https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-automatic-interface-scan
Note the phrase "...and supported by the operating system...". Linux
capabilities must also be enabled (i.e. not *disabled* at build time) for
BIND to be able to keep scanning as addresses come and g
Hi Florian.
Well since you mention it, may we see your BIND configuration? Also "named
-V", please and, if you can, a packet capture (preferably binary pcap, not
just a few lines of tcpdump output) showing what your server is doing at
the time you see these messages in the logs.
Cheers, Greg
On F
Hi Neil.
Think about what a resolver is doing.
A client asks it a question, usually with the RD bit set, meaning
essentially, do whatever you have to do to get me my answer. So the
resolver attempts to find that answer, somehow.
If it already has it in cache, great. If it doesn't it may recurse,
The help text for delv says you can specify a source using -b, the same as
you can with dig:
Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] [q-class]
Where: domain is in the Domain Name System
q-class is one of (in,hs,ch,...) [default: in]
q-type is one of (a,any,mx,
Sure. Your decision, of course. But any network application is only going
to work if the underlying network supporting it doesn't do silly things
with its traffic.
On Thu, 22 May 2025 at 15:23, wrote:
> Thank you for all your assistance. I have made the decision to
> decommission Bind9 and insta
From the correct alias this time!
On Mon, 19 May 2025 at 22:46, Greg Choules
wrote:
> Your router (or your ISP behind it) is losing a lot of traffic. Here is a
> timeline of frames with explanations of each, which would have been so much
> simpler if you hadn't tried to hide your actual address
I was beaten to it!
It's called QNAME minimisation and is specified here:
https://datatracker.ietf.org/doc/html/rfc9156
In BIND it can be disabled with this statement:
https://bind9.readthedocs.io/en/v9.20.8/reference.html#namedconf-statement-qname-minimization
Hope that helps, Greg
On Thu, 15 M
127.anything is valid on the loopback interface as it is a /8. You will
have to add addresses as aliases, but that is easy. Read the man pages
first and check what addresses already exist on lo0. Ubuntu must have
gotten 127.0.0.53 from somewhere.
Get tcpdump and Wireshark working so you can see wha
@Danilo you are correct, the contents of /etc/resolv.conf are not set by
BIND and BIND itself does not use them. But all applications running on
that machine (including dig, unless you specify @) that want some
kind of name resolution will make OS system calls and then the OS *will*
use what's in r
Hi.
I also suspect it's not BIND, but how the OS is going about resolving names.
Test your running BIND by using dig (please, not nslookup) @127.0.0.1 for
domains you think you are having a problem with.
Also check /etc/resolv.conf and see what address(es) is/are listed as
nameservers.
Third, use
Hi.
That KB article shows you how to use TSIG keys as a view selector for zone
transfer.
If you want a single DNS server to give different answers to the same
question based on client IP then you *could* (though I'm NOT recommending
this, especially since it will be deprecated at some point) use "
Hi Marek.
Please can you show the config that used to work?
Please can you also explain why it is desired to create more views? Maybe
give an example of what you're trying to achieve.
In general, matching views is done top down - test clients against the
criteria in the first view. If they don't m
My take on this is that DNS resolver code is written to (try and) be as
fast and efficient as possible and work pretty much entirely in RAM because
that's the quickest storage available.
Anything that interrupts that and tries to access some external database,
however it's done, is bound to slow d
Please keep your replies on-list.
This should help you understand its purpose:
https://datatracker.ietf.org/doc/rfc9156/
Cheers, Greg
On Mon, 31 Mar 2025 at 11:12, Champion Xie wrote:
> Thank you for your information
> by the way how to implement QNAME minimisation with domain names starting
>
Hello.
The underscore character was an old method for performing QNAME
minimisation. Look in the CHANGES file for a note about it and the ARM for
more detailed information.
BIND 9.14 is five years old and has been unsupported for a long time.
Please update to 9.18 or 9.20, which contain many impro
Sending from the correct alias this time!
