ISC BIND 9.10.2-P3 Forwarding Caching Only Nameserver


I recently had to migrate a large DNS environment from about 23 Microsoft Domain Controllers to Infoblox DNS. I could have just deleted all the zones and set the forwarding on the Microsoft DNS servers but I wanted to leave the Microsoft DNS configuration and data in place to provide a quick backout option in the unlikely event that it was need (it was needed but the second time around using the named.conf file below was the charm).

PrintI ended up deploying ISC BIND 9.10.2-P3 across a mix of Windows 2003 and Windows 2008 domain controller servers, some 32-bit and some 64-bit.

As I alluded to above I originally had issues running BIND getting error messages such as the following after only a few hours running the service and clients failing to get name resolution.

27-Jul-2015 19:15:04.575 general: error: ..\client.c:2108: unexpected error:
27-Jul-2015 19:15:04.575 general: error: failed to get request's destination: failure
27-Jul-2015 19:15:04.981 general: error: ..\client.c:2108: unexpected error:
27-Jul-2015 19:15:04.981 general: error: failed to get request's destination: failure
27-Jul-2015 19:15:20.971 general: error: ..\client.c:2108: unexpected error:
27-Jul-2015 19:15:20.971 general: error: failed to get request's destination: failure

There were also a few other errors that apeared to be releated to the anti-DDoS mechanisms built into BIND;

27-Jul-2015 19:50:02.369 resolver: notice: clients-per-query increased to 15

So I went back and recrafted the named.conf file and came up with the following which seems to be working well for me now almost 5 days after the Infoblox DNS migration.

You’ll noticed that I commented out the localhost zone and the reverse zone as well. I didn’t think that BIND would run without them but sure enough it does. I also enabled query logging so I could see what type of abuse the DNS servers were getting. I found a couple of servers that were querying more than 40,000 times a minute for a management platform that had been retired almost 5+ years ago.

options {
  directory "c:\program files\isc bind 9\bin";
  // here are the servers we'll send all our queries to
  forwarders {;;};
  forward only;

  auth-nxdomain no;

  // need to include allow-query at a minimum
  allow-recursion { "any"; };
  allow-query { "any"; };
  allow-transfer { "none"; };

  // lets leave IPv6 off for now less to worry about
  listen-on-v6 { "none"; };

  // standard stuff
  version none;
  minimal-responses yes;
  // cache positive and negative results for only 5 minutes
  max-cache-ttl 300;
  max-ncache-ttl 300;

  // disable DDoS mechanisms in BIND
  clients-per-query 0;
  max-clients-per-query 0;


   channel example_log{
    file "C:\program files\isc bind 9\log\named.log" versions 3 size 250k;
    severity info;
    print-severity yes;
    print-time yes;
    print-category yes;

  channel queries_file {
    file "c:\program files\isc bind 9\log\queries.log" versions 10 size 10m;
    severity dynamic;
    print-time yes;

  category default{ example_log; };
  category queries { queries_file; };


//zone "localhost" in{
//  type master;
//  file "pri.localhost";
//  allow-update{none;};

//zone "" in{
//  type master;
//  file "localhost.rev";
//  allow-update{none;};

I setup my first nameserver running BIND 4.x back in 1995, more than 20 years ago while working at Manhattan College. While I'm pretty familiar with BIND a lot has changed since then and so I had to-do a fair bit of research to arrive at the configuration above.

Hopefully someone else will find it helpful.



Avaya ERS 3549GTS-PWR+ Stacking


I had an interesting experience yesterday working with a client who had a stack of 3 Avaya Ethernet Routing Switch 3549GTS-PWR+. The units were properly cabled but they wouldn't stack with each other. In the past while working with the Avaya Ethernet Routing Switch 4000 or 5000 series you only needed to physically connect the stacking cables and power on the switches and they wouldstack together. You might have to check which switch was set to base using the dip/selector switch on the back of the switches, but there wasn't much to it. I spent about 30 minutes fumbling with these […] Read More


Moving SHA-1 Certificates to the SHA-2 Certificates


This week I decided it was past time to address the visual warning that Google's Chrome and other web browsers are showing when connecting to the discussion forums. That site had been protected by a SHA-1 certificate issued by RapidSSL, which is owned by GeoTrust, which is now owned by Symantec. Now that I work in the retail sector my team has been very focused on replacing all the SHA-1 certificates that we use throughout our customer facing e-commerce infrastructure. No small job when you have hundreds of certificates out there with dozens if not hundreds of third-party vendors. When you'd […] Read More


Rollerblade Macroblade 90 – Impressive Skates


This morning I debuted a pair or Rollerblade Macroblade 90's on the Schuylkill River Trail between Pawlings Road and Rt 202 in Norristown, PA. It was a leisurely 13+ mile skate as I tested out my new skates only occasionally pushing the pace when I needed to pass some bikes. The skates are relatively comfortable, even while breaking them in. I ended up getting only small blisters on both feet (on my big toe nonetheless). The skates provided an extremely smooth and silent ride with great excellent power transfer in each stroke and great stability through each stride. As is […] Read More


Verizon FiOS – POP3 Settings

I realized yesterday that my Motorola Moto X smartphone had stopped syncing my Verizon email account and recalled a notification from Verizon that involved a configuration change. If your a Verizon customer you may need to check the settings on our mail client. Once I made the changes I was able to immediately connect and sync my email. Cheers!   […] Read More