of course the rest of
the world won't see them.
1.0.0.127.in-addr.arpa. PTR outbound.example.com.
outbound.example.com A 127.0.0.1
What advantage does
On 3/1/22 5:35 AM, Matus UHLAR - fantomas wrote:
you are right, forwarding queries requires recursion.
Thank you for the confirmation Matus. :-)
--
Grant. . . .
unix || die
On 2/28/22 1:47 PM, Gregory Sloop wrote:
I figured before I beat my head against the wall for too long, I'd ask
the real experts! :)
I'm definitely not an expert. I don't even pretend to be one on T.V.
But I do wonder what, if any, sort of restrictions you are placing on
recursion on your sy
On 2/16/22 9:24 AM, G.W. Haywood via bind-users wrote:
FWIW I've been using DNSSEC with HE slaves since October 2017. I'm
happy to report that I've never had any problem with the service.
Please clarify if you are talking about DNSSEC for your own zone that
they are doing secondary transfers
On 2/16/22 7:35 AM, Mark Tinka wrote:
I was assuming Linux has something similar, where in userland, you have
the option to install which train of BIND you want, regardless of OS
version.
Most of the -- what I'll call -- binary distributions of Linux tend to
have a fairly small range of any g
On 2/15/22 1:07 AM, Bjørn Mork wrote:
You'll normally get a few update queries to the SOA MNAME if you
leave the real master there.
This was going through my mind as I read the thread.
Aside: BIND secondaries can be configured to forward such updates to
the hidden primary.
Whether you sho
On 1/4/22 4:37 AM, Ray Bellis wrote:
Better yet, use BIND's mirror zones feature so that the zone is also
DNSSEC validated.
Completely agreed. I think the type of authoritative information is
somewhat independent of the fact that any authoritative information exists.
IMHO, the strictures ag
On 1/3/22 10:57 AM, John Thurston wrote:
It must have a 'forward' zone defined on it for each of those stupid
domains. And yes, you are right . . at that point it is no longer only
performing recursion.
;-)
But there is no other way to do it. Even in a combined
recursive/authoritative design
On 1/3/22 12:15 AM, Borja Marcos wrote:
If you separate the roles it is much simpler to implement an effective
access control.
The problem I have with separating recursive and authoritative servers
has to do with internal LANs and things like Microsoft Active Directory
on non-globally-recogni
On 12/15/21 4:51 AM, Danilo Godec via bind-users wrote:
Hello,
Hi,
I'm noticing some unusual activity where 48 external IPs generated over
2M queries that have all been denied (just today):
15-Dec-2021 00:01:42.023 security: info: client @0x7f96180b3fe0
194.48.217.14#59698 (.): view outsid
On 12/9/21 12:18 AM, Harshith Mulky wrote:
Hello Experts
Hi,
I'm fairly certain that I'm not an expert, but I've dealt with BIND in
chroot recently.
I need some help with bind-chroot
We are running below version of bind and bind-chroot
bind-9.11.2-lp151.10.1.x86_64
bind-chrootenv-9.11.2-
On 12/2/21 9:59 AM, Fred Morris wrote:
Hello, Rear View RPZ (https://github.com/m3047/rear_view_rpz) is now
generally available: turn your local BIND resolver into a network
investigation enabler with locally generated PTR records.
Would you please elaborate on what Rear View RPZ does?
It see
On 11/18/21 3:14 AM, Mark Elkins wrote:
With IPv6 - you might want to use NSEC3 - as there can be huge holes in
the reverse zone. Make the bad guy work at guessing what is in the zone.
Be mindful of current efforts for minimizing NSEC3 rounds / iterations
which purportedly have a diminishing R
On 11/13/21 9:07 AM, Reindl Harald wrote:
but you have to deal with it
And? So?
We have to deal with all sorts of things. The need to do our job is not
in and of itself a reason to not do it.
you missed my second post!
No, order of reply vs reading.
* he needs the delegation
On 11/13/21 7:29 AM, Tony Finch wrote:
You should make sure that your public nameservers return a definite
nodata or NXDOMAIN reply for your private names, not REFUSED, nor a
referral to an RFC 1918 address. The latter two will cause resolvers
to retry, and the retries can become a large propor
On 11/13/21 12:59 AM, Reindl Harald wrote:
i doubt that any ISP out there would delegate to a private address and
when your bind is asked over its public IP a view won't work
ISP's willingness to do something is a policy decision and that's
completely different than their capability to do som
On 11/4/21 1:27 PM, Bruce Johnson via bind-users wrote:
named-checkconf -z revealed a name had been entered with underscores.