On Sun, 16 Mar 2025 at 09:03, Greg Choules
wrote:
> Thank you.
> The problem is that named is running as user "bind" but that user
> doesn't have file system permissions to create and write to files (the .jnl
> and .jbk files at least) in places that it
Hi Danjel.
Please send "ls -al" of both "/etc/bind" and "/etc/bind/zones"
Thanks, Greg
On Sat, 15 Mar 2025 at 16:32, Danjel Jungersen via bind-users <
bind-users@lists.isc.org> wrote:
> I'm so sorry, but I have to trouble you guys again.
>
> The help below helped, I have no errors from checkconf
Hi Neil.
I don't think there is. Perhaps you should suggest it in a Gitlab issue?
Just to be clear, though, please can you give an example of what you mean?
A real life one would be best. Either a binary pcap or +vvv to screen of
the query BIND makes and the REFUSED it receives followed by it retr
Hi Karol.
If I understand you correctly, the choice of address to use is up to you
and how it works best in your network. The DNS service addresses only need
to be relevant to the network they sit in and the clients that need to
reach them. In a private network, any 10 etc. address would work, as l
My 2p is...
You *shouldn't* do a lot of things, but people do anyway, because they can.
If you maintain your own DKIM records then deliberately adding a CNAME
upfront seems unnecessarily complicated. KISS.
If someone else hosts them and CNAME is a pragmatic way to achieve that
"ask them" behaviou
Hi.
An ACL can match other ACLs, meaning that you can include the name of one
ACL in the definition of another.
Your config is being interpreted as:
acl "tsg_acl" {
Start the definition of an ACL called "tsg_acl", which will be followed by
a list of things to match, each of which must end with a s
Hi Danjel.
To obtain a packet capture use tcpdump, which is probably installed
already. If not, add it using your preferred package manager.
You can dump to the screen, but I find it more useful to dump to a file,
which can then be analysed offline in Wireshark.
A typical capture command might be:
Hi.
Is this a question about BIND, or Unbound?
Note the name of the list.
On Fri, 14 Feb 2025 at 16:36, Rainer Duffner wrote:
> Hi,
>
> I have a setup where I have a BIND resolver behind an unbound resolver.
>
> The reason is that when I originally set this up, there was no way to
> integrate an
In that case, something's not right. Please send your "named.conf".
Cheers, Greg
On Thu, 6 Feb 2025 at 14:52, Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov> wrote:
> Greg,
>
>
>
> Yes, I did remove that stanza and restart the daemon, clean shutdown and
> restart, not just a reload.
> G
Hi Paul.
What's a "primary master" as opposed to (presumably?) a "secondary master"?
Maybe there are just too many combinations and permutations of type of box
for a single word to convey all meanings, though I haven't encountered any
yet. Even in an environment like Active Directory, where all se
Hi Brian.
I'm confused. In previous mails you confirmed that you had removed the hint
zone completely. To be absolutely clear what I meant before, it would look
something like this in named.conf:
...
options {
...
};
...
# zone "." {
#type hint;
#file "db.hint";
# };
I have shown that t
Hi Michal.
Please share your configuration and the zone file so that we can see what
you are trying to do.
Thanks, Greg
On Wed, 29 Jan 2025 at 08:28, Michal Bednář wrote:
> Hello,
> i try too make domain record map.domain.tld . I cannot make this in bind9.
> Map is probably keyword
> in zone fi
Hi Robert.
Having localhost in /etc/hosts works if both of these conditions are
satisfied, I think:
1) The client asking the question is on the same box.
2) /etc/nsswitch.conf has been configured to look in hosts first, DNS second
If the client is local but nsswitch says to do DNS first then names
Hi Karol.
You can run them both together, if you like. I think it comes down to a
personal choice between economics, simplicity, cleanliness of design and
performance. If you want your DNS server to handle many 1,000 QPS it might
be better dedicating resource to that and put Kea (I assume Kea?) on
Hi Roberto.
