Have patience.
When the various current DNS resolution mechanisms (systemd-resolved, stub
resolvers, resolv.conf, MDNS, on-LAN DNS servers which forward and cache,
"secure" lookup over TLS by the browser itself, etc.) are augmented by AI, it
will all work perfectly.
Or not.
--
On Sat, 1 Feb 2025 09:11:32 +0100
Ondřej Surý wrote:
> Hey,
>
> since you've asked about ISC recommendations and good practice,
> we prefer to use the current DNS terminology as defined in RFC 8499[1]
> that says:
>
> > Although early DNS RFCs such as [RFC1996] referred to this as a "master",
>
On Sat, 1 Feb 2025 14:47:35 +
Marc wrote:
"You have to get the bigger picture. Everything requires regulation otherwise
big tech is going to fuck you. There are enough examples out there."
The even bigger picture is that the regulators are sometimes even worse than
Big Tech.
no luck.
Thanks
with kind regards,
Paul Ssekamatte
Directorate for ICT Services (DICTS)
Makerere University
Mob: 0782-094368
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions
A quick follow-up for posterity, this was resolved by manually editing
the bind 9.18 zone files and removing all DNSSEC records.
On 2024-10-22 9:57 p.m., Paul Galbraith wrote:
I am getting this error with bind 9.20.2, when trying to delete an
record with nsupdate on the same host. Using
secondary_servers;
key transfer-key.galbraiths.ca;
};
update-policy {
grant local-ddns zonesub any;
};
};
Any insight would be greatly appreciated. Thanks,
Paul
— ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
On 21. 8. 2024, at 9:26, Paul Vixie wrote:
It worked with any policy source not just Farsight. However, is no longer
necessary since isc now has a native RPZ implementation. Thanks for that.
p vixie
On Aug 20, 2024 23:55, Ondřej Surý wrote:
Hello,
In line with ISC's deprecation policy, I am notifying the mailing list
of our intent
Could you send the email from another account (which doesn't use your DNS
server)? It's not too hard to set up a free account with services like Outlook,
Yahoo or (if desperate) Gmail.
On Mon, 03 Jun 2024 18:46:40 +0200
Thomas Barth via bind-users wrote:
> Hello,
>
> I cannot send them an em
be different. Please do not
> feel obligated to reply outside your normal working hours.
>
> On 28. 10. 2023, at 17:50, Paul Stead wrote:
>
>
> As a previous ISP admin I too have come across similar situations and
> frustrations.
>
> I can only say that Google and Cl
"it works everywhere else, you must be
broken"
Paul
On Sat, Oct 28, 2023, 3:56 PM Rick Frey wrote:
> As Mark mentions, the NS records gtm.bankeasy.com need to be corrected
> and failure is not due to lack of iterating through all auth nameservers
> (all of the auth nameservers
On 06-10-2023 at 10:39, Mark Andrews wrote:
You need to figure out what is updating the zone. This isn’t named.
Thanks for your answer.
It made me find the reason. See my other message.
With regards,
Paul
--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/
On 06-10-2023 at 10:28, Paul van der Vlis via bind-users wrote:
Hello,
I try to give a dynamic IP to a name, using nsupdate. This works fine,
but after some hours the IP is gone from the master (which I update).
Something like this:
Host home.customer.nl not found: 3(NXDOMAIN)
The IP is
ng about the removal in the logs. But I saw a "freeze"
and a "thaw" in the logs for the domain.
Any idea why the IP is removed after some time?
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://vandervlis.nl/
On Sat, 16 Sep 2023 10:22:26 +0100 (BST)
"G.W. Haywood via bind-users" wrote:
> Hi there,
> ...
> I'd be surprised if the OP couldn't manage with 2^20 IPs in a segment -
> but then I guess he does work in the .gov domain.
^^^
The OP's contact e
On Sat, 10 Jun 2023 19:24:03 +0200
Ondřej Surý wrote:
> You are over-complicating things. If unconfigured, named binds the outgoing
> UDP to 0.0.0.0 (::0), which means the chosen IP address is picked by the
> kernel. You need to configure priorities on your interfaces in the kernel -
> ip rout
op
of the list.