The person responsible has been sacked. (not really, merely reminded no
underscores are allowed in A records :-)
You might want to apologize to them.
Underscores are l
On 10/21/21 1:33 AM, Edwardo Garcia wrote:
Hai all,
Hi,
One of these is we have a number of reverse zones, a /19 in fact, they
are mostly GENERATE'd for regions with fixed gw and a few other local
custom PTRs
So 32 x /24s. Annoying, but not terrible to work with.
In our examples I have
On 9/9/21 10:29 AM, Ondřej Surý wrote:
I think the rndc reconfig should pick the new cert/key, but I am not
sure if we have actually implemented this.
Drive by comment:
Should BIND /need/ to take any action for a /reconfig/ if its
configuration hasn't changed? -- To me the configuration is
Tony's statements surprised me enough that I saved them for later deep
reading and pondering. That time has now come.
On 6/21/21 11:00 AM, Tony Finch wrote:
That advice is out of date: nowadays you should not put any localhost
entries in the DNS, because it can cause problems for web browser
se
On 5/30/21 9:24 AM, Richard T.A. Neal wrote:
I spent a little time this weekend setting-up BIND 9.17.13 on Ubuntu
21.04 and configuring the system as a recursive resolver offering DNS
over HTTPS using a LetsEncrypt certificate.
Nice work.
Is there any interest in me writing this up as a web a
On 5/23/21 9:27 AM, Ondřej Surý wrote:
Nope, that’s how you enter email to SOA with dot in user part as
the first dot gets converted to @.
#TodayIlearned
I agree with Ondřej. I think it's the missing $ in front of ORIGIN.
Remember the $ lines are directives to BIND and not zone data.
ORIGI
On 4/27/21 10:24 AM, Kevin A. McGrail wrote:
Agreed on the OT and good subject change.
:-)
For me, I wouldn't bind DNS to the eth0, just another attack surface
hence I would use local loopback.
I think the main reason to bind to eth0 / LAN is for when there are
multiple (mail) servers that
BIND-Users on topic content first:
#1 bind for a local caching DNS query server
I absolutely agree.
and change resolve.conf to 127.0.0.1 for the best RBL performance.
How much effective performance difference does the loopback interface
(lo) vs the local LAN interface (eth0) make?
Simil
On 4/26/21 2:45 PM, bamberg2000 via bind-users wrote:
Hi!
Hi,
BIND 9.11.5, I forward the request ("forward zone" or global "forward
first") to another server and I get NXDOMAIN. Is it possible to process
NXDOMAIN other than "redirect zone"? I just want to repeat the request
to another for
On 4/12/21 1:41 PM, Peter Coghlan wrote:
As far as I can see providing no response at all in any instance when
a code 5 refused response would normally be returned would be the
appropriate thing for my nameserver to do here and doing this would
cause no difficulties at all with any legitimate q
On 3/31/21 10:00 AM, Tony Finch wrote:
Because of this, if it's important for you to avoid multi-second
DNS lookup times ... you need to design your system so that the libc
resolver never tries to talk to a DNS server that isn't available.
I've seen various client OSs fail in really weird ways
On 3/25/21 9:19 AM, Olivier wrote:
Hello,
Hi,
I would like to implement a 3 hosts cluster with the following features:
I don't see anything conceptually wrong with what you've outlined.
Though I wouldn't call it a "cluster". To me a cluster is something
that is (as largely as possible) s
On 3/5/21 1:41 PM, Bruce Johnson wrote:
Turned out to be a dumdum mistake on my part. SELinux was set to
enforce…set it to permissive and voila! the .jnl file was created.
Ah.
That sounds like an SELinux policy problem. SELinux /should/ allow
named to create journal files.
A non-default loc
On 3/5/21 12:07 PM, Bruce Johnson wrote:
Fixing the permissions and restarting named got dynamic updating
working again, but new systems (ie names that are NOT already in
the Zone file ) are throwing errors about the journal file: error:
journal open failed: unexpected error
It seems like you
On 2/16/21 11:54 PM, Dario García Díaz-Miguel via bind-users wrote:
Hi everybody,
Hi,
Since I'm a little bit desperate with this issue, and after asking
this on reddit (r/sysadmin) and serverfault with low or none responses,
I think it would be worth half an hour or so to test stunnel. It