Instead of defining "." as type "static-stub" you should define it as type
"mirror". This shows you how:
https://bind9.readthedocs.io/en/v9.18.32/reference.html#namedconf-statement-type%20mirror
Cheers, Greg
On Fri, 27 Dec 2024 at 21:41, Roberto Braga
wrote:
> Hello, if you could he
Hi Brian.
You can't redirect your entire zone from inside the zone itself. CNAME
absolutely will not do it, by design (also DNAME).
The reason is, the way that DNS works. wadsworth.org has been delegated to
a bunch of DNS servers (see below), which are presumably run by you and
associated entities
Hi Brian.
Just checking; you removed or commented this config?
zone "." {
</gre_replace>
<gr_replace lines="237" cat="reformat" orig="zone &quot;.: {">
zone "." {
type hint;
file ;
};
A couple of points about dig:
1) The syntax dig (with no @) will send a query to the
address(es) defined as your system DNS. On a *x system this is defined in
/etc/resolv.conf with the "nameserve
Good idea, Brian. People should test more.
Hope it goes well. Packet captures and Wireshark are your friends.
Cheers, Greg
On Tue, 10 Dec 2024 at 15:25, Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov> wrote:
> Greg,
>
>
>
> I have a test server I will enable the changes on before I roll
And my point is that you just don't need that hint zone definition at
all, especially using custom NS in an environment such as this. Maybe try
commenting it out and see if it makes any difference.
Greg
On Tue, 10 Dec 2024 at 14:48, Cuttler, Brian R (HEALTH) <
brian.cutt...@health.ny.gov> wrote:
Hi Brian.
So in your config you still have a section like this?
zone ".: {
type hint;
file ;
};
You don't need it a) at all anyway, for the reason I gave and b) because
you are forwarding everything non-local and if you specify "forward only;"
for both global forwarding (last resort, simila
2024 at 07:26, Nick Tait via bind-users <
bind-users@lists.isc.org> wrote:
> On 10/12/2024 12:25, Greg Choules via bind-users wrote:
> > Actually you don't need it anyway, even if you are doing recursion, as
> > Internet root hints have been built into BIND for many year
Hi Brian.
If that's what you want to do; answer authoritatively from local zones you
own and forward everything else to Corporate, then you have it correct.
"forwarders {...etc" and "forward only;" go in the "options" block.
Since you are forwarding everything that's not local *and* disabling
recu
Hi Mike.
You're welcome. I know what it's like when you just don't get why something
isn't doing what you thought it should.
What are 10.0.2.10 and 10.0.2.11? You don't show them in your config, but
then you say "In summary: I'm trying to get 10.0.2.10 and 10.0.2.11 to
serve internal.exmaple.com ..
Hi Mike.
What version of BIND are you running?
Firstly, please clarify your question and example configuration.
You talk about "example.com" and subdomains of "exmaple.com", but your
config shows "example.net". It's not easy to understand exactly what you're
trying to achieve a) when your problem
Hi Dimitry.
Views are selected by any/all of "match-clients" and "match-destinations".
Once a view has been selected it is then completely responsible for
handling the query, so there is no automatic fall through to the next view.
However, in the "DE" view you could configure global forwarding/for
My bad. I spotted that afterwards.
On Thu, 28 Nov 2024 at 13:48, Anand Buddhdev wrote:
> On Tue, 26 Nov 2024 at 09:40, Greg Choules via bind-users <
> bind-users@lists.isc.org> wrote:
>
> Hi Greg,
>
> Running "named-checkconf -p" will print your entire nam
Hi Luis.
Running "named-checkconf -p" will print your entire named configuration,
following any include files. There *must* be a "controls" section in there
or rndc could not work, since, from the ARM:
> all communication with the server is authenticated with digital
signatures...
I encourage you t
From the ARM, when "rndc-confgen -a" is run:
> This option sets automatic rndc configuration, which creates a file
rndc.key in /etc (or a different sysconfdir specified when BIND was built)
that is read by both rndc and named on startup. The rndc.key file defines a
default command channel and auth
> *Cc:* "Duan Duan"<1422807...@qq.com>; "bind-users"<
> bind-users@lists.isc.org>;
> *Subject:* Re: How do I make my bind recursively support edns
>
> I suspect the OP meant ECS.