Anand has done a better job at describing this function in other software
than my attempts
Paul
On Sat, 11 Mar 2023, 17:16 Grant Taylor via bind-users, <
bind-users@lists.isc.org> wrote:
> Hi Paul,
>
> Thank you for explaining.
>
> On 3/10/23 12:21 AM, Pau
On Thu, 9 Mar 2023, 23:53 Grant Taylor via bind-users, <
bind-users@lists.isc.org> wrote:
> On 3/9/23 2:25 PM, Paul Stead wrote:
> > Chiming in to say +1 to Klaus' logic and sight of benefit here.
>
> Please forgive my ignorance in asking:
>
> Why doesn't
On Thu, 9 Mar 2023, 20:27 Klaus Darilion via bind-users, <
bind-users@lists.isc.org> wrote:
> > -Original Message-
> > From: bind-users On Behalf Of Mark
> > Andrews
> > Sent: Thursday, 9 March 2023 21:04
> >
> > Named just uses the notify to trigger an early refresh process
grant> I'd be interested in learning what other things /require/ or are
grant> at least predicated on having PTR records for IPs.
Been a few years since I last delved but was appalled at some of the
pointless uses of rev-ptrs. NYT used to require it to let you connect to
their website, as one such
On Wed, 3 Aug 2022 15:10:39 -0400
Timothe Litt wrote:
> Hmm. Your resolv.conf says that it's written by NetworkManager.
>
> What I suggested should have stopped it from updating resolv.conf.
>
> See
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_an
On Wed, 3 Aug 2022 13:47:41 +0200
Victor Johansson via bind-users wrote:
> Hey,
>
> I just want to add that there is a better way to do this in iptables
> with hashlimit. The normal rate limit in iptables is too crude.
>
> Below is an example from the rate-limit-chain, to which you simply send
There has been lots of discussion recently about DNSSEC issues, including
whether it's desirable to sign internal zones. Independent of this most recent
issue, a couple of weeks ago I did an informal survey, using DNSVIZ, of various
TLDs. I found the following rather surprising results:
DNS-VIZ
Agreed, but without the upstream provider actually fixing the issue I
couldn't find a way to provide resolution of this domain to my customers -
are there better ways to resolve this from our side?
There seems to be a document about this issue -
https://kb.isc.org/docs/aa-01387
Paul
On Fr
e DNS software seem to fall back gracefully
and resolve these problems
Paul
On Fri, 13 May 2022 at 13:51, Paul Stead wrote:
> I have noticed this, too,
>
> The problem seems to be related to edns - disabling edns for the upstream
> servers looks to resolve the issue, this can be seen with
along the lines of -
server 157.83.102.245 {
edns no;
};
for each of the problematic upstreams. I contacted Barclays a few months
ago about this, but never got a solid response.
Paul
On Fri, 13 May 2022 at 13:12, Ondřej Surý wrote:
> Hi Rainer,
>
> I believe this is unrelated to an
via cron. It
restarted early this morning and of course it failed to come up with no errors
in the log, making it difficult to troubleshoot ☹.
Paul
-Original Message-
From: bind-users On Behalf Of Reindl Harald
Sent: Tuesday, March 15, 2022 10:01 AM
To: bind-users@lists.isc.org
PKG
itself. Just wondering why that mistake took bind down and how I can get
more meaningful logs, even with a prepackaged bind version.
TIA
Paul
From: bind-users On Behalf Of Paul Amaral
via bind-users
Sent: Tuesday, March 15, 2022 9:08 AM
To: 'bind-users@lists.is
Hi, I realize this is related to CentOS, but all of a sudden chroot bind
failed to start up with any meaningful errors.
Anyone know what might be the issue here? I have no clue what the issue
is.
Paul
Job for named-chroot.service failed because the control process exited with
error code
On Thu, 17 Feb 2022 15:26:35 +0100
Ondřej Surý wrote:
...
> This is part of the problem - debugging on Windows is extremely painful and
> requires expertise with extremely high learning curve.
