DNSSEC and secondary DNS servers

@lbutlr kremels at kreme.com
Sat Sep 8 17:36:16 UTC 2018


On 08 Sep 2018, at 09:59, Niall O'Reilly <niall.oreilly at ucd.ie> wrote:
> On 8 Sep 2018, at 14:58, @lbutlr wrote:
> 
>> so I think there must be something else.
> 
> You might need to do some other housekeeping:
> 
> https://zonemaster.net/domain_check
> http://dnsviz.net/d/covisp.net/dnssec/

Oh, well, that is interesting. I thought Bind always listened on port 53 for both TCP/UDP.

# sockstat -4 -l | grep :53
bind     named      48714 21 tcp4   65.121.55.42:53       *:*
bind     named      48714 23 tcp4   127.0.0.1:53          *:*
bind     named      48714 512 udp4  65.121.55.42:53       *:*
bind     named      48714 513 udp4  65.121.55.42:53       *:*
bind     named      48714 514 udp4  65.121.55.42:53       *:*
bind     named      48714 518 udp4  127.0.0.1:53          *:*
bind     named      48714 519 udp4  127.0.0.1:53          *:*
bind     named      48714 520 udp4  127.0.0.1:53          *:*

And there’s nothing interesting in pfctl

# pfctl -s rules
block drop in quick on em0 from <sshguard> to any label "sshguardblock"
block drop in quick on em0 from <badguys> to any
pass in quick on em0 proto tcp from <goodguys> to (em0) port = ssh flags S/SA keep state
pass in on em0 proto tcp from any to (em0) port = ssh flags S/SA keep state (source-track rule, max-src-conn 5, max-src-conn-rate 4/300, overload <badguys> flush global, src.track 300)


-- 
Man is born free, but is everywhere in chains.

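As an added example (not part of the thread), here is a small Python check that parses `sockstat -4 -l` output in the format shown above and reports any local address that is bound on :53 for only one transport. The sample input is constructed from the listing above, with one extra address (192.0.2.10, a documentation range) added to show what a gap looks like.

```python
"""Check that named is listening on port 53 over both TCP and UDP.

Parses FreeBSD `sockstat -4 -l` output and groups the :53 listeners by local
address, so an address that has a TCP socket but no UDP socket (or the reverse)
stands out. Input is read from a string here; on a real host you would feed it
`subprocess.run(["sockstat", "-4", "-l"], capture_output=True, text=True).stdout`.
"""
from collections import defaultdict
from typing import Dict, Set

DNS_PORT = 53
TRANSPORTS = {"tcp", "udp"}

# Constructed sample in sockstat's layout; 192.0.2.10 is added deliberately
# with only a TCP listener so the gap check has something to report.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
bind     named      48714 21 tcp4   65.121.55.42:53       *:*
bind     named      48714 23 tcp4   127.0.0.1:53          *:*
bind     named      48714 512 udp4  65.121.55.42:53       *:*
bind     named      48714 518 udp4  127.0.0.1:53          *:*
bind     named      48714 24 tcp4   192.0.2.10:53         *:*
root     sshd       811   4  tcp4   *:22                  *:*
"""


def parse_listeners(text: str, port: int = DNS_PORT) -> Dict[str, Set[str]]:
    """Map each local address bound on `port` to its transports ('tcp'/'udp')."""
    bound: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "USER":  # skip header and short lines
            continue
        proto, local = fields[4], fields[5]
        addr, _, lport = local.rpartition(":")  # rpartition copes with IPv6 too
        if not lport.isdigit() or int(lport) != port:
            continue
        bound[addr].add(proto.rstrip("46"))  # tcp4/tcp6 -> tcp, udp4/udp6 -> udp
    return dict(bound)


def missing_transports(listeners: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Return {address: transports NOT bound} for addresses with a gap."""
    return {a: TRANSPORTS - p for a, p in listeners.items() if TRANSPORTS - p}


if __name__ == "__main__":
    gaps = missing_transports(parse_listeners(SAMPLE_SOCKSTAT))
    for addr, lacking in gaps.items():
        print(f"{addr}: port 53 not bound over {', '.join(sorted(lacking))}")
```

DNSSEC-signed answers are frequently too large for a plain UDP reply and get retried over TCP, so a missing tcp/53 listener or a firewall rule dropping tcp/53 is exactly the kind of thing external checkers such as Zonemaster and DNSViz flag even when UDP queries work.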