bind-users Digest, Vol 1560, Issue 1

Manson, John John.Manson at mail.house.gov
Tue Jul 2 12:30:17 UTC 2013


Give each instance of named a unique name:
   A-named, b-named, etc

----- Original Message -----
From: bind-users-request at lists.isc.org [mailto:bind-users-request at lists.isc.org]
Sent: Tuesday, July 02, 2013 08:00 AM
To: bind-users at lists.isc.org <bind-users at lists.isc.org>
Subject: bind-users Digest, Vol 1560, Issue 1



Today's Topics:

   1. Re: Reverse address entries (Sam Wilson)
   2. Re: Reverse address entries (Matus UHLAR - fantomas)
   3. Re: How to suppress ADDITIONAL SECTION per zone
      (Matus UHLAR - fantomas)
   4. configure syslog prefix (Klaus Darilion)


----------------------------------------------------------------------

Message: 1
Date: Mon, 01 Jul 2013 14:11:00 +0100
From: Sam Wilson <Sam.Wilson at ed.ac.uk>
To: comp-protocols-dns-bind at isc.org
Subject: Re: Reverse address entries
Message-ID:
	<Sam.Wilson-E707D1.14110001072013 at news.eternal-september.org>

In article <mailman.718.1372672345.20661.bind-users at lists.isc.org>,
 Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:

> >> On Jun 28, 2013, at 10:54 AM, "Ward, Mike S" <mward at SSFCU.org> wrote:
> >> > Hello all, is there any reason to setup reverse address entries for a 
> >> > zone?
> 
> >In article <mailman.710.1372442831.20661.bind-users at lists.isc.org>,
> > Charles Swiger <cswiger at mac.com> wrote:
> >> Certainly.  Various software performs what's called a double-reverse 
> >> lookup
> >> to confirm that the A and PTR records match.
> 
> On 01.07.13 10:48, Sam Wilson wrote:
> >Isn't that paranoid reverse lookup?  Since reverse lookups can be faked
> >(I'll spare the details here) some uses of in-addr.arpa also require a
> >subsequent forward lookup.  If there is no PTR record then the double
> >lookup doesn't happen.  I don't know of anything to be gained by
> >requiring a reverse lookup after a forward lookup.
> 
> He apparently meant exactly the same. Also called FCrDNS - "forward
> confirmed" or "full circle" reverse DNS.

OK.  So what Mr. Swiger refers to is not relevant - it's no reason to 
add PTR records.

Sam

-- 
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


------------------------------

Message: 2
Date: Mon, 1 Jul 2013 15:14:10 +0200
From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
To: bind-users at lists.isc.org
Subject: Re: Reverse address entries
Message-ID: <20130701131410.GA14072 at fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed

>> >In article <mailman.710.1372442831.20661.bind-users at lists.isc.org>,
>> > Charles Swiger <cswiger at mac.com> wrote:
>> >> Certainly.  Various software performs what's called a double-reverse
>> >> lookup
>> >> to confirm that the A and PTR records match.

>In article <mailman.718.1372672345.20661.bind-users at lists.isc.org>,
> Matus UHLAR - fantomas <uhlar at fantomas.sk> wrote:
>> He apparently meant exactly the same. Also called FCrDNS - "forward
>> confirmed" or "full circle" reverse DNS.

On 01.07.13 14:11, Sam Wilson wrote:
>OK.  So what Mr. Swiger refers to is not relevant - it's no reason to
>add PTR records.

Yes, it is.

"Various software performs what's called a double-reverse lookup to confirm
that the A and PTR records match."

It means that various software checks your PTR and then A (or maybe
AAAA) records, and can fail if any of them is not found or the latter result
doesn't match the original IP address.

Now that IS a reason to add PTR for IP address, and they must point to
hostnames that point to the same IP.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Christian Science Programming: "Let God Debug It!".
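The check Matus describes above (look up the PTR first, then the A or AAAA of each name the PTR returns, and compare with the original address), written out as an added example that is not part of the thread. The in-memory RECORDS table and the `lookup` stand-in for a real resolver are constructed assumptions so the code runs offline:

```python
"""Forward-confirmed reverse DNS (FCrDNS) check against an in-memory zone."""
import ipaddress


def rev(ip):
    """Reverse-pointer name for an address, e.g. 10.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed sample data (documentation prefixes, not real hosts):
#   .10  good: PTR -> A points back to the address
#   .11  bad:  PTR exists, but its A record points elsewhere
#   .12  bad:  no PTR at all
#   .13  two PTRs, only one of which is confirmed by its A record
#   IPv6 host confirmed via AAAA
RECORDS = {
    (rev("192.0.2.10"), "PTR"): ["mail.example.net"],
    ("mail.example.net", "A"): ["192.0.2.10"],
    (rev("192.0.2.11"), "PTR"): ["spoof.example.org"],
    ("spoof.example.org", "A"): ["203.0.113.7"],
    (rev("192.0.2.13"), "PTR"): ["a.example.net", "b.example.net"],
    ("a.example.net", "A"): ["198.51.100.1"],
    ("b.example.net", "A"): ["192.0.2.13"],
    (rev("2001:db8::25"), "PTR"): ["mx6.example.net"],
    ("mx6.example.net", "AAAA"): ["2001:db8::25"],
}


def lookup(name, rtype, records=RECORDS):
    """Stand-in resolver: rrset for (name, type), or [] for NXDOMAIN/NODATA."""
    return list(records.get((name.lower().rstrip("."), rtype), []))


def fcrdns(ip, lookup=lookup):
    """Return (ok, reason, names). ok is True only if some PTR target
    resolves (A or AAAA, matching the address family) back to ip."""
    addr = ipaddress.ip_address(ip)
    fwd_type = "AAAA" if addr.version == 6 else "A"
    ptrs = lookup(addr.reverse_pointer, "PTR")
    if not ptrs:
        return False, "no PTR record", []
    confirmed = []
    for host in ptrs:
        fwd = lookup(host, fwd_type)
        # An unparsable forward record must not confirm anything.
        if any(ipaddress.ip_address(a) == addr for a in fwd if a):
            confirmed.append(host)
    if not confirmed:
        return False, "PTR target(s) do not resolve back to the address", ptrs
    return True, "forward-confirmed", confirmed
```

Software that applies this check treats both the "no PTR" and the "PTR points elsewhere" cases as failures, which is why a PTR only helps when the name it returns also has a matching A or AAAA.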


------------------------------

Message: 3
Date: Mon, 1 Jul 2013 16:07:05 +0200
From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
To: bind-users at lists.isc.org
Subject: Re: How to suppress ADDITIONAL SECTION per zone
Message-ID: <20130701140704.GB14072 at fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed

On 01.07.13 04:02, blrmaani wrote:
>We are noticing that a handful of our domains are being used for
> amplification attacks and we would like to reduce outgoing (DNS response)
> packet size.
>
>One solution is to reduce the additional sections in the response for these
> handful zones and I would like to know if there is any way to add
> something similar to "additional-from-auth no" per zone basis and achieve

It would be much better if you presented your problem in the beginning, not
just told us what you want to do.

In this case you should set "minimal-responses yes" globally, otherwise all
your other domains can get used for such attacks too.

Do you have separate servers for resolving and for domains?
Resolving servers could send all possible info to your own clients, while
authoritative servers would provide as little information as needed.

Another possibility is to implement packet rate limiting - a patch was
discussed here a few days/weeks ago.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
(R)etry, (A)bort, (C)ancer


------------------------------

Message: 4
Date: Tue, 02 Jul 2013 13:49:35 +0200
From: Klaus Darilion <klaus.mailinglists at pernau.at>
To: bind-users at isc.org
Subject: configure syslog prefix
Message-ID: <51D2BE4F.6060507 at pernau.at>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Hi!

I have several bind instances running on the same host. All of them use 
the same logging prefix, e.g.:

named[11926]: zone mydomain/IN: Transfer started.
named[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: connected using 2.3.4.5#44224
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR started: TSIG mydomain
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR ended


So I only have the PID to separate the different bind processes.

Some software allows configuring the syslog prefix, but I couldn't find 
that for bind.

Is there a workaround to get something like that?

named-incoming[11926]: zone mydomain/IN: Transfer started.
named-incoming[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: connected using 2.3.4.5#44224
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR started: TSIG mydomain
named-outgoing[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR ended

Thanks
Klaus
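A log-side workaround for the situation above, added here as an example and not part of the thread or of BIND: when every instance logs under the same `named` ident, each instance's pid-file (a separate `pid-file` per named.conf) maps its PID to the instance name, and the lines can be relabelled the way Klaus wants at collection time. The sample log lines and the `PID_FILES` contents are constructed; the instance names `named-incoming` and `named-outgoing` are taken from the question.

```python
"""Relabel syslog lines from several named instances using their pid-files."""
import re

# Constructed sample log, mirroring the lines in the question plus one line
# from a PID no pid-file accounts for (e.g. an instance that has restarted).
SAMPLE_LOG = """\
named[11926]: zone mydomain/IN: Transfer started.
named[11926]: transfer of 'mydomain/IN' from 2.3.4.5#53: connected using 2.3.4.5#44224
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR started: TSIG mydomain
named[13479]: client 2.3.4.5#44224: transfer of 'mydomain/IN': AXFR-style IXFR ended
Jul  2 13:49:35 ns1 named[20000]: zone otherdomain/IN: Transfer started."""

# Constructed pid-file contents, keyed by instance name (one pid-file per
# named.conf; the text is what a read of that file would return).
PID_FILES = {"named-incoming": "11926\n", "named-outgoing": "13479\n"}

# Optional syslog timestamp/host prefix, then the fixed 'named[PID]: ' ident.
LINE_RE = re.compile(r"^(?P<prefix>.*?)named\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def pid_map(pid_files):
    """Invert {instance: pid-file text} into {pid: instance}."""
    return {int(text.strip()): name for name, text in pid_files.items()}


def relabel(log_text, pid_to_name):
    """Rewrite 'named[PID]' to '<instance>[PID]'; unknown PIDs are marked,
    not silently dropped, so a restarted instance still shows up."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            out.append(line)  # not a named line; pass through unchanged
            continue
        pid = int(m.group("pid"))
        name = pid_to_name.get(pid, "named-unknown")
        out.append(f"{m.group('prefix')}{name}[{pid}]: {m.group('msg')}")
    return out


if __name__ == "__main__":
    for line in relabel(SAMPLE_LOG, pid_map(PID_FILES)):
        print(line)
```

Because PIDs are reused after a restart, the mapping should be refreshed from the pid-files whenever an instance is restarted, which is why an unmatched PID is flagged rather than guessed.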


------------------------------


End of bind-users Digest, Vol 1560, Issue 1
*******************************************
