On 10/25/2018 03:25 PM, Lee wrote:
I feel like I'm missing something :(
I'll see if I can fill in below.
I read this
https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
and used RPZ to block anything coming from outside that might be
On 10/25/18 2:34 PM, N6Ghost wrote:
I want to move a core namespace to the load balancer but i want them to
let me assign them a new zone that's internally authoritative and use it
as the LB domain.
which would be:
cname name.domain.com -> newname.newzone.domain.com
they want:
cname name.domain.
On 10/25/2018 06:26 PM, Lee wrote:
If you're using those addresses internally it makes sense to filter them
from 'outside'.
That's what I thought.
I play those games at times also :) So it sounds like what I was
missing is that you like a challenge & are using more address space that
I thou
Is there a way to enforce a minimum TTL?
My initial searching indicated that ISC / BIND developers don't include
a way to do so on a matter of principle.
I'd like to enforce a minimum TTL of 5 minutes (300 seconds) on my
private BIND server at home. I'm wanting to use this as a method to
th
On 10/25/2018 09:27 PM, Mark Andrews wrote:
Use a browser that maintains its own address cache tied to the HTTP
session. That is the only way to safely deal with rebinding attacks.
Rebinding attacks have been known about for years. There is zero excuse
for not using a browser with such protec
On 10/26/2018 01:23 AM, Matus UHLAR - fantomas wrote:
there is not.
Thank you, Matus and Tony, for the direct answer.
using short TTLs is very risky, and forcing minimum TTL is apparently
not way to work around.
Understood. - I /think/ that I'm somewhat (dangerously?) informed and
/choos
On 10/26/2018 01:08 AM, N6Ghost wrote:
maybe it's just old habits,
Fair enough. I know that I have plenty of my own old (¿bad?) habits too.
I think it's a bad idea to build your infrastructure in a way that needs
forward zones to work. not when you can build it with proper delegation.
i just
On 10/26/2018 08:52 AM, Kevin Darcy wrote:
My basic rule of thumb is: use forwarding when connectivity constraints
require it. Those constraints may be architectural, e.g. a multi-tiered,
multi-layer network for security purposes, or may be the result of
screwups or unintended consequences, e.g
On 10/26/2018 11:11 AM, Brian Greer wrote:
You could set up a DNSMASQ / Unbound service as a front end, which then
queried bind. Both of those allow the setting of a minimum TTL (max of
3600 seconds in DNSMASQ). It cannot be done with bind by itself.
*nod*
I was aware that there were other res
On 10/29/2018 04:17 AM, Michał Kępień wrote:
Hi Grant,
Hi Michał,
You might want to keep an eye on:
https://gitlab.isc.org/isc-projects/bind9/issues/613
Indeed.
Thank you for bringing that to my attention.
I do appreciate the tools that I use having the options to do the things
tha
On 11/12/2018 04:57 AM, Sabri MJAHED (VINC) wrote:
Hi all,
Hi,
I want to have the same zone on multiple views, but i didn't find any
solution that ease the use of this.
I would think that the zone's "in-view" statement would do what you want.
I don't want to make 3 files of zone conf with
On 12/27/18 9:01 AM, Barry Margolin wrote:
The alternative is to have a separate zone for each address, and delegate
each of them to your server. So the parent zone would have:
It does not require a separate zone for each address. But it does
require some creative zone work.
; 1.0.192.in-ad
On 12/27/18 11:24 AM, John Levine wrote:
Well, there's those pesky old DNS standards, but we're used to software
working around screwed up zones.
Agreed. Which standard(s) does this run afoul of?
If the parent delegates a name to a child server, the child server must
have an SOA at that name
On 12/27/18 12:14 PM, John Levine wrote:
Well, yeah, like I said it's wrong but you can often get away with it.
}:-)
I'll admit that it's not 100% proper.