>
> --
> Ondřej Surý — ISC (He/Him)
I wonder if difficult debugging is deliberate -- it would certa
Hi Mark, and others,
On 25-10-2021 at 23:58, Mark Andrews wrote:
On 26 Oct 2021, at 08:02, Paul van der Vlis wrote:
Hello,
I've made some progress..
On 24-10-2021 at 21:39, Paul van der Vlis wrote:
(...)
I've tried to specify the "key-directory" in the bind confi
Hello,
I've made some progress..
On 24-10-2021 at 21:39, Paul van der Vlis wrote:
(...)
I've tried to specify the "key-directory" in the bind configuration, but
when I do that I get an error during "rndc reload", so I cannot specify
a key-directory. This
is is Bind 9.16.15 from Debian 11.
What am I doing wrong?
Does somebody know a good howto to get this working? I now use this:
https://certbot-dns-rfc2136.readthedocs.io/en/stable/
but in my opinion it's not complete enough.
With regards,
Paul
--
Paul van
On Tue, 6 Jul 2021 12:44:15 +
"MURTARI, JOHN" wrote:
> Folks, let me add my desire for a quick download dig supporting DoH. It
> could really help with some testing, some ready stuff for Ubuntu 18/20,
> Redhat/CentOS, could make a lot of people happy. Maybe the libs included
> and we s
It ought to be possible to write a front-end to listen on the standard control
channel and only forward (properly-keyed) 'status' requests to the "real" port
that BIND listens to.
From looking at the RNDC exchange via Wireshark however, you'd have to adapt
some of BIND's code that does the e
The site mxtoolbox.com has a suite of tools to check your DNS, email and Web
servers from the outside. They're easy to use and might turn up something.
On Fri, 11 Jun 2021 09:10:32 -0700
techli...@phpcoderusa.com wrote:
> Hi,
>
> The two domains I am working with on my SOHO home server are 1)
On Fri, 4 Jun 2021 13:58:40 -0700
Gregory Sloop wrote:
> This feels a lot like responding to trolls, but I'll instead assume that
> you're asking (or making a point) in good faith.
>
> So, we'll stipulate that - you're actually interested in truth and knowledge.
>
> So, it's easily compiled on
If you can have BIND log directly to a file, couldn't you use a FIFO
(prwxrwxrwx) or Unix domain socket (srwxrwxrwx) and avoid the disk I/O by
sending the log data directly to the forwarder? (E.g., Pulse Audio listens on a
socket for audio data from an application, and sends it in real-time to t
Actually, it's in keeping with the *original* definition of hacking!
On Sun, 9 May 2021 23:55:13 -0600
@lbutlr wrote:
> On 06 May 2021, at 09:57, Dennis Clarke via bind-users
> wrote:
> > I do NOT trust a build result where I had to go hacking into all the
> > Makefiles just to get it to buil
A couple of years ago, I tried using nsupdate to modify a dynamic (DHCP) IP
address for my very simple domain. It worked, except that it totally messed up
the organization of the zone file. Since the file only has 44 active lines
(which are organized logically), I maintain it by hand. After nsup
.539 security: info: client 92.204.191.45#2927 (sl): query
(cache) 'sl/ANY/IN' denied
This is not a complete list, but they all were on Apr 13 (and near your times).
==
On Tue, 13 Apr 2021 15:23:20 +0100 (WET-DST)
Pete
Interesting observation. I just did lookups on 4 recent (< 24 hrs ago)
'sl/ANY/IN' queries logged by our BIND and got:
2 Comcast cable IPs (hsd1.tx.comcast.net and hsd1.ma.comcast.net)
1 OVH Hosting IP (Montreal)
1 Afranet IP (Tehran!)
The whois info for the OVH IP contains the line:
Comment:
We also get *lots* of suspicious queries of the same kind, from various
privileged and unprivileged ports, which I'm pretty sure are DDoS attempts. For
example:
12-Apr-2021 23:44:17.767 security: info: client 107.213.131.17#80 (sl): query
(cache) 'sl/ANY/IN' denied
12-Apr-2021 23:44:19.477
Well said!
