Re: Can't modify an existing SPF record

Hi Roberto. What domain is this SPF for and exactly how are you trying to add the extra term? Cheers, Greg On Fri, 8 Jul 2022 at 16:38, Roberto Carna wrote: > Dear, from my webmin interface for BIND9, I try to add an additional > allowed sender host to our SPF record, but I get the following err

Re: Can't modify an existing SPF record

The SPF record type was deprecated in 2014 and the SPF definition string *must* now be contained as data in a TXT record. BIND will still load a zone containing SPF records, but it will check whether a TXT record also exists that contains the same string and will generate a log message telling you

Re: Basic setup instructions

Hi Gene. Please can you post a link to 'the website' you refer to? Where have you got to so far? BIND requires one config file - named.conf - which, at its simplest, doesn't need to contain much at all; the defaults should pretty much just work. But let's start with what you have now and, if possib

Re: Bind 9.11/RHEL7 Server Freezes FUTEX_WAKE_PRIVATE

Hi Peter. Off the top of my head, could it be this? random-device The source of entropy to be used by the server. Entropy is primarily needed for DNSSEC operations, such as TKEY transactions and dynamic update of signed zones. This options specifies the device (or file) from which to read entropy

Re: caching does not seem to be working for internal view

Hi Robert. May we see the file /etc/resolv.conf and your BIND configuration? It's difficult to guess what might be going on with only a small snippet of information. If you "ping somewhere" (or "ssh a-server", or whatever) the OS will consult resolv.conf to determine where to send DNS queries. If t

Re: caching does not seem to be working for internal view

Hi Robert. Turn on query logging by doing "rndc querylog". You should see a message saying that has been done in "named.log", to where each query will now be logged. If you have views, part of the query log will contain which view was matched. So this will tell you two things: 1. If the queries

Re: Proxy requests but filter out IPv4 address

Hi Matthias. In DNS there are many record types. For IP addresses there are two types: A for IPv4 addresses and for IPv6 addresses. If your client asks for the record it should get only IPv6 addresses. So what is your client asking for? Can you show us a real example where both IPv4 and I

Re: address/prefix length mismatch

Hi Elias. I can't say why this might have worked with 9.11 (if it did - I'd be surprised). But you should not/cannot define ACLs like this: 10.60.0.1/23; /23 means consider only the first 23 bits of the available 32 bits of an IPv4 address and ignore the rest (in this context. Please don't someone

Re: address/prefix length mismatch

Hi Sten. That is absolutely what you do *not* want to do. Writing it out in binary might help. /23 means the following: 1110 '1' bits mean, test an incoming address against the corresponding bit from the address in the mask. '0' bits mean, don't test an incoming add

Re: Question regarding newsyslog.conf and Bind logs

Hello J What is it you're actually trying to achieve here? Cheers, Greg On Thu, 25 Aug 2022 at 04:24, J Doe wrote: > Hello, > > I was wondering if anyone could provide feedback on whether the > following: newsyslog.conf file is correct to allow for daily log > rotation for my Bind 9.16.30 logs

Re: Question regarding newsyslog.conf and Bind logs

Hi again J. If I understand correctly, you want to enable querylog on a busy recursive server permanently, rotate the files once a day and don't care if you lose some logs because the number of queries on a busy day generates more data than the specified log file is allowed to contain. My question

Re: Zone transfer over VPN

Hi Michael. Have you tried without the "allow-transfer" statements at all? I find it usually works best to start simple, get it working, then apply security bit by bit. Do you have logs from all servers? What are they telling you specifically about what is the issue? Lastly, get packet captures of

test - please ignore

Thanks, Greg -- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org h

Re: Seeing lots of DNS issues on OpenWRT

Hi Philip. I echo Fred's response; why forward? - Backup your config - remove/comment the "forwarders {}" statement - start a tcpdump to disc for port 53 (for evidence about what happens next) - stop/start 'named'. - try queries/look in the log/stop the tcpdump and analyse it in Wireshark. As an a

Re: Dig -x +trace?

Hi Mike. OK, let's try and do some practical things here. Firstly, please share your /etc/resolv.conf Secondly, please have two windows on the go. In the first, run "tcpdump -nvi all -w port 53". In the second, run your dig tests. Then share your results. If you are reluctant to share *actually*

Re: Dig -x +trace?