The DNS specs are a mess and the SOA at the top is poorly described in
1034 and 1035 (as is a lot of other stuff.) You'll definitely los
It has come to my attention that my answer to the following question
might not have been clear. So I'll try again.
First I want to be clear that I was discussing what the records should
be, RFC 2317 Classless IN-ADDR.ARPA Delegation (read: CNAME) or standard
NS delegation. I don't care how t
On 1/21/19 1:39 AM, ObNox wrote:
Hi,
Hi,
I'm trying to find a viable solution to my use case. Here is the context :
- Site 1 : ISC DHCP + ISC Bind and dynamic updates for example.net
Here, example.net is authoritative with views for different query sources.
There are plans to add a new sit
On 01/22/2019 08:12 AM, Jordan Tinsley wrote:
I get an error that named.service doesn’t exist. I may be overlooking
documentation somewhere, but I don’t see anything about this.
I don't think that the BIND source code includes distro / init daemon
specific scripts / files. It's going to be u
On 1/22/19 10:06 PM, ObNox wrote:
I'm not fully against this idea but I'm not comfortable with Site2/3
depending on Site1 for the updates.
Fair.
If for some reason Site1 is unreachable and a host tries to update the
DHCP lease, the DNS update would fail and the said host wouldn't be
reachabl
On 1/27/19 8:57 AM, John Levine wrote:
No. If that's what you want to do, I'd suggest looking at PowerDNS.
John, why would you recommend PowerDNS over BIND's DLZ options?
Rather what's wrong with DLZ that causes you to recommend a non-BIND
solution?
--
Grant. . . .
unix || die
On 01/28/2019 04:13 AM, Blason R wrote:
Thanks for the revert however, in my scenario I have Windows AD server
is being used as an authoritative DNS for example.local which has
forwarding set to BIND acting as a RPZ and wanting to see if we can
conceal this vulnerability on BIND.
Am I understa
On 01/28/2019 02:22 AM, Blason R wrote:
Can someone guide me on prevention and possible configuration in BIND
from DNS Re-bind attack?
Please clarify what you mean by "rebinding" and what you're trying to
protect against.
From one of your other messages, you indicate that you are already usin
On 01/29/2019 01:19 AM, ObNox wrote:
Hi,
Hi ObNox,
For that to work, I need to make sure every separated component works as
expected when configured separately.
Ah, yes. The joys / perils of testing discrete units individually and
then start plugging them together like Legos and making sur
On 01/29/2019 09:43 AM, Rick Dicaire wrote:
Wonder if you can use ddns zones with catalog zones, haven't tried it
myself...
Are you referring to the catalog zone itself allowing dynamic updates?
Or allowing dynamic updates to the zones that are listed in the catalog
zone(s)?
Thinking about
On 01/29/2019 02:41 PM, Rick Dicaire wrote:
Regardless how the change is stored, journal or zone file?
It's my understanding that dynamic update implies a journal file for the
zone. Meaning they are inseparably linked.
You can tell BIND to freeze & flush the changes from the journal to th
On 02/01/2019 08:31 AM, ObNox wrote:
Sorry for the late replies, I'm drowning with all the stuff I have to do
and getting late on every project.
It's all good.
Thank you for the follow up.
I always use this method. It's way slower but I end up having a better
understanding at each component
On 02/07/2019 07:02 PM, Paul Kosinski wrote:
I haven't analyzed the details and pitfalls, but could a Web proxy
mechanism of some sort be of help? In particular, rather than having
your users directly access "teamviewer.org" (or whatever), have them to
access "teamviewer.local", which is resolv
On 02/12/2019 03:45 PM, Kevin Darcy wrote:
"recursion no" is incompatible with *any* type of forwarding or
iterative resolution. Should only be used if *everything* you resolve is
from authoritative data, i.e. for a hosting-only BIND instance.