On Mon, 29 Mar 2021 16:11:54 +0100
Tony Finch wrote:
> alcol alcol wrote:
>
> > seriously? is like linux/unix FAQ 😄
>
> Please, if you can't be helpful, don't reply at all. We all have to learn
> somehow, and the best way to show your knowledge is to share it generously.
>
> T
Bruce, indeed the named is in
/Applications/Server.app/Contents/ServerRoot/usr/sbin/named.
> On Mar 26, 2021, at 12:20 PM, Bruce Johnson
> wrote:
>
>
>
>> On Mar 26, 2021, at 9:17 AM, Paul Cizmas wrote:
>>
>> Ondrej:
>>
>> Thank you - I in
and it is
/Applications/Server.app/Contents/ServerRoot/usr/sbin/named
When I ran rndc status I got
~$ rndc status
rndc: error: open: /Library/Server/named/rndc.key: permission denied
rndc: could not load rndc configuration
Thank you,
Paul
> On Mar 26, 2021, at 1:44 PM, Tony Finch wro
)
~$ named -v
BIND 9.9.7-P3 (Extended Support Version)
So, why is it still 9.9.7-P3?
Thank you,
Paul
> On Mar 26, 2021, at 9:25 AM, Ondřej Surý wrote:
>
> $ brew info bind
> bind: stable 9.16.13 (bottled), HEAD
> Implementation of the DNS protocols
> https://www.isc.org/bind/
Ondrej:
I did not think of doing it. Let me try. Thank you for your suggestion!
Paul
> On Mar 26, 2021, at 2:04 AM, Ondřej Surý wrote:
>
> Paul,
>
> why don’t you just install BIND 9 from Homebrew?
>
> Ondřej
> --
> Ondřej Surý — ISC (He/Him)
>
> My wor
-proctitle.lo] Error 1
> On Mar 25, 2021, at 10:58 PM, Larry Stone wrote:
>
> I’ve been building BIND on MacOS for years (currently on Catalina but has
> worked on almost the entire Mac OS X series.
>
>>
>> On Mar 25, 2021, at 7:50 PM, Paul Cizmas wrote:
>
Eddy, I fully agree with you. I wish I could do it. Unfortunately I failed to
install libuv from scratch and I took a shortcut by using homebrew (and now I
am paying for it, as I should).
Paul
> On Mar 25, 2021, at 11:05 PM, Eddy Hahn wrote:
>
> I do not use either of them because
I did use homebrew. It installed libuv 1.41.0 without any complaints. Is
there something I could do to manually point BIND to libuv?
Thank you,
Paul
> On Mar 25, 2021, at 10:12 PM, Mark Andrews wrote:
>
> libuv discovery requires pkg-config to be found. macports/homebrew insta
read_np.h... no
checking for libuv... checking for libuv >= 1.0.0... no
configure: error: libuv not found
I have libuv installed, however. It is version 1.41.0.
I would appreciate any suggestions on how to fix this.
Thank you,
Paul
Is there another command I should issue to stop BIND?
Thank you,
Paul
Our DMARC Policy has been "p=quarantine" since 30 Jun 2019, so I guess it won't
affect us. (It was "p=none" before that -- we only started using DKIM in Apr
2017.)
On Tue, 16 Feb 2021 20:54:30 + (UTC)
Dan Mahoney wrote:
> Greetings bind-users netizens.
>
> Dan Mahoney, ISC SysAdmin here.
interface to be reactivated (if
it's a privileged port issue).
Just brainstorming.
Paul
On Fri, 12 Feb 2021 18:33:21 -0500
bindus...@prograde.net wrote:
> Greetings,
>
> I’ve been fighting a two-fold problem with named (bind 9.16.11) running on
> macOS.
>
> 1: If an e
I don't think tcpdump was installed by default with various versions of Debian
that I set up in the last few years for networking. I didn't bother to install
it, as its output is different enough (old fashioned?) from the sharks to be
annoying. It *was* installed with OpenSuSE 15.2 though. (Ope
I rather prefer tshark to tcpdump: it's essentially the command line version of
wireshark, and thus has wireshark's protocol "dissecting" abilities.
