Re: Not - Re: New DNS server up and running

On 02/21/2013 02:38 AM, Sten Carlsen wrote:
> What about allow-query? At some point the default changed to allow only localhost.

Oh. Yes I see; at bind 9.4.1-P1... And my old server is a bit earlier than that! So this is most likely my problem. Will change and test again. Thanks.

> On 21/02/13 2:59, Robert Moskowitz wrote:
>> On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
>>> It looks like no system, internal or external, could access the DNS on my new server. IPTABLES was set for 53 both UDP and TCP. Firewall was OK. In fact a local system on the same subnet, thus NOT going through my firewall, was denied access to the internal domain. Localhost of course works.
>>
>> Oh, here is what I have for options in my internal view:
>>
>>     match-clients { httnets; };
>>     match-destinations { httnets; };
>>     recursion yes;
>>     empty-zones-enable yes;
>>
>> and httnets contains:
>>
>>     acl httnets {
>>         127.0.0.1; 208.83.67.128/26;
>>         192.168.32.0/24; 192.168.64.0/24; 192.168.96.0/24; 192.168.128.0/24; 192.168.192.0/24;
>>         ::1;
>>         2607:f4b8:3:0::/64; 2607:f4b8:3:1::/64; 2607:f4b8:3:2::/64; 2607:f4b8:3:3::/64;
>>         2607:f4b8:3:4::/64; 2607:f4b8:3:5::/64; 2607:f4b8:3:8::/64; 2607:f4b8:3:9::/64;
>>         2607:f4b8:3:10::/64; 2607:f4b8:3:11::/64; 2607:f4b8:3:12::/64; 2607:f4b8:3:13::/64;
>>     };
>>
>> But I used my Verizon cellular wifi to connect a system from outside, and when I did a dig to my IP address, it was denied by named (as seen in /var/log/messages), so the problem is broader than just my internal view and why I think it is either the randomized port and firewall interaction of SELinux.
>>
>>> So it is either the Linux firewall and bind port randomization, or it is SELINUX. How do I test to find out which?
>>>
>>> Since the new server is on the same IP address as the old, it is unplugged from the switch. I can switch back and forth between the two boxes, only taking the time for ARP table updates. So I hope someone can point me to what I have missed.
>>>
>>> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>>>> Phase I is hopefully complete. A new onlo.htt-consult.com is up in place of the old one. This is a faster box with current software. I will 'leave it alone' for a week, unless someone tells me something is wrong with it. Next I unlock my domain from NetSol and choose my new registrar and move. Thank you for all the recommendations. Now to choose. I study up on DNSSEC, maybe read a book or two. Then after Passover, start the signing! So I will be, ahem, quiet here for a while. Yeah sure. Well I DO have other systems and services to migrate.
>
> --
> Best regards
> Sten Carlsen
> No improvements come from shouting: MALE BOVINE MANURE!!!

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: Not - Re: New DNS server up and running

On 02/21/2013 02:38 AM, Sten Carlsen wrote:
> What about allow-query?

OK. That was it. The default named.conf had:

    allow-query { localhost; };

and I commented that out, but ASSuMEd that if the default conf was forcing it to localhost, the default must be any. Yeah, right.

So right now I am running with my internal nets for the internal view, and any for the external view. ISC has an FAQ on this and talks about allowing external authoritative queries, but not cache queries. I will have to play around a bit with that.

> At some point the default changed to allow only localhost.
>
> --
> Best regards
> Sten Carlsen
> No improvements come from shouting: MALE BOVINE MANURE!!!
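The split the poster settles on (the internal nets for the internal view, `any` for the external view, and the ISC FAQ's point of answering authoritative queries from outside while refusing cache queries) written out as a complete named.conf sketch. This is an added example, not the poster's configuration or anything from the thread: the `httnets` acl keeps only a few of his listed prefixes, the zone name `example.test` and the zone file paths are placeholders, and the `options` block is reduced to what the example needs. One check is worth making explicit: the "denied" line the poster saw from named in /var/log/messages means the query reached named, so neither iptables nor SELinux dropped it, and the cause is an ACL (`allow-query` or a view's `match-clients`), not the firewall.

```conf
// Added example, not the poster's named.conf. "httnets" here is a shortened
// stand-in for the poster's acl; zone names and file paths are placeholders.
acl httnets {
    127.0.0.1;
    ::1;
    208.83.67.128/26;
    192.168.32.0/24;
    2607:f4b8:3:0::/64;
};

options {
    directory "/var/named";
    // The distribution's default named.conf ships with the line below in
    // options, which confines every query to the box itself. Rather than
    // rely on what the built-in default becomes once it is removed, the
    // views below state allow-query explicitly.
    // allow-query { localhost; };
};

// Views are tried in order, so the restricted view must come first. A client
// in httnets that sends its query to an address outside httnets fails
// match-destinations here and falls through to the external view.
view "internal" {
    match-clients      { httnets; };
    match-destinations { httnets; };
    recursion          yes;
    allow-query        { httnets; };   // ordinary (authoritative) questions
    allow-recursion    { httnets; };   // may use this server as a resolver
    allow-query-cache  { httnets; };   // may read answers already cached
    empty-zones-enable yes;

    zone "example.test" {              // placeholder zone name
        type master;
        file "internal/example.test.zone";
    };
};

// External view: anyone may ask about the zones served here, but nobody
// outside httnets may recurse through this server or read its cache, so it
// does not become an open resolver.
view "external" {
    match-clients      { any; };
    recursion          no;
    allow-query        { any; };
    allow-recursion    { none; };
    allow-query-cache  { none; };

    zone "example.test" {
        type master;
        file "external/example.test.zone";
    };
};
```

After a change like this, `named-checkconf` validates the syntax before a reload, and a `dig` from a host outside httnets for a name in the served zone should answer (flags without `ra`), while the same host asking for an unrelated name should be refused and show up as a "query (cache) ... denied" line in the named log.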
Not - Re: New DNS server up and running

It looks like no system, internal or external, could access the DNS on my new server. IPTABLES was set for 53 both UDP and TCP. Firewall was OK. In fact a local system on the same subnet, thus NOT going through my firewall, was denied access to the internal domain. Localhost of course works.

So it is either the Linux firewall and bind port randomization, or it is SELINUX. How do I test to find out which?

Since the new server is on the same IP address as the old, it is unplugged from the switch. I can switch back and forth between the two boxes, only taking the time for ARP table updates. So I hope someone can point me to what I have missed.

On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
> Phase I is hopefully complete. A new onlo.htt-consult.com is up in place of the old one. This is a faster box with current software. I will 'leave it alone' for a week, unless someone tells me something is wrong with it. Next I unlock my domain from NetSol and choose my new registrar and move. Thank you for all the recommendations. Now to choose. I study up on DNSSEC, maybe read a book or two. Then after Passover, start the signing! So I will be, ahem, quiet here for a while. Yeah sure. Well I DO have other systems and services to migrate.
Re: Not - Re: New DNS server up and running

On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
> It looks like no system, internal or external, could access the DNS on my new server. IPTABLES was set for 53 both UDP and TCP. Firewall was OK. In fact a local system on the same subnet, thus NOT going through my firewall, was denied access to the internal domain. Localhost of course works.

Oh, here is what I have for options in my internal view:

    match-clients { httnets; };
    match-destinations { httnets; };
    recursion yes;
    empty-zones-enable yes;

and httnets contains:

    acl httnets {
        127.0.0.1; 208.83.67.128/26;
        192.168.32.0/24; 192.168.64.0/24; 192.168.96.0/24; 192.168.128.0/24; 192.168.192.0/24;
        ::1;
        2607:f4b8:3:0::/64; 2607:f4b8:3:1::/64; 2607:f4b8:3:2::/64; 2607:f4b8:3:3::/64;
        2607:f4b8:3:4::/64; 2607:f4b8:3:5::/64; 2607:f4b8:3:8::/64; 2607:f4b8:3:9::/64;
        2607:f4b8:3:10::/64; 2607:f4b8:3:11::/64; 2607:f4b8:3:12::/64; 2607:f4b8:3:13::/64;
    };

But I used my Verizon cellular wifi to connect a system from outside, and when I did a dig to my IP address, it was denied by named (as seen in /var/log/messages), so the problem is broader than just my internal view and why I think it is either the randomized port and firewall interaction of SELinux.

> So it is either the Linux firewall and bind port randomization, or it is SELINUX. How do I test to find out which?
>
> Since the new server is on the same IP address as the old, it is unplugged from the switch. I can switch back and forth between the two boxes, only taking the time for ARP table updates. So I hope someone can point me to what I have missed.
>
> On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
>> Phase I is hopefully complete. A new onlo.htt-consult.com is up in place of the old one. This is a faster box with current software. I will 'leave it alone' for a week, unless someone tells me something is wrong with it. Next I unlock my domain from NetSol and choose my new registrar and move. Thank you for all the recommendations. Now to choose. I study up on DNSSEC, maybe read a book or two. Then after Passover, start the signing! So I will be, ahem, quiet here for a while. Yeah sure. Well I DO have other systems and services to migrate.