Not - Re: New DNS server up and running

Sten Carlsen stenc at s-carlsen.dk
Thu Feb 21 07:38:26 UTC 2013


What about allow-query?

At some point the default changed to allow only localhost.

On 21/02/13 2:59, Robert Moskowitz wrote:
>
> On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
>> It looks like no system, internal or external could access the DNS on
>> my new server.  IPTABLES was set for 53 both UDP and TCP. Firewall
>> was OK.  In fact a local system on the same subnet, thus NOT going
>> through my firewall was denied access to the internal domain.
>> Localhost of course works.
> Oh, here is what I have for options in my internal view:
>
>     match-clients        { httnets; };
>     match-destinations    { httnets; };
>     recursion yes;
>     empty-zones-enable yes;
>
> and httnets contains:
>
> acl "httnets" {
>     127.0.0.1;
>     208.83.67.128/26;
>     192.168.32.0/24;
>     192.168.64.0/24;
>     192.168.96.0/24;
>     192.168.128.0/24;
>     192.168.192.0/24;
>     ::1;
>     2607:f4b8:3:0::/64;
>     2607:f4b8:3:1::/64;
>     2607:f4b8:3:2::/64;
>     2607:f4b8:3:3::/64;
>     2607:f4b8:3:4::/64;
>     2607:f4b8:3:5::/64;
>     2607:f4b8:3:8::/64;
>     2607:f4b8:3:9::/64;
>     2607:f4b8:3:10::/64;
>     2607:f4b8:3:11::/64;
>     2607:f4b8:3:12::/64;
>     2607:f4b8:3:13::/64;
> };
>
> But I used my Verizon cellular wifi to connect a system from outside,
> and when I did a DIG to my ip address, it was denied by named (as seen
> in /var/log/messages), so the problem is broader than just my internal
> view and why i think it is either the randomized port and firewall
> interaction of selinux.
>
>
>>
>> So it is either the Linux firewall and bind port randomization, or it
>> is SELINUX.  How do I test to find out which?
>>
>> Since the new server is on the same IP address as the old, it is
>> unplugged from the switch.  I can switch back and forth between to
>> two boxes, only taking the time for ARP table updates.
>>
>> So I hope someone can point me to what I have missed.
>>
>>
>> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>>> Phase I is hopefully complete.  A new onlo.htt-consult.com is up in
>>> place of the old one.
>>>
>>> This is a faster box with current software.  I will 'leave it alone'
>>> for a week, unless someone tells me something is wrong with it.
>>>
>>> Next I unlock my domain from NetSol and choose my new registrar and
>>> move.  Thank you on all the recommendations.  Now to choose.
>>>
>>> I study up on DNSSEC, maybe read a book or two.
>>>
>>> Then after Passover, start the signing!
>>>
>>> So I will be, ahem, quite here for awhile.  Yeah sure.  Well I DO
>>> have other systems and services to migrate.
>>>
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards

Sten Carlsen

No improvements come from shouting:
       "MALE BOVINE MANURE!!!"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130221/84a699e3/attachment.html>


More information about the bind-users mailing list