The reason I've heard a few times is that users are uncomfortable using only 1
address. In the past I've done 2 or 3 addresses just so that we can give out 3
addresses that all point to the same pool of servers.
Silly, I know, but sometimes it's easier to placate than to change
someone/groups
You can set interface-interval to a low number to make BIND scan for new
interfaces frequently:
interface-interval
interface-interval minutes;
interface-interval defines the time in MINUTES at which BIND scans all interfaces on the
server and will begin to listen on new interfaces (assuming they are no
When you do a dig, the TTL is the 2nd column:
;; ANSWER SECTION:
www.google.com. 604800 IN CNAME www.l.google.com.
www.l.google.com. 300 IN A 74.125.225.20
www.l.google.com. 300 IN A 74.125.225.19
www.l.google.com. 300 IN A
If I remember correctly, $GENERATE is a zone file syntax only. When you start
up BIND, it parses those out and loads the generated records as if you'd
written them out manually. $GENERATE just helps condense the zone file, but
has no impact on overall operation.
I'm sure someone from ISC coul
>> You're thinking that the rate limit is intended to protect YOUR server.
>> It's actually to prevent your server from being used as a reflector to
>> attack some OTHER server. The spoofed addresses all point to that
>> server.
>Sorry, I just can't understand why my server is being used to
Some hopefully quick questions regarding zone transfers:
We recently updated a bunch of zones to add new masters, not realizing
the firewall holes weren't there yet. This caused zone transfers to
queue and be deferred. So, my couple questions
1) Is there a way to get more information about what
Try the "listen-on" directive.
Read more here:
http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=frontcover&dq=
dns&ei=dA-3SJ7XEaWijgG7v4Qw&hl=en&sig=ACfU3U3PDWVTG3zFFj5QkZbfz5ZSy7i84Q
#PPA270,M1
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of J
figure out why the server behaves
differently for reverse zones than it would for forward zones.
Cheers,
Todd.
--
Todd Snyder
Data Networks Tools
bb.226.338.2617
Always On, Always Connected.
-
able to find
information about this behaviour in the book(s).
Merci!
Todd.
From: Ben Croswell [mailto:ben.crosw...@gmail.com]
Sent: Thursday, December 11, 2008 5:15 PM
To: Todd Snyder
Cc: bind-us...@isc.org
Subject: Re: recursion for reverse/in-addr.arpa
I've been doing some testing lately on query times. What I did was
create a new zone and create a * record within it. Then, from a shell,
I do "dig @server $RANDOM.test.testdomain.com". For more randomness,
you can combine: "dig @server $RANDOM.$RANDOM.test.testdomain.com"
That's how I've wor
If you don't host any zones on the server, then it would always recurse, no?
The server will always answer for zones it's authoritative for, as far as my
understanding.
You might need to explain more about your configuration/desired outcome than you
currently have.
Todd.
-Original Message
Good day,
I am struggling to get my head around the 512 byte limit with regards to
DNS queries/responses. I am sure there is much in the RTFM category,
and I will continue to RTFM, but I wanted to ask a couple of specific
questions.
1) If a reply is over 512 bytes, which can't in theory be done v
Good day,
I am trying to wrap my head around a weird configuration I ran across
today, and see if my assumptions are correct.
Working with the TLD .testdomain.
We have the record:
test2.testdomain. IN NS ns01.blahblah.testdomain.
But, on the same server, we also have the zone
While running a checkzone, one of my users is getting this error:
dns_master_load: /var/named/var/named:1: isc_lex_gettoken() failed: I/O
error
dns_master_load: /var/named/var/named:1: I/O error
Google isn't helping me too much.
We're thinking maybe it's terminal related - a user has had succes
t.
At any rate, now you know. SecureCRT (tty = vt100) and bind don't play
nice.
Cheers,
Todd.
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Monday, February 02, 2009 11:59 AM
To: bind-us...@is
Good morning,
We utilize a number of include files as part of our named.conf. I am
looking to see if there is a clever way to dump the entire named.conf
(or, even better, the entire RUNNING named.conf), which includes all the
include files.
I say running config, because sometimes you do an rndc
If you are trying to reach RIM.com (makers of BlackBerry), we are at rim.com
;; QUESTION SECTION:
;rim.com. IN MX
;; ANSWER SECTION:
rim.com. 600 IN MX 10 mx05.rim.net.
rim.com. 600 IN MX 10 mx03.rim.net.
rim.com.
This is the BIND admins bible:
http://oreilly.com/catalog/9780596100575
Grab it and start having a read. You will want to upgrade your version of BIND
if at all possible as it's a little out of date, and much of the support you
may need may be difficult.
