Not - Re: New DNS server up and running

Robert Moskowitz rgm at htt-consult.com
Thu Feb 21 01:59:25 UTC 2013


On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
> It looks like no system, internal or external could access the DNS on 
> my new server.  IPTABLES was set for 53 both UDP and TCP. Firewall was 
> OK.  In fact a local system on the same subnet, thus NOT going through 
> my firewall was denied access to the internal domain. Localhost of 
> course works.
Oh, here is what I have for options in my internal view:

     match-clients        { httnets; };
     match-destinations    { httnets; };
     recursion yes;
     empty-zones-enable yes;

and httnets contains:

acl "httnets" {
     127.0.0.1;
     208.83.67.128/26;
     192.168.32.0/24;
     192.168.64.0/24;
     192.168.96.0/24;
     192.168.128.0/24;
     192.168.192.0/24;
     ::1;
     2607:f4b8:3:0::/64;
     2607:f4b8:3:1::/64;
     2607:f4b8:3:2::/64;
     2607:f4b8:3:3::/64;
     2607:f4b8:3:4::/64;
     2607:f4b8:3:5::/64;
     2607:f4b8:3:8::/64;
     2607:f4b8:3:9::/64;
     2607:f4b8:3:10::/64;
     2607:f4b8:3:11::/64;
     2607:f4b8:3:12::/64;
     2607:f4b8:3:13::/64;
};

But I used my Verizon cellular wifi to connect a system from outside, 
and when I did a DIG to my IP address, it was denied by named (as seen 
in /var/log/messages), so the problem is broader than just my internal 
view, which is why I think it is either the randomized port and firewall 
interaction or SELinux.


>
> So it is either the Linux firewall and bind port randomization, or it 
> is SELINUX.  How do I test to find out which?
>
> Since the new server is on the same IP address as the old, it is 
> unplugged from the switch.  I can switch back and forth between the two 
> boxes, only taking the time for ARP table updates.
>
> So I hope someone can point me to what I have missed.
>
>
> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>> Phase I is hopefully complete.  A new onlo.htt-consult.com is up in 
>> place of the old one.
>>
>> This is a faster box with current software.  I will 'leave it alone' 
>> for a week, unless someone tells me something is wrong with it.
>>
>> Next I unlock my domain from NetSol and choose my new registrar and 
>> move.  Thank you on all the recommendations.  Now to choose.
>>
>> I study up on DNSSEC, maybe read a book or two.
>>
>> Then after Passover, start the signing!
>>
>> So I will be, ahem, quiet here for awhile.  Yeah sure.  Well I DO 
>> have other systems and services to migrate.
>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
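Added example, not part of this thread and not BIND's own code: a small Python
evaluator for BIND address_match_list semantics (first matching element wins,
a leading "!" negates), loaded with the httnets ACL and the internal view's
match-clients/match-destinations exactly as posted above. A refusal that named
itself writes to the log shows the packet reached named, so the first thing to
check is which view, if any, the logged client address and the address the query
was sent to would select. The log lines, the external view's absence (the message
says one exists but does not show it), the hostname "onlo", the PID and the
addresses 203.0.113.7, 198.51.100.1 and 208.83.67.130 are all constructed for the
example; "localhost" is approximated as loopback only, where real BIND matches
every address of the host's own interfaces.

```python
import ipaddress
import re

# The author's "httnets" ACL, copied from the message.
ACLS = {
    "httnets": [
        "127.0.0.1", "208.83.67.128/26",
        "192.168.32.0/24", "192.168.64.0/24", "192.168.96.0/24",
        "192.168.128.0/24", "192.168.192.0/24",
        "::1",
        "2607:f4b8:3:0::/64", "2607:f4b8:3:1::/64", "2607:f4b8:3:2::/64",
        "2607:f4b8:3:3::/64", "2607:f4b8:3:4::/64", "2607:f4b8:3:5::/64",
        "2607:f4b8:3:8::/64", "2607:f4b8:3:9::/64", "2607:f4b8:3:10::/64",
        "2607:f4b8:3:11::/64", "2607:f4b8:3:12::/64", "2607:f4b8:3:13::/64",
    ],
}

# Only the internal view is on the page; the external view is not reproduced,
# so a query no view matches here is what named refuses as "no matching view".
VIEWS = [
    {"name": "internal",
     "match-clients": ["httnets"],
     "match-destinations": ["httnets"]},
]


def acl_match(addr, acl, acls=ACLS):
    """Evaluate a BIND-style address_match_list for one address.

    Elements are tested in order; the first that matches decides. A '!'
    prefix negates the element, so matching it means "reject". A nested ACL
    that ends in a negated match counts as no match (BIND's documented rule),
    so evaluation simply continues with the next element.
    Returns True when the address is accepted, False otherwise.
    """
    ip = ipaddress.ip_address(addr)
    for element in acl:
        negate = element.startswith("!")
        name = element[1:].strip() if negate else element.strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = ip.is_loopback  # approximation, see lead-in
        elif name in acls:
            hit = acl_match(addr, acls[name], acls)
        else:
            net = ipaddress.ip_network(name, strict=False)
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False


def select_view(client, destination, views=VIEWS, acls=ACLS):
    """Return the first view whose match-clients accepts the query's source
    address AND whose match-destinations accepts the address it was sent to.
    None means no view claims the query, and named refuses it."""
    for view in views:
        if (acl_match(client, view["match-clients"], acls)
                and acl_match(destination, view["match-destinations"], acls)):
            return view["name"]
    return None


# Constructed sample log lines in the format named used at the time.
SAMPLE_LOG = """\
Feb 20 20:15:02 onlo named[1234]: client 192.168.32.15#51234: query (cache) 'www.example.com/A/IN' denied
Feb 20 20:15:09 onlo named[1234]: client 203.0.113.7#41234: no matching view in class 'IN'
Feb 20 20:15:20 onlo named[1234]: client 127.0.0.1#33000: query: www.example.com IN A + (127.0.0.1)
"""

LOG_RE = re.compile(
    r"named\[\d+\]: client (?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+): (?P<msg>.*)$")


def parse_denials(log_text):
    """Return (client address, message) for each line where named refused a
    query; ordinary query-log lines are skipped."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        if msg.endswith("denied") or msg.startswith("no matching view"):
            out.append((m.group("client"), msg))
    return out


def explain(log_text, destination, views=VIEWS, acls=ACLS):
    """Map each refused client to the view it would have selected for a query
    sent to `destination`. A view name means the client passed match-clients
    and match-destinations, so the refusal comes from inside that view
    (allow-query, zone config); None means the view selection itself failed."""
    return {client: select_view(client, destination, views, acls)
            for client, _msg in parse_denials(log_text)}


if __name__ == "__main__":
    # 208.83.67.130 is a constructed listening address inside 208.83.67.128/26.
    print(explain(SAMPLE_LOG, "208.83.67.130"))
```

Running it against the real /var/log/messages is a matter of passing the file's
text and the address named is actually listening on; if a LAN client shows up as
None even though it sits in one of the 192.168 blocks, the destination side of
the check (match-destinations) is the one that failed.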