Re: automatic reverse and forwarding zones

2022-10-27 Thread Grant Taylor via bind-users
On 10/27/22 1:24 PM, Marco wrote: At least for IPv4, there are servers that reject connections from IPs that don't have a reverse zone with PTR record. Please elaborate. I've not heard of (unspecified type of) servers rejecting connections because of the lack of a PTR record. I have heard o

Re: automatic reverse and forwarding zones

2022-10-27 Thread Grant Taylor via bind-users
On 10/27/22 4:18 PM, Andrew Latham wrote: IRC for example will check for PTR and gate login. I know there are others but that came to mind quickly. In some regions having PTRs was a requirement. It has been years but I recall LACNIC required/desired PTRs be set. I wasn't aware of IRC's requir

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 10:07 AM, David Carvalho via bind-users wrote: My reverse zone file What is the origin of your zone file? 0-28.66.136.193.in-addr.arpa.? 1.0-28.66.136.193.in-addr.arpa. IN A 193.136.66.1 You seem to be using RFC 2317 Classless IN-ADDR.ARPA delegation. As such

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 10:54 AM, David Carvalho via bind-users wrote: Thanks for the replies. You're welcome. My reverse zone in named.conf. My secondary dns gets it automatically daily, along with the "di.ubi.pt.". ACK zone "0-28.66.136.193.in-addr.arpa." IN { allow-query { any; };

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 11:19 AM, David Carvalho via bind-users wrote: Thanks again. You're welcome again. :-) Probably. Am I supposed to, I have just 2 segments in this network (and 2 others on another work) ? Normally no, you're not supposed to /need/ to have a copy of an intermediate zone. Howeve

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 12:09 PM, Cuttler, Brian R (HEALTH) via bind-users wrote: My pointer zones are more like Zone "28.66.136.193.in-addr.arpa.", I've never had that leading "0-" Is that typical? What does it do? I invite you to go skim RFC 2317 -- Classless IN-ADDR.ARPA Delegation. TL;DR: 2317 is a

Re: Reverse lookups not working when Internet connection failed.

2022-11-04 Thread Grant Taylor via bind-users
On 11/4/22 2:07 PM, Mark Andrews wrote: Any ISP that offers these delegations should be allowing their customers to transfer the zone that contains the CNAMEs for the customer address space by default. I've had enough trouble getting ISPs to support 2317 delegation period. I think that asking

Re: Reverse lookups not working when Internet connection failed.

2022-11-05 Thread Grant Taylor via bind-users
On 11/5/22 4:32 AM, Ondřej Surý wrote: The IPv4 reverse zone is easy to scrape and stored for situations like this… just saying. Fair enough. Though if we're going to not officially sanctioned behavior, I'm inclined to create a local version of the 66.136.193.in-addr.arpa. zone that CNAMEs t

Re: Reverse lookups not working when Internet connection failed.

2022-11-06 Thread Grant Taylor via bind-users
On 11/6/22 11:12 AM, Carl Byington via bind-users wrote: or use $clientname.66.136.193.in-addr.arpa. as the intermediate zone which has a slight advantage when the same client has multiple disjoint parts of the same /24. I find that $CLIENTNAME or some other stand in for the client is a poten

Re: Reverse lookups not working when Internet connection failed.

2022-11-06 Thread Grant Taylor via bind-users
On 11/6/22 6:39 AM, Matus UHLAR - fantomas wrote: 3. allow your servers to fetch 66.136.193.in-addr.arpa. Is this 3rd step documented somewhere? I searched for it in RFC 2317 but didn't find it. Maybe I overlooked it. alternatively they can choose to 0/28.66.136.193.in-addr.arpa. or 0-1

Re: automatic reverse and forwarding zones

2022-11-07 Thread Grant Taylor via bind-users
On 11/7/22 9:08 AM, Matus UHLAR - fantomas wrote: I'm afraid that this problem can become really huge when someone creates a huge amount of generated records, e.g. using the proposed module. Even if BIND's cache is simply FIFO -- which I'm fairly certain that it's smarter than that -- and flushes a

Re: Reverse lookups not working when Internet connection failed.

2022-11-07 Thread Grant Taylor via bind-users
On 11/7/22 9:45 AM, Fred Morris wrote: The PUBLIC DNS is not secure against eavesdropping or parallel construction and never will be. Even if the information is out there, I believe there is an exposure risk for ISPs if they do something that makes it /easy/ to correlate customer / client res

Re: How to get the CNAME for a domain?

2017-01-11 Thread Grant Taylor via bind-users
On 01/10/2017 03:40 AM, Michelle Konzack wrote: Hello experts, /me looks over his shoulders wondering who's being addressed. I do not want to query the world, but only my own Name Server for CNAME configured (or not). Okay. ONLY use local data. Check. Currently I am updating my web adm

Re: Restricted bind to my domain only

2017-01-16 Thread Grant Taylor via bind-users
On 01/16/2017 08:17 AM, Luis Felipe Dominguez Vega wrote: Hello, I was searching in Google to find my problem, but I think that it is better to write to the list. I am using Bind with Samba 4 (with BIND_DLZ) serving the domain mtz.example.com, but I need to resolve through another server the queries to doma

Re: Best way to handle a delegation...

2017-01-21 Thread Grant Taylor via bind-users
On 01/20/2017 05:24 PM, Ray Van Dolson wrote: So I have domain.com, controlled by AD, but want to delegate subdomain.domain.com to an external DNS server on the Internet (Amazon Route53). Okay... This is easy to do for my external version of domain.com as I can just add subdomain.domain.com

Re: Best way to handle a delegation...

2017-01-21 Thread Grant Taylor via bind-users
On 01/21/2017 08:28 PM, Reindl Harald wrote: you can - the second one is a rbldnsd hosting our honeypot DNSBL I thought you could. But since I've not tried to do so myself, I wasn't 100% sure. Thank you for the confirmation. I also halfway expect that Ray's network may have something prec

Re: Clean up dynamic names

2017-02-13 Thread Grant Taylor via bind-users
On 02/08/2017 11:09 AM, Cuttler, Brian R (HEALTH) wrote: DHCP: I know DHCP will remove the info when the old lease expires, will it remove this information for me in the case of the device falling off line, and how can I accelerate that process so that I can reassign the printer tag to a new IP a

Re: views

2017-04-19 Thread Grant Taylor via bind-users
On 04/19/2017 03:37 AM, Tony Finch wrote: This is what the EDNS client subnet option is about. You can use it in BIND by adding "ecs" clauses to your address match lists for views or acls. However it isn't documented in the ARM and it has significant problems. See https://kb.isc.org/article/AA-01

Re: views

2017-04-19 Thread Grant Taylor via bind-users
On 04/19/2017 09:49 AM, Nico CARTRON wrote: Of course I meant +subnet / +nosubnet ;-) Thank you for the pointers Nico & Tony. I'm sure I'll find a way to get myself into trouble with what you've provided. -- Grant. . . . unix || die

Re: views

2017-04-19 Thread Grant Taylor via bind-users
On 04/19/2017 10:58 AM, Victoria Risk wrote: We have implemented ECS for recursive queries in 9.10.5-S, the subscriber preview edition of BIND, which will be released today. For now, ECS recursion is available only to users with a support contract with ISC. Development of this feature was a signi

Re: DNS forwarding

2017-05-22 Thread Grant Taylor via bind-users
On 05/22/2017 07:16 AM, Barry S. Finkel wrote: Maybe I am misinterpreting the problem. When I was managing a mixed AD-BIND DNS scenario, ALL of the computers used the BIND servers for their DNS resolution; none used the AD servers. But I had all of the AD zones slaved on my BIND servers, so the

Re: DNS forwarding

2017-05-22 Thread Grant Taylor via bind-users
On 05/22/2017 01:36 PM, Elias Pereira wrote: I was provisioning the AD in the wrong way. As we have our main DNS and it is authoritative for our domain "example.com" I needed to create a subdomain "sandom.example.com" so that AD DNS would be authoritative only for "samdom". You don't have t

Re: question about reverse zones and nsupdate

2017-06-07 Thread Grant Taylor via bind-users
On 06/07/2017 02:18 PM, kevin martin wrote: I have tried to setup a reverse zone as 10.10.in-addr.arpa and perform 'update add' commands sending addresses like 22.22.10.10.in-addr.arpa and 2.5.10.10.in-addr.arpa and, in all cases, the update fails with NOTZONE. bind complains "update failed: u

Re: "spare hosts" as personal DNS nameservers for 'mynew.org'

2017-07-12 Thread Grant Taylor via bind-users
On 07/12/2017 03:21 PM, b...@zq3q.org wrote: OK, I'm ready to consider other registrars, any suggestions would be appreciated. $Dynadot++ has been good to me. I can pay them via PayPal and they support DS records for DNSSEC if you eventually want to mess with that. - I think they were reaso

Re: DNS traffic accounting

2017-07-18 Thread Grant Taylor via bind-users
On 07/18/2017 09:09 AM, Abi Askushi wrote: I am trying to figure out how could I account the DNS traffic generated from clients in terms of bytes. My setup is a simple caching DNS with several clients querying the DNS server. I can measure the DNS traffic that is generated from the DNS server

Re: need to look up short names

2017-08-10 Thread Grant Taylor via bind-users
On 08/10/2017 06:21 PM, toddandmargo wrote: > Fedora 26 Fedora = Linux (vs Windows vs other) > I am stumped. I need to be able to look up short names on my local > network. ... > What am I missing? domain and / or search configuration in /etc/resolv.conf man resolv.conf -- Grant. . . . un

Re: need to look up short names

2017-08-11 Thread Grant Taylor via bind-users
On 08/10/2017 10:18 PM, /dev/rob0 wrote: Note that this still works for dig(1) and host(1) as per the OP's examples. But things like ping(1) and browsers will work with a search domain. Do you mean to say that the search / domain entry in /etc/resolv.conf does /not/ work for dig / host? (Or am

Re: DNS not resolving for a particular domain only

2017-08-11 Thread Grant Taylor via bind-users
On 08/11/2017 06:49 AM, U Zee via bind-users wrote: Any ideas please??? I'm seeing different A records returned depending on where I query from. As such I can only speculate that something related to DNS for a CDN is not working as desired. I'd suggest a packet capture of the client's DNS t

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor via bind-users
On 08/23/2017 01:58 PM, John Miller wrote: Finally, be _very_ careful about using the SPF qualifier "-all" to start out with. What you're saying there is that the only server authorized to _send_ mail for X.TLD is the one listed in the MX. Unless people are always logging directly into the mail

Re: Need DNS records help for single server (and IP), and multi-domain mail server.

2017-08-23 Thread Grant Taylor via bind-users
On 08/23/2017 01:28 PM, Tom Browder wrote: Given such a configuration described in the first paragraph, does the following set of DNS records for a domain look appropriate: # For each domain X.TLD: X.TLD. IN A 142.54.186.2. *.X.TLD. IN CNAME X.TLD. X.TLD.

Is it possible to filter (*.)wpad.* with RPZ?

2017-11-29 Thread Grant Taylor via bind-users
Is it possible to filter (*.)wpad.* with RPZ? Or do I need to look into Response Policy Service and try to filter that way? I've used RPZ for various different things over the years, but I don't quite know how to match a wild card on the right hand side. Context: I'd like to prevent ""misco

Re: Is it possible to filter (*.)wpad.* with RPZ?

2017-11-30 Thread Grant Taylor via bind-users
On 11/30/2017 12:04 AM, Daniel Stirnimann wrote: I doubt you can use RPZ for that. The testing that I did made me think that RPZ wouldn't be able to do it. I wonder if Response Policy Service (DNSRPS) can do it. We use https://dnsdist.org/ for that, our rule: -- WPAD Name Collission Vulnera

Re: DNSSEC validation without current time

2017-12-15 Thread Grant Taylor via bind-users
On 12/15/2017 08:10 AM, Timothe Litt wrote: I use a 19xLVC too (On Raspbian == Debian). But I also have an RTC. GPS does have outages, can take a while to get a fix, and NTP wants consensus. So I use my GPS receiver as a local clock source (preferred), but also configure several servers fr

Re: Max slaves limit?

2017-12-18 Thread Grant Taylor via bind-users
On 12/18/2017 12:24 PM, Bob McDonald wrote: I've seen cases where folks have added all of the Domain Controller addresses for an AD forest to the NS list for a domain. I believe that DCs do this by themselves if they are using MS-DNS. (I think the netlogon service does a dynamic DNS update an

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Grant Taylor via bind-users
On 12/20/2017 06:27 AM, MAYER Hans wrote: And I don't want that these static names can be changed by someone out of an IP range where it is allowed. I didn't find any hint to block certain IP ranges from being updated within a dynamic zone. I don't remember the specifics, but there is a way built

Re: DDNS - limitation and excluding updates from certain networks

2017-12-20 Thread Grant Taylor via bind-users
On 12/20/2017 10:40 AM, Grant Taylor via bind-users wrote: I don't remember the specifics, but there is a way built into BIND to do what you are wanting. Well, my GoogleFu seems to be working today: Link - DNS Dynamic Update (DNS and BIND, 4th Edition) - https://docstore.mik.ua/o

Re: Zone give from one second to another error...

2017-12-23 Thread Grant Taylor via bind-users
On 12/23/2017 08:22 PM, Michelle Konzack wrote: > So, what's going on here? I get timeouts while trying to talk to dns2.tamay-dogan.net. and dns1.tamay-dogan.net returns a SERVFAIL when I query for the SOA of tamay-dogan.net. I don't see dns3.tamay-dogan.net listed in the ADDITIONAL SECTION when q

Re: Zone give from one second to another error...

2017-12-23 Thread Grant Taylor via bind-users
On 12/23/2017 09:19 PM, Michelle Konzack wrote: > Now I have removed a third time the journal files and oh wonder, > it seems to work again. How can it be, that 3 journals out of sync > can block more than 2000 domains? Hum. I bet that there were log entries about the journal(s) being o

Re: Creating a blackhole zone...

2017-12-23 Thread Grant Taylor via bind-users
On 12/23/2017 02:11 PM, Michelle Konzack wrote: I try to blackhole several 1000 domains and try to redirect them to the host It looks like you're trying to load zones that are sharing a zone file in an effort to black hole them. I would strongly advise you look at Response Policy Zones as I

Re: Something is trying to update one of my domains...

2017-12-23 Thread Grant Taylor via bind-users
On 12/23/2017 11:07 PM, Michelle Konzack wrote: I have just discovered several entries of Dec 24 06:26:49 dns1 named[16591]: update-security: error: client +37.157.109.77#2936: update 'tdnet.eu/IN' denied Which is really bizarre, because this is the 4G/LTE IP of my ThinkPad T400 with Windows 7

Re: Creating a blackhole zone...

2017-12-24 Thread Grant Taylor via bind-users
On 12/24/2017 12:42 PM, Lee wrote: Is there a minimum version of bind one should be running before trying to use RPZ? in other words, v9.9.latest is OK or 9.10.latest or ??? I don't know when RPZ was introduced (I'd have to check release notes) but I've been using it for years. So I'd say gi

Re: Creating a blackhole zone...

2017-12-24 Thread Grant Taylor via bind-users
On 12/24/2017 01:25 PM, Lee wrote: So it looks like I'm upgrading to 9.11 before giving RPZ a try. If the version of BIND that you're running supports what you want out of RPZ, you can try it now. It will continue to work the same in newer versions. My understanding is that newer versions

Re: DDNS - limitation and excluding updates from certain networks

2017-12-25 Thread Grant Taylor via bind-users
On 12/25/2017 10:23 AM, MAYER Hans wrote: Hi Grant, Hi Hans, Many thanks for the detailed information. You're welcome. "update-policy" is new for me and maybe the solution. I have to dig deeper into the documentation. It's relatively new for me too. I think I became aware of it through

Re: [ASK] Block Malware Generate Random Subdomain, Domain and TLD

2018-01-17 Thread Grant Taylor via bind-users
On 01/17/2018 07:57 AM, Tony Finch wrote: I'm currently at UKNOF39 where we have just had a couple of talks about RPZ. One of the speakers talked about algorithmically generated malware domains: if you know the algorithm, you can pre-generate the malicious domains and add them to your RPZ in ad

Re: Reverse DNS conditional forwarding

2018-01-18 Thread Grant Taylor via bind-users
On 01/18/2018 03:44 AM, Matus UHLAR - fantomas wrote: what you search for is the Classless IN-ADDR.ARPA delegation, described in RFC2317 Classless IN-ADDR.ARPA delegation likely won't work if all IPs involved are not configured for it. I would suggest adding NS records to (re)delegate the (f

Re: Reverse DNS conditional forwarding

2018-01-18 Thread Grant Taylor via bind-users
On 01/18/2018 12:08 PM, Matus UHLAR - fantomas wrote: you can create something very similar, not necessarily classless. simply redirect reverse names via CNAME to other zone. very standard. Yes. But that requires that something is done in the authoritative / parent zone. what's the point o

Re: 9.11 can't validate sss.gov

2018-01-22 Thread Grant Taylor via bind-users
On 01/22/2018 09:21 AM, Warren Kumari wrote: http://www.sss.gov works OK, but http://sss.gov always seems to return "The requested service is temporarily unavailable. It is either overloaded or under maintenance. Please try later.". Inconsistency between related things is annoying. I guess pr

Re: intermittent SERVFAIL for high visible domains such as *.google.com

2018-01-23 Thread Grant Taylor via bind-users
On 01/23/2018 05:25 AM, Brian J. Murrell wrote: It would be an interesting experiment to isolate the zone that receives DDNS updates for the DHCP clients onto a separate server to see if that makes this problem go away for the main server, but I don't have another machine to run another BIND on

Re: Reverse DNS conditional forwarding

2018-01-25 Thread Grant Taylor via bind-users
On 01/25/2018 07:29 AM, Matus UHLAR - fantomas wrote: so, in fact you want the whole zone locally, override anything you like, but forward some records to other servers? Yes. DNS does not work that way. I have successfully used this technique many times, including for resolvers in the wild

Re: Hostname Not Resolving Outside Domain

2018-01-30 Thread Grant Taylor via bind-users
On 01/29/2018 02:51 PM, Reineman, Rick wrote: This happens all the time. Bang head against problem, give up and ask for help, figure it out thirty minutes later. Yep. I learned a long time ago that it's more expedient to ask the question so that you can find the solution on my own 30 minutes

Re: Minimum TTL?

2018-02-08 Thread Grant Taylor via bind-users
On 02/08/2018 08:51 AM, Mukund Sivaraman wrote: Also, just for argument's sake, one user wants to extend TTLs to 5s. Another wants 60s TTLs. What is OK and what is going too far? I think what is "OK" is up to each administrator. Obviously the zone administrators have decided that they want peo

Re: Minimum TTL?

2018-02-09 Thread Grant Taylor via bind-users
On 02/09/2018 09:37 AM, Barry Margolin wrote: As long as you understand the implications of what you're doing? I don't think my level of understanding has any impact on my ability to override what the zone publisher sets the desired TTL (or any value) to be. I have the right to run my networ

Re: Minimum TTL?

2018-02-09 Thread Grant Taylor via bind-users
On 02/09/2018 05:26 PM, @lbutlr wrote: But to answer your question, off-hand, I'd say that any TTL under 60s is suspicious and any TTL under 10s is almost certainly intentionally abusive. I thought there was a lower recommended boundary, particularly to detect and avoid things like fast flux.

Re: Minimum TTL?

2018-02-10 Thread Grant Taylor via bind-users
On 02/10/2018 12:15 PM, Barry Margolin wrote: Just because you have the right to do something doesn't mean it's a reasonable thing to do. I never meant to imply that it was the reasonable thing to do. I meant to imply that it is my choice how I run my servers. And if you're offering a service

Re: DNS Server sizing guide?

2018-03-27 Thread Grant Taylor via bind-users
On 03/27/2018 08:54 PM, Blason R wrote: Is there any DNS sizing guide available? I have created a sinkhole server which is catering around 25 - 30 zones loaded with 4 CPU and 8 GB RAM. I am daily adding around 1-5k of zones. I don't have an answer to your question. But I do wonder why

Re: DNS Server sizing guide?

2018-03-28 Thread Grant Taylor via bind-users
On 03/28/2018 12:51 AM, Blason R wrote: Interesting I didn't know that. Let me dig in..can I have few examples please? RPZ zones are effectively standard zones. The only difference is that the CNAME record is used to convey information to the RPZ engine (? is that an accurate description ?)

Re: DNS Server sizing guide?

2018-03-28 Thread Grant Taylor via bind-users
On 03/28/2018 08:31 PM, Blason R wrote: Right now I have around 27 zones added in DNS but that is with direct zones NO RPZ. And my config is 4 vCPU 8 GB RAM; it's running well with around 700 users :-) The only concern for me is I may need to re-write all my scripts to load those zones

Re: Stealth NS records

2018-04-04 Thread Grant Taylor via bind-users
On 04/03/2018 05:24 PM, Browne, Stuart via bind-users wrote: A number of places use a 'stealth' (or 'hidden') master as a bit of protection from potential bad actors. It's a network domain barrier between the master (usually on an internal-only network) from a public network with potential bad

Re: Which one performs good RPZ or Zones with Include statement

2018-04-18 Thread Grant Taylor via bind-users
On 04/18/2018 11:52 AM, Blason R wrote: Pertaining to my other thread since I am building a sinkhole server which will eventually have around 0.5 million zones or maybe 1 million, which one would you think will perform better? RPZ or include statements? I have 8 Core Processor and 32 GB of RAM

Re: Which one performs good RPZ or Zones with Include statement

2018-04-18 Thread Grant Taylor via bind-users
On 04/18/2018 12:56 PM, Blason R wrote: Will the performance be same, considering the number of zones I have or will have?? Multiple zones (read: classic non-RPZ method) will require more resources than a single zone (read: RPZ method). I typically view needing fewer resources as being faste

Re: How to wall garden the malicious domain

2018-04-19 Thread Grant Taylor via bind-users
On 04/18/2018 11:37 PM, Blason R wrote: I need to wall garden the malicious Domain request and instead route to that server itself. I assume that you are saying that you need to 1) filter malicious domains and 2) you want requests for them to be resolved to your (DNS?) server. e.g. my DNS s

Re: Can we block/detect DNS beacon channels?

2018-05-02 Thread Grant Taylor via bind-users
On 05/02/2018 12:23 PM, Blason R wrote: I would really appreciate if someone can shed light; if DNS based advanced attacks can be stopped using DNS RPZ? Like DNS beacon channels or Data Exfiltration through DNS queries. If you know fixed aspects of the queries / responses, you can very likely

Re: Can we block/detect DNS beacon channels?

2018-05-02 Thread Grant Taylor via bind-users
On 05/02/2018 12:59 PM, Blason R wrote: Well, the challenge is not implementing RPZ; that part is done, but now I'm wondering, as an advanced part, if such attacks can be detected as well as blocked by using RPZ? I guess one option I see is to deploy HIDS on the BIND server like suricata which will detect such att

Re: Dynamic zone vs static records

2018-05-03 Thread Grant Taylor via bind-users
On 05/03/2018 12:42 PM, Darcy Kevin (FCA) wrote: As far as I know, Domain Controllers still only maintain SRV records DCs, likely all member servers, and possibly all workstations (or the DHCP server on their behalf) will try to register A / and PTR records too. Also, updates to the AD

Re: Queries regarding Master/Slave

2018-05-05 Thread Grant Taylor via bind-users
On 05/05/2018 11:35 AM, Blason R wrote: > BTW on the slave dumped zones are not in a readable format I believe > those are kinda of mapping? There is a config option for the zone file format. I believe you want what's below. Try it and / or check the man page to confirm / refine to your prefere

Re: RPZ zone update how to sync

2018-05-18 Thread Grant Taylor via bind-users
On 05/18/2018 08:02 AM, Matus UHLAR - fantomas wrote: why? is there any logic in this? I can see a case where a hidden / internal master is used and only accessible by direct slaves in a DMZ. So the slaves in the DMZ act as a contact point for the world. -- Grant. . . . unix || die

Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Grant Taylor via bind-users
On 06/17/2018 09:43 AM, Blason R wrote: Can someone please guide if DNS exfiltration techniques can be identified using DNS RPZ? I don't think that Response Policy *Zone* can do what you want to do. (I've often wondered about this myself and have spent some time thinking about it.) Or do I

Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Grant Taylor via bind-users
On 06/17/2018 10:52 AM, Vadim Pavlov via bind-users wrote: DNSSEC can be used for infiltration/tunneling (when you get data from a DNS server) but there is a catch that such requests can be easily dropped. Will you please elaborate and provide a high level overview of how DNSSEC can be used f

Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Grant Taylor via bind-users
On 06/17/2018 11:18 AM, Vadim Pavlov via bind-users wrote: Just to be more clear. DNSSEC records can contain any content and can be used for infiltration/tunneling. Ah. I think I see. E.g. If you request DNSKEY record (you can encode your request in fqdn) you will get it exactly "as is". Int

Re: Data exfiltration using DNS RPZ

2018-06-17 Thread Grant Taylor via bind-users
On 06/17/2018 11:48 AM, Blason R wrote: Excellent Inputs guys and thanks a ton for your feedbacks. You're welcome. RPS is quite interesting and which one is commercial offering for the same? The best (read: quick) I have is Paul Vixie's email to OARC's DNS-Operations mailing list. Link -

Re: Domain name based multihome routing?

2018-06-26 Thread Grant Taylor via bind-users
On 06/25/2018 11:08 PM, Dale Mahalko wrote: * The secondary program looks up the domain in a database, which also includes the multihome destination for each domain. If a match is found, a route is created to that multihome destination. Aliased acceleration domains such as Akamai will be matche

Re: DNS can be a subdomain

2018-06-26 Thread Grant Taylor via bind-users
On 06/26/2018 05:20 PM, Elias Pereira wrote: since the samba needs to be authoritative on its own dns. Is that truly a requirement? I've not messed with AD on Samba. But I know that Windows servers just need the ability to update DNS. They do not need to be authoritative for it. Is this

Re: DNS can be a subdomain

2018-06-26 Thread Grant Taylor via bind-users
On 06/26/2018 06:21 PM, Elias Pereira wrote: yes. :) https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#Why_This_Matters Hum. After reading that section of the page you linked to, I'm not convinced that the DNS /must/ be on the Samba server. How would this work in the scenario I

Re: DNS can be a subdomain

2018-06-26 Thread Grant Taylor via bind-users
On 06/26/2018 10:21 PM, Mark Andrews wrote: And if you are not using AD you can use SIG(0) and KEY records to allow hosts to authenticate updates to the DNS for their own records. I'm not quite following. Do you mean that you can allow hosts to update their own RRs without requiring AD and us

Re: Domain name based multihome routing?

2018-06-27 Thread Grant Taylor via bind-users
On Jun 27, 2018, at 11:59 AM, Dale Mahalko wrote: > Guessing the potential background domains used by Microsoft / Steam, etc and > monitoring bandwidth used by those domains is unfortunately the only option > available. If you can get information on the IP addresses associated with their ASN(s)

Re: Domain name based multihome routing?

2018-06-27 Thread Grant Taylor via bind-users
On Jun 27, 2018, at 12:27 PM, Darcy Kevin (FCA) wrote: > I'm not convinced DNS has any valuable role to play here. I can see the value for services that have FQDNs that resolve to IP addresses outside of their ASN(s) like Google / YouTube. -- Grant. . . . unix || die

Re: DNS can be a subdomain

2018-06-27 Thread Grant Taylor via bind-users
I think we may be talking past each other. I was referring to (client) machine trust accounts inside of AD, not hostnames in DNS. I now think you are referring to the latter. I can see how that can work. -- Grant. . . . unix || die

Re: Authoritative dns with private IP for hostname

2018-07-27 Thread Grant Taylor via bind-users
On 07/27/2018 09:59 AM, Elias Pereira wrote: hello, Hi, Can an authoritative dns for a domain, eg mydomain.tdl, have a hostname, example, wordpress.mydomain.tdl with a private IP? Yes, an authoritative DNS server can have a private (non-globally-routed) IP address in the zone data. Howev

Re: Authoritative dns with private IP for hostname

2018-07-30 Thread Grant Taylor via bind-users
On 07/30/2018 04:54 PM, Elias Pereira wrote: Thanks to everyone that helped me!!! You're welcome. The Grant Taylor tuto works like a charm!!! :) I'm glad that it worked for you. Note: I call this technique "Apex Override". I believe the Apex Override technique can be used anywhere you want

Re: Authoritative dns with private IP for hostname

2018-07-31 Thread Grant Taylor via bind-users
On 07/30/2018 08:01 PM, Browne, Stuart via bind-users wrote: Be wary of DNAME's; they can be quite limited. ACK Here's an example from our old system: internal.   3600    IN  SOA mgmt1.mel.internal.local. sysadmin.external.com.au. 2014051201 28800 14400 360 86400 internal.   36

Re: Dropping queries from some well-known ports

2018-08-03 Thread Grant Taylor via bind-users
On 08/03/2018 12:00 PM, Petr Menšík wrote: Hi! Hi, Our internal support reached out to me with a question, why are some queries bound to low ports silently dropped. Please clarify if you're saying "bound to" as in the code that originated the query came from said port or if you mean queries that

Re: Reverse DNS record for my webhost

2018-08-06 Thread Grant Taylor via bind-users
On 08/06/2018 08:29 PM, A wrote: I have a VPS and requested my webhost to fix reverse DNS for my domain & IP.  They responded by telling me to provide them with the records I want. I found the following response to someone's question on the *Net*: Many ISPs will put in CNAME records wi

Re: Queries regarding forwarders

2018-08-08 Thread Grant Taylor via bind-users
On 08/08/2018 10:02 PM, Blason R wrote: Due to the architecture, since I have my internal DNS RPZ built, I wanted my other internal DNS servers to send traffic to the RPZ server and then RPZ would resolve on behalf of the client. Speaking of RPZ and forwarding… Does anyone know off hand if BIND, w

Re: Queries regarding forwarders

2018-08-09 Thread Grant Taylor via bind-users
On 08/09/2018 01:01 AM, Lee wrote: yes, it works just fine Good. it does, so you have to flag your local zones as rpz-passthru. eg: *.home.net CNAME rpz-passthru. localhost CNAME rpz-passthru. 8.0.0.0.127.rpz-ip CNAME . ; 127.0.0.0/8 8.0.0.0.10.rp

Re: Promote slave DNS server

2018-08-09 Thread Grant Taylor via bind-users
On 08/06/2018 07:40 AM, Leroy Tennison wrote: If there is already an ISC document I didn't find it, please provide the URL. I'm not aware of any such best practices type document. I too would be interested in reading it if it exists. I just added a slave of a master for disaster recovery an

Re: DNS and keepalived

2018-08-09 Thread Grant Taylor via bind-users
On 08/06/2018 08:14 AM, Leroy Tennison wrote: As previously posted, I just added a slave of a master for disaster recovery and now need to know how to promote it should the master be offline too long. Please see the reply that I just sent for details about how I handled this problem in the pa

Re: SRV record not working

2018-08-18 Thread Grant Taylor via bind-users
On 08/18/2018 07:25 AM, Bob McDonald wrote: I don't think anyone hates nslookup (well, maybe a few do). I suppose the immense dislike stems from the fact that it's the default utility under Windows. Folks who use dig as their default realize that when used properly, dig provides much more functi

Re: Local Slave copy of root zone

2018-08-20 Thread Grant Taylor via bind-users
On 08/20/2018 05:23 AM, Tony Finch wrote: If the local root zone gets corrupted somehow (maliciously or otherwise) the usual setup cannot detect a problem, but it'll cause DNSSEC validation failures downstream. The normal resolver / validator algorithm is more robust. The new mirror zone code

Re: Local Slave copy of root zone

2018-08-21 Thread Grant Taylor via bind-users
On 08/20/2018 11:06 PM, Doug Barton wrote: But that doesn't mean that slaving a zone, any zone, including the root, is "dangerous." If slaving zones is dangerous, the DNS is way more fragile than it already is. Sorry, poor choice of words. The last time I read the RFC discussing slaving the ro

Re: how two dns bind master sync?

2018-08-22 Thread Grant Taylor via bind-users
On 08/22/2018 01:15 AM, Zhengyu Pan wrote: In my application scenario, I have two masters. Each master connects to several slave DNS servers. When users update a zone, I update these two masters respectively in a for loop. However, when any master update fails, I will roll back. You know, whenever any up

Re: how two dns bind master sync?

2018-08-23 Thread Grant Taylor via bind-users
On 08/23/2018 01:20 PM, Barry S. Finkel wrote: Somehow, under the covers, AD synchronizes the zones so that they have the same content. It's my understanding that MS-DNS servers hosting AD Integrated zones are actually functioning as application layer gateways between DNS and data that's stor

Re: how two dns bind master sync?

2018-08-23 Thread Grant Taylor via bind-users
On 08/23/2018 02:15 PM, Grant Taylor via bind-users wrote: It's my understanding that MS-DNS servers hosting AD Integrated zones are actually functioning as application layer gateways between DNS and data that's stored in LDAP. My AD Guy confirms that the DNS data for Active

Re: Introductory DNS Books

2018-08-29 Thread Grant Taylor via bind-users
On 08/29/2018 04:05 AM, John Miller wrote: Does anyone know of a good intro-level book that explains how DNS works and gives a current overview of the different DNS servers out there? I'll argue that the basics have not changed. Get a good foundation of the basics and then add new deltas / r

Re: DNSSEC and secondary DNS servers

2018-09-08 Thread Grant Taylor via bind-users
On 09/08/2018 07:58 AM, @lbutlr wrote: what do I need to do for other DNS servers? I don't think you need to do anything special. The zone signatures come from and are managed by the master name server. The secondary name server(s) is (are) just additional servers with copies of the zone.

Re: load balancing

2018-09-18 Thread Grant Taylor via bind-users
On 09/18/2018 04:12 PM, SIMON BABY wrote: Do we support this with our current release? BIND has supported round robin DNS for a long time. -- Grant. . . . unix || die

Re: Strange DIG behavior on Windows 10:

2018-10-23 Thread Grant Taylor via bind-users
On 10/23/2018 04:21 PM, Timothy Metzinger wrote: At this point I’m stumped and welcome any suggestions. Trust the bits on the wire. What sort of outgoing DNS queries do you see when you run dig on the problematic system without specifying the DNS server? Can you find that server listed anyw

Re: resolve - send query via specific network device

2018-10-24 Thread Grant Taylor via bind-users
On 10/24/2018 03:58 AM, Matus UHLAR - fantomas wrote: It uses routing tables to decide this, so you can force it to use alternative route. It's also possible to use the routing table to specify which source IP is used for a given route. This is handy to specify the source IP to use if you ha

Re: Question about visibility

2018-10-24 Thread Grant Taylor via bind-users
On 10/24/2018 06:15 AM, G.W. Haywood via bind-users wrote: A server on a non-standard port is often neglected.  Its security may be less well maintained than one that is intentionally public. Why and how do you make that correlation? Are you implying that some people think that because they've

Re: Question about visibility

2018-10-24 Thread Grant Taylor via bind-users
On 10/24/2018 07:24 AM, Timothy Metzinger wrote: There's no security in obscurity. Obscurity by itself is not security. Obscurity can be one of many layers of security. Automated port scanners will sweep your system in a couple of seconds. Yes, automated scanners can scan all the ports on a s

Re: Queries regarding forwarders

2018-10-24 Thread Grant Taylor via bind-users
On 08/09/2018 01:01 AM, Lee wrote: it does, so you have to flag your local zones as rpz-passthru. Thank you again Lee. You gave me exactly what I needed and wanted to know. I finally got around to configuring my RPZ to filter IPv4 Special-Purpose Address Registry as per IANA's definition. (
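The two RPZ pieces discussed in this thread, Lee's rpz-passthru entries for local zones (in the 2018-08-09 message above) and the filtering of the IANA IPv4 Special-Purpose Address Registry that Grant describes here, belong in one policy zone, and the rpz-ip owner names are easy to get wrong by hand. The script below is an added example, not code from the thread or from ISC: it encodes CIDR prefixes into rpz-ip trigger names, emits a policy zone body, and checks which registry entry an answer address would hit. The registry subset is a constructed excerpt (the real registry has more entries), the local zone name home.arpa is a hypothetical stand-in for Lee's home.net, and the named.conf response-policy statement that loads the zone is assumed to exist.

```python
"""Build a BIND RPZ zone: passthru for local names, NXDOMAIN for answers
that fall inside IANA IPv4 special-purpose ranges (added example)."""
import ipaddress

# Constructed excerpt of the IANA IPv4 Special-Purpose Address Registry.
# Assumption: the live registry has further entries; extend as needed.
SPECIAL_PURPOSE_V4 = [
    "0.0.0.0/8",        # "this" network
    "10.0.0.0/8",       # private use (RFC 1918)
    "100.64.0.0/10",    # shared address space (CGN)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link local
    "172.16.0.0/12",    # private use (RFC 1918)
    "192.0.0.0/24",     # IETF protocol assignments
    "192.0.2.0/24",     # TEST-NET-1
    "192.168.0.0/16",   # private use (RFC 1918)
    "198.18.0.0/15",    # benchmarking
    "198.51.100.0/24",  # TEST-NET-2
    "203.0.113.0/24",   # TEST-NET-3
    "240.0.0.0/4",      # reserved
]

# Hypothetical local zones whose answers legitimately carry private addresses.
LOCAL_ZONES = ["localhost", "home.arpa"]


def rpz_ip_owner(cidr: str) -> str:
    """Encode an IPv4 prefix as an RPZ IP trigger: prefixlen.B4.B3.B2.B1.rpz-ip
    (192.0.2.0/24 -> 24.0.2.0.192.rpz-ip). strict=True rejects host bits."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4:
        raise ValueError("IPv6 triggers use the zz notation; IPv4 only here")
    octets = str(net.network_address).split(".")
    return f"{net.prefixlen}." + ".".join(reversed(octets)) + ".rpz-ip"


def longest_match(addr: str, cidrs=SPECIAL_PURPOSE_V4):
    """Return the most specific registry prefix containing addr, or None.
    BIND prefers the longest matching IP trigger, so this mirrors its choice."""
    ip = ipaddress.ip_address(addr)
    best = None
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None


def build_rpz_zone(origin="rpz.local", local_zones=LOCAL_ZONES,
                   blocked=SPECIAL_PURPOSE_V4, serial=1) -> str:
    """Emit the policy zone text. Relative owner names are completed with
    $ORIGIN, which is how BIND expects RPZ triggers to be written."""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA localhost. hostmaster.{origin}. {serial} 3600 900 604800 300",
        "@ IN NS localhost.",
        "; QNAME triggers: leave local names untouched (checked before IP triggers)",
    ]
    for zone in local_zones:
        lines.append(f"{zone} CNAME rpz-passthru.")
        lines.append(f"*.{zone} CNAME rpz-passthru.")  # wildcard skips the apex
    lines.append("; IP triggers: answers inside special-purpose ranges become NXDOMAIN")
    for cidr in blocked:
        lines.append(f"{rpz_ip_owner(cidr)} CNAME . ; {cidr}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz_zone())
    print("; 192.0.2.10 would hit:", longest_match("192.0.2.10"))
```

Within a single policy zone BIND evaluates QNAME triggers before IP triggers and PASSTHRU ends policy processing, so names under home.arpa may still answer with 10.0.0.0/8 addresses while any other name resolving to such an address is rewritten to NXDOMAIN (CNAME .), which is what makes this a useful DNS rebinding defence. The wildcard entry does not cover the zone apex, hence the paired apex and *.zone records. Load the result with response-policy { zone "rpz.local"; }; and a matching zone statement in named.conf.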