On Wed, 10 Feb 2021 22:20:08 +
"John W. Blue via bind-users" wrote:
> Three words: tcpdump and wireshark
>
> It is like peanut and jelly ..
Do you know about mxtoolbox.com? It (and other similar sites) does a good job
of diagnosing DNS-related problems. I use it now and then to check out my own
sites, as it gives a "second opinion".
In particular its "DNS Lookup" function reported the following for
"internet-dns1.state.ma.us"
Ty
It sounds to me like dnssec-verify is sending the output in question to STDERR
instead of STDOUT.
On Sat, 06 Feb 2021 19:02:28 +
Matthew Richardson wrote:
> I have been using Perl to do a reasonable amount of scripting, running bind
> utilities and processing the results into variables. T
of "Received:" headers. This would indicate that the duplication was caused by
an intermediate MTA. (The one I previously indicated was mx.pao1.isc.org, which
is the one and only MX for lists.isc.org.)
-Paul K.
On Tue, 24 Nov 2020 22:46:06 -0500
Jim Popovitch via bind-users wrote:
t 21:56 -0500, Paul Kosinski via bind-users wrote:
> > I've been getting two identical copies of recent posts to this list...
>
> Me too, but it's because of people hitting reply-all thinking that they
> are replying to the list and the poster. People really need to verify
I've been getting two identical copies of recent posts to this list
(such as this item). This only started happening in the past 24 hours
or so. Is anyone else seeing this?
Upon examination of the headers of the two copies, it looks like ISC's
list-servers are doing the duplication.
(The first p
With regard to using chroot, hasn't named/BIND long had the "-u" (user)
and "-t" (directory) options to accomplish the same thing more easily?
On Fri, 16 Oct 2020 12:47:35 -0500
Chuck Aurora wrote:
> /me catching up on earlier parts of this thread,
>
> On 2020-10-15 11:42, alcol alcol wrote:
>
The article is from 2016, probably before DNSSEC became so widespread.
But I would guess that their current overall approach is not a radical
departure from what was outlined in the article.
On Tue, 23 Jun 2020 13:41:18 +0200
Alessandro Vesely wrote:
> On 2020-06-05 9:29 p.m., Paul Kosin
A very interesting article on how China uses DNS (among other things)
to "control" Internet usage.
https://blog.thousandeyes.com/deconstructing-great-firewall-china/
rharolde> Thanks for the link. Lots of pieces to get working there. Not
rharolde> nearly as simple as TSIG. But good if you are already using
rharolde> Kerberos.
MS active directory is kerberos under the hood. You don't need to run a
classic mit/hesiod KDC to get GSS-TSIG to work. But it is crypti
> with my internet connection"
>
> > Even if your ISP allows it, chances are that other mail servers will reject
> > it
>
> that's a completely different story
>
> > On 5/2/20 3:30 PM, Paul Kosinski via bind-users wrote:
> >> H
How many ISPs allow traffic on port 25? My impression is that even many
(non-enterprise) business customers can't use port 25.
On Sat, 2 May 2020 09:28:54 +0200
Reindl Harald wrote:
> On 02.05.20 at 09:00, Michael De Roover wrote:
> > That's actually my biggest concern with DoH, ISP blocking.
I was pleased that I was able to get our two (successive) ISPs to set
up reverse DNS for our small number of IP addresses, and each twice to
change them when they moved us to new IP ranges (due to the
IPv4 crunch). It never even occurred to me that it might be possible to
have them dele
lient 134.0.217.53#27016 (WWw.imENT.cOm):
query: WWw.imENT.cOm IN A -E (216.55.100.245)
Dec 22 12:05:44 iment0 named[10333]: client 134.0.217.69#23417 (WWw.IMeNt.cOM):
query: WWw.IMeNt.cOM IN A -E (216.55.100.245)
Thanks,
Paul Kosinski
"... long ago adapted to using full numbers, including area codes, for
pretty much *all* phone dialing ..."
Except that that proved to be so onerous that people often use "speed
dialing" for commonly dialed numbers. (Not to mention the fact that
people usually address their friends and coworkers b
implied by the PTR lookup result of such a
group's external IP address, although unique, is usually not suitable.
