Bind/Named 9.9 auth-nxdomain question


Bind/Named 9.9 auth-nxdomain question

Filipe Cifali

Hello,

I have a question:

IF (ignoring RFC 1035 # do not shoot the messenger)

I need to make an authoritative server that gives the 'AA' flag on every query; I would need to set only auth-nxdomain, right?

I'm running this config:

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

options {
    directory "/var/bind/";
    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;

    auth-nxdomain yes;
    minimal-responses yes;
    version "Dont Do It";
    allow-recursion { 127.0.0.1/8; my-query-ip/32; };
    allow-new-zones yes;
    lame-ttl 1800;
    max-cache-ttl 43200;
    max-cache-size 100M;
    notify explicit;
    cleaning-interval 900;
    max-ncache-ttl 18000;
    pid-file "/var/run/named/named.pid";
    listen-on { any; };
    listen-on-v6 { any; };
};

view "internet" IN {
    match-clients { any; };
};

logging {
  channel default_file { file "/var/bind/logs/default.log" versions 3 size 50m; severity info; print-time yes; };
  channel general_file { file "/var/bind/logs/general.log" versions 3 size 50m; severity info; print-time yes; };
  channel database_file { file "/var/bind/logs/database.log" versions 3 size 50m; severity error; print-time yes; };
  channel security_file { file "/var/bind/logs/security.log" versions 3 size 50m; severity info; print-time yes; };
  channel config_file { file "/var/bind/logs/config.log" versions 3 size 50m; severity critical; print-time yes; };
  channel resolver_file { file "/var/bind/logs/resolver.log" versions 3 size 50m; severity critical; print-time yes; };
  channel xfer-in_file { file "/var/bind/logs/xfer-in.log" versions 3 size 50m; severity critical; print-time yes; };
  channel xfer-out_file { file "/var/bind/logs/xfer-out.log" versions 3 size 50m; severity critical; print-time yes; };
  channel notify_file { file "/var/bind/logs/notify.log" versions 3 size 50m; severity critical; print-time yes; };
  channel client_file { file "/var/bind/logs/client.log" versions 3 size 50m; severity critical; print-time yes; };
  channel unmatched_file { file "/var/bind/logs/unmatched.log" versions 3 size 50m; severity critical; print-time yes; };
  channel queries_file { file "/var/bind/logs/queries.log" versions 3 size 50m; severity info; print-time yes; };
  channel network_file { file "/var/bind/logs/network.log" versions 3 size 50m; severity critical; print-time yes; };
  channel update_file { file "/var/bind/logs/update.log" versions 3 size 50m; severity critical; print-time yes; };
  channel dispatch_file { file "/var/bind/logs/dispatch.log" versions 3 size 50m; severity critical; print-time yes; };
  channel dnssec_file { file "/var/bind/logs/dnssec.log" versions 3 size 50m; severity critical; print-time yes; };

  category default { default_file; };
  category general { general_file; };
  category database { database_file; };
  category security { security_file; };
  category config { config_file; };
  category resolver { resolver_file; };
  category xfer-in { xfer-in_file; };
  category xfer-out { xfer-out_file; };
  category notify { notify_file; };
  category client { client_file; };
  category unmatched { unmatched_file; };
  category queries { queries_file; };
  category network { network_file; };
  category update { update_file; };
  category dispatch { dispatch_file; };
  category dnssec { dnssec_file; };
  category lame-servers { null; };
};

key "rndckey" {
      algorithm hmac-md5;
      secret "my-little-key";
};

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

$ dig @my-local-ip typingsomerandomwords.doesntwork

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.47.rc1.el6_8.4 <<>> @my-local-ip typingsomerandomwords.doesntwork
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 26340
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;typingsomerandomwords.doesntwork. IN   A

;; Query time: 199 msec
;; SERVER: my-local-ip#53(my-local-ip)
;; WHEN: Thu Nov  9 18:29:37 2017
;; MSG SIZE  rcvd: 50

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


09-Nov-2017 16:29:22.392 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:22.392 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:27.581 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:27.581 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:32.392 client my-query-ip.19#39791 (typingsomerandomwords.doesntwork): view internet: query: typingsomerandomwords.doesntwork IN A + (my-local-ip)
09-Nov-2017 16:29:32.392 createfetch: typingsomerandomwords.doesntwork A
09-Nov-2017 16:29:32.393 client my-query-ip#39791 (typingsomerandomwords.doesntwork): view internet: query failed (SERVFAIL) for typingsomerandomwords.doesntwork/IN/A at query.c:7007

# ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------


I'm stuck on this: the docs don't say auth-nxdomain is not available to auth servers, and I know it's a bad idea, but it's a bad idea that can be achieved by DLZ drivers via queries, and the config should behave in a similar way (or the docs should be a bit clearer about who can use it and how it works).


--

Filipe Cifali Stangler | INFRASTRUCTURE ANALYST
[hidden email] | www.kinghost.com.br
Ask your questions free of charge: 0800.881.5464
State capitals and regional hubs: 4003.5464
Support from outside Brazil and from mobile phones: (51) 3301.5464

This e-mail message and any attachments are confidential and may be privileged or otherwise protected
from disclosure and/or reproduction. If you are not the intended recipient, please delete it from your system and
notify the sender immediately.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: Bind/Named 9.9 auth-nxdomain question

Tony Finch
Filipe Cifali <[hidden email]> wrote:
>
> I need to make an authoritative server that gives 'AA' flags to every query, I
> would need to set only auth-nxdomain right?

Don't use auth-nxdomain, it has been obsolete for 15 years.

> I'm running this config:

That looks like a recursive server configuration to me - there aren't any
zones configured.

I don't really understand what you are trying to achieve, but if you just
want to say "no" to everything then you want a config like the following,
where db.null is the usual empty zone.

options {
        directory "/var/bind";
        additional-from-cache no;
        empty-zones-enable no;
        minimal-responses yes;
        recursion no;
};

zone "." {
        type master;
        file "db.null";
};

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Dogger, Fisher, German Bight: Northwest 6 to gale 8, occasionally severe gale
9 at first. Rough or very rough, occasionally high at first. Showers. Good.

Re: Bind/Named 9.9 auth-nxdomain question

Filipe Cifali
On 11/10/2017 10:05 AM, Tony Finch wrote:
> Filipe Cifali [hidden email] wrote:
> > I need to make an authoritative server that gives 'AA' flags to every query, I
> > would need to set only auth-nxdomain right?
> Don't use auth-nxdomain, it has been obsolete for 15 years.

OK, I understand; it just seems a bit strange for an obsolete option not to be documented and yet still be available to the server?

> > I'm running this config:
> That looks like a recursive server configuration to me - there aren't any
> zones configured.
>
> I don't really understand what you are trying to achieve, but if you just
> want to say "no" to everything then you want a config like the following,
> where db.null is the usual empty zone.
>
> options {
> 	directory "/var/bind";
> 	additional-from-cache no;
> 	empty-zones-enable no;
> 	minimal-responses yes;
> 	recursion no;
> };
>
> zone "." {
> 	type master;
> 	file "db.null";
> };
>
> Tony.

We are running

    allow-new-zones yes;

for this setup to work, so we have one file with all the zones and configs, managed by rndc calls (for adding/flushing/updating/removing).

I'm trying to have an auth server that sets the auth flag ('aa') even on NXDOMAIN. This is what auth-nxdomain should do, I suppose.

I'm just trying to stay away from DLZ drivers because of their poor performance in general.


Re: Bind/Named 9.9 auth-nxdomain question

Tony Finch
Filipe Cifali <[hidden email]> wrote:
>
> I'm trying to have an Auth Server that says the auth flags ('aa') even on
> NXDOMAIN.

BIND (well, all DNS servers) have to do that. It doesn't need to be
configured. See the first example dig output below.

However the example query in your first message did not seem to match what
you are asking for. You were querying for a domain for which your server
was not authoritative, so it tried to recurse, but failed (some kind of
firewall?). Usually on an auth-only server you should disable recursion,
so your example query would return REFUSED. See the second example dig
output below.


> This is what the auth-nxdomain should do I suppose.

No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
recursive answers, for bug compatibility with BIND 8.


; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec nxdomain.cam.ac.uk @authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35951
;; flags: qr aa; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;nxdomain.cam.ac.uk.    IN A

;; AUTHORITY SECTION:
cam.ac.uk.              3600 IN SOA ipreg.csi.cam.ac.uk. hostmaster.cam.ac.uk. (
                                1510329268 ; serial
                                1800       ; refresh (30 minutes)
                                900        ; retry (15 minutes)
                                604800     ; expire (1 week)
                                3600       ; minimum (1 hour)
                                )

;; Query time: 1 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:27:05 GMT 2017
;; MSG SIZE  rcvd: 93


; <<>> DiG 9.12.0b1 <<>> +multiline +noedns +norec notauth @authdns0.csx.cam.ac.uk
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 53652
;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;notauth.               IN A

;; Query time: 0 msec
;; SERVER: 2001:630:212:8::d:a0#53(2001:630:212:8::d:a0)
;; WHEN: Fri Nov 10 16:34:11 GMT 2017
;; MSG SIZE  rcvd: 25


Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Viking, North Utsire: Northwesterly 6 to gale 8, decreasing 5 for a time. Very
rough, occasionally high in north. Showers. Good.

Re: Bind/Named 9.9 auth-nxdomain question

Mark Andrews

> On 11 Nov 2017, at 3:38 am, Tony Finch <[hidden email]> wrote:
>
> Filipe Cifali <[hidden email]> wrote:
>>
>> I'm trying to have an Auth Server that says the auth flags ('aa') even on
>> NXDOMAIN.
>
> BIND (well, all DNS servers) have to do that. It doesn't need to be
> configured. See the first example dig output below.
>
> However the example query in your first message did not seem to match what
> you are asking for. You were querying for a domain for which your server
> was not authoritative, so it tried to recurse, but failed (some kind of
> firewall?). Usually on an auth-only server you should disable recursion,
> so your example query would return REFUSED. See the second example dig
> output below.
>
>
>> This is what the auth-nxdomain should do I suppose.
>
> No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
> recursive answers, for bug compatibility with BIND 8.

More correctly it has to do with RFC 103[45], where NXDOMAIN is not to
be accepted without the AA bit being set to 1, which makes it impossible to
return NXDOMAIN from a cache.  This is a specification error.  Some
clients, 2 decades ago, rejected NXDOMAIN without AA being set.  This
flag was to allow the recursive server to interoperate with them.


--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [hidden email]

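Tony's two dig outputs (authoritative NXDOMAIN with 'qr aa', REFUSED with only 'qr') and Mark's note about RFC 1034 clients rejecting NXDOMAIN without AA both come down to reading the header flags and RCODE. The following is an added example, not code from the thread or from ISC BIND: a small Python checker that builds DNS messages carrying the same flag combinations as the thread's dig output (the messages are constructed inline, not captured from any server) and classifies them the way the thread does: authoritative NXDOMAIN, REFUSED on a recursion-off server for a name outside its zones, a resolver's cached NXDOMAIN without AA (which the old clients Mark mentions would reject, and which auth-nxdomain yes papers over by setting AA anyway), and the original poster's SERVFAIL. The function and sample names, the SOA MNAME/RNAME/timers and the 'ns1.'/'hostmaster.' labels are my own assumptions.

```python
"""Classify DNS responses by header flags, as the thread's dig output does.

Added example (not code from the thread or from ISC BIND). The sample
messages below are constructed inline, not real captures; they mirror the
flag/RCODE combinations discussed in the thread.
"""
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
# Header flag bits (RFC 1035 section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(ident, qname, flags, rcode, soa_zone=""):
    """Header + question for an A query; optional negative-answer SOA in AUTHORITY.

    The SOA MNAME/RNAME/timers are made up for the example.
    """
    authority = b""
    if soa_zone:
        rdata = (encode_name("ns1." + soa_zone)
                 + encode_name("hostmaster." + soa_zone)
                 + struct.pack("!IIIII", 2017111001, 1800, 900, 604800, 3600))
        authority = (encode_name(soa_zone)
                     + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata))
                     + rdata)
    header = struct.pack("!HHHHHH", ident, QR | flags | (rcode & 0xF),
                         1, 0, 1 if authority else 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return header + question + authority


def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints in its HEADER line."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident, "qr": bool(flags & QR), "aa": bool(flags & AA),
        "tc": bool(flags & TC), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def classify(msg):
    """Name the response the way the thread distinguishes the cases."""
    h = parse_header(msg)
    if h["rcode"] == "NXDOMAIN":
        return "authoritative NXDOMAIN" if h["aa"] else "non-authoritative NXDOMAIN"
    if h["rcode"] == "REFUSED":
        return "REFUSED (name not in a served zone, recursion off)"
    if h["rcode"] == "SERVFAIL" and h["ra"]:
        return "SERVFAIL (recursion attempted and failed)"
    return h["rcode"]


def strict_rfc1034_client_accepts(msg):
    """The old-client rule Mark describes: an NXDOMAIN only counts if AA is set."""
    h = parse_header(msg)
    return h["rcode"] != "NXDOMAIN" or h["aa"]


def auth_only_findings(msg):
    """Things an auth-only server should never send (empty list means fine)."""
    h = parse_header(msg)
    findings = []
    if h["ra"]:
        findings.append("RA set: server advertises recursion; use 'recursion no'")
    if h["rcode"] == "NXDOMAIN" and not h["aa"]:
        findings.append("NXDOMAIN without AA: answered from a cache, not a zone")
    if h["rcode"] == "NXDOMAIN" and h["aa"] and h["nscount"] == 0:
        findings.append("NXDOMAIN with empty AUTHORITY: no SOA, so resolvers "
                        "cannot negative-cache it (RFC 2308)")
    if h["rcode"] == "SERVFAIL":
        findings.append("SERVFAIL: server tried to resolve instead of answering REFUSED")
    return findings


# Constructed samples (not captures) mirroring the thread's dig output.
AUTH_NXDOMAIN = build_response(35951, "nxdomain.cam.ac.uk", AA, 3, "cam.ac.uk")
REFUSED_OUT_OF_ZONE = build_response(53652, "notauth", 0, 5)
CACHED_NXDOMAIN = build_response(1, "nxdomain.cam.ac.uk", RD | RA, 3, "cam.ac.uk")
AUTH_NXDOMAIN_YES = build_response(2, "nxdomain.cam.ac.uk", AA | RD | RA, 3, "cam.ac.uk")
POSTER_SERVFAIL = build_response(26340, "typingsomerandomwords.doesntwork", RD | RA, 2)

if __name__ == "__main__":
    samples = [("auth NXDOMAIN", AUTH_NXDOMAIN), ("auth REFUSED", REFUSED_OUT_OF_ZONE),
               ("resolver NXDOMAIN", CACHED_NXDOMAIN),
               ("auth-nxdomain yes", AUTH_NXDOMAIN_YES), ("poster SERVFAIL", POSTER_SERVFAIL)]
    for label, msg in samples:
        h = parse_header(msg)
        flags = " ".join(f for f in ("qr", "aa", "tc", "rd", "ra") if h[f])
        print("%-18s flags: %-12s status: %-9s -> %s" % (label, flags, h["rcode"], classify(msg)))
        for finding in auth_only_findings(msg):
            print("    ! " + finding)
```

To use it against a real server, replace the constructed bytes with the UDP payload of a response to `dig +noedns +norec`; auth_only_findings() then tells you whether the server is answering from its zones (REFUSED, or NXDOMAIN with 'aa' and an SOA) or is still recursing ('ra' set, SERVFAIL), which is exactly the mismatch Tony points out in the original poster's dig output. The checker reads only the header, so a missing SOA is detected through NSCOUNT rather than by parsing the authority section.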

Re: Bind/Named 9.9 auth-nxdomain question

Filipe Cifali
On 11/10/2017 07:05 PM, Mark Andrews wrote:
> > On 11 Nov 2017, at 3:38 am, Tony Finch [hidden email] wrote:
> >
> > Filipe Cifali [hidden email] wrote:
> > > I'm trying to have an Auth Server that says the auth flags ('aa') even on
> > > NXDOMAIN.
> > BIND (well, all DNS servers) have to do that. It doesn't need to be
> > configured. See the first example dig output below.
> >
> > However the example query in your first message did not seem to match what
> > you are asking for. You were querying for a domain for which your server
> > was not authoritative, so it tried to recurse, but failed (some kind of
> > firewall?). Usually on an auth-only server you should disable recursion,
> > so your example query would return REFUSED. See the second example dig
> > output below.
> >
> > > This is what the auth-nxdomain should do I suppose.
> > No, auth-nxdomain incorrectly sets the AA bit on non-authoritative
> > recursive answers, for bug compatibility with BIND 8.
> More correctly it has to do with RFC 103[45], where NXDOMAIN is not to
> be accepted without the AA bit being set to 1, which makes it impossible to
> return NXDOMAIN from a cache.  This is a specification error.  Some
> clients, 2 decades ago, rejected NXDOMAIN without AA being set.  This
> flag was to allow the recursive server to interoperate with them.

Thanks, I understand now how it is supposed to be used.

Is there a way for me to help clear up the docs? I don't think I should file a "bug" report about this.

