Not - Re: New DNS server up and running

Robert Moskowitz rgm at htt-consult.com
Thu Feb 21 13:15:27 UTC 2013


On 02/21/2013 02:38 AM, Sten Carlsen wrote:
> What about allow-query?

OK.  That was it.  The default named.conf had:

     allow-query     { localhost; };

and I commented that out, but ASSuMEd that if the default conf was 
forcing it to localhost, the default must be any.  Yeah, right.  So 
right now I am running with my internal nets for the internal view, and 
any for the external view.  ISC has an FAQ on this that talks about 
allowing external authoritative queries, but not cache queries.  I will have 
to play around a bit with that.

>
> At some point the default changed to allow only localhost.
>
> On 21/02/13 2:59, Robert Moskowitz wrote:
>>
>> On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
>>> It looks like no system, internal or external could access the DNS 
>>> on my new server.  IPTABLES was set for 53 both UDP and TCP. 
>>> Firewall was OK.  In fact a local system on the same subnet, thus 
>>> NOT going through my firewall was denied access to the internal 
>>> domain. Localhost of course works.
>> Oh, here is what I have for options in my internal view:
>>
>>     match-clients        { httnets; };
>>     match-destinations    { httnets; };
>>     recursion yes;
>>     empty-zones-enable yes;
>>
>> and httnets contains:
>>
>> acl "httnets" {
>>     127.0.0.1;
>>     208.83.67.128/26;
>>     192.168.32.0/24;
>>     192.168.64.0/24;
>>     192.168.96.0/24;
>>     192.168.128.0/24;
>>     192.168.192.0/24;
>>     ::1;
>>     2607:f4b8:3:0::/64;
>>     2607:f4b8:3:1::/64;
>>     2607:f4b8:3:2::/64;
>>     2607:f4b8:3:3::/64;
>>     2607:f4b8:3:4::/64;
>>     2607:f4b8:3:5::/64;
>>     2607:f4b8:3:8::/64;
>>     2607:f4b8:3:9::/64;
>>     2607:f4b8:3:10::/64;
>>     2607:f4b8:3:11::/64;
>>     2607:f4b8:3:12::/64;
>>     2607:f4b8:3:13::/64;
>> };
>>
>> But I used my Verizon cellular wifi to connect a system from outside, 
>> and when I did a DIG to my ip address, it was denied by named (as 
>> seen in /var/log/messages), so the problem is broader than just my 
>> internal view and why I think it is either the randomized port and 
>> firewall interaction or selinux.
>>
>>
>>>
>>> So it is either the Linux firewall and bind port randomization, or 
>>> it is SELINUX.  How do I test to find out which?
>>>
>>> Since the new server is on the same IP address as the old, it is 
>>> unplugged from the switch.  I can switch back and forth between the 
>>> two boxes, only taking the time for ARP table updates.
>>>
>>> So I hope someone can point me to what I have missed.
>>>
>>>
>>> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>>>> Phase I is hopefully complete.  A new onlo.htt-consult.com is up in 
>>>> place of the old one.
>>>>
>>>> This is a faster box with current software.  I will 'leave it 
>>>> alone' for a week, unless someone tells me something is wrong with it.
>>>>
>>>> Next I unlock my domain from NetSol and choose my new registrar and 
>>>> move.  Thank you on all the recommendations. Now to choose.
>>>>
>>>> I study up on DNSSEC, maybe read a book or two.
>>>>
>>>> Then after Passover, start the signing!
>>>>
>>>> So I will be, ahem, quiet here for awhile.  Yeah sure.  Well I DO 
>>>> have other systems and services to migrate.
>>>>
>>>>
>>>> _______________________________________________
>>>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>>>> unsubscribe from this list
>>>>
>>>> bind-users mailing list
>>>> bind-users at lists.isc.org
>>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>>
>>>
>>>
>>
>
> -- 
> Best regards
>
> Sten Carlsen
>
> No improvements come from shouting:
>         "MALE BOVINE MANURE!!!"
>
>

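Editor's note: an added named.conf fragment, not Robert's actual configuration or anything posted in the thread, showing the split the reply above describes: the distro default `allow-query { localhost; };` commented out at the options level, the internal view answering (and recursing for) the internal nets only, and the external view answering authoritative queries from anyone while refusing recursion and cache lookups. The acl is a shortened copy of the one quoted above; the view and zone file paths are placeholders.

```conf
// Added example (not from the thread). Zone file paths are placeholders.

acl "httnets" {
    127.0.0.1;
    208.83.67.128/26;
    192.168.32.0/24;        // remaining internal nets from the thread omitted here
    ::1;
    2607:f4b8:3:0::/64;
};

options {
    directory "/var/named";
    // The distro default that blocked everything except localhost.
    // Commenting it out is not enough on its own: set allow-query
    // explicitly in each view so the intent is visible.
    // allow-query     { localhost; };
    listen-on port 53 { any; };
    listen-on-v6 port 53 { any; };
};

// Internal clients: full resolver service, but only for the internal nets.
view "internal" {
    match-clients        { httnets; };
    match-destinations   { httnets; };
    recursion yes;
    allow-query          { httnets; };   // ordinary queries from internal nets only
    allow-recursion      { httnets; };   // recursive lookups for internal nets only
    allow-query-cache    { httnets; };   // cached answers for internal nets only
    empty-zones-enable yes;

    zone "htt-consult.com" {
        type master;
        file "internal/htt-consult.com.zone";   // placeholder
    };
};

// Everyone else: authoritative answers for our zones, nothing from the cache.
view "external" {
    match-clients        { any; };
    recursion no;                        // never recurse for the Internet
    allow-query          { any; };       // anyone may ask about the zones we serve
    allow-recursion      { none; };
    allow-query-cache    { none; };      // no cache answers to outsiders

    zone "htt-consult.com" {
        type master;
        file "external/htt-consult.com.zone";   // placeholder
    };
};
```

Run `named-checkconf` on the file before reloading, then test from a host outside httnets: a query for a name in the served zone should answer with AA set, while a query for an unrelated name (something the server is not authoritative for) should come back REFUSED rather than being resolved, which is the authoritative-but-not-open-resolver behaviour the ISC FAQ recommends.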