Hi Mike. No need to shoot. I missed your first message to the list. Have you tried other popular open resolver services, to compare how they each behave and see whether there are differences between them? Or, since you have `dig` I'm guessing you probably also have BIND? If so, have you tried usin

Re: Question About Internal Recursive Resolvers

Hi Bob. In a previous life I did just this. Large resolvers for customers and internal users, defaulting to the Internet but with specific configuration to internal auth-only servers for private zones (I used stub but static-stub and mirror are alternatives - they each behave slightly differently).

Re: Question About Internal Recursive Resolvers

Hi John. Yes, you *could* forward and that was a setup I inherited a good few years ago. The appeal is obvious: it's easy to do; just chuck queries over there and get answers. But forwarding keeps the RD bit set, meaning that the server being forwarded to should a) have recursion enabled (though it

Re: Question About Internal Recursive Resolvers

Hi Grant. My understanding is this, which is almost identical to what I did in a former life: client ---recursive_query---> recursive_DNS_server ---non_recursive_query---> internal_auth/Internet where: client == laptop/phone/server running stub resolver code recursive_DNS_server == what Bob is as

Re: CVE-2022-2795

Hi Greg. Short answer: no. Slightly less short answer: no, if you prevent the server from trying to follow delegations. It's that potentially wild goose chase that was the problem. In short: - Forwarding must cover everything the server needs to do (that isn't locally defined) i.e. global forwardi

Re: dig +norecurse behaviour changed with 9.16.33

Hi Veronique. As other people have said, more details please. To have a complete picture of what is going on, not only would we need to know what your dig tests look like, but also where dig is sending its queries and how that DNS server is configured. You can tell dig to send queries anywhere, u

Re: dig +norecurse behaviour changed with 9.16.33

Hi Veronique. No, we cannot easily reproduce this behaviour because we have no knowledge of the configs of either of those servers, the details of the zones you have configured, the contents of those zones or of the system on which you are running the dig command. As I said, we need to see everyth

Re: dig +norecurse behaviour changed with 9.16.33

Hi Veronique. As Petr said, please don't send a pcap. This is getting beyond the scope of the list and into proper support territory. For which I would recommend that CERN pay ISC for professional support services. Regarding your external example, I get this: %dig @192.65.187.5 foundservices.cern.

Re: What is the meaning of an ecs log

Hi Mik. The Client Subnet in DNS Queries RFC should explain all. Essentially there are two masks in the ECS option - source prefix length and scope prefix length. ECS-enabled recursive servers (like Google or BIND -S edition) will set the source prefix lengt

Re: How to configure , dig command support +subnet

Hello. What exact version of BIND are you running? "named -V" From dig it *looks* like you are running 9.18.9. ECS support only exists in the subscription editions of BIND (-S suffix) and to get that you need to be an eligible ISC support customer. Thanks, Greg On Tue, 13 Dec 2022 at 10:48, 徐娅 w

Re: CDNSKEY / CDS for key is now published - but why?

Hi Danilo. The CDS and CDNSKEY are published in your own zone, not anywhere else. You can confirm this by doing a dig for them directly, or AXFR if you permit transfers on your server. They are intended for use with registrars that *do* support automatic DS creation using one of them. If yours doe

Re: Accidentally ran rndc-confgen on a working BIND box

My bad. I spotted that afterwards. On Thu, 28 Nov 2024 at 13:48, Anand Buddhdev wrote: > On Tue, 26 Nov 2024 at 09:40, Greg Choules via bind-users < > bind-users@lists.isc.org> wrote: > > Hi Greg, > > Running "named-checkconf -p" will print your entire nam

Re: How do I make my bind recursively support edns

gt; *抄送:* "Duan Duan"<1422807...@qq.com>; "bind-users"< > bind-users@lists.isc.org>; > *主题:* Re: How do I make my bind recursively support edns > > I suspect the OP meant ECS. > -- > Mark Andrews > > On 24 Nov 2024, at 07:43, Greg Choules via b

Re: How do I make my bind recursively support edns

Hi. Please can you clarify what you mean and what you're trying to achieve? EDNS support generally has existed in all versions of BIND for many years. Cheers, Greg On Sat, 23 Nov 2024 at 15:43, 从今以后 via bind-users wrote: > Hey ,guys > > How do I make my bind recursively support edns ? > > The o

Re: Accidentally ran rndc-confgen on a working BIND box

>From the ARM, when "rndc-confgen -a" is run:: > This option sets automatic rndc configuration, which creates a file rndc.key in /etc (or a different sysconfdir specified when BIND was built) that is read by both rndc and named on startup. The rndc.key file defines a default command channel and auth

Re: Accidentally ran rndc-confgen on a working BIND box

Hi Luis. Running "named-checkconf -p" will print your entire named configuration, following any include files. There *must* be a "controls" section in there or rndc could not work, since, from the ARM: > all communication with the server is authenticated with digital signatures... I encourage you t

Re: Geo DNS for 1 domain in view impossible?