I know it's not yet an option and won't yet work f
On 02/20/2019 01:19 PM, King, Harold Clyde (Hal) wrote:
Can I create a root zone to define a wildcard pointing to our warning
page with one hostname defined going to a forward’ed DNS source? I could
just give it an IP, but can I forward that one domain to outside DNS
(Google or their NS reposit
On 02/21/2019 01:34 PM, @lbutlr via bind-users wrote:
I edited a zone file after issuing a rndc freeze command, added two new
sub zones, changed the serial number, saved the file, and then did an
rndc thaw.
I don't see an "rndc flush " in there.
Which means that BIND likely still has the jour
On 02/21/2019 02:03 PM, @lbutlr via bind-users wrote:
OK, but rndc flush example.com results in:
rndc: 'flush' failed: not found
*FACEpalm*
I'm sorry. I gave you the wrong command. You want "sync", not "flush".
My brain always thinks "flush the journal to disk" when it's really
supposed
On 2/21/19 6:28 PM, @lbutlr wrote:
rndc reload did not recreate (or at least update the time stamp) on the
.signed file.
Hum. Maybe it's something different about how you're doing DNSSEC than
I am.
I have BIND managing DNSSEC for me via "auto-dnssec maintain;". So I
don't get .signed file
Hi,
I need some help understanding why the following doesn't work as desired.
I want to 1) allow recursion from subnets defined in myACL, 2) block
recursion from the rest of the world, and 3) not return any additional
data to anybody.
options {
…
additional-from-auth no;
On 03/05/2019 10:51 AM, Tony Finch wrote:
There's an old entry in the CHANGES file:
912. [bug] Attempts to set the 'additional-from-cache' or
'additional-from-auth' option to 'no' in a
server with recursion enabled will now
On 03/05/2019 12:07 PM, Tony Finch wrote:
It's not clear to me where the zone cuts are, but I guess what you are
seeing is a referral when outside the allow-recursion ACL, so the server
thinks glue is required; and no additional data inside the allow-recursion
ACL because there's no referral when
On 3/17/19 5:13 AM, Stephan von Krawczynski wrote:
Hello all,
Hi,
I am using "BIND 9.13.7 (Development Release) " on arch
linux. Up to few days ago everything was fine using "certbot renew". I had
"allow-update" in nameds' global section, everything worked well. Updating
to the above versio
On 3/17/19 8:35 AM, Stephan von Krawczynski wrote:
In today's internet this is no niche any more.
Oh, there most certainly are niches today. I think there are more today
than there were before.
And the right tool means mostly "yet-another-host" because you then need
at least a cascade of t
On 3/17/19 2:37 PM, Alan Clegg wrote:
It turns out that this series of changes, taken as a whole, removed
allow-update as a global option.
That sounds like either an unintended consequence -or- a change in
anticipated ~> expected behavior by some people.
The question now becomes: Is there a
On 3/17/19 5:48 PM, @lbutlr wrote:
I disagree. I'd prefer the best decision be made by consensus of the
contributors rather than the community at large.
I agree that the decision should be made by the contributors / maintainers.
I'm saying that I think they should have data / information / opi
On 3/17/19 6:31 PM, Alan Clegg wrote:
The change was an unintended consequence ending up in what was thought
to have been the correct behavior all along, so.. Yes.
How many zones are you authoritative for?
I think most people on this list have forgotten how to count as low as
the number of z
On 3/18/19 7:57 AM, Alan Clegg wrote:
Let me say that I didn't mean to disparage or discount small operators.
I didn't take anything you said as disparaging or as if it was trying to
discount small operators.
You asked what seemed to me as legitimate questions. I tried to provide
what I th
On 3/18/19 1:32 PM, Victoria Risk wrote:
- We have decided to treat this change as a regression bug, and to fix
it in 9.14.1. Alan argued that we should hold 9.14.0 and fix it there:
however we have decided to go ahead with 9.14.0 with the change we
already made in allow-update, which we will
On 3/25/19 11:15 PM, Crist Clark wrote:
if they are cached and available, it will go ahead
and use them.
