TXT record problem (Timed out)
Mark Andrews
Mark_Andrews at isc.org
Thu Aug 24 23:50:24 UTC 2006
> In article <eckdv1$li2$1 at sf1.isc.org>,
> Mark Andrews <Mark_Andrews at isc.org> wrote:
>
> > > Hi,
> > > my dns server is behind a firewall, and TCP and UDP port 53 have been
> > > opened. Is there another port that should be opened?
> > > After running dig version.bind chaos txt or named -v, I got BIND 9.1.3.
> > > Thanks and regards,
> >
> > No one should be running BIND 9.1.3 anymore. Upgrade.
>
> While that may be good advice, what's the chance that this is even
> remotely related to his problem?
I doubt it has anything, as the version.bind/txt/ch query
failed and that has always worked which indicates that it
is not named. This has already been pointed out by others
and indicates a firewall problem.
What had not been pointed out is that there are lots of
major bugs including security bugs in what he is running.
e.g.
http://www.cert.org/advisories/CA-2002-15.html
I suspect the whole OS needs to be upgraded. I don't know
of any OS that shipped w/ BIND 9.1.3 that doesn't have other
security flaws.
Named is one of a few applications that are always exposed
to external threats. You can often get away with not
upgrading on an internal threat. You can rarely get away
with not upgrading on an external threat. This machine is
exposed to external threats.
> I wish in my tech support job I could get away with ignoring questions
> of customers who aren't running a recent release.
BIND 9.1 has been out of support for 4 years. This is free
support and asking someone to compile a recent version
before getting free support is a reasonable request. It
also gets rid of a multitude of potential problems.
Anyone running a multi-threaded version of named shouldn't
be running anything less than BIND 9.2.4 as all versions
prior to that have a major race condition. This means most
Linux boxes shouldn't be running anything prior to BIND 9.2.4.
Mark
> --
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***
--
ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP. Email training at isc.org.
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
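The diagnostic the thread relies on is that a `version.bind CH TXT` query has always been answered by named, so a timeout on that query points at the path to the server (firewall, wrong address) rather than at named itself. The script below is an added example, not code from the thread or from ISC: it builds that query by hand, sends it over UDP and over TCP port 53 (the TCP form carries a two-byte length prefix), parses the TXT answer, and reports which transport timed out. The server address is a placeholder from TEST-NET-1 and the offline sample answer is constructed here; the `classify` wording is this example's own.

```python
"""Probe a DNS server's version.bind CHAOS TXT record over UDP and TCP port 53,
to tell a firewall timeout apart from an answer (or refusal) from named."""
import os
import socket
import struct
import sys
from typing import Optional, Tuple

TYPE_TXT, CLASS_CH = 16, 3
EXAMPLE_SERVER = "192.0.2.53"   # placeholder address (TEST-NET-1), assumed, not from the thread


def build_version_bind_query(txid: int) -> bytes:
    """DNS message: 12-byte header plus one question for version.bind. CH TXT."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, QDCOUNT=1
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack(">HH", TYPE_TXT, CLASS_CH)


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # pointer: two bytes, and it ends the name
            return off + 2
        off += 1 + n


def parse_txt_answer(msg: bytes, txid: int) -> Optional[str]:
    """TXT string from the first CH TXT answer; None on no answer or non-zero RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:                # e.g. REFUSED when the operator hides the version
        return None
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            parts, p = [], 0
            while p < len(rdata):               # TXT rdata: run of <len><chars> strings
                n = rdata[p]
                parts.append(rdata[p + 1:p + 1 + n].decode("latin-1"))
                p += 1 + n
            return "".join(parts)
    return None


def sample_response(txid: int, version: str) -> bytes:
    """Constructed sample of an answer, for offline demonstration only."""
    txt = version.encode()
    return (struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
            + b"\x07version\x04bind\x00" + struct.pack(">HH", TYPE_TXT, CLASS_CH)
            + b"\xC0\x0C" + struct.pack(">HHIH", TYPE_TXT, CLASS_CH, 0, len(txt) + 1)
            + bytes([len(txt)]) + txt)


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf


def query_udp(server: str, timeout: float = 3.0) -> Tuple[int, Optional[bytes]]:
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_bind_query(txid), (server, 53))
        try:
            return txid, s.recvfrom(512)[0]
        except socket.timeout:
            return txid, None


def query_tcp(server: str, timeout: float = 3.0) -> Tuple[int, Optional[bytes]]:
    txid = int.from_bytes(os.urandom(2), "big")
    q = build_version_bind_query(txid)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack(">H", len(q)) + q)     # DNS over TCP: length prefix
            (n,) = struct.unpack(">H", _recv_exact(s, 2))
            return txid, _recv_exact(s, n)
    except OSError:                                      # timeout, refused, reset
        return txid, None


def classify(udp_answered: bool, tcp_answered: bool) -> str:
    if udp_answered and tcp_answered:
        return "named answers on UDP and TCP 53: the firewall is not the problem"
    if not udp_answered and not tcp_answered:
        return "timed out on both: traffic is not reaching named (firewall or wrong address)"
    if udp_answered:
        return "UDP answers but TCP times out: TCP/53 is blocked"
    return "TCP answers but UDP times out: UDP/53 is blocked"


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # python3 probe.py <server-ip>
        u_id, u = query_udp(sys.argv[1])
        t_id, t = query_tcp(sys.argv[1])
        print(classify(u is not None, t is not None))
        for label, tid, data in (("UDP", u_id, u), ("TCP", t_id, t)):
            if data is not None:
                print(label, "version.bind =", parse_txt_answer(data, tid))
    else:
        print("sample answer parses to", parse_txt_answer(sample_response(0x1234, "9.1.3"), 0x1234))
```

Run it against the server's address from outside the firewall, as the original poster's `dig` was; an answer with a non-zero RCODE (returned as `None` by `parse_txt_answer`) still means named was reached, which is the distinction the thread draws.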