On 02/21/2013 02:38 AM, Sten Carlsen wrote:
What about allow-query?

At some point the default changed to allow only localhost.

Oh. Yes, I see; at BIND 9.4.1.P1... And my old server is a bit earlier than that! So this is most likely my problem. Will change and test again. Thanks.


On 21/02/13 2:59, Robert Moskowitz wrote:

On 02/20/2013 08:28 PM, Robert Moskowitz wrote:
It looks like no system, internal or external, could access the DNS on my new server. iptables was set for 53, both UDP and TCP. Firewall was OK. In fact, a local system on the same subnet, thus NOT going through my firewall, was denied access to the internal domain. Localhost of course works.
Oh, here is what I have for options in my internal view:

    match-clients      { httnets; };
    match-destinations { httnets; };
    recursion yes;
    empty-zones-enable yes;

and httnets contains:

acl "httnets" {
    127.0.0.1;
    208.83.67.128/26;
    192.168.32.0/24;
    192.168.64.0/24;
    192.168.96.0/24;
    192.168.128.0/24;
    192.168.192.0/24;
    ::1;
    2607:f4b8:3:0::/64;
    2607:f4b8:3:1::/64;
    2607:f4b8:3:2::/64;
    2607:f4b8:3:3::/64;
    2607:f4b8:3:4::/64;
    2607:f4b8:3:5::/64;
    2607:f4b8:3:8::/64;
    2607:f4b8:3:9::/64;
    2607:f4b8:3:10::/64;
    2607:f4b8:3:11::/64;
    2607:f4b8:3:12::/64;
    2607:f4b8:3:13::/64;
};

But I used my Verizon cellular wifi to connect a system from outside, and when I did a dig to my IP address, it was denied by named (as seen in /var/log/messages), so the problem is broader than just my internal view, and why I think it is either the randomized port and firewall interaction or SELinux.



So it is either the Linux firewall and BIND port randomization, or it is SELinux. How do I test to find out which?

Since the new server is on the same IP address as the old, it is unplugged from the switch. I can switch back and forth between the two boxes, only taking the time for ARP table updates.

So I hope someone can point me to what I have missed.


On 02/20/2013 02:07 PM, Robert Moskowitz wrote:
Phase I is hopefully complete. A new onlo.htt-consult.com is up in place of the old one.

This is a faster box with current software. I will 'leave it alone' for a week, unless someone tells me something is wrong with it.

Next I unlock my domain from NetSol and choose my new registrar and move. Thank you for all the recommendations. Now to choose.

I study up on DNSSEC, maybe read a book or two.

Then after Passover, start the signing!

So I will be, ahem, quiet here for a while. Yeah sure. Well I DO have other systems and services to migrate.


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


--
Best regards

Sten Carlsen

No improvements come from shouting:
        "MALE BOVINE MANURE!!!"

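An added example, not a configuration from this thread or from ISC: the posted internal view with the access lists written out explicitly, so that who may query, recurse, and read the cache no longer depends on the defaults of whichever BIND version is running. The "httnets" ACL is the poster's, trimmed to a few entries; the zone name is a hypothetical placeholder.

```conf
// Added example. "httnets" is the ACL from the thread, shortened; add the
// remaining prefixes exactly as posted.
acl "httnets" {
    127.0.0.1;
    208.83.67.128/26;
    192.168.32.0/24;
    ::1;
    2607:f4b8:3:0::/64;
    // ... remaining 192.168.x.0/24 and 2607:f4b8:3:x::/64 prefixes as posted
};

view "internal" {
    match-clients      { httnets; };
    match-destinations { httnets; };
    recursion yes;
    empty-zones-enable yes;

    // Set explicitly rather than relying on version-dependent defaults:
    // allow-query       - who may ask for authoritative data in this view
    // allow-recursion   - who may have the server resolve on their behalf
    // allow-query-cache - who may read answers already cached
    allow-query       { httnets; };
    allow-recursion   { httnets; };
    allow-query-cache { httnets; };

    zone "internal.example" {        // hypothetical zone name
        type master;
        file "internal.example.zone"; // hypothetical file name
    };
};

view "external" {
    match-clients { any; };
    recursion no;                    // authoritative only for outside clients
    allow-query     { any; };
    allow-recursion { none; };
    allow-query-cache { none; };

    zone "external.example" {        // hypothetical zone name
        type master;
        file "external.example.zone"; // hypothetical file name
    };
};
```

Run named-checkconf on the file before reloading, then repeat the dig from one client inside httnets and one outside it; a "query ... denied" line in /var/log/messages for the inside client means the request matched a view whose allow-* lists still exclude it.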