Does having the necessary information in an authoritative zone count as
available in this context?
On 4/26/19 1:14 PM, Gawan Re wrote:
Any help will be appreciated.
It's my understanding that recursion is required to answer any queries
not contained within local authoritative data.
Can you slave the delegated zone off of the server it's delegated to?
That would make your server have an a
On 5/20/19 4:34 AM, Matthijs Mekking wrote:
* It will make the code much easier to maintain, which is beneficial for
users too since that will mean in general less bugs, easier to find
bugs, and easier to extend it with new features.
Drive by 2¢ comment:
Is the existing DLV code causing a pro
On 5/28/19 10:16 AM, David Bank wrote:
I want to configure zurg so that it will refer ALL requests to buzz or
woody; however, when a request is made to resolve andy.internal.local or
sid.internal.local, then zurg rewrites those IPs from the 10. addresses
that buzz and woody know about to 192.16
On 5/28/19 11:13 AM, David Bank wrote:
Hello, Grant! Thanks for replying.
Hi.
You're welcome.
No - the bubble is its own world for the most part. No reason for
general 10/8 inhabitants to try to talk to 192.168/16 - the very, very
few hosts that need to talk in 192.168/16 already have
On 5/29/19 3:15 PM, Jon wrote:
Hi Grant,
Hi,
I don't usually wade in on these but I also believe RPZ would be the
simplest way to achieve this.
I tend to agree.
DNSSEC can complicate this a bit (requiring additional settings).
In order to keep the same zone working with 10. Addressing for
On 6/10/19 10:18 AM, Barry Margolin wrote:
Why would the original source port be close to any of these low port
numbers? Source ports should normally be ephemeral ports.
There has been some movement afoot in the last 10 years or so to use
more of the 65,535 ports as the source port for securit
On 6/7/19 8:44 PM, Mark Andrews wrote:
Named drops those ports as they can be used in reflection attacks.
Sane NAT developers avoid those ports for just that reason. The full
list is below.
I understand the logic behind avoiding potentially problematic ports.
But I don't understand the actua
On 6/10/19 3:29 PM, Mark Andrews wrote:
The primary issue here is that there is still source address spoofing
happening so you have to consider what if this packet was spoofed. DNS
uses UDP and is used as a reflector. The small services ports listed
generate reply traffic.
Additionally kpassw
On 6/10/19 4:56 PM, Mark Andrews wrote:
Named is already selective about what it doesn’t reply to.
* Packets < 12 octets (DNS header size) don’t get a reply.
* QR=1 doesn’t get a reply.
* Source port 0 doesn’t get a reply (source port 0 is “discard me”).
* Kpasswd doesn’t get FORMERR.
* echo, ch
Hi David,
On 6/11/19 2:05 PM, David Bank wrote:
About a week-and-a-half ago, I wrote into the list, looking for some
help configuring RPZ.
Thank you for the follow up with details on how someone else could
reproduce this for themselves if they find themselves with a similar
need / desire.
On 6/25/19 9:25 PM, Lefteris Tsintjelis via bind-users wrote:
Is it possible to apply temporary only update policy and never save or
modify anything to a zone file?
What would this functionally do?
Or are you wanting to update the zone contents without actually updating
the zone file on disk?
On 6/26/19 10:46 AM, Lefteris Tsintjelis via bind-users wrote:
Yes, exactly this. That is the reason I changed the actual zone disk
file permissions to root thinking that files would not be modifiable,
but bind surprised me there. I did not expect to change the file
ownership from root to bind!
On 6/26/19 1:17 PM, Lefteris Tsintjelis via bind-users wrote:
If I set it though, and named no longer has access to modify and rewrite
other files but its own, will it break things? What will happen in case
of a dynamic update like ACME in this case? Will the update go through?
I think that wo
On 6/29/19 12:30 PM, Lefteris Tsintjelis via bind-users wrote:
I prefer the text format and I always use masterfile-format text. I
am always tempted to check if everything is OK. Probably a waste of
time but I just feel safer if I can see things.
