1 What is a DNS Amplification Attack?

A DNS Amplification Attack is a Distributed Denial of Service (DDoS) tactic that belongs to the class of reflection attacks -- attacks in which an attacker delivers traffic to the victim of their attack by reflecting it off of a third party so that the origin…

2 Nameserver Basics: What is an Authoritative Server? What is a Recursive Server?

On occasion, when a security defect is found in BIND, ISC issues a security advisory. Sometimes the "Impact" section of these advisories contains a qualification as to what kind of nameserver is affected by the defect, i.e. if the bug is known to affect only…

3 BIND's Support Model

BIND's Mix of Community Support, Professional Support, and the DDI Eco-System

BIND is a managed open source solution. This support model provides the global community of users with the best of two worlds - the open source community of your colleagues using…

4 Why don't my zones reload when I do an "rndc reload" or SIGHUP?

A zone can be updated either by editing zone files and reloading the server or by dynamic update, but not both. If you have enabled dynamic update for a zone using the "allow-update" option or by using "update-policy", you are not supposed to edit the zone…

5 What do +EDC and other letters I see in my query log mean?

This is documented in the BIND Administrator Reference Manual (which you'll find both on our website and in the BIND source code tarball):
https://www.isc.org/software/bind/documentation
Look for the section that deals with logging categories, and specifically…

6 Why do queries for NSEC3 records fail to return the NSEC3 record?

Although NSEC3 records are present as part of a signed DNS zone's representation (in master files and zone transfers), they are strictly metadata and cannot be queried for directly. The owner names of NSEC3 records do not form a part of the DNS domain tree.…

7 Why is named listening on UDP port other than 53?

named uses a system-selected port to make queries to other nameservers. This behavior can be overridden by using query-source to lock down the port and/or address. See also notify-source and transfer-source.

8 Please explain how BIND 9 uses memory to store DNS zones. Sometimes it seems to use several times the amount it needs.

When reloading a zone, named may have multiple copies of the zone in memory at one time: the zone it is serving and the one it is loading. If reloads are ultra fast it can have more still, e.g. ones that are transferring out, the one that it is serving and…

9 Is there a Bugzilla (or other tool) database that mere mortals can have (read-only) access to for BIND?

ISC has two bug tracking systems. The Kea project has an open bug database, integrated with the Trac wiki at kea.isc.org. Anyone may register for a log-in to that database, and there is public read-only access. BIND and ISC DHCP use a private bug database.…

10 Will named be affected by changes to daylight savings rules in my location?

Usually no, as it is most common for machines to keep track of time using UTC and apply adjustments to display in local time according to OS-specific configuration rules. For most OSes this change just means that you need to update the conversion rules from…
