Re: WLUG Meeting Feb 11th 2021! Topic: Good question!
That is not what I see when I query one of the major name servers. I would guess your server is configured differently...

rne@P5:~$ dig @1.1.1.1 isc.org

; <<>> DiG 9.16.1-Ubuntu <<>> @1.1.1.1 isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31866
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;isc.org.                IN      A

;; ANSWER SECTION:
isc.org.        9       IN      A       149.20.1.66

;; Query time: 24 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Feb 11 10:03:30 EST 2021
;; MSG SIZE  rcvd: 52

-BE

-----Original Message-----
From: Keith Wright via WLUG <wlug@lists.wlug.org>
Sent: Feb 11, 2021 1:04 AM
To: Worcester Linux Users' Group General Discussion <wlug@lists.wlug.org>
Cc: wlug@lists.wlug.org, Andre.Lehovich@gmx.com, Keith Wright <kwright@keithdiane.us>
Subject: [WLUG] Re: WLUG Meeting Feb 11th 2021! Topic: Good question!
Andre Lehovich via WLUG <wlug@lists.wlug.org> writes:
dig @66.92.74.188 isc.org
Here you go, hope it's useful...
Thank you. That's a lot of information.
quetzal:~ al$ dig @66.92.74.188 isc.org
; <<>> DiG 9.10.6 <<>> @66.92.74.188 isc.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11995
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
;; WARNING: recursion requested but not available
            ^^^^^^^^^ ^^^^^^^^^ ^^^ ^^^ ^^^^^^^^^

That looks good. I don't want to be doing recursion for you (nothing personal).
But where did all the rest of that come from? I've never seen anything like that! Did my server send all that? Why??
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;isc.org.                IN      A

;; AUTHORITY SECTION:
.                       348191  IN      NS      c.root-servers.net.
.                       348191  IN      NS      d.root-servers.net.
.                       348191  IN      NS      e.root-servers.net.
.                       348191  IN      NS      f.root-servers.net.
.                       348191  IN      NS      g.root-servers.net.
.                       348191  IN      NS      h.root-servers.net.
.                       348191  IN      NS      i.root-servers.net.
.                       348191  IN      NS      j.root-servers.net.
.                       348191  IN      NS      k.root-servers.net.
.                       348191  IN      NS      l.root-servers.net.
.                       348191  IN      NS      m.root-servers.net.
.                       348191  IN      NS      a.root-servers.net.
.                       348191  IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
a.root-servers.net.     348191  IN      A       198.41.0.4
a.root-servers.net.     348191  IN      AAAA    2001:503:ba3e::2:30
b.root-servers.net.     348191  IN      A       199.9.14.201
b.root-servers.net.     348191  IN      AAAA    2001:500:200::b
c.root-servers.net.     348191  IN      A       192.33.4.12
c.root-servers.net.     348191  IN      AAAA    2001:500:2::c
d.root-servers.net.     348191  IN      A       199.7.91.13
d.root-servers.net.     348191  IN      AAAA    2001:500:2d::d
e.root-servers.net.     348191  IN      A       192.203.230.10
e.root-servers.net.     348191  IN      AAAA    2001:500:a8::e
f.root-servers.net.     348191  IN      A       192.5.5.241
f.root-servers.net.     348191  IN      AAAA    2001:500:2f::f
g.root-servers.net.     348191  IN      A       192.112.36.4
g.root-servers.net.     348191  IN      AAAA    2001:500:12::d0d
h.root-servers.net.     348191  IN      A       198.97.190.53
h.root-servers.net.     348191  IN      AAAA    2001:500:1::53
i.root-servers.net.     348191  IN      A       192.36.148.17
i.root-servers.net.     348191  IN      AAAA    2001:7fe::53
j.root-servers.net.     348191  IN      A       192.58.128.30
j.root-servers.net.     348191  IN      AAAA    2001:503:c27::2:30
k.root-servers.net.     348191  IN      A       193.0.14.129
k.root-servers.net.     348191  IN      AAAA    2001:7fd::1
l.root-servers.net.     348191  IN      A       199.7.83.42
l.root-servers.net.     348191  IN      AAAA    2001:500:9f::42
m.root-servers.net.     348191  IN      A       202.12.27.33
m.root-servers.net.     348191  IN      AAAA    2001:dc3::35

;; Query time: 150 msec
;; SERVER: 66.92.74.188#53(66.92.74.188)
;; WHEN: Wed Feb 10 20:31:08 PST 2021
;; MSG SIZE  rcvd: 819
_______________________________________________ WLUG mailing list -- wlug@lists.wlug.org To unsubscribe send an email to wlug-leave@lists.wlug.org Create Account: https://wlug.mailman3.com/accounts/signup/ Change Settings: https://wlug.mailman3.com/postorius/lists/wlug.lists.wlug.org/ Web Forum/Archive: https://wlug.mailman3.com/hyperkitty/list/wlug@lists.wlug.org/message/JBBKO5...
Correct, Keith's server is not configured to current best security practices. His server has what is called "upward referrals" turned on.

https://www.dns-oarc.net/oarc/articles/upward-referrals-considered-harmful

I believe what you want at a minimum is:

    additional-from-cache no;

Also, it sounds like you are using your DNS server for two functions: caching for internal clients, and authoritative for your domain name(s). If so you probably should isolate both functions:

"If your nameserver is both authoritative and caching, you really should separate the two functions. Caching nameservers are susceptible to poisoning and other types of attacks. You don't necessarily need separate hardware for each. You might need to use separate IP addresses, or possibly configure the authoritative nameserver to use an external address while the caching nameserver uses an internal address."

See also: https://kb.isc.org/docs/bind-best-practices-authoritative
and: https://kb.isc.org/docs/bind-best-practices-recursive

On Thu, Feb 11, 2021 at 10:08:21AM -0500, Robert N. Evans via WLUG wrote:
That is not what I see when I query one of the major name servers. I would guess your server is configured differently...
"Robert N. Evans via WLUG" <wlug@lists.wlug.org> writes:
That is not what I see when I query one of the major name servers. I would guess your server is configured differently...
Yes, I know it's configured differently. On purpose.

I have configured it _not_ to waste time answering stupid questions from random bots. If you want to know the address of isc.org, ask a major name server. My server is for answering questions about _my_ names. It needs to answer queries about keithdiane.us and free-comp-shop.com, for which it is authoritative, which means the major name servers get their info about those names from _here_.

I would like to configure it to totally ignore such stupid requests; instead it seems to be answering with the best data it has in its cache. That turns out to be the most verbose yet useless information imaginable---a list of all the root name servers on the internet!

-- Keith

PS: Don't use my list. It's probably obsolete.
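Added here as an illustration, not a configuration posted by anyone in the thread: a BIND 9 named.conf sketch that applies Chuck's two points (turn off upward referrals, split the caching and authoritative roles into separate views) and gives Keith what he asks for, a plain REFUSED for names the server does not own. The LAN prefix, ACL name and zone file paths are assumptions; the zone names are the ones Keith gives.

```conf
// Added example, not the thread's own config. Assumed: LAN is 192.168.1.0/24,
// zone files live under /etc/bind/zones/. Zone names are Keith's.

acl "lan" { 127.0.0.0/8; ::1; 192.168.1.0/24; };

options {
    directory "/var/cache/bind";
    // The setting Chuck names: never pad a reply with cached NS/A records
    // for names this server is not authoritative for (the root-server list
    // in the dig output above). Recent BIND releases have dropped this
    // option, so confirm named-checkconf accepts it on your version.
    additional-from-cache no;
    // Answer only what was asked; no gratuitous authority/additional data.
    minimal-responses yes;
};

// Internal view: a caching resolver, reachable only from the LAN.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    allow-recursion { "lan"; };
    allow-query-cache { "lan"; };
    // LAN clients still get the local zones answered directly.
    zone "keithdiane.us" {
        type master;
        file "/etc/bind/zones/db.keithdiane.us";
    };
    zone "free-comp-shop.com" {
        type master;
        file "/etc/bind/zones/db.free-comp-shop.com";
    };
};

// External view: authoritative only. A query for isc.org from a random
// client gets REFUSED instead of a root-hints referral.
view "external" {
    match-clients { any; };
    recursion no;
    allow-recursion { none; };
    allow-query-cache { none; };
    zone "keithdiane.us" {
        type master;
        file "/etc/bind/zones/db.keithdiane.us";
    };
    zone "free-comp-shop.com" {
        type master;
        file "/etc/bind/zones/db.free-comp-shop.com";
    };
};
```

After a reload, the same `dig @66.92.74.188 isc.org` from outside the LAN should come back with `status: REFUSED` and an empty AUTHORITY section, while queries for keithdiane.us still answer.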