I'll argue that it doesn't matter (much) why yo
On 6/29/19 2:13 PM, Lefteris Tsintjelis via bind-users wrote:
Standard DNS mechanisms and poll would not work. Everything must
be done within 1 minute so notify MUST be used and therefore zone
serial must be increased and of course all secondaries MUST be online
and respond to the notify properl
On 6/30/19 3:38 AM, Lefteris Tsintjelis via bind-users wrote:
If you do it manually yes; if you do it automatically from a cron job,
everything is timed.
How does using a cron job change things?
Let's Encrypt (or other ACME providers) behaves the same way for manual
client operation as they d
On 6/30/19 11:34 AM, Grant Taylor via bind-users wrote:
I'm quite confident that Dynamic* zones are /NOT/ /required/ to support
automation of ACME client operation using DNS for authentication /
authorization.
That being said, I do think that Dynamic* zones are probably one of the
/e
On 7/3/19 2:04 PM, Lightner, Jeffrey wrote:
You have to use separate IPs for the separate views on the master and
the slave.
I thought you could use different TSIG keys to identify different zones
with a single IP at each end.
Is that not the case?
On 7/18/19 3:24 PM, John Thurston wrote:
I have a number of 'forward' zones defined. Many of them look exactly
the same except for their name. It would be helpful to abstract the
addresses of my forwarders out and name them only once. But I can't find
any way to do this.
An ACL doesn't make s
On 9/29/19 11:22 AM, John Robson via bind-users wrote:
Hi all,
Hi,
BUT - what I'd like to do is have `*.foo.example.org` (or even a
specific listing of subdomains) point to that IP as well - to enable
the various vhost based services on the test machines to be accessed
without having to mes
On 10/2/19 5:45 AM, John Robson via bind-users wrote:
Again - I am sure I've missed something obvious, but can't see what.
I'm not completely following what you're doing. But your wording causes
me to pause, make a comment, and ask for clarification.
Comment: slave (and master) is not the
On 10/9/19 8:19 AM, John Robson via bind-users wrote:
But I suspect that we're going to have to redo more of the DNS
infrastructure than just this at some point fairly soon - so to some
extent I'll let someone else fix it later... (I know)
If you can, save the poor future soul, possibly yourse
On 10/17/19 3:16 PM, CpServiceSPb . wrote:
But when Bind9 forwards queries to external servers, it does it via wan
interface but uses at the first onset server external IP as sources,
I'm not surprised by this.
which is not changed by SNAT or MASQUERADE Iptables.
It can be, but it depends on
On 12/26/19 7:48 PM, Edouard Guigné wrote:
I have set a bind server for my domain "pasteur-cayenne.fr" which is
primary authoritative zone server for this domain.
"pasteur-cayenne.fr" and "… this domain." are imperative.
Secondary servers for this domain are set to orange (ns6.oleane.net and
ns
On 12/27/19 7:04 AM, Matus UHLAR - fantomas wrote:
there's obviously something broken in this setup. You don't have to
call the ISP if the reverse DNS changes.
Why do you say that?
What do you see that's broken in the OP's configuration?
I personally didn't see anything broken. Hence why r
On 12/27/19 10:48 AM, Matus UHLAR - fantomas wrote:
I think that it should be either change local DNS or call ISP to change
it, not both at once. Having both usually creates/hides different kinds
of problems.
Yes, ideally the configuration lives in one place. Multi-master is
always problema
On 12/27/19 10:49 AM, Reindl Harald wrote:
in the real world they just delegate the reverse-zone to your nameserver
like it's done for our /24 range for years
Please clarify what the "reverse-zone" is that you're talking about. Is
it "246.2.186.in-addr.arpa." or "17.246.2.186.in-addr.arpa."?