Hi Dimitry. Views are selected by any/all of "match-clients" and "match-destinations". Once a view has been selected it is then completely responsible for handling the query, so there is no automatic fall through to the next view. However, in the "DE" view you could configure global forwarding/for

Re: Getting BIND to forward a zone to other name servers

Hi Mike. What version of BIND are you running? Firstly, please clarify your question and example configuration. You talk about "example.com" and subdomains of "exmaple.com", but your config shows "example.net". It's not easy to understand exactly what you're trying to achieve a) when your problem

Re: {Disarmed} Re: Getting BIND to forward a zone to other name servers

Hi Mike. You're welcome. I know what it's like when you just don't get why something isn't doing what you thought it should. What are 10.0.2.10 and 10.0.2.11? You don't show them in your config, but then you say "In summary: I'm trying to get 10.0.2.10 and 10.0.2.11 to serve internal.exmaple.com ..

Re: Hyperlocal recursive servers questions

Hi Roberto. Instead of defining "." as type "static-stub" you should define it as type "mirror". This shows you how: https://bind9.readthedocs.io/en/v9.18.32/reference.html#namedconf-statement-type%20mirror Cheers, Greg On Fri, 27 Dec 2024 at 21:41, Roberto Braga wrote: > Hello, if you could he

Re: cname for apex record

Hi Brian. You can't redirect your entire zone from inside the zone itself. CNAME absolutely will not do it, by design (also DNAME). The reason is, the way that DNS works. wadsworth.org has been delegated to a bunch of DNS servers (see below), which are presumably run by you and associated entities

Re: forwarding non-domain queries

Hi Brian. I'm confused. In previous mails you confirmed that you had removed the hint zone completely. To be absolutely clear what I meant before, it would look something like this in named.conf: ... options { ... }; ... # zone "." { #type hint; #file "db.hint"; # }; I have shown that t

Re: Primary/Secondary (Was: Master/Slave)

Hi Paul. What's a "primary master" as opposed to (presumably?) a "secondary master"? Maybe there are just too many combinations and permutations of type of box for a single word to convey all meanings, though I haven't encountered any yet. Even in an environment like Active Directory, where all se

Re: forwarding non-domain queries

In that case, something's not right. Please send your "named.conf". Cheers, Greg On Thu, 6 Feb 2025 at 14:52, Cuttler, Brian R (HEALTH) < brian.cutt...@health.ny.gov> wrote: > Greg, > > > > Yes, I did remove that stanza and restart the daemon, clean shutdown and > restart, not just a reload. > G

Re: map as record

Hi Michal. Please share your configuration and the zone file so that we can see what you are trying to do. Thanks, Greg On Wed, 29 Jan 2025 at 08:28, Michal Bednář wrote: > Hello, > i try too make domain record map.domain.tld . I cannot make this in bind9. > Map is probably keyword > in zone fi

Re: forwarding non-domain queries

Good idea, Brian. People should test more. Hope it goes well. Packet captures and Wireshark are your friends. Cheers, Greg On Tue, 10 Dec 2024 at 15:25, Cuttler, Brian R (HEALTH) < brian.cutt...@health.ny.gov> wrote: > Greg, > > > > I have a test server I will enable the changes on before I roll

Re: forwarding non-domain queries

Hi Brian. If that's what you want to do; answer authoritatively from local zones you own and forward everything else to Corporate, then you have it correct. "forwarders {...etc" and "forward only;" go in the "options" block. Since you are forwarding everything that's not local *and* disabling recu

Re: forwarding non-domain queries

Hi Brian. So in your config you still have a section like this? zone ".: { type hint; file ; }; You don't need it a) at all anyway, for the reason I gave and b) because you are forwarding everything non-local and if you specify "forward only;" for both global forwarding (last resort, simila

