Re: [opensuse] DNS security
Hi,

Richard Creighton wrote:
> My question is how can I limit what external sites can query, i.e., *I* or my network machines may need to look up any of those same queries (though I can't see why at the moment), but external sites have no business doing so. External sites *may* have legitimate reasons to look up certain public addresses like mail or www or similar information, so I can't just shut off port 53 to outsiders.
> I remember once upon a time reading about this problem and a solution, but now, for the life of me, I can't find it.
> Any ideas?

Access to use your DNS server for recursive queries is controlled in your named.conf in section options. Especially I have for example:

  allow-query { ::1/128; 127.0.0.1; localnets; };
  recursion yes;

Which means that only localhost and localnets are allowed to use your DNS server to resolve any fqdn.

Access to your own local zones is granted in the respective zone section where you may want to define:

  allow-query { any; };

if your hosts should be reachable externally.

Wolfgang

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
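As an added example (not Wolfgang's configuration, and not anything posted in this thread), the shell script below writes a named.conf fragment that takes the other route BIND 9 offers for the same problem: leave allow-query open and restrict recursion with allow-recursion, so external clients can still resolve the public names in your zones but cannot use the box as an open resolver. It then shows how to check the result from outside with dig: ask the server for a name it is not authoritative for and look at the status and the "ra" flag in the reply. The zone name example.com, the file paths, the acl name "trusted" and the sample dig outputs are assumptions or constructed for the example.

```shell
#!/bin/sh
# Added example, not Wolfgang's configuration and not from the original
# thread.  Two pieces: a named.conf fragment that keeps the server
# answering for its own zones but only recurses for local clients, and a
# dig-based check that tells an open resolver from a closed one.
# Assumptions (not in the original posts): the zone example.com, the
# file paths, the acl name "trusted", and the dig outputs below, which
# are constructed rather than captured from a real server.
set -eu

# Write the hardened named.conf fragment to the path given as $1.
write_hardened_named_conf() {
    cat > "$1" <<'EOF'
// Clients that may use this server as a recursive resolver.
acl "trusted" { ::1/128; 127.0.0.1; localnets; };

options {
    directory "/var/lib/named";   // SUSE default; adjust if yours differs

    // Open resolver (what to avoid):
    //   recursion yes;
    //   allow-query { any; };       // ... and no allow-recursion at all
    // Anyone on the Internet can then recurse through this box.

    // Hardened: keep answering queries from anywhere (so outsiders can
    // look up the public names below) but recurse only for "trusted".
    // allow-recursion is narrower than restricting allow-query in
    // options, so no per-zone allow-query override is needed.
    recursion       yes;
    allow-query     { any; };
    allow-recursion { trusted; };
};

zone "example.com" IN {
    type master;
    file "master/example.com";
    allow-query    { any; };    // authoritative data is public by design
    allow-transfer { none; };   // list your secondaries here instead
};
EOF
}

# Classify the output of:  dig @<server> <name you are NOT authoritative for> +recurse
# Prints "open" when the server recursed for us (RA flag set), "closed" when
# it refused or answered without offering recursion, "unknown" otherwise.
classify_dig_output() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    case "$status" in
        '')      echo unknown ;;
        REFUSED) echo closed ;;
        *)
            case " $flags " in
                *' ra '*) echo open ;;
                *)        echo closed ;;
            esac ;;
    esac
}

# Live probe against a server (needs dig and network access; run it from
# an address that is NOT in the trusted acl, otherwise "open" is expected).
probe_resolver() {
    dig @"$1" "${2:-www.example.org}" A +recurse +tries=1 +time=3 2>/dev/null \
        | classify_dig_output
}

# Constructed sample dig outputs (not captured from a real server).
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.example.org.  300  IN  A  192.0.2.10'

SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Authoritative answer for one of the server's own zones: fine to serve,
# but the "ra" flag is missing, so this still counts as "closed".
SAMPLE_AUTH_ONLY=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; ANSWER SECTION:
www.example.com.  3600  IN  A  192.0.2.20'

# Demonstration: classify the samples, then syntax-check the fragment if
# named-checkconf happens to be installed on this machine.
for s in "$SAMPLE_OPEN" "$SAMPLE_REFUSED" "$SAMPLE_AUTH_ONLY"; do
    printf '%s\n' "$s" | classify_dig_output
done
conf=$(mktemp)
write_hardened_named_conf "$conf"
if command -v named-checkconf >/dev/null 2>&1; then
    if named-checkconf "$conf"; then
        echo "named.conf fragment: syntax OK"
    else
        echo "named-checkconf reported errors in the fragment"
    fi
else
    echo "named-checkconf not installed; skipping syntax check"
fi
rm -f "$conf"
```

Run the probe from outside the trusted networks (for example `probe_resolver 192.0.2.53` from a shell on a remote host); from the LAN it reports "open" by design, because localnets is allowed to recurse. A query for one of your own zones from outside should still come back NOERROR with "aa" set and no "ra", which is exactly the behaviour the original question asks for: outsiders can look up mail or www, but cannot turn the box into a public resolver.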
Re: [opensuse] DNS security
Wolfgang Rosenauer wrote:
> snip
> Access to use your DNS server for recursive queries is controlled in your named.conf in section options. Especially I have for example:
>
>   allow-query { ::1/128; 127.0.0.1; localnets; };
>   recursion yes;
>
> Which means that only localhost and localnets are allowed to use your DNS server to resolve any fqdn.
>
> Access to your own local zones is granted in the respective zone section where you may want to define:
>
>   allow-query { any; };
>
> if your hosts should be reachable externally.
>
> Wolfgang

Thank you Wolfgang. Now another stupid question for you, if you don't mind too much, please. I can't see where in the YaST program this can be done, other than perhaps in the sysconfig editor, but if in there, where? If not, I'll head out into 'vi' land, but I hate modifying the config files by hand because SUSE seems to come along later and change them again, occasionally overwriting changes I've made manually. So, I tread in this area carefully when this possibility exists, and I know YaST does diddle with the DNS configuration files... so

Richard
Re: [opensuse] DNS security
Richard Creighton wrote:
> Wolfgang Rosenauer wrote:
>> snip
>> Access to use your DNS server for recursive queries is controlled in your named.conf in section options. Especially I have for example:
>>
>>   allow-query { ::1/128; 127.0.0.1; localnets; };
>>   recursion yes;
>>
>> Which means that only localhost and localnets are allowed to use your DNS server to resolve any fqdn.
>>
>> Access to your own local zones is granted in the respective zone section where you may want to define:
>>
>>   allow-query { any; };
>>
>> if your hosts should be reachable externally.
>>
>> Wolfgang
>
> Thank you Wolfgang. Now another stupid question for you, if you don't mind too much, please. I can't see where in the YaST program this can be done, other than perhaps in the sysconfig editor, but if in there, where? If not, I'll head out into 'vi' land, but I hate modifying the config files by hand because SUSE seems to come along later and change them again, occasionally overwriting changes I've made manually. So, I tread in this area carefully when this possibility exists, and I know YaST does diddle with the DNS configuration files... so
>
> Richard

Well, you are doing better than I am :-) YaST does not even report on my configured zones, but I suspect this is because I am using a view based setup. But I do not use YaST for administering either my DNS (or samba) configuration anyway, so it is not a major issue for me.

As far as I can work out there is no setting for this in YaST. If you are looking for a GUI, webmin might be worth looking at; it does include a DNS management module.

However, if you have a wireless network I would make certain that the intrusion was external in origin and that your wireless security has not been compromised in some way. Just because the query apparently comes from an external address does not in itself mean that the connection is external.

--
==
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==
Re: [opensuse] DNS security
Richard Creighton wrote:
> Thank you Wolfgang. Now another stupid question for you, if you don't mind too much, please. I can't see where in the YaST program this can be done, other than perhaps in the sysconfig editor, but if in there, where? If not, I'll head out into 'vi' land, but I hate modifying the config files by hand because SUSE seems to come along later and change them again, occasionally overwriting changes I've made manually. So, I tread in this area carefully when this possibility exists, and I know YaST does diddle with the DNS configuration files... so

Which SUSE flavour/version do you use? I don't know for sure if YaST2 on 10.2 is able to do it, but I think so. I didn't use yast2-dns-server on 10.2 yet, and maybe you have to add new options yourself if there is no preconfigured setting. I also think that YaST shouldn't overwrite your manual settings, and I would consider it a bug if it does. I've just tested on SLES9, and the YaST module provides everything needed there.

Wolfgang
Re: [opensuse] DNS security
Wolfgang Rosenauer wrote:
> Richard Creighton wrote:
>> Thank you Wolfgang. Now another stupid question for you, if you don't mind too much, please. I can't see where in the YaST program this can be done, other than perhaps in the sysconfig editor, but if in there, where? If not, I'll head out into 'vi' land, but I hate modifying the config files by hand because SUSE seems to come along later and change them again, occasionally overwriting changes I've made manually. So, I tread in this area carefully when this possibility exists, and I know YaST does diddle with the DNS configuration files... so
>
> Which SUSE flavour/version do you use? I don't know for sure if YaST2 on 10.2 is able to do it, but I think so. I didn't use yast2-dns-server on 10.2 yet, and maybe you have to add new options yourself if there is no preconfigured setting. I also think that YaST shouldn't overwrite your manual settings, and I would consider it a bug if it does. I've just tested on SLES9, and the YaST module provides everything needed there.
>
> Wolfgang

I use 10.2 and 10.3a5 (I would use 10.3a6 but it destroyed my machine, so I had to reinstall completely (GRUB error)). I have never seen the part about forwarding just to my own network... I'll look again because I'm probably blind :)

Thanks
Richard
Re: [opensuse] DNS security
G T Smith wrote:
> snip
> If you are looking for a GUI, webmin might be worth looking at; it does include a DNS management module.

I'll look into that. I wanted to keep SUSE 'virgin' where possible because it helps when upgrading versions change. Ancillary support programs sometimes stop working due to library version/directory structure changes, etc., and until the ancillary programs get upgraded, sometimes you lose your tools unless you can roll your own in the case your tools' author no longer supports it.

> However, if you have a wireless network I would make certain that the intrusion was external in origin and that your wireless security has not been compromised in some way. Just because the query apparently comes from an external address does not in itself mean that the connection is external.

In this case, no wireless. I have been fighting ssh worms (found a good solution for that one, thankfully) and, in noticing the logs, found the DNS entries which prompted my questions, and when I couldn't locate either the answer or the method on my own, I turned to opensuse-users where there is a wealth of knowledge and experience.

Thanks
Richard
Re: [opensuse] DNS security
Richard Creighton wrote:
> G T Smith wrote:
>> snip
>> If you are looking for a GUI, webmin might be worth looking at; it does include a DNS management module.
>
> I'll look into that. I wanted to keep SUSE 'virgin' where possible because it helps when upgrading versions change. Ancillary support programs sometimes stop working due to library version/directory structure changes, etc., and until the ancillary programs get upgraded, sometimes you lose your tools unless you can roll your own in the case your tools' author no longer supports it.

Webmin is very good in that regard - I've been using it for more than 10 years, and it has worked on Solaris, AIX, and various flavors of Linux without a hitch. It also understands zones.

YaST can modify some files, e.g. /etc/named.conf.include, but the trick is to cooperate with it - and I've never seen YaST change a zone file or named.conf.

Joe