Most can change without notice due to DHCP, and they also tend to be
something unworkable, like "c-66-31-152-1.hsd1.ma.comcast.net.".
On Mon, 30 Sep 2019 09:35:57 -0600
Pa
pemensik> I am aware search is a no-no in DNS community. However, is
pemensik> there any public documentation to this change? Is there RFC
pemensik> recommending not to use search or how it should be used,
pemensik> related to today's top level domains?
pemensik> While I agree it is dangerous, the
Testing how lists.isc.org handles DMARC "Quarantine" (and "Reject")
policy. The enterpr...@mozilla.org mailing list forwards such email in a
way that some recipients choke on it (i.e., can't validate it).
A *bank* not using DNSSEC?? Glad I don't have any money there.
On Sun, 16 Jun 2019 14:00:36 +0100 (BST)
"G.W. Haywood via bind-users" wrote:
> Hi there,
>
> On Sun, 16 Jun 2019, Mark Andrews wrote:
>
> > The servers for this zone are broken, they do not respond to
> > queries with DNS COOKI
from the GLTD to comcast’s DNS I even got, dig:
couldn't get address for 'dns101.comcast.net': no more at one point. Although
now it seems to be back to normal, not sure what to make of it.
Thanks for your reply Bob.
Paul
a
;; Query time: 26 msec
b
;; Query
'dns101.comcast.net': no more" so I doubt
it's a dig version issue.
Paul
;; Received 239 bytes from 192.5.6.30#53(192.5.6.30) in 32 ms
net. 172800 IN NS k.gtld-servers.net.
net. 172800 IN NS b.gtld-servers.net.
ne
DNS server tried
doing a new query it timeout on GTLD server to Comcast?
When I query directly to their DNS servers there is no latency, so I suspect
this is a link issue at Comcast affecting DNS?
TIA paul
; <<>> DiG 9.9.4-RedHat-9.9.4-61.el7_5.1 <<>> @192
ified?
On Mon, 4 Mar 2019 19:30:36 +0100
Matus UHLAR - fantomas wrote:
> >On 4 Mar 2019, at 16:20, Paul Kosinski wrote:
> >> provides our users with general caching DNS service for
> >> all other domains.
> >
> >[...]
> >
> >> Its "named.conf"
On 05-03-19 at 16:32, Matus UHLAR - fantomas wrote:
>>> On 05.03.19 14:41, Paul van der Vlis wrote:
>>>> This was a long time ago. In the meantime I have rebooted the server.
>>>>
>>>> What I see, is that the resolving does not work from othe
On 05-03-19 at 15:21, Matus UHLAR - fantomas wrote:
>>> On 05/03/2019 01:01, Paul van der Vlis wrote:
>>>> Not sure. It was a domain used for testing purposes.
>>>>
>>>> Before it was in /etc/bind/named.conf.local, but I removed it from
>>
On 05-03-19 at 11:51, Anand Buddhdev wrote:
> On 05/03/2019 01:01, Paul van der Vlis wrote:
>
>> Not sure. It was a domain used for testing purposes.
>>
>> Before it was in /etc/bind/named.conf.local, but I removed it from there.
>
> Did you run "rndc r
s zone added via "rndc addzone" originally?
Not sure. It was a domain used for testing purposes.
Before it was in /etc/bind/named.conf.local, but I removed it from there.
With regards,
Paul van der Vlis
> Regards,
>
>
> Jie
>
> * Paul van der Vlis wrote:
>
c/bind
root@ns1:/var/cache/bind# rgrep extensus.nl /var/cache/bind
Binary file /var/cache/bind/_default.nzd matches
I've also tried to add and remove it again, but I can't get rid of it.
Does somebody have an idea?
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux
We have a BIND server on our LAN which is authoritative for our ".local"
domain and also provides our users with general caching DNS service for
all other domains.
