Not - Re: New DNS server up and running
Robert Moskowitz
rgm at htt-consult.com
Thu Feb 21 11:44:38 UTC 2013
On 02/21/2013 02:38 AM, Sten Carlsen wrote:
> What about allow-query?
>
> At some point the default changed to allow only localhost.
oh. Yes I see; at bind 9.4.1.P1... And my old server is a bit earlier
than that! So this is most likely my problem. Will change and test
again. thanks.
>
> On 21/02/13 2:59, Robert Moskowitz wrote:
>>
>> On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
>>> It looks like no system, internal or external could access the DNS
>>> on my new server. IPTABLES was set for 53 both UDP and TCP.
>>> Firewall was OK. In fact a local system on the same subnet, thus
>>> NOT going through my firewall was denied access to the internal
>>> domain. Localhost of course works.
>> Oh, here is what I have for options in my internal view:
>>
>> match-clients { httnets; };
>> match-destinations { httnets; };
>> recursion yes;
>> empty-zones-enable yes;
>>
>> and httnets contains:
>>
>> acl "httnets" {
>> 127.0.0.1;
>> 208.83.67.128/26;
>> 192.168.32.0/24;
>> 192.168.64.0/24;
>> 192.168.96.0/24;
>> 192.168.128.0/24;
>> 192.168.192.0/24;
>> ::1;
>> 2607:f4b8:3:0::/64;
>> 2607:f4b8:3:1::/64;
>> 2607:f4b8:3:2::/64;
>> 2607:f4b8:3:3::/64;
>> 2607:f4b8:3:4::/64;
>> 2607:f4b8:3:5::/64;
>> 2607:f4b8:3:8::/64;
>> 2607:f4b8:3:9::/64;
>> 2607:f4b8:3:10::/64;
>> 2607:f4b8:3:11::/64;
>> 2607:f4b8:3:12::/64;
>> 2607:f4b8:3:13::/64;
>> };
>>
>> But I used my Verizon cellular wifi to connect a system from outside,
>> and when I did a DIG to my ip address, it was denied by named (as
>> seen in /var/log/messages), so the problem is broader than just my
>> internal view and why i think it is either the randomized port and
>> firewall interaction of selinux.
>>
>>
>>>
>>> So it is either the Linux firewall and bind port randomization, or
>>> it is SELINUX. How do I test to find out which?
>>>
>>> Since the new server is on the same IP address as the old, it is
>>> unplugged from the switch. I can switch back and forth between to
>>> two boxes, only taking the time for ARP table updates.
>>>
>>> So I hope someone can point me to what I have missed.
>>>
>>>
>>> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>>>> Phase I is hopefully complete. A new onlo.htt-consult.com is up in
>>>> place of the old one.
>>>>
>>>> This is a faster box with current software. I will 'leave it
>>>> alone' for a week, unless someone tells me something is wrong with it.
>>>>
>>>> Next I unlock my domain from NetSol and choose my new registrar and
>>>> move. Thank you on all the recommendations. Now to choose.
>>>>
>>>> I study up on DNSSEC, maybe read a book or two.
>>>>
>>>> Then after Passover, start the signing!
>>>>
>>>> So I will be, ahem, quite here for awhile. Yeah sure. Well I DO
>>>> have other systems and services to migrate.
>>>>
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>
>>>
>>> _______________________________________________
>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>>
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
>> unsubscribe from this list
>>
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
>
> --
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
> "MALE BOVINE MANURE!!!"
>
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20130221/bf78cb10/attachment.html>
More information about the bind-users
mailing list