Re: Differences between 9.3 and later versions
On Feb 23 2010, Matus UHLAR - fantomas wrote:
>> since 9.5, the default for allow-recursion is { localhost; localnets; };
>> previous versions used iirc { all; };

On 23.02.10 16:48, Chris Thompson wrote:
> Actually, that change was made in 9.4. (Some of the cross-inheritance of the
> different query-* access controls wasn't there until 9.4.2, though).

Sorry, I was looking at the ChangeLog provided in Debian's bind 9.5.1 (not the Debian changelog, the BIND one), and I didn't see any mention of releases between 9.5a* and 9.2...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Silvester Stallone: Father of the RISC concept.

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Differences between 9.3 and later versions
On Tue, Feb 23, 2010 at 09:53:37AM -0500, jcarrol...@cfl.rr.com wrote a message of 9 lines which said:

> However, whenever someone tries to nslookup (or dig) an external site
> (i.e. cnn.com) they get REFUSED. If I back down to the 9.3 version all is well.

allow-query and allow-query-cache are obvious suspects. I wonder if, at one moment between 9.3 and 9.7, allow-query switched to a default of "no access except for localhost", for reasons explained in RFC 5358? Anyway, check their current value and see also the log of named.
Re: Differences between 9.3 and later versions
On Tue, 23 Feb 2010, jcarrol...@cfl.rr.com wrote:
> Due to a security audit I have been given the task of upgrading our BIND
> from 9.3 to a new version (9.7 is preferred). Using the package from
> sunfreeware.com (Solaris 10/X86) the upgrade seems to work well. However,
> whenever someone tries to nslookup (or dig) an external site (i.e. cnn.com)
> they get REFUSED. If I back down to the 9.3 version all is well. I've tried
> to find what new security feature is required, but alas I can't seem to get
> it. What changes affect resolving outside sites?

The allow-query* options might be pertinent.

Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-f...@uiowa.edu, phone: 319-335-, fax: 319-335-2951
Summary: Differences between 9.3 and later versions
This mailing list rocks. Many thanks to Stephane Bortzmeyer and Jay Ford. Both were spot on with allow-query. Now BIND 9.7 resolves to the outside.

JC

jcarrol...@cfl.rr.com wrote:
> Please do not crucify me. Due to a security audit I have been given the
> task of upgrading our BIND from 9.3 to a new version (9.7 is preferred).
> Using the package from sunfreeware.com (Solaris 10/X86) the upgrade seems
> to work well. However, whenever someone tries to nslookup (or dig) an
> external site (i.e. cnn.com) they get REFUSED. If I back down to the 9.3
> version all is well. I've tried to find what new security feature is
> required, but alas I can't seem to get it. What changes affect resolving
> outside sites?
>
> JC
Re: Differences between 9.3 and later versions
On 23.02.10 09:53, jcarrol...@cfl.rr.com wrote:
> Due to a security audit I have been given the task of upgrading our BIND
> from 9.3 to a new version (9.7 is preferred). Using the package from
> sunfreeware.com (Solaris 10/X86) the upgrade seems to work well. However,
> whenever someone tries to nslookup (or dig) an external site (i.e. cnn.com)
> they get REFUSED. If I back down to the 9.3 version all is well. I've tried
> to find what new security feature is required, but alas I can't seem to get
> it. What changes affect resolving outside sites?

Since 9.4, allow-query-cache was introduced, which controls whether non-recursive clients may fetch your cache content. Until then, clients who were allowed to query might see your cache, which was lowering the effect of disabling recursion for them.

allow-query-cache and allow-recursion cross-inherit each other: if only one is set, the other one is assumed to be the same. This means that you don't have to disable everyone from querying your server and then enable querying local zones to prevent them from using the server as semi-recursive.

Since 9.5, the default for allow-recursion is { localhost; localnets; }; previous versions used iirc { all; }. If you didn't have recursion enabled, you may need to do so now. Note that enabling recursion to anyone is a security risk.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.
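The inheritance rules described above, and the 9.3-vs-9.4+ default change that explains the OP's REFUSED answers, as an added worked model (not code from the thread or from ISC). The two named.conf fragments are constructed, the parser is deliberately simplified (options block only, no views or named ACLs), and the version threshold follows Chris Thompson's correction to 9.4.

```python
import re

# Constructed sample configs: a 9.3-era options block that never set
# allow-recursion (the OP's situation), and a hardened one with an explicit ACL.
LEGACY_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
};
"""

HARDENED_CONF = """
options {
    directory "/var/named";
    allow-query { any; };
    allow-recursion { 192.0.2.0/24; localhost; };
};
"""

ACL_RE = re.compile(r'\b(allow-(?:query-cache|query|recursion))\s*\{([^}]*)\}')

def parse_acls(conf: str) -> dict:
    """Pull allow-query / allow-query-cache / allow-recursion lists out of
    named.conf text. Simplified: ignores view/zone scoping and named acl {} blocks."""
    return {m.group(1): [t for t in re.split(r'[\s;]+', m.group(2)) if t]
            for m in ACL_RE.finditer(conf)}

def effective_acls(acls: dict, version: tuple) -> dict:
    """Model of the rules in the thread. Before 9.4, allow-recursion defaulted to
    { any; } and allow-query-cache did not exist, so anyone allowed to query could
    see the cache. From 9.4, the two cross-inherit: if only one is set the other
    copies it, and if neither is set both default to { localhost; localnets; }."""
    query = acls.get("allow-query", ["any"])
    recursion = acls.get("allow-recursion")
    cache = acls.get("allow-query-cache")
    if version < (9, 4):
        return {"allow-query": query, "allow-recursion": recursion or ["any"],
                "allow-query-cache": query}
    if recursion is None and cache is None:
        recursion = cache = ["localhost", "localnets"]
    elif recursion is None:
        recursion = list(cache)
    elif cache is None:
        cache = list(recursion)
    return {"allow-query": query, "allow-recursion": recursion,
            "allow-query-cache": cache}

def is_open_resolver(eff: dict) -> bool:
    """True when any client on the Internet may recurse through this server."""
    return "any" in eff["allow-recursion"]
```

Running the legacy fragment through both versions shows why the same file recursed for everyone under 9.3 but answers REFUSED to off-net clients under 9.7; the hardened fragment gets an explicit allow-recursion that allow-query-cache inherits.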
Re: Differences between 9.3 and later versions
On Feb 23 2010, Matus UHLAR - fantomas wrote:
> since 9.5, the default for allow-recursion is { localhost; localnets; };
> previous versions used iirc { all; };

Actually, that change was made in 9.4. (Some of the cross-inheritance of the different query-* access controls wasn't there until 9.4.2, though).

--
Chris Thompson
Email: c...@cam.ac.uk