> --
> Mark Andrews
>
> On 24 Nov 2024, at 07:43, Greg Choules via b
Hi.
Please can you clarify what you mean and what you're trying to achieve?
EDNS support generally has existed in all versions of BIND for many years.
Cheers, Greg
On Sat, 23 Nov 2024 at 15:43, 从今以后 via bind-users
wrote:
> Hey ,guys
>
> How do I make my bind recursively support edns ?
>
> The o
Hi Danilo.
The CDS and CDNSKEY are published in your own zone, not anywhere else. You
can confirm this by doing a dig for them directly, or AXFR if you permit
transfers on your server.
They are intended for use with registrars that *do* support automatic DS
creation using one of them. If yours doe
Hi Steven.
As you said, `listen-on {...;};` tells BIND which addresses to register for
incoming traffic. This can be a list, not just one address. Any query
received on (say) 10.0.0.1 will be responded to from the same address.
It is possible to choose which address to use for outgoing queries/fet
Latest Chrome/Safari/Firefox on MacOS as well and it looks good for me. I
haven't needed to clear cookies or browsing data or anything, it just
worked.
My 9.20.0 is running locally on the Mac, installed via homebrew. Maybe try
that and see what you get?
Perhaps it's something to do with the enviro
Hi Håvard.
Have you tried a different browser? Having said that, I just started 9.20.0
with this config:
statistics-channels { inet 127.0.1.0 port 8080 ; };
Then pointed three different browsers at that address/port and it looks
fine to me in all of them.
Browsers tried were Chrome, Safari and Fir
Hi Grant.
That doesn't work for zones that then get used in a `response-policy`
block. In this case you *must* define a zone each time; so one (or up to
64) per view/instance of `response-policy`. Test it on your laptop/in a VM.
What this does mean is that (if you are using views) you *could* have
Hi Carlos.
If you have enough RAM it should be possible to create multiple views, each
with a zone (primary or secondary, up to you) that contains the RPZ data
for that view and a response-policy that uses that zone.
The limit on number of zones is per response-policy block. But if you're
using se
Hi John.
The reason is step 4c here:
https://datatracker.ietf.org/doc/html/rfc1034#section-5.3.3
The A record in the response is for a name that BIND wasn't asked for
(otherwise why a CNAME at all?), so in the interests of not just believing
random answers that might potentially poison the cache,
Hi.
Please, please, please upgrade your OS and BIND.
CentOS 6 went EoS 3 years ago, from what I can tell.
BIND 9.8 is 12 years old and there have been far too many changes and
security fixes in that time to list in a mail. If you want to see for
yourself, explore https://downloads.isc.org/isc/bind
Hi Gabe.
Prefetch still exists; reference here:
https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-prefetch
Hope that helps.
Greg
On Tue, 23 Jul 2024 at 17:36, Gabe Loyer wrote:
> In searching for documentation I can only find something for prefetch in
> 9.10, which appar
Hi Kees.
A few questions:
- What version of BIND are you running?
- How large (number of RRs) are your zones?
- What is the peak rate of dynamic updates?
- Do you have "max-journal-size" configured to anything?
- Are you perhaps getting short on disc storage in the place where BIND
keeps its files?
Hi Brian.
You need the NS record(s) in hints because this is what a resolver wants
first; the name(s) of the NS for a given zone.
Regarding "@" or ".", they amount to the same thing in my example, though
perhaps I was being a bit lazy and minimal.
@ represents the name of the zone (or the most rec
Correct.
On Fri, 28 Jun 2024, 12:54 Renzo Marengo, wrote:
> Ok very very interesting, and about this doubt?
>
> etc/resolv.conf in bind server is used only from client services ? E.g.