Re: forwarding non-domain queries

And my point is that you just don't need that hint zone definition at all, especially using custom NS in an environment such as this. Maybe try commenting it out and see if it makes any difference. Greg On Tue, 10 Dec 2024 at 14:48, Cuttler, Brian R (HEALTH) < brian.cutt...@health.ny.gov> wrote:

Re: forwarding non-domain queries

2024 at 07:26, Nick Tait via bind-users < bind-users@lists.isc.org> wrote: > On 10/12/2024 12:25, Greg Choules via bind-users wrote: > > Actually you don't need it anyway, even if you are doing recursion, as > > Internet root hints have been built into BIND for many year

Re: forwarding non-domain queries

Hi Brian. Just checking; you removed or commented this config? zone ".: { type hint; file ; }; A couple of points about dig: 1) The syntax dig (with no @) will send a query to the address(es) defined as your system DNS. On a *x system this is defined in /etc/resolv.conf with the "nameserve

Re: Bind and DHCP

Hi Karol. You can run them both together, if you like. I think it comes down to a personal choice between economics, simplicity, cleanliness of design and performance. If you want your DNS server to handle many 1,000 QPS it might be better dedicating resource to that and put Kea (I assume Kea?) on

Re: localhost name lookup

Hi Robert. Having localhost in /etc/hosts works if both of these conditions are satisfied, I think: 1) The client asking the question is on the same box. 2) /etc/nsswitch.conf has been configured to look in hosts first, DNS second If the client is local but nsswitch says to do DNS first then names

Re: ECS subnet

Hi. Is this a question about BIND, or Unbound? Note the name of the list. On Fri, 14 Feb 2025 at 16:36, Rainer Duffner wrote: > Hi, > > I have a setup where I have a BIND resolver behind an unbound resolver. > > The reason is that when I originally set this up, there was no way to > integrate an

Re: Authoritative and caching

Sending from the correct alias this time! On Sun, 16 Mar 2025 at 09:03, Greg Choules wrote: > Thank you. > The problem is that named is running as user "bind" but that user > doesn't have file system permissions to create and write to files (the .jnl > and .jbk files at least) in places that it

Re: Authoritative and caching

Hi Danjel. Please send "ls -al" of both "/etc/bind" and "/etc/bind/zones" Thanks, Greg On Sat, 15 Mar 2025 at 16:32, Danjel Jungersen via bind-users < bind-users@lists.isc.org> wrote: > I'm so sorry, but I have to trouble you guys again. > > The help below helped, I have no errors from checkconf

Re: Custom DNS Filtering Plugin in BIND 9

My take on this is that DNS resolver code is written to (try and) be as fast and efficient as possible and work pretty much entirely in RAM because that's the quickest storage available. Anything that interrupts that and tries to access some external database, however it's done, is bound to slow d

Re: Why do I get underscore DNS queries when my host is running a recursive server?

Please keep your replies on-list. This should help you understand its purpose: https://datatracker.ietf.org/doc/rfc9156/ Cheers, Greg On Mon, 31 Mar 2025 at 11:12, Champion Xie wrote: > Thank you for your information > by the way how to implement QNAME minimisation with domain names starting >

Re: Multiple views (more than 2)

Hi. That KB article shows you how to use TSIG keys as a view selector for zone transfer. If you want a single DNS server to give different answers to the same question based on client IP then you *could* (though I'm NOT recommending this, especially since it will be deprecated at some point) use "

Re: Multiple views (more than 2)

Hi Marek. Please can you show the config that used to work? Please can you also explain why it is desired to create more views? Maybe give an example of what you're trying to achieve. In general, matching views is done top down - test clients against the criteria in the first view. If they don't m

Re: Authoritative and caching

Hi Danjel. To obtain a packet capture use tcpdump, which is probably installed already. If not, add it using your preferred package manager. You can dump to the screen, but I find it more useful to dump to a file, which can then be analysed offline in Wireshark. A typical capture command might be:

Re: Is there any config to disable bind9 retry for rcode refused

Hi Neil. I don't think there is. Perhaps you should suggest it in a Gitlab issue? Just to be clear, though, please can you give an example of what you mean? A real life one would be best. Either a binary pcap or +vvv to screen of the query BIND makes and the REFUSED it receives followed by it retr