$0.02
Todd.
From: bind-users-bounces
If you haven’t restarted the server, you could do an rndc dumpdb and grab the
zone content I’d think
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Jay Moore
Sent: Tuesday, October 05, 2010 1:13 PM
To: bind-users@list
What I have done is add another IP to boxes with views, one per view (ie:
127.0.1.1/2/3/4). Then put one of those ips in each view match statement.
When you do your dig, you tell it to source from a specific interface (dig -b
127.0.1.1 @localhost record.ext). That will ensure that you can hit
What version of bind, on what OS?
There may be some things you can do with iptables to limit connections
http://www.debian-administration.org/articles/187
I don't recall seeing anything native to BIND that would allow for limits per
src.
t.
-Original Message-
From: bind-users-bounces+
dig -b {srcip}
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of John
Williams
Sent: Thursday, December 09, 2010 9:51 AM
To: bind-users@lists.isc.org
Subject: DIG Source IP
If I have a Linux h
It seems to do a regular lookup, plus maybe an ANY
But I've also noticed that it seems to find test.domain.com. I often put a
'test.whatever.com. IN A 127.0.0.1' into zones and a couple I checked it found
them, even though it shouldn't have by "normal" means
it also found a 'blog' record I had
Change:
file "/var/log/query.log" version; 3 size 5m;
to:
file "/var/log/query.log" versions 3 size 5m;
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of Nate
Homier
Sent: Thursday, March 03,
>> With a static-stub zone (new in BIND 9.8), your server would not prime its
>> cache with the bad NS
>> rrset from the authoritative server. It would simply start all query
>> resolution for the domain in
>> question (possibly bigger than the zone) at that server, thus bypassing the
>> bad NS
there is a perl module out there that may help:
http://cpan.uwinnipeg.ca/htdocs/BIND-Config-Parser/BIND/Config/Parser.html
I don't know - I'm not much of a perl monkey (or any of one, really), but I may
work for what you'd like.
t.
-Original Message-
From: bind-users-bounces+tsnyder=ri
>
> > I have had a tendency to dig axfr from my Windows workstation
>
> +1 to you for using `dig' on Windows; most don't even know it exists
> and suffer the `nslookup' pain. ;-)
>
First thing I do on a new windows box is download the BIND package and throw
dig on the box ... well, right after
>> do you propose he specify the ratios with BIND?
>>
>> One (icky) solution is to hand out more addresses for one server than
>> the other...
>>
>> www.example.com IN A 192.168.1.1
>> www.example.com IN A 192.168.1.2
>> www.example.com IN A 192.168.1.3
>> www.example.com IN A 192.168.2
I had to do this a couple times lately .. this is the simplest way I've
found. It's not elegant or nifty, but it works.
on the master:
grep zone named.conf | awk '{print $2}' | sort > master.zones
on the slave:
grep zone named.conf | awk '{print $2}' | sort > slave.zones
get the files on the sa
e safe.
t.
-Original Message-
From: John D. Vo [mailto:j...@eagle.net]
Sent: Friday, March 20, 2009 3:27 PM
To: Todd Snyder
Cc: bind-users@lists.isc.org
Subject: Re: number of zones not matching
Yes, Todd. 9.2.2.
Todd Snyder wrote:
> I had to do this a couple times lately .. this is the simples
> BIND does NOT load RFC1918 zones. The Internet-Draft that will
> allow that has been stalled for over a year now. Once that
> draft
> clears the working group the #if 0/#endif around the RFC 1918
> zones will be removed.
Perhaps I am confused by terminology.
I am referri
Good day,
I saw some strange behaviour from BIND and am trying to understand it.
In one of the labs, someone mucked up a DNS change and made the serial
lower than the previous version.
Some of the nameservers complained:
Mar 23 15:07:24 ns1001 named[5913]: zone 5.1.10.in-addr.arpa/IN: serial
I am looking for a clever way to do the new serial number. Date will do
the first bit no problem (date +%Y%m%d), but I'd love to find a clever
way to auto increment the last 2 digits unless it's a new day. Then I
could use the same script every time.
/puts on thinking cap.
-Original Message
I know that people may laugh, but when I need to look at the stats, I
pump the data into excel. A quick script turns that data into csv, pull
into excel, highlight, graph, done!
I've seen people using Cacti for graphing the numbers. RRD would work
too, I believe. I expect you could feed the data
-protocols-dns-b...@isc.org
Subject: Re: Servers loading zones with lower serials
In article , "Todd Snyder"
wrote:
> Good day,
>
> I saw some strange behaviour from BIND and am trying to understand it.