> ping tool
> I think bind9 dns service doesn't contact any /etc/resolv.conf, right?
>
> Thanks again
>
> Il gior
Hi again Renzo.
In general, BIND (and other resolvers) make non-recursive (aka iterative)
queries to authoritative servers, such as the roots and others.
- Clients (laptops etc.) make recursive queries to the DCs. If the DCs know
the answer they respond immediately; no forwarding needed.
- If th
Hi Renzo.
You're welcome.
1) Correct. You don't need forwarding for a simple resolver. Take a look at
the meaning of the RD flag in the BIND protocol header. This should help
you understand the difference between recursive and non-recursive queries.
2) No. See 1)
3) Yes. For a standard resolver fac
Hi Renzo.
Thank you for that. The hints look OK. A bit old, but they will work.
The first thing I would advise you to do as a matter of priority is to
upgrade BIND.
9.11 has been end-of-life for a few years and there have been many security
fixes since then. 9.18.27 is the current version.
You co
Hi Renzo.
Ah OK, I had it the wrong way round. AD DNS needs to resolve names in the
Internet on behalf of its clients, so it forwards to BIND.
In that case, two questions:
1) What version of BIND are you running? You can get this with "named -V"
2) What is in the file "named.ca"?
For a long time (
Hi Renzo.
Firstly, please can we see your BIND configuration and have the actual AD
domain name.
Secondly, BIND, or any other recursive DNS server, does not 'forward' to
the root servers, unless you have configured it explicitly to do so, which
would be a bad idea and not work anyway. It will recu
Hi Brian.
No problem. The server may tell the client (dig; please not nslookup)
information about where the answer came from, if 'minimal-responses' is set
to "no". Usually clients don't need to know that, so please take a look at
how m-r works:
https://bind9.readthedocs.io/en/latest/reference.html
Hi Brian.
Yes, you can define your own hint zone and tell BIND to use it. The
contents (I called the file "db.root" but the name is your choice) could be
as simple as:
@ 300 IN A 127.0.0.3
@ 300 IN NS @
which says for this zone (which will be called ".", coming next) the NS is
the same name and i
Hi Sami.
If you can, I would set up a new BIND (test) server running the current
code - 9.18.27 - next to your current production system and compare how
they behave: current code uses NS queries for qmin rather than _... A
queries. There may still be failures, but this would allow you to pinpoint
b
Hi Thomas.
Firstly, I doubt you actually need to kill and restart `named`. Flushing
the cache would probably work, either all of it or just selected names.
Secondly, take a packet capture of this happening and analyse what BIND is
really doing, in Wireshark.
- If it shows up that certain NS are ca
Hi Brian.
We're going to need some details please, like for starters:
- What's the domain being queried?
- A network diagram showing where your BIND server is and what it's
forwarding to.
- IP addresses of everything.
- A packet capture (binary pcap format, not a snippet or a screenshot) from
your
Adding my 2p, I would take that principle a step further.
Create a generic, unique SRV record that represents what you want to
happen. Then create specific CNAME records for each server. The reasons for
the extra, generic record are that it represents the service you want to
offer and all "server..
Hi.
In BIND, since 9.11, there is an option/view statement called
"minimal-any", which defaults to "no". That might be what you're after.
Cheers, Greg
On Sat, 20 Apr 2024 at 17:29, Amaury Van Pevenaeyge <
avanpevenae...@outlook.fr> wrote:
> Hello everyone,
>
> I've been looking for days and days
Hi Crist.
Firstly, DNS servers do not make recursive queries, unless they have been
configured to forward.
Secondly, please start a packet capture on your server (save to disc, so
you can analyse it later in Wireshark) then start BIND and make some test
queries to your server. Look at what your ser
Hi cjc.
My answers would be:
- Leave `dnssec-validation` alone (auto) and ensure your server has a path
to the Internet to make queries.
- Don't mess with root hints. The only time anyone should need to do this
is when running a completely captive server living in a custom namespace
that is NOT t
Hi Sami.