Its "named.conf" file doesn't list any "forwarders" any more, and
"forward-only" is gone, but it still has a leftover "recursion yes"
I haven't analyzed the details and pitfalls, but could a Web proxy
mechanism of some sort be of help? In particular, rather than having
your users directly access "teamviewer.org" (or whatever), have them
access "teamviewer.local", which is resolved by your internal DNS to a
specialized proxy se
I recently updated a couple servers that were running OpenBSD 6.3 with
bind 9.11.3 to OpenBSD 6.4 and bind 9.11.4pl2. Since then, I've been
getting a large number of "error sending response: would block" log
messages:
Nov 15 11:03:58 lisa named[79587]: client @0x6f2f02bc440
10.128.30.77#65198 (p64-
Maybe port scanners will find open ports pretty quickly, but I've found
that using non-standard ports is helpful in reducing traffic, at least.
For example, SSH on port 22 gets lots of SYNs but moving it elsewhere,
and making 22 totally unresponsive discourages most such attempts. This
increases se
Code refactoring is nothing compared to what Mozilla did to Firefox!
It's hard to believe they didn't change the name, given that they
totally changed the add-on interface and thereby removed so many of the
features that made Firefox our browser of choice.
On Thu, 20 Sep 2018 09:48:08 +0100 (BST
Hi Tony,
Thanks for your answer!
On 23-08-18 at 18:40, Tony Finch wrote:
> Paul van der Vlis wrote:
>>
>> Is it possible to sign the ZSK key permanently with the KSK key?
>> In this way I could keep the KSK key offline.
>
> The only(*) revocation mechanisms in DNS
Hello,
Is it possible to sign the ZSK key permanently with the KSK key?
If yes: how to do that?
In this way I could keep the KSK key offline.
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl
t, 18 Aug 2018 20:12:01 +0200
Reindl Harald wrote:
>
>
> On 18.08.2018 at 20:02, Paul Kosinski wrote:
> > When I started using Linux almost 20 years ago, I think there was
> > only nslookup, and no dig. So by habit, I tend to use it unless the
> > extra power of dig ou
When I started using Linux almost 20 years ago, I think there was only
nslookup, and no dig. So by habit, I tend to use it unless the extra
power of dig outweighs its extra complexity. I don't remember what I
used on Windows back when I was regularly using both.
On Sat, 18 Aug 2018 11:42:20 -0600
We have a couple of small domains whose DNS is served by BIND on our dedicated
machines. Almost 3 years ago we had set up DMARC records, and were getting
reports from various MXs every day until a couple of days ago (Aug 13). Then
they suddenly stopped!
Nothing in the BIND config or zone files
We do something somewhat similar with our LAN. We have a new cable
connection and an old DSL connection. The cable is 60x faster, but has
a dynamic IP and blocks various ports (esp. 25), so we keep the DSL so
we can send email directly etc.
Obviously, we don't want to stream video or even do much
Most of your replies seem not to address the (immediately
preceding) paragraph they appear to be responding to.
On Mon, 25 Jun 2018 22:15:07 +0200
Reindl Harald wrote:
>
>
> On 25.06.2018 at 22:01, Paul Kosinski wrote:
> > Somebody who has irresponsibly (and apparently want
dvertently assisting in the attack,
and should be contacted and asked to help in the remediation. (Note
that *their* resources, as well as yours, are being wasted.)
On Mon, 25 Jun 2018 17:47:23 +0200
Reindl Harald wrote:
> On 25.06.2018 at 17:37, Barry Margolin wrote:
> > In articl
se the query doesn't come until after
the connection is established.)
On Mon, 25 Jun 2018 15:32:44 +0200
Reindl Harald wrote:
>
>
> On 25.06.2018 at 05:39, Paul Kosinski wrote:
> > Is it possible to get BIND not to respond at all, thereby causing
> > a timeout on
Is it possible to get BIND not to respond at all, thereby causing
a timeout on the query? That would perhaps reduce load more than
NXDOMAIN or deleting the zone(s) would.
On Mon, 25 Jun 2018 00:03:09 +0200
jo...@hasig.de wrote:
> yes, but it minimizes the use of resources because the only answer
ycast?), and ensure we
can still meet the contracted SLAs. Basically it's a lot of work (+ cost) just
to "sort out" this Sophos mess.
I'd rather Sophos did their stuff over a separate TCP or UDP port rather than
hijacking DNS, but doubt they will listen to "littl