>
> In one of the labs, someone mucked up a DNS change and made the
You say "my" DNS servers - if you own them, why not just look at the
named.conf? "grep zone named.conf" should tell you pretty quickly.
If you are using external hosting, you will need to talk to your
provider. They should be able to provide you a list.
t.
-Original Message-
From: bin
>BIND already creates an internal view "_bind" with class CH to contain
>the zones version.bind, hostname.bind, authors.bind, etc. I was thinking
>in terms of zones.bind living there as well.
>Of course there's the barber-shaving question: should zones.bind
>contain an entry describing itself?
> I agree with Rick Dicaire that this should not be done as a zone at
> all.
> Instead, this should be implemented in rndc. I do agree with the
> premise that it
> would be nice to be able to have a list of all zones on the server.
I would tend to agree that rndc is the best place for it, except in
or
allow-transfers { acl1; acl2; };
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Jonathan
Petersson
Sent: Thursday, April 09, 2009 3:20 AM
To: Jeff Pang
Cc: Bind Mailing
Subject: Re: about allow-transfer
allow-transfer
Good day,
(BIND 9.6.0-P1)
Although, to me, delegation seems like a fairly simple configuration, I
seem to be having problems. What I am trying to do is very simple - I
have a lab, and I want to delegate part of the namespace to someone else
in the lab. My configuration looks like this:
(zone l
>It works that way, sometimes.
>
>If recursion is enabled on your server, it will query the other servers
>in
>the NS records on behalf of the resolver and return what it finds. If
>recursion is off, it will just return the NS records and the resolver
>is
>expected to follow them (and some really
-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Tuesday, May 05, 2009 11:08 AM
To: bind-us...@isc.org
Subject: Delegation or PEBKAC problems?
Good day,
(BIND 9.6.0-P1)
Although, to me, delegation seems like a fairly simple configuration, I
seem to be having problems. What I am trying to do is
nd I'm
getting the behaviour I was looking for - so the server seems to behave
as I thought in "forward first" mode, but not in "forward only" mode.
Has the logic here changed, or am I misinterpreting the book?
Thanks!
Todd.
-Original Message-
From: bind-users
+trace forces the server to go to the root. It doesn't necessarily
represent the path your query would normally take. If the server you
are querying is authoritative for the zone you are querying, it will
still trace from the root. This feature is, sadly, not as useful in an
internal DNS configu
Do you have "notify no;" in your config options?
-Original Message-
From: bind-users-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Michael Di Martino
Sent: Thursday, May 28, 2009 10:17 AM
To: bind-users@lists.isc.org
Subject: Transfer delays
List Members,
Good afternoon,
I am writing some verification steps for a change. The change in
question is to remove a zone from a server and replace it with a
delegation. I need to validate that the local server is no longer
answering authoritatively, instead making sure I'm getting a delegated
answer.
I ha
Thanks very much for the help - I was having a brain issue! That is
much simpler than I was trying to devise.
Thanks to Andy as well.
Cheers!
Todd.
-Original Message-
From: Matthew Pounsett [mailto:m...@conundrum.com]
Sent: Monday, June 01, 2009 3:49 PM
To: Todd Snyder
Cc: bind-users
Checkout the "transfer-source" directive for the transfers, and the
"notify-source" directive. I've not used the latter, so I'm not exactly
sure if it fits, but I expect that it will.
DNS and BIND @Google Books is a useful reference:
http://books.google.com.hk/books?id=zkZN52WhG8sC&printsec=
Good day,
Looking through configuration of one of my servers (ns01.local), I have
example.com loading, and test.example.com loading.
In example.com, someone has delegated test.example.com back to the
server:
test.example.com IN NS ns01.local
Since I am loading test.exam
Good day,
I've run into a bit of an oddity, and I'm hoping someone might have an
idea.
I have a nameserver running BIND 9.3.5-p1 that doesn't want to log to
the syslog daemon. I have 2 identically configured servers, one of them
works, one doesn't.
My logging configuration looks like:
Good day,
I am working at building BIND, and I will admit right now that I am not
much of a developer. I noticed that when you compile/make/install BIND,
it creates /var/named/chroot as the default chroot jail. We don't use
that particular standard, and have been simply moving things afterwards.
-boun...@lists.isc.org
[mailto:bind-users-boun...@lists.isc.org] On Behalf Of Todd Snyder
Sent: Wednesday, June 10, 2009 11:45 AM
To: bind-users@lists.isc.org
Subject: Changing CHROOT at BIND compile time
Good day,
I am working at building BIND, and I will admit right now that I am not
much
Good day all,
I am looking at making some sweeping changes to some zone files,
cleaning up NS records primarily. As I'm pondering the impact of this,
I got to thinking about how to validate every single record in my
namespace, and therefore the entirety of my change.