"allow-..." statements are to restrict from which sources *this* server
will accept messages, of whichever type.
On the secondary (slave), "allow-notify {192.168.56.154;};" will permit it
to process NOTIFY messages sent to it from the primary (master), but ignore
any others. Actually, this
Hi Amaury.
You should be able to do this by defining your own trust anchors. This
should explain what you need:
https://bind9.readthedocs.io/en/latest/dnssec-guide.html#trusted-keys-and-managed-keys
Have fun.
Greg
On Sat, 16 Mar 2024 at 13:38, Amaury Van Pevenaeyge <
avanpevenae...@outlook.fr> wr
Hi.
If I understand you correctly, you are trying to get your resolver to go to
two different places (main_hidden_dns_server and other_dns_server) for
answers to the same question, and then want it combine those answers into a
single response to the client, which contains PTR records for both names
Please don't encourage using "search" in resolv.conf or the Windows
equivalent. Search domains make queries take longer, impose unnecessary
load on resolvers and make diagnosis of issues harder because, when users
say "it doesn't work" you have no idea what it was that didn't work.
I tried using s
2nd $beverage consumed.
I have never liked sortlist since I inherited it 16 years ago in my
previous job.
For me it suffers from at least one fundamental problem:
- If a client, say at location "1", is given a bunch of sorted A records
with the server at location "1" first, what does the client do
Hi Wolfgang.
Firstly let me say that I have never been a fan of QoS. So I'm slightly
biased against the whole thing in the first place.
But regarding your comment "It’s not easy for the network to guess the
requirements of an application," I would disagree. Traffic classification
and setting of DS
Hi both.
You can't do it using ACLs. But you can do it using primaries. This is
hinted at in the section about the primaries statement, but not clearly
expanded on.
For example:
# define a primaries list called "also-notifed" (or anything you like).
Define as many lists as you need.
primaries also
Hi again.
Please start a packet capture on the auth server. This should do it:
sudo tcpdump -nvi any -c 1 -w mydns.pcap port 53
Then from pc1, please do these and copy/paste text output, not screenshots:
dig @172.16.0.254 pc1.reseau1.lan NS +norecurse
dig @172.16.0.254 pc1.reseau1.lan SOA +
Hi again and thanks for that.
I'm still not exactly clear on the setup. I think the auth server is
172.16.0.254 (I don't know what pc1 is).
But anyway, looking at your results I see the AA bit for everything. It
appears that these queries both went directly to the auth server because
recursion is d
Hi Michel.
Please can you send the following information:
- name and IP address of the authoritative server
- the full contents of the zone file for "reseau1.lan"
- name and IP address of the other server - what does this server do?
- What is the machine "pc1", on which you are running the digs?
-
Hi.
The existence of a `.jnl` file for the zone means that, at some point in
the past anyway, you *did* allow dynamic updates to this zone and some
updates were made, which were stored in the journal file.
I would like to ask a couple of questions:
1) What is the timeline of your investigation? Ma
Hi Michel.
You will get an authoritative answer (AA bit = 1) if the server is either
primary (master) or secondary (slave) for the QNAME (query name); in this
case "reseau1.lan". From the config snip you provided this is because you
have the config:
zone "reseau1.lan" {
type master;
...
};
If
I really wouldn't recommend that.
If you have to, create exceptions for domains that won't validate correctly
by using the "validate-except {..." statement.
In parallel with that, encourage people with broken domains to fix them,
which makes life better for all of us.
Cheers, Greg
On Tue, 12 Dec
Hello.
There are well known and documented issues with the zone "gov.in" and there
were some recent problems with "gov" as well.
Please search this mailing list archive for those domains and you may find
some useful hints, tips and information that explain and help you with your
own problem.
Cheer
Have you checked the routeing table on this server?
Without any other evidence, this looks to me like packets are going places
you aren't expecting.
In the first screenshot the query goes to 213.227.191.1 and apparently a
response doesn't come back until 4s later. When I try it using dig I get an
Hi there.
