Re: Not - Re: New DNS server up and running

2013-02-21 Thread Robert Moskowitz


On 02/21/2013 02:38 AM, Sten Carlsen wrote:

What about allow-query?

At some point the default changed to allow only localhost.


Oh.  Yes, I see; at bind 9.4.1.P1...  And my old server is a bit earlier 
than that!  So this is most likely my problem.  Will change and test 
again.  Thanks.




On 21/02/13 2:59, Robert Moskowitz wrote:


On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
It looks like no system, internal or external, could access the DNS 
on my new server.  IPTABLES was set for 53, both UDP and TCP. 
Firewall was OK.  In fact a local system on the same subnet, thus 
NOT going through my firewall, was denied access to the internal 
domain.  Localhost of course works.

Oh, here is what I have for options in my internal view:

match-clients{ httnets; };
match-destinations{ httnets; };
recursion yes;
empty-zones-enable yes;

and httnets contains:

acl httnets {
127.0.0.1;
208.83.67.128/26;
192.168.32.0/24;
192.168.64.0/24;
192.168.96.0/24;
192.168.128.0/24;
192.168.192.0/24;
::1;
2607:f4b8:3:0::/64;
2607:f4b8:3:1::/64;
2607:f4b8:3:2::/64;
2607:f4b8:3:3::/64;
2607:f4b8:3:4::/64;
2607:f4b8:3:5::/64;
2607:f4b8:3:8::/64;
2607:f4b8:3:9::/64;
2607:f4b8:3:10::/64;
2607:f4b8:3:11::/64;
2607:f4b8:3:12::/64;
2607:f4b8:3:13::/64;
};

But I used my Verizon cellular wifi to connect a system from outside, 
and when I did a DIG to my IP address, it was denied by named (as 
seen in /var/log/messages), so the problem is broader than just my 
internal view, and why I think it is either the randomized port and 
firewall interaction or selinux.





So it is either the Linux firewall and bind port randomization, or 
it is SELINUX.  How do I test to find out which?


Since the new server is on the same IP address as the old, it is 
unplugged from the switch.  I can switch back and forth between the 
two boxes, only taking the time for ARP table updates.


So I hope someone can point me to what I have missed.


On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
Phase I is hopefully complete.  A new onlo.htt-consult.com is up in 
place of the old one.


This is a faster box with current software.  I will 'leave it 
alone' for a week, unless someone tells me something is wrong with it.


Next I unlock my domain from NetSol and choose my new registrar and 
move.  Thank you for all the recommendations.  Now to choose.


I study up on DNSSEC, maybe read a book or two.

Then after Passover, start the signing!

So I will be, ahem, quiet here for awhile.  Yeah sure.  Well I DO 
have other systems and services to migrate.



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
unsubscribe from this list


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users








--
Best regards

Sten Carlsen

No improvements come from shouting:
MALE BOVINE MANURE!!!





Re: Not - Re: New DNS server up and running

2013-02-21 Thread Robert Moskowitz


On 02/21/2013 02:38 AM, Sten Carlsen wrote:

What about allow-query?


OK.  That was it.  The default named.conf had:

allow-query { localhost; };

and I commented that out, but ASSuMEd that if the default conf was 
forcing it to localhost, the default must be any.  Yeah, right.  So 
right now I am running with my internal nets for the internal view, and 
any for the external view.  ISC has an FAQ on this and talks about 
allowing external authoritative query, but not cache query.  I will have 
to play around a bit with that.




At some point the default changed to allow only localhost.

On 21/02/13 2:59, Robert Moskowitz wrote:


On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
It looks like no system, internal or external, could access the DNS 
on my new server.  IPTABLES was set for 53, both UDP and TCP. 
Firewall was OK.  In fact a local system on the same subnet, thus 
NOT going through my firewall, was denied access to the internal 
domain.  Localhost of course works.

Oh, here is what I have for options in my internal view:

match-clients{ httnets; };
match-destinations{ httnets; };
recursion yes;
empty-zones-enable yes;

and httnets contains:

acl httnets {
127.0.0.1;
208.83.67.128/26;
192.168.32.0/24;
192.168.64.0/24;
192.168.96.0/24;
192.168.128.0/24;
192.168.192.0/24;
::1;
2607:f4b8:3:0::/64;
2607:f4b8:3:1::/64;
2607:f4b8:3:2::/64;
2607:f4b8:3:3::/64;
2607:f4b8:3:4::/64;
2607:f4b8:3:5::/64;
2607:f4b8:3:8::/64;
2607:f4b8:3:9::/64;
2607:f4b8:3:10::/64;
2607:f4b8:3:11::/64;
2607:f4b8:3:12::/64;
2607:f4b8:3:13::/64;
};

But I used my Verizon cellular wifi to connect a system from outside, 
and when I did a DIG to my IP address, it was denied by named (as 
seen in /var/log/messages), so the problem is broader than just my 
internal view, and why I think it is either the randomized port and 
firewall interaction or selinux.





So it is either the Linux firewall and bind port randomization, or 
it is SELINUX.  How do I test to find out which?


Since the new server is on the same IP address as the old, it is 
unplugged from the switch.  I can switch back and forth between the 
two boxes, only taking the time for ARP table updates.


So I hope someone can point me to what I have missed.


On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
Phase I is hopefully complete.  A new onlo.htt-consult.com is up in 
place of the old one.


This is a faster box with current software.  I will 'leave it 
alone' for a week, unless someone tells me something is wrong with it.


Next I unlock my domain from NetSol and choose my new registrar and 
move.  Thank you for all the recommendations.  Now to choose.


I study up on DNSSEC, maybe read a book or two.

Then after Passover, start the signing!

So I will be, ahem, quiet here for awhile.  Yeah sure.  Well I DO 
have other systems and services to migrate.











--
Best regards

Sten Carlsen

No improvements come from shouting:
MALE BOVINE MANURE!!!





Not - Re: New DNS server up and running

2013-02-20 Thread Robert Moskowitz
It looks like no system, internal or external, could access the DNS on my 
new server.  IPTABLES was set for 53, both UDP and TCP.  Firewall was OK.  
In fact a local system on the same subnet, thus NOT going through my 
firewall, was denied access to the internal domain.  Localhost of course 
works.


So it is either the Linux firewall and bind port randomization, or it is 
SELINUX.  How do I test to find out which?


Since the new server is on the same IP address as the old, it is 
unplugged from the switch.  I can switch back and forth between the two 
boxes, only taking the time for ARP table updates.


So I hope someone can point me to what I have missed.


On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
Phase I is hopefully complete.  A new onlo.htt-consult.com is up in 
place of the old one.


This is a faster box with current software.  I will 'leave it alone' 
for a week, unless someone tells me something is wrong with it.


Next I unlock my domain from NetSol and choose my new registrar and 
move.  Thank you for all the recommendations.  Now to choose.


I study up on DNSSEC, maybe read a book or two.

Then after Passover, start the signing!

So I will be, ahem, quiet here for awhile.  Yeah sure.  Well I DO have 
other systems and services to migrate.








Re: Not - Re: New DNS server up and running

2013-02-20 Thread Robert Moskowitz


On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
It looks like no system, internal or external, could access the DNS on 
my new server.  IPTABLES was set for 53, both UDP and TCP.  Firewall was 
OK.  In fact a local system on the same subnet, thus NOT going through 
my firewall, was denied access to the internal domain.  Localhost of 
course works.

Oh, here is what I have for options in my internal view:

match-clients{ httnets; };
match-destinations{ httnets; };
recursion yes;
empty-zones-enable yes;

and httnets contains:

acl httnets {
127.0.0.1;
208.83.67.128/26;
192.168.32.0/24;
192.168.64.0/24;
192.168.96.0/24;
192.168.128.0/24;
192.168.192.0/24;
::1;
2607:f4b8:3:0::/64;
2607:f4b8:3:1::/64;
2607:f4b8:3:2::/64;
2607:f4b8:3:3::/64;
2607:f4b8:3:4::/64;
2607:f4b8:3:5::/64;
2607:f4b8:3:8::/64;
2607:f4b8:3:9::/64;
2607:f4b8:3:10::/64;
2607:f4b8:3:11::/64;
2607:f4b8:3:12::/64;
2607:f4b8:3:13::/64;
};

But I used my Verizon cellular wifi to connect a system from outside, 
and when I did a DIG to my IP address, it was denied by named (as seen 
in /var/log/messages), so the problem is broader than just my internal 
view, and why I think it is either the randomized port and firewall 
interaction or selinux.





So it is either the Linux firewall and bind port randomization, or it 
is SELINUX.  How do I test to find out which?


Since the new server is on the same IP address as the old, it is 
unplugged from the switch.  I can switch back and forth between the two 
boxes, only taking the time for ARP table updates.


So I hope someone can point me to what I have missed.


On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
Phase I is hopefully complete.  A new onlo.htt-consult.com is up in 
place of the old one.


This is a faster box with current software.  I will 'leave it alone' 
for a week, unless someone tells me something is wrong with it.


Next I unlock my domain from NetSol and choose my new registrar and 
move.  Thank you for all the recommendations.  Now to choose.


I study up on DNSSEC, maybe read a book or two.

Then after Passover, start the signing!

So I will be, ahem, quiet here for awhile.  Yeah sure.  Well I DO 
have other systems and services to migrate.









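The failure in this thread (match-clients admitting the client, then an allow-query { localhost; } inherited from options refusing it) is easy to reason about once BIND's evaluation order is written down. What follows is an added example, not code from the thread, from named or from ISC: a small Python model of address-match-list semantics (elements tried in order, first match decides, a leading ! negates, a bare name expands to a nested ACL) applied to the httnets ACL posted above and to two view layouts, the "before" with allow-query inherited from options and the "after" with a per-view allow-query and an authoritative-only external view, the split the ISC FAQ mentioned in the thread describes. The 198.51.100.7 "outside" client is a constructed stand-in for the cellular test machine, the view names are assumed, the built-in localhost ACL is reduced to the loopback addresses (BIND's real one covers every interface address), and localnets and allow-query-cache are not modelled.

```python
"""Model of how BIND 9 picks a view and applies allow-query / allow-recursion.

Added example for this thread; it is not named and not ISC code, only a
reproduction of address-match-list semantics (first match wins, '!' negates,
a bare name expands to a nested ACL) applied to the ACL and views posted above.
"""
import ipaddress

# ACL copied verbatim from the thread's named.conf.
HTTNETS = [
    "127.0.0.1", "208.83.67.128/26",
    "192.168.32.0/24", "192.168.64.0/24", "192.168.96.0/24",
    "192.168.128.0/24", "192.168.192.0/24",
    "::1",
    "2607:f4b8:3:0::/64", "2607:f4b8:3:1::/64", "2607:f4b8:3:2::/64",
    "2607:f4b8:3:3::/64", "2607:f4b8:3:4::/64", "2607:f4b8:3:5::/64",
    "2607:f4b8:3:8::/64", "2607:f4b8:3:9::/64", "2607:f4b8:3:10::/64",
    "2607:f4b8:3:11::/64", "2607:f4b8:3:12::/64", "2607:f4b8:3:13::/64",
]

# Assumption: BIND's built-in 'localhost' ACL covers every address on the
# host's interfaces; this model reduces it to the loopback addresses.
ACLS = {"httnets": HTTNETS, "localhost": ["127.0.0.1", "::1"]}


def matches(aml, client, acls=ACLS):
    """Evaluate an address match list for one client address.

    Elements are tried in order and the first one that matches decides;
    a leading '!' turns that decision into a refusal.  A negated match
    inside a nested list makes the nested list fail without deciding the
    outer one, so evaluation continues with the next outer element.
    """
    ip = ipaddress.ip_address(client)
    for element in aml:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name in acls:
            hit = matches(acls[name], client, acls)
        else:
            # ipaddress answers False for a v4 address tested against a v6 prefix
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return False


# "Before": the shipped named.conf set allow-query { localhost; } in options and
# neither view overrode it, so both views inherited the loopback-only list.
OPTIONS_BEFORE = {"allow-query": ["localhost"]}
VIEWS_BEFORE = [
    {"name": "internal", "match-clients": ["httnets"], "recursion": True},
    {"name": "external", "match-clients": ["any"], "recursion": False},
]

# "After": each view carries its own allow-query.  The external view answers
# authoritative queries from anyone but does no recursion for them.
OPTIONS_AFTER = {}
VIEWS_AFTER = [
    {"name": "internal", "match-clients": ["httnets"],
     "allow-query": ["httnets"], "allow-recursion": ["httnets"],
     "recursion": True},
    {"name": "external", "match-clients": ["any"],
     "allow-query": ["any"], "recursion": False},
]


def decide(client, views, options):
    """Return (view name, query allowed, recursion allowed) for a client.

    Views are tried in configuration order and the first whose match-clients
    matches handles the query (match-destinations, also used in the thread,
    is omitted).  A client that matches no view is refused outright.
    """
    for view in views:
        if not matches(view["match-clients"], client):
            continue
        # allow-query: view setting, else options, else BIND's default of any.
        allow_query = view.get("allow-query") or options.get("allow-query") or ["any"]
        query_ok = matches(allow_query, client)
        # allow-recursion falls back to allow-query, then to BIND's default of
        # localnets; localhost; (allow-query-cache and localnets not modelled).
        allow_rec = (view.get("allow-recursion") or options.get("allow-recursion")
                     or view.get("allow-query") or options.get("allow-query")
                     or ["localhost"])
        recursion_ok = bool(view.get("recursion", True) and query_ok
                            and matches(allow_rec, client))
        return view["name"], query_ok, recursion_ok
    return None, False, False


if __name__ == "__main__":
    # 198.51.100.7 is a constructed stand-in for the outside (cellular) client.
    for client in ("127.0.0.1", "192.168.32.10", "2607:f4b8:3:10::5", "198.51.100.7"):
        print(client, "before:", decide(client, VIEWS_BEFORE, OPTIONS_BEFORE),
              "after:", decide(client, VIEWS_AFTER, OPTIONS_AFTER))
```

Running it reproduces the symptom: in the "before" layout the same-subnet client 192.168.32.10 lands in the internal view yet gets its query refused, and only loopback is served; in the "after" layout the internal nets get answers and recursion while outside clients get authoritative answers and no recursion.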