<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFCC" text="#000000">
What about allow-query?<br>
<br>
At some point the default changed to allow only localhost.<br>
<br>
<div class="moz-cite-prefix">On 21/02/13 2:59, Robert Moskowitz
wrote:<br>
</div>
<blockquote cite="mid:51257F7D.4070103@htt-consult.com" type="cite">
<br>
On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
<br>
<blockquote type="cite">It looks like no system, internal or
external could access the DNS on my new server. IPTABLES was
set for 53 both UDP and TCP. Firewall was OK. In fact a local
system on the same subnet, thus NOT going through my firewall
was denied access to the internal domain. Localhost of course
works.
<br>
</blockquote>
Oh, here is what I have for options in my internal view:
<br>
<pre>
match-clients { httnets; };
match-destinations { httnets; };
recursion yes;
empty-zones-enable yes;
</pre>
and httnets contains:
<br>
<pre>
acl "httnets" {
    127.0.0.1;
    208.83.67.128/26;
    192.168.32.0/24;
    192.168.64.0/24;
    192.168.96.0/24;
    192.168.128.0/24;
    192.168.192.0/24;
    ::1;
    2607:f4b8:3:0::/64;
    2607:f4b8:3:1::/64;
    2607:f4b8:3:2::/64;
    2607:f4b8:3:3::/64;
    2607:f4b8:3:4::/64;
    2607:f4b8:3:5::/64;
    2607:f4b8:3:8::/64;
    2607:f4b8:3:9::/64;
    2607:f4b8:3:10::/64;
    2607:f4b8:3:11::/64;
    2607:f4b8:3:12::/64;
    2607:f4b8:3:13::/64;
};
</pre>
<br>
But I used my Verizon cellular wifi to connect a system from
outside, and when I did a DIG to my ip address, it was denied by
named (as seen in /var/log/messages), so the problem is broader
than just my internal view and why I think it is either the
randomized port and firewall interaction or selinux.
<br>
<br>
<br>
<blockquote type="cite">
<br>
So it is either the Linux firewall and bind port randomization,
or it is SELINUX. How do I test to find out which?
<br>
<br>
Since the new server is on the same IP address as the old, it is
unplugged from the switch. I can switch back and forth between
the two boxes, only taking the time for ARP table updates.
<br>
<br>
So I hope someone can point me to what I have missed.
<br>
<br>
<br>
On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
<br>
<blockquote type="cite">Phase I is hopefully complete. A new
onlo.htt-consult.com is up in place of the old one.
<br>
<br>
This is a faster box with current software. I will 'leave it
alone' for a week, unless someone tells me something is wrong
with it.
<br>
<br>
Next I unlock my domain from NetSol and choose my new
registrar and move. Thank you on all the recommendations.
Now to choose.
<br>
<br>
I study up on DNSSEC, maybe read a book or two.
<br>
<br>
Then after Passover, start the signing!
<br>
<br>
So I will be, ahem, quiet here for a while. Yeah sure. Well I
DO have other systems and services to migrate.
<br>
<br>
<br>
_______________________________________________
<br>
Please visit <a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list
<br>
<br>
bind-users mailing list
<br>
<a class="moz-txt-link-abbreviated" href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<br>
<a class="moz-txt-link-freetext" href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
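Added example, not part of the original thread or the poster's configuration: a named.conf fragment showing how the allow-query question raised in the reply applies to the posted view. The global allow-query { localhost; } line and the view name "internal" are assumptions; the ACL is an abbreviated copy of the one in the thread.

```conf
// Constructed named.conf fragment; not the poster's actual file.

// ASSUMPTION: the global options block restricts queries to the server
// itself, as some distribution-supplied named.conf files do. The thread
// never shows this block.
options {
    allow-query { localhost; };
};

// Abbreviated copy of the ACL posted in the thread.
acl "httnets" {
    127.0.0.1;
    192.168.32.0/24;
    ::1;
    2607:f4b8:3:0::/64;
};

// View name is hypothetical; the thread only calls it "my internal view".
view "internal" {
    // These two statements only select WHICH view handles a client.
    // They grant no permission to query.
    match-clients { httnets; };
    match-destinations { httnets; };

    recursion yes;
    empty-zones-enable yes;

    // Without this line the view inherits allow-query from options, so a
    // client in 192.168.32.0/24 is matched into this view and still
    // refused, while queries from the server itself succeed.
    allow-query { httnets; };

    // allow-recursion and allow-query-cache fall back to allow-query when
    // unset; they are written out here so the recursive path is explicit.
    allow-recursion { httnets; };
    allow-query-cache { httnets; };
};
```

named-checkconf -p prints the parsed configuration, which shows whether an allow-query statement is in effect in options or in the view. A "denied" line written by named itself means the query already reached named, so the refusal comes from named's access controls rather than from a packet filter.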
</body>
</html>