Re: Using CNAME for _domainkey (DKIM)

My 2p is... You *shouldn't* do a lot of things, but people do anyway, because they can. If you maintain your own DKIM records then deliberately adding a CNAME upfront seems unnecessarily complicated. KISS. If someone else hosts them and CNAME is a pragmatic way to achieve that "ask them" behaviou

Re: Access Control Lists error

Hi. An ACL can match other ACLs, meaning that you can include the name of one ACL in the definition of another. Your config is being interpreted as: acl "tsg_acl" { Start the definition of an ACL called "tsg_acl", which will be followed by a list of things to match, each of which must end with a s

Re: Anycast DNS VIPs network IPv4

Hi Karol. If I understand you correctly, the choice of address to use is up to you and how it works best in your network. The DNS service addresses only need to be relevant to the network they sit in and the clients that need to reach them. In a private network, any 10 etc. address would work, as l

Re: Why do I get underscore DNS queries when my host is running a recursive server?

Hello. The underscore character was an old method for performing QNAME minimisation. Look in the CHANGES file for a note about it and the ARM for more detailed information. BIND 9.14 is five years old and has been unsupported for a long time. Please update to 9.18 or 9.20, which contain many impro

Re: My Introduction and current issues -

Hi. I also suspect it's not BIND, but how the OS is going about resolving names. Test your running BIND by using dig (please, not nslookup) @127.0.0.1 for domains you think you are having a problem with. Also check /etc/resolv.conf and see what address(es) is/are listed as nameservers. Third, use

Re: My Introduction and current issues -

127.anything is valid on the loopback interface as it is a /8. You will have to add addresses as aliases, but that is easy. Read the man pages first and check what addresses already exist on lo0. Ubuntu must have gotten 127.0.0.53 from somewhere. Get tcpdump and Wireshark working so you can see wha

Re: My Introduction and current issues -

@Danilo you are correct, the contents of /etc/resolv.conf are not set by BIND and BIND itself does not use them. But all applications running on that machine (including dig, unless you specify @) that want some kind of name resolution will make OS system calls and then the OS *will* use what's in r

Re: 3Rd Follow Up - Re: My Introduction and current issues

>From the correct alias this time! On Mon, 19 May 2025 at 22:46, Greg Choules wrote: > Your router (or your ISP behind it) is losing a lot of traffic. Here is a > timeline of frames with explanations of each, which would have been so much > simpler if you hadn't tried to hide your actual address

Re: long FQDN resolution

I was beaten to it! It's called QNAME minimisation and is specified here: https://datatracker.ietf.org/doc/html/rfc9156 In BIND it can be disabled with this statement: https://bind9.readthedocs.io/en/v9.20.8/reference.html#namedconf-statement-qname-minimization Hope that helps, Greg On Thu, 15 M

Re: 3Rd Follow Up - Re: My Introduction and current issues

Sure. Your decision, of course. But any network application is only going to work if the underlying network supporting it doesn't do silly things with its traffic. On Thu, 22 May 2025 at 15:23, wrote: > Thank you for all your assistance. I have made the decision to > decommission Bind9 and insta

Re: QNAME minimisation question

The help text for delv says you can specify a source using -b, the same as you can with dig: Usage: delv [@server] {q-opt} {d-opt} [domain] [q-type] [q-class] Where: domain is in the Domain Name System q-class is one of (in,hs,ch,...) [default: in] q-type is one of (a,any,mx,

Re: question about resolving of AAAA amazoses.com

Hi Florian. Well since you mention it, may we see your BIND configuration? Also "named -V", please and, if you can, a packet capture (preferably binary pcap, not just a few lines of tcpdump output) showing what your server is doing at the time you see these messages in the logs. Cheers, Greg On F

Re: BIND doesn't listen to other loopback addresses

https://bind9.readthedocs.io/en/stable/reference.html#namedconf-statement-automatic-interface-scan Note the phrase "...and supported by the operating system...". Linux capabilities must also be enabled (i.e. not *disabled* at build time) for BIND to be able to keep scanning as addresses come and g

Re: Is there any method/config to pass through rcode refused

Hi Neil. Think about what a resolver is doing. A client asks it a question, usually with the RD bit set, meaning essentially, do whatever you have to do to get me my answer. So the resolver attempts to find that answer, somehow. If it already has it in cache, great. If it doesn't it may recurse,

<    1   2