On 12/27/19 1:22 PM, Reindl Harald wrote:
nobody out there will delegate single /255 IPs
I've had multiple different ISP's delegate reverse DNS for single IPs
(/32 or /128) multiple times.
Some used RFC 2317 Classless IN-ADDR.ARPA Delegation, others used
standard delegation.
Some ~> many
On 12/27/19 3:43 PM, Paul Kosinski via bind-users wrote:
P.S. Unfortunately our 2 current IPs, although adjacent, are not /31,
and thus would require 2 delegations
There's always going to be at least one record, be it an NS for
delegation or CNAME for 2317, for each IP that's not being delegat
On 12/30/19 1:34 PM, N6Ghost wrote:
1: is the IP space delegated or not?
What is delegated IP space in this context?
Are you referring to a separate prefix that is routed to the customer?
On 12/30/19 1:42 PM, N6Ghost wrote:
delegations are always by block... ie /20, /24, /25 etc
I feel like there is term conflation.
To me:
· Delegations are DNS and are done on the dot boundary.
· Routes are done on the block boundary.
The two can be related, but quite distinct.
On 12/30/19 12:07 PM, Matus UHLAR - fantomas wrote:
of course.
The idea of an ISP telling me how to configure my DNS server causes
indigestion, possibly severe.
My registrar, the parent domain owner / operator, doesn't get to tell me
how to configure my DNS server. The only thing they get
On 12/30/19 6:22 PM, N6Ghost wrote:
but generally you acquire IP space in blocks not single addresses.
and those blocks are what you use to build your internal and external
reverse zone files.
Agreed.
But you wouldn't be using RFC 2317 Classless IN-ADDR.ARPA delegation
because the reverse D
On 1/18/20 7:06 AM, N. Max Pierson wrote:
Hi List,
Hi M,
First off, I should note that I am a novice with administering Bind, so
please bear with me.
We all started somewhere. Hopefully we all continue to learn new
things. ;-)
We are looking to be more pro-active and security minded in
On 1/19/20 3:25 AM, N. Max Pierson wrote:
Hi Grant,
Hi,
I should have been a little more descriptive in the scenario by giving
the purpose of these name servers. They are basically being deployed
as a managed DNS service that we offer. We are a MSP for the most
part and the DNS infrastructu
On 1/19/20 4:01 AM, N. Max Pierson wrote:
I honestly couldn’t tell you either way as I have not even begun
to start to dive into DNSSEC.
I can recommend the following book from Michael W. Lucas / @mwlauthor
and say that it provides a good, actionable, introduction to DNSSEC.
Link - DNSSEC Ma
On 1/20/20 9:06 AM, N. Max Pierson wrote:
My terminology seems to be the issue here, so let me try and
rephrase/elaborate : )
;-)
I was not aware there was anything built in that would let you
add/remove/change the zone itself from the master.
Yes, Catalog Zones. I think it's only a few ye
On 1/20/20 6:28 AM, Brian J. Murrell wrote:
I'm really not sure about what the name of this feature I am going to
describe would be. I would probably call it an "overlay view". But I
am sure there are better names.
I get why you say "overlay view", but I think I'd try to avoid the
"overlay"
On 2/18/20 7:34 AM, Ward, Mike S wrote:
Hello all, I have a small problem, and I was wondering if someone could
help me. My bind9 dns gets a query for loopback. I have tried and tried
to define the word loopback in the dns as a forward zone with reverse
lookup, but doesn’t seem to take. I hav
On 11/27/24 05:09, Dimitry Bansikov wrote:
I need to simplify adding and removing a domain so that it is enough to
just add the zone file itself without editing the big list. Is this
possible?
Can you programmatically edit the file?
You might be able to re-structure the list of zone statement
On 12/1/24 11:30, Greg Choules via bind-users wrote:
However, in the "DE" view you could configure global forwarding/forward
only to the "default" view.
Would it be better to do this -- what I call loopback / trombone --
forwarding -or- leverage something like loading all zones in all views?
