<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<div class="moz-cite-prefix">On 02/21/2013 02:38 AM, Sten Carlsen
wrote:<br>
</div>
<blockquote cite="mid:5125CEF2.1000209@s-carlsen.dk" type="cite">
What about allow-query?<br>
<br>
At some point the default changed to allow only localhost.<br>
</blockquote>
<br>
Oh. Yes, I see; at BIND 9.4.1-P1... And my old server is a bit
earlier than that! So this is most likely my problem. Will change
and test again. Thanks.<br>
<br>
<blockquote cite="mid:5125CEF2.1000209@s-carlsen.dk" type="cite"> <br>
<div class="moz-cite-prefix">On 21/02/13 2:59, Robert Moskowitz
wrote:<br>
</div>
<blockquote cite="mid:51257F7D.4070103@htt-consult.com"
type="cite"> <br>
On 02/20/2013 08:28 PM, Robert Moskowitz wrote: <br>
<blockquote type="cite">It looks like no system, internal or
external, could access the DNS on my new server. iptables was
set for 53, both UDP and TCP. Firewall was OK. In fact a local
system on the same subnet, thus NOT going through my firewall,
was denied access to the internal domain. Localhost of course
works. <br>
</blockquote>
Oh, here is what I have for options in my internal view: <br>
<pre>
match-clients { httnets; };
match-destinations { httnets; };
recursion yes;
empty-zones-enable yes;
</pre>
and httnets contains: <br>
<pre>
acl "httnets" {
127.0.0.1;
208.83.67.128/26;
192.168.32.0/24;
192.168.64.0/24;
192.168.96.0/24;
192.168.128.0/24;
192.168.192.0/24;
::1;
2607:f4b8:3:0::/64;
2607:f4b8:3:1::/64;
2607:f4b8:3:2::/64;
2607:f4b8:3:3::/64;
2607:f4b8:3:4::/64;
2607:f4b8:3:5::/64;
2607:f4b8:3:8::/64;
2607:f4b8:3:9::/64;
2607:f4b8:3:10::/64;
2607:f4b8:3:11::/64;
2607:f4b8:3:12::/64;
2607:f4b8:3:13::/64;
};
</pre>
<br>
But I used my Verizon cellular wifi to connect a system from
outside, and when I did a dig to my IP address, it was denied by
named (as seen in /var/log/messages), so the problem is broader
than just my internal view, and why I think it is either the
randomized port and firewall interaction or SELinux. <br>
<br>
<br>
<blockquote type="cite"> <br>
So it is either the Linux firewall and BIND port
randomization, or it is SELinux. How do I test to find out
which? <br>
<br>
Since the new server is on the same IP address as the old, it
is unplugged from the switch. I can switch back and forth
between the two boxes, only taking the time for ARP table
updates. <br>
<br>
So I hope someone can point me to what I have missed. <br>
<br>
<br>
On 02/20/2013 02:07 PM, Robert Moskowitz wrote: <br>
<blockquote type="cite">Phase I is hopefully complete. A new
onlo.htt-consult.com is up in place of the old one. <br>
<br>
This is a faster box with current software. I will 'leave
it alone' for a week, unless someone tells me something is
wrong with it. <br>
<br>
Next I unlock my domain from NetSol and choose my new
registrar and move. Thank you for all the recommendations.
Now to choose. <br>
<br>
I study up on DNSSEC, maybe read a book or two. <br>
<br>
Then after Passover, start the signing! <br>
<br>
So I will be, ahem, quiet here for a while. Yeah sure. Well
I DO have other systems and services to migrate. <br>
<br>
<br>
_______________________________________________ <br>
Please visit <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
to unsubscribe from this list <br>
<br>
bind-users mailing list <br>
<a moz-do-not-send="true" class="moz-txt-link-abbreviated"
href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>
<br>
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://lists.isc.org/mailman/listinfo/bind-users">https://lists.isc.org/mailman/listinfo/bind-users</a>
<br>
<br>
</blockquote>
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards
Sten Carlsen
No improvements come from shouting:
"MALE BOVINE MANURE!!!"
</pre>
</blockquote>
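As an added example (not code from this thread or from ISC's BIND), the Python below models how named walks a client address through a view: match-clients decides whether the view is selected, then allow-query decides whether the query is answered or a denial is logged, which is the difference between "no view for this client" and the denied line seen in /var/log/messages. It takes the httnets acl posted above as constructed input; the evaluation rules (first matching element wins, a leading "!" negates, a negated match inside a nested acl counts as no match) follow BIND's address-match-list semantics, and the built-in "localhost" acl, which in BIND means every address on the server's own interfaces, is approximated by the loopback ranges. The view dictionaries and the function names are this example's own.<br>
<br>
```python
"""Model BIND's address-match lists so an admin can predict, offline,
whether a client reaches a view and whether allow-query then lets it
query. Added example, not code from the bind-users thread or from ISC."""
import ipaddress

# Constructed input: the "httnets" acl exactly as posted in the thread.
ACLS = {
    "httnets": [
        "127.0.0.1", "208.83.67.128/26",
        "192.168.32.0/24", "192.168.64.0/24", "192.168.96.0/24",
        "192.168.128.0/24", "192.168.192.0/24",
        "::1", "2607:f4b8:3:0::/64", "2607:f4b8:3:1::/64",
        "2607:f4b8:3:2::/64", "2607:f4b8:3:3::/64", "2607:f4b8:3:4::/64",
        "2607:f4b8:3:5::/64", "2607:f4b8:3:8::/64", "2607:f4b8:3:9::/64",
        "2607:f4b8:3:10::/64", "2607:f4b8:3:11::/64", "2607:f4b8:3:12::/64",
        "2607:f4b8:3:13::/64",
    ],
    # Assumption: BIND's built-in "localhost" acl covers every address on
    # the server's own interfaces; the loopback ranges stand in for it here.
    "localhost": ["127.0.0.0/8", "::1"],
}


def _match(addr, elements, acls):
    """First-match walk of one address-match list.
    Returns 1 for a positive match, -1 when a negated ("!") element
    matched, 0 when nothing matched."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            # Nested acl: only a positive result counts; a negative match
            # inside the nested list is treated as "no match" and the
            # search continues with the next element.
            hit = _match(addr, acls[name], acls) == 1
        else:
            hit = addr in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negate else 1
    return 0


def acl_allows(client, elements, acls=ACLS):
    """True when the address-match list admits the client address."""
    return _match(ipaddress.ip_address(client), elements, acls) == 1


def query_outcome(client, view, acls=ACLS):
    """Walk a query from `client` through one view definition.
    match-clients selects the view; allow-query then decides whether
    named answers or logs a denial for the query."""
    if not acl_allows(client, view["match-clients"], acls):
        return "no view matched"          # named tries the next view
    if not acl_allows(client, view["allow-query"], acls):
        return "REFUSED (query denied)"   # the 'denied' line in the syslog
    return "answered"


# Constructed views: the internal view as posted, first with an allow-query
# that admits only localhost (the restrictive default the thread points at),
# then with allow-query opened to the same acl the view already matches on.
VIEW_LOCALHOST_ONLY = {"match-clients": ["httnets"], "allow-query": ["localhost"]}
VIEW_FIXED = {"match-clients": ["httnets"], "allow-query": ["httnets"]}

if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.32.5", "2607:f4b8:3:13::10", "8.8.8.8"):
        print(f"{client:>20}  localhost-only: "
              f"{query_outcome(client, VIEW_LOCALHOST_ONLY):<24}"
              f"  fixed: {query_outcome(client, VIEW_FIXED)}")
```
<br>
Running it shows that a client in 192.168.32.0/24 reaches the internal view but is refused while allow-query admits only localhost, and is answered once allow-query names httnets; in named.conf that is allow-query { httnets; }; inside the view. Working through the acl logic this way first separates a named-level denial, which named logs itself, from a packet-level drop by iptables or SELinux, which it never sees.<br>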
<br>
</body>
</html>