What I'm thinking of is a sc
Martin,
It looks like you were relying on an odd mechanism to determine an
outage. What you were seeing is the server filling up all the available
recursive "slots" because they weren't getting answered, backing up the
queue. It wasn't necessarily an indication of an outage, it could have
meant
The problem with this approach is when you are running a couple thousand
servers - suddenly, you are running a couple thousand more instances of BIND
that need monitoring/patching/care/feeding.
A more clever resolver, or a simpler caching setup locally would be ideal.
Otherwise, you could redo
>If you're on a closed network and not using forwarders, then you'll
>also
>need a hints file and associated hints-file definition in named.conf,
>of
>course, but even so, we're still not talking about adding a great deal
>of additional care and feeding...
It's not much, I'll gladly concede, but
There are a few approaches you could take, and it depends on what you are
trying to do.
If you are actually trying to block traffic to a specific server/servers, I'd
say use a firewall. If you're running on a linux box, it's pretty easy:
http://www.cyberciti.biz/faq/howto-null-route-an-attacke
Look at something like an F5 GTM ... it can do health checks on pools
and respond with only available/geographically close/etc ips...
http://www.f5.com/products/big-ip/product-modules/global-traffic-manager
.html
More than likely far too big for what you're looking for, but service
availability
You can create an include file, and put it right under your SOA/NS
records. The file should start with blanks... something like:
@ IN SOA ns.example.com. root. (
2009112601 ; Serial
1h ; Refresh
In BIND, no.
There are some solutions discussed (check the archives) around setting
up special zones with the meta data required for the slaves to create
their own slaves, I've even whipped up a POC, but I've not found a
ready-made tool yet.
Your best bet is to script something up. We have a sta
checkout "allow-query-cache"
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=rim@lists.isc.org] On Behalf Of
Riccardo Castellani
Sent: Tuesday, February 09, 2010 1:06 PM
To: bind-users@lists.isc.org
Subject: query (cache) 'xx
Good day,
We've started seeing this bug on a couple servers, but I see no mention
of it being fixed, so I don't know what version I should upgrade to.
Nor can I find anything that lays out the impact/risk of this.
Does anyone know the status of this bug?
Thanks!
From: bind-users-boun...@lists
Yes, assuming you want them to both have the same zone data.
We use a naming convention so we know when we're sharing a file. Each
view gets their zonefiles with "-viewname" (ie: example.com-internal)
appended. Common zones get "-common". This keeps us from modifying the
wrong file, and lets us
r help,
Todd.
--------
Todd Snyder, Systems Specialist
Data Networks Systems Engineering / Global DNS
bb 226.338.2617
dd 519.888.3176
Are the timed out queries recursive or authoritative?
I'd suggest tcpdump running on both the BIND servers and the client, so
you can match send/receive and show missed packets directly.
Cheers,
Todd.
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind
>The DNS Servers are authoritative. I have more than 100 users for them,
>and the
>number of queries performed per minute is very high due to the nature
>of our
>organization. Moreover, I do not have a specific time window in which
>the
>timeouts occur, so, it is impossible to run it 24/7! From your
Are all the slaves authoritative for all the zones? If so, unless
you're using forwarding, or some really odd delegation, queries
shouldn't be going to the master servers.
Todd.
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=r
Alessandro,
Generally people won't want to lay out entire configurations for you. Spend a
little time with the DNS & BIND book which will be your loving companion as a
BIND admin (available on google books for free if your google-fu is good), and
come back with direct questions/configuration e
>From my experience, there is no way to do this. Once an answer is made
>authoritatively from your internal server, you can't tell it to go somewhere
>else. Authoritative is authoritative, and even if you know there's a better
>answer somewhere else, you're stuck with what you've gone.
What I
What version of BIND are you running? If you're getting FD limits, I'd think
it's an older version with a bug, and your problems might also be alleviated by
upgrading.
Todd.
-Original Message-
From: bind-users-bounces+tsnyder=rim@lists.isc.org
[mailto:bind-users-bounces+tsnyder=ri
If you wanted to throw CVS into the mix, it would make all this pretty easy.
You can have it run scripts on checkin, and you know all the files changed from
a cvs diff, so it’s easy to run that through the named-checkzone.
CVS doesn’t have to make things much more complicated. You could create
>> You need to specify different "file" locations for each of the slaved
>> zones (even if the data is the same) in each view.
>>
>Does that apply for master zones which are common (i.e. the same data)
>to both views as well?
In my experience, you can use a shared file for mastering. We have ado