Not - Re: New DNS server up and running
Sten Carlsen
stenc at s-carlsen.dk
Thu Feb 21 07:38:26 UTC 2013
What about allow-query?
At some point the default changed to allow only localhost.
On 21/02/13 2:59, Robert Moskowitz wrote:
>
> On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
>> It looks like no system, internal or external could access the DNS on
>> my new server. IPTABLES was set for 53 both UDP and TCP. Firewall
>> was OK. In fact a local system on the same subnet, thus NOT going
>> through my firewall was denied access to the internal domain.
>> Localhost of course works.
> Oh, here is what I have for options in my internal view:
>
> match-clients { httnets; };
> match-destinations { httnets; };
> recursion yes;
> empty-zones-enable yes;
>
> and httnets contains:
>
> acl "httnets" {
> 127.0.0.1;
> 208.83.67.128/26;
> 192.168.32.0/24;
> 192.168.64.0/24;
> 192.168.96.0/24;
> 192.168.128.0/24;
> 192.168.192.0/24;
> ::1;
> 2607:f4b8:3:0::/64;
> 2607:f4b8:3:1::/64;
> 2607:f4b8:3:2::/64;
> 2607:f4b8:3:3::/64;
> 2607:f4b8:3:4::/64;
> 2607:f4b8:3:5::/64;
> 2607:f4b8:3:8::/64;
> 2607:f4b8:3:9::/64;
> 2607:f4b8:3:10::/64;
> 2607:f4b8:3:11::/64;
> 2607:f4b8:3:12::/64;
> 2607:f4b8:3:13::/64;
> };
>
> But I used my Verizon cellular wifi to connect a system from outside,
> and when I did a DIG to my ip address, it was denied by named (as seen
> in /var/log/messages), so the problem is broader than just my internal
> view and why I think it is either the randomized port and firewall
> interaction or SELinux.
>
>
>>
>> So it is either the Linux firewall and bind port randomization, or it
>> is SELINUX. How do I test to find out which?
>>
>> Since the new server is on the same IP address as the old, it is
>> unplugged from the switch. I can switch back and forth between the
>> two boxes, only taking the time for ARP table updates.
>>
>> So I hope someone can point me to what I have missed.
>>
>>
>> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>>> Phase I is hopefully complete. A new onlo.htt-consult.com is up in
>>> place of the old one.
>>>
>>> This is a faster box with current software. I will 'leave it alone'
>>> for a week, unless someone tells me something is wrong with it.
>>>
>>> Next I unlock my domain from NetSol and choose my new registrar and
>>> move. Thank you for all the recommendations. Now to choose.
>>>
>>> I study up on DNSSEC, maybe read a book or two.
>>>
>>> Then after Passover, start the signing!
>>>
>>> So I will be, ahem, quiet here for awhile. Yeah sure. Well I DO
>>> have other systems and services to migrate.
>>>
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
>>
>
--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"