Can you send some information, for those unfamiliar with what you're trying
to do?
- Full BIND config
- IP addresses of relevant things, like interfaces of the servers on which
you are running BIND and of Teamviewer.
- What does Teamviewer need from DNS? What kinds of queries is it making
Hi Nick.
First question, does the internal zone *have* to keep the same name? As has
been said already, this is a fairly common setup done by people a long time
ago who usually didn't think through the consequences of their actions.
What follows assumes you could change the name of the internal zon
Hi Prashasti.
I'm on my phone, so I'll keep it brief.
- ditch both 9.8 and 9.11; install 9.18
- why are you forwarding to yourself? 127.0.0.1
- get binary packet captures and look at them in Wireshark to see what's
actually going on.
- real IPs please.
- why use "port xxx"?
Cheers, Greg
On Tue, 1
From the correct mail alias!
On Sat, 16 Sept 2023 at 21:50, Greg Choules
wrote:
> Hi Ged.
> 172.16/12 is not a special case. The whole problem (IMHO) stems from how
> humans have chosen to represent both IP addresses (v4; v6 are different and
> actually a little easier) AND DNS domain names; bo
Hi.
Although it is technically possible to do reverses on non-octet boundaries
(for example, see https://www.ietf.org/rfc/rfc2317.txt) it is a
complete pita, in my experience. Personally I would not head down that
path. Stick to /8, /16 or /24.
Cheers, Greg
On Sat, 16 Sept 2023 at 09:20, G.W. Hay
Hi John.
Sorry if this sounds picky, but a dot out of place in this game is the
difference between success and crash-n-burn.
Please can you show me EXACTLY what ...10.in-addr.arpa zones you have in
both sets of DNS?
From previous work with AD clients I think that, if it doesn't already
exist, M
Hi John.
Can you tell me a bit more please?
- What zones exist in both BIND and MS DNS for something.10.in-addr.arpa?
- Where are hosts auto registering to? I'd guess MS, but it would be good
to confirm.
- What does fragmentation look like? A few real examples would be useful.
I'm trying to underst
Hi Fred.
No, the sense is correct.
Imagine you have a server with a secondary zone of (say) "example.com",
which transfers data for that zone from a primary somewhere. The secondary
loads data received during a zone transfer straight into memory and uses it.
It is optional for the secondary to also
Hi Ben.
In short, kinda. "recursive-clients" limits the overall number of
concurrent recursive queries the server will handle.
For each of those queries there is also "clients-per-query", which limits
the number of different sources all asking the same question at the same
time. This is so that, fo
Hi Blason.
"incometax.gov.in" is a domain known to cause problems. Take a binary
packet capture and look at it in Wireshark. Also see this
https://dnsviz.net/d/incometax.gov.in/dnssec/
A workaround in BIND is to disable DNSSEC validation for just that domain
whilst leaving it on generally: see bel
You may already have BIND installed; most distros do. If not, it's easy.
You don't *have* to run named, but tools like this (and dig, particularly)
are very useful to have.
Do "which arpaname" to see if you have it already.
Cheers, Greg
On Thu, 24 Aug 2023 at 08:00, Marco wrote:
> Am 24.08.202
This time from the correct email alias!
On Mon, 17 Jul 2023 at 22:58, Greg Choules
wrote:
> Hi.
> Some observations:
> - Please don't use nslookup. Please use dig, it is much more versatile and
> gives much more information with which to try and interpret what might be
> going on.
> - If you're
Real data please:
- example queries (genuine, not invented for illustration)
- real domains
- real IP addresses
- packet captures
- both BIND server configs
- zone file contents
- startup logs
There are so many things it *could* be, the more information the better.
Cheers, Greg
On Sun, 16 Jul 20
Hi Sami.
In the "response-policy" block in your config, what (if anything) is the
value of the statement "qname-wait-recurse"?
If you do not have that set explicitly, please do "named -C" to list the
defaults and see what it is; probably "yes".
This parameter controls whether RPZ waits until succe