On 12/27/24 15:40, Roberto Braga wrote:
For this, I must use 2 servers:
I agree that you should use two servers. But I also believe you could
do what you're doing with one server, one OS image, and maybe even one
instance of BIND.
The first, like Recursive DNS itself, is what clients will
On 2/6/25 08:40, Greg Choules via bind-users wrote:
In DNS terms, for me, a "primary" has the single source of truth for
data in zones and a "secondary" transfers a temporary copy of that data
from a primary, or from another secondary (though daisy chain
secondaries at your peril). All are auth
On 1/30/25 3:25 PM, Fred Morris wrote:
I don't think everything on the planet needs to support encryption
out of the box if composable components are available.
I'm inclined to agree with you.
However, the only rebuttal that I've heard which I give any serious
credence to is the ability for t
Hi,
I'd appreciate some help in getting just the PTR record from the
following dig command:
dig +short -x 192.0.2.1
With the following germane content from the respective zones:
1.2.0.192.in-addr.arpa. IN CNAME nic.host.example.net.
nic.host.example.net. IN
On 1/8/25 10:14 AM, John Thurston wrote:
You may want those services co-hosted today. But if you want to separate
them next year, your life will be easier if they had unique IP addresses
from the start.
I agree that different IPs for each service is more flexible.
Though I've never found it d
On 1/24/25 17:09, phil via bind-users wrote:
ftr ubuntu also ships bind with a db.local file
I wonder if we're dancing around what upstream from ISC ships vs what
distros create therefrom and ship.
I'll have to check my copies of the venerable BIND book to be sure, but
I believe that it and
On 1/27/25 07:02, Carlos Horowicz via bind-users wrote:
IMHO this has nothing to do with DNSSEC,
HEAVYsigh
Why do things seem to focus on the encryption of DNS traffic and ignore
authentication of the information?
I'm sure that all of us are aware that it's perfectly possible for a DoT
/ D
On 12/24/24 09:54, G.W. Haywood wrote:
You can do that sort of thing on the fly. I'd probably be thinking
along the lines of Apache and mod_rewrite
mod_rewrite alters / translates / permutes the request as it comes into
Apache to some different path in the back-end.
You could also accompli
On 3/19/25 10:02 AM, Ondřej Surý wrote:
Thinking aloud - perhaps, we can extend the plugin API (and RPZ) in a
way to add the classification to the message processing and then the RPZ
processing could read the classification and take an action?
This sounds like my understanding of what the Resp
Hi,
I get the impression that I'm still misunderstanding you or perhaps we
don't have the same understanding of RPS / DLZ. Perhaps I need more coffee.
On 3/21/25 2:31 AM, Mónika Kiss wrote:
* Instead, I want the plugin to dynamically query this data by calling
my existing C program or
On 3/19/25 9:40 AM, Mónika Kiss wrote:
I have a domain categorization program written in C that dynamically
determines the risk level of a queried domain.
I need to integrate this categorization logic into a BIND 9 plugin that:
Mónika, have you looked into Dynamically Loadable Zones? You migh
On 5/22/25 9:23 AM, Karol Nowicki via bind-users wrote:
Does ISC Bind software natively have any dns tunneling prevention
embedded?
I don't think there is anything that I would describe that way. But
there may be some rate limiting option(s) that you could use to at least
cripple using DNS
On 5/23/25 8:53 PM, Fred Morris wrote:
If you fail in an outright, reproducible, measurable fashion you give
your opponent predictability and confidence. As a defender you want to
undermine that and look like an under-resourced, poorly administered
network that somehow, we don't know exactly ho
New-Subject: host vs subnet routes
Old-Subject: BIND doesn't listen to other loopback addresses
On 7/6/25 1:02 AM, Ondřej Surý wrote:
The IPv4 loopback is actually quite weird in this regard that
127.0.0.1/8 is assigned by everything in 127/8 automagically works
without explicit address assig