TXT record problem (Timed out)

Mark Andrews Mark_Andrews at isc.org
Thu Aug 24 23:50:24 UTC 2006


> In article <eckdv1$li2$1 at sf1.isc.org>,
>  Mark Andrews <Mark_Andrews at isc.org> wrote:
> 
> > > Hi,
> > >   my dns server is behind a firewall, and TCP and UDP port 53 have been
> > >   opened. Is there another port that should be opened?
> > >   After running dig version.bind chaos txt or named -v, I got BIND 9.1.3.
> > >   Thanks and regards,
> > 
> > 	No one should be running BIND 9.1.3 anymore.  Upgrade.
> 
> While that may be good advice, what's the chance that this is even 
> remotely related to his problem?

	I doubt it has anything, as the version.bind/txt/ch query
	failed and that has always worked which indicates that it
	is not named.  This has already been pointed out by others
	and indicates a firewall problem.

	What had not been pointed out is that there are lots of
	major bugs including security bugs in what he is running.

	e.g.
		http://www.cert.org/advisories/CA-2002-15.html

	I suspect the whole OS needs to be upgraded.  I don't know
	of any OS that shipped w/ BIND 9.1.3 that doesn't have other
	security flaws.

	Named is one of a few applications that is always exposed
	to external threats.  You can often get away with not
	upgrading on an internal threat.  You can rarely get away
	with not upgrading on an external threat.  This machine is
	exposed to external threats.
 
> I wish in my tech support job I could get away with ignoring questions 
> of customers who aren't running a recent release.

	BIND 9.1 has been out of support for 4 years.  This is free
	support and asking someone to compile a recent version
	before getting free support is a reasonable request.  It
	also gets rid of a multitude of potential problems.

	Anyone running a multi-threaded version of named shouldn't
	be running anything less than BIND 9.2.4 as all versions
	prior to that have a major race condition.  This means most
	Linux boxes shouldn't be running anything prior to BIND 9.2.4.

	Mark
 
> -- 
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE post questions in newsgroups, not directly to me ***
> *** PLEASE don't copy me on replies, I'll read them in the group ***
--
ISC Training!  October 16-20, 2006, in the San Francisco Bay Area,
covering topics from DNS to DHCP.  Email training at isc.org.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
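The diagnosis above rests on one observation: named always answers a version.bind CH TXT query (with a TXT record or, if the administrator has hidden the version, with REFUSED), so a query that simply times out over both UDP and TCP means packets are not reaching named at all. The script below is an added example, not part of the original thread, that automates that triage; the server name passed as `$1` is a placeholder, and the `classify_dig` function only matches the status strings dig prints.

```shell
#!/bin/sh
# Added example (not from the original thread): triage the "timed out" symptom.
# A version.bind CH TXT query that times out over both UDP and TCP points at the
# firewall / reachability, not at named, which would at least answer REFUSED.

# classify_dig: read dig output on stdin and print one of
#   timeout | refused | answer | other
classify_dig() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*) echo timeout ;;
        *"status: REFUSED"*) echo refused ;;
        *"status: NOERROR"*) echo answer ;;
        *) echo other ;;   # SERVFAIL, NXDOMAIN, dig missing, etc.
    esac
}

# probe: run the CH TXT query over UDP and over TCP (+tcp) with short timeouts
# and print both classifications.  $1 = server to test (placeholder).
probe() {
    server="$1"
    udp=$(dig +time=2 +tries=1 @"$server" version.bind chaos txt 2>&1 | classify_dig)
    tcp=$(dig +tcp +time=2 +tries=1 @"$server" version.bind chaos txt 2>&1 | classify_dig)
    echo "udp=$udp tcp=$tcp"
    if [ "$udp" = timeout ] && [ "$tcp" = timeout ]; then
        echo "both transports time out: check the firewall path on 53/udp and 53/tcp"
    elif [ "$udp" = timeout ]; then
        echo "only UDP times out: 53/udp is being dropped somewhere"
    else
        echo "named is reachable; a timeout on other queries is not a port problem"
    fi
}

if [ -n "$1" ]; then
    probe "$1"
fi
```

Run it as `sh probe.sh ns.example.net` against the server behind the firewall; "refused" still counts as named being reachable, since that is the answer a hardened `version` option produces.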