Not - Re: New DNS server up and running

Robert Moskowitz rgm at htt-consult.com
Thu Feb 21 11:44:38 UTC 2013


On 02/21/2013 02:38 AM, Sten Carlsen wrote:
> What about allow-query?
>
> At some point the default changed to allow only localhost.

Oh.  Yes I see; at bind 9.4.1.P1...  And my old server is a bit earlier 
than that!  So this is most likely my problem.  Will change and test 
again.  Thanks.

>
> On 21/02/13 2:59, Robert Moskowitz wrote:
>>
>> On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
>>> It looks like no system, internal or external could access the DNS 
>>> on my new server.  IPTABLES was set for 53 both UDP and TCP. 
>>> Firewall was OK.  In fact a local system on the same subnet, thus 
>>> NOT going through my firewall was denied access to the internal 
>>> domain. Localhost of course works.
>> Oh, here is what I have for options in my internal view:
>>
>>     match-clients        { httnets; };
>>     match-destinations    { httnets; };
>>     recursion yes;
>>     empty-zones-enable yes;
>>
>> and httnets contains:
>>
>> acl "httnets" {
>>     127.0.0.1;
>>     208.83.67.128/26;
>>     192.168.32.0/24;
>>     192.168.64.0/24;
>>     192.168.96.0/24;
>>     192.168.128.0/24;
>>     192.168.192.0/24;
>>     ::1;
>>     2607:f4b8:3:0::/64;
>>     2607:f4b8:3:1::/64;
>>     2607:f4b8:3:2::/64;
>>     2607:f4b8:3:3::/64;
>>     2607:f4b8:3:4::/64;
>>     2607:f4b8:3:5::/64;
>>     2607:f4b8:3:8::/64;
>>     2607:f4b8:3:9::/64;
>>     2607:f4b8:3:10::/64;
>>     2607:f4b8:3:11::/64;
>>     2607:f4b8:3:12::/64;
>>     2607:f4b8:3:13::/64;
>> };
>>
>> But I used my Verizon cellular wifi to connect a system from outside, 
>> and when I did a DIG to my ip address, it was denied by named (as 
>> seen in /var/log/messages), so the problem is broader than just my 
>> internal view and why I think it is either the randomized port and 
>> firewall interaction or SELinux.
>>
>>
>>>
>>> So it is either the Linux firewall and bind port randomization, or 
>>> it is SELINUX.  How do I test to find out which?
>>>
>>> Since the new server is on the same IP address as the old, it is 
>>> unplugged from the switch.  I can switch back and forth between the 
>>> two boxes, only taking the time for ARP table updates.
>>>
>>> So I hope someone can point me to what I have missed.
>>>
>>>
>>> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>>>> Phase I is hopefully complete.  A new onlo.htt-consult.com is up in 
>>>> place of the old one.
>>>>
>>>> This is a faster box with current software.  I will 'leave it 
>>>> alone' for a week, unless someone tells me something is wrong with it.
>>>>
>>>> Next I unlock my domain from NetSol and choose my new registrar and 
>>>> move.  Thank you on all the recommendations. Now to choose.
>>>>
>>>> I study up on DNSSEC, maybe read a book or two.
>>>>
>>>> Then after Passover, start the signing!
>>>>
>>>> So I will be, ahem, quiet here for awhile.  Yeah sure.  Well I DO 
>>>> have other systems and services to migrate.
>>>>
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>
>>>
>>
>
> -- 
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>         "MALE BOVINE MANURE!!!"
>
>
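The fix Sten points at, as an added example that is not part of any post in this thread: the quoted internal view with allow-query (and the related recursion ACLs) set explicitly rather than left to the version-dependent defaults, plus a minimal external view so a client outside httnets still matches some view. The zone name, file paths and server address are assumptions, and the acl is a trimmed copy of the one quoted above.

```conf
// Added example, not from the thread. Trimmed copy of the quoted acl;
// the full list of prefixes belongs here in the real named.conf.
acl "httnets" {
    127.0.0.1;
    ::1;
    208.83.67.128/26;
    192.168.32.0/24;
};

view "internal" {
    match-clients      { httnets; };
    match-destinations { httnets; };
    recursion yes;
    empty-zones-enable yes;

    // match-clients only selects the view; allow-query decides whether a
    // query inside it is answered. A client that matches the view but not
    // allow-query gets REFUSED and a "query ... denied" line from named
    // in /var/log/messages, which is what the thread describes.
    allow-query       { httnets; };
    allow-recursion   { httnets; };
    allow-query-cache { httnets; };

    zone "htt-consult.com" {               // assumed zone name
        type master;
        file "/var/named/internal/htt-consult.com.zone";  // placeholder path
    };
};

// A client matching no view at all is also refused, regardless of
// allow-query, so give everyone else an authoritative-only view.
view "external" {
    match-clients   { any; };
    recursion       no;                    // never recurse for the Internet
    allow-recursion { none; };
    allow-query     { any; };              // authoritative answers only

    zone "htt-consult.com" {               // assumed zone name
        type master;
        file "/var/named/external/htt-consult.com.zone";  // placeholder path
    };
};

// Checks (run as root on the server, <server-ip> is a placeholder):
//   named-checkconf /etc/named.conf && rndc reload
//   dig @<server-ip> onlo.htt-consult.com A        from inside httnets:  NOERROR
//   dig @<server-ip> onlo.htt-consult.com A +norec from outside:         NOERROR
//   dig @<server-ip> isc.org A                     from outside:  REFUSED (no recursion)
```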
