Insufficient DNS Source Port Randomization

2011-07-28 Thread Pete Fong
Hi Everybody, My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5, which is used as a DNS server. I have installed bind-9.7.3P3-0.2.1. Our external auditor used "NeXpose" for scanning my system. It showed "Insufficient DNS Source Port Randomization Vulnerability". Therefore I have followed BIND 9 Con

Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Matus UHLAR - fantomas
On 28.07.11 15:33, Pete Fong wrote: My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5, which is used as a DNS server. I have installed bind-9.7.3P3-0.2.1. Our external auditor used "NeXpose" for scanning my system. It showed "Insufficient DNS Source Port Randomization Vulnerability". The insuffi

Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Stephane Bortzmeyer
On Thu, Jul 28, 2011 at 03:33:11PM +0800, Pete Fong wrote a message of 27 lines which said: > I have adjusted named.conf configuration file as below : > > query-source address * port * ; > query-source-v6 address * port *; BIND randomizes properly by default. I would suggest to delete all th

no servers could be reached

2011-07-28 Thread uifid...@gmail.com
dig kia.czj ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> kia.czj ;; global options: printcmd ;; connection timed out; no servers could be reached my ip is 192.168.18.128 my named.conf options { listen-on port 53 { 192.168.18.128; 127.0.0.1; }; listen-on-v6 port 53 { ::1; };

Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Pete Fong
Hi, Matus UHLAR. No, the scanner PC and DNS server are connected by a crossover cable in my environment. Therefore I have no idea. Thanks a lot, Pete Fong 2011/7/28 Matus UHLAR - fantomas : > On 28.07.11 15:33, Pete Fong wrote: >> >> My Linux is OpenSuSE 11.4 with Kernel 2.6.37.6-0.5 which is

Re: Insufficient DNS Source Port Randomization

2011-07-28 Thread Danilo Godec
If I understand correctly, the connection between the scanner PC and your DNS server is not really the issue here. What can cause problems is a firewall between your DNS server and the Internet. Danilo On 07/28/2011 10:08 AM, Pete Fong wrote: Hi, Matus UHLAR No, The scanner PC and D

Re: no servers could be reached

2011-07-28 Thread Daniel McDonald
On 7/28/11 3:16 AM, "uifid...@gmail.com" wrote: > my czj.zone > $TTL 86400 > czj. IN SOA localhost. root.localhost. ( > 1997022700 ; Serial > 28800 ; Refresh >

Re: no servers could be reached

2011-07-28 Thread Alan Clegg
On 7/28/2011 4:16 AM, uifid...@gmail.com wrote: > view localhost_resolver { > match-clients { localhost; }; > match-destinations { localhost; }; > recursion yes; > include "/etc/named.rfc1912.zones"; > }; > view czj { > match-clients { 192.168.18.128; localhost

Re: DNS update on host down

2011-07-28 Thread david klein
There are tools which do this, such as F5's GTM or Cisco's GSS; essentially, you have multiple servers in a pool/answer group, and during normal operations, they are handed out in either RR or WRR. If one server fails his health-check, he is taken out of the mix. I believe under the covers, it is e

Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
I'm trying to configure a BIND server which could answer queries (at least from 127.0.0.1 and 192.168.18.128) like "dig kia.czj", but I failed to. Perhaps my ignorance about the match-clients and match-destinations statements failed my attempt, or more likely, "SOA and NS of localhost. seems wrong".  I

Split PTR zone (internal and external)

2011-07-28 Thread CT
I am wondering what might be a good "workaround" for this legacy setup... Will do my best to explain.. IP Space - 1 Class B Global Unique (used Externally and Internally) - 1 Class B RFC1918 DNS Setup External DNS (Linux - Bind 9.8.x) - example-ext.com DNS domain - authoritative for PT

Re: Views and no answers ...

2011-07-28 Thread Thomas Schweikle
Am 28.07.2011 01:18, schrieb Bob: > These two views are identical in any way I can see, so the fault may > be in an included configuration file that is not included in your > message. > > Look for allow-query, allow-recursion or allow-cache statements in > your other config files. Did this. The o

Format of the IPv6 reversed zone

2011-07-28 Thread Khuu, Linh Contractor
Hello, I'm new to IPv6 configuring in BIND. I need help. The forward zone is simple enough with record, but the reversed zone is a bit confusing to me. For example, I want to add a hostname of www.example.com to 2001:1930:c00::2. This IPv6 address is /48. How can

Re: Format of the IPv6 reversed zone

2011-07-28 Thread Jay Ford
On Thu, 28 Jul 2011, Khuu, Linh Contractor wrote: I'm new to IPv6 configuring in BIND. I need help. The forward zone is simple enough with record, but the reversed zone is a bit confusing to me. For example, I want to add a hostname of www.example.com to 2001:1930:c00::2. This IPv6 addres

RE: Format of the IPv6 reversed zone

2011-07-28 Thread Khuu, Linh Contractor
Thanks Jay and Leonard for the pointers of IPv6 format. Linh Khuu -Original Message- From: Jay Ford [mailto:jay-f...@uiowa.edu] Sent: Thursday, July 28, 2011 2:22 PM To: Khuu, Linh Contractor Cc: 'bind-users@lists.isc.org' Subject: Re: Format of the IPv6 reversed zone On Thu, 28 Jul 20

Re: Format of the IPv6 reversed zone

2011-07-28 Thread Mark Elkins
On Thu, 2011-07-28 at 14:07 -0400, Khuu, Linh Contractor wrote: > Hello, > > I’m new to IPv6 configuring in BIND. I need help. The forward zone is > simple enough with record, but the reversed zone is a bit > confusing to me. > > For example, I want to add a hostname of www.example.com to

Re: Views and no answers ...

2011-07-28 Thread Bob
You also have these acl's, which I find quite useful: allow-query {acl-list} allow-query-cache {acl-list} allow-recursion {acl-list} As I recall, all of them are valid inside a view. You could also try to throw in some debug logging. Here is what I do for troubleshooting: #> rndc querylog #> r

Re: Format of the IPv6 reversed zone

2011-07-28 Thread eugene tsuno
There is a little perl ipv6 calc that I use, ipv6calc, so I don't mistype it. ipv6calc --addr_to_ip6arpa 2001:1930:c00::2 No input type specified, try autodetection...found type: ipv6addr 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.3.9.1.1.0.0.2.ip6.arpa. The web page is dead, but the ftp

Re: no servers could be reached

2011-07-28 Thread Michael McNally
On 7/28/11 12:16 AM, uifid...@gmail.com wrote: my /etc/resolve.conf Note: ^^^ named-checkzone named-checkconf passed, I suppose the configure works but only get no servers could be reached.What's wrong with my config? Your resolv.conf is in the wrong place. Let's see what happens w

RE: no servers could be reached

2011-07-28 Thread Lightner, Jeff
Also has a wrong name: Should be resolv.conf NOT resolve.conf. -Original Message- From: bind-users-bounces+jlightner=water@lists.isc.org [mailto:bind-users-bounces+jlightner=water@lists.isc.org] On Behalf Of Michael McNally Sent: Thursday, July 28, 2011 3:47 PM To: bind-user

Re: Format of the IPv6 reversed zone

2011-07-28 Thread Alan Clegg
On 7/28/2011 3:35 PM, eugene tsuno wrote: > > There is a little perl ipv6 calc that I use ipv6calc so I don't mis-typo it. > > ipv6calc --addr_to_ip6arpa 2001:1930:c00::2 > No input type specified, try autodetection...found type: ipv6addr > 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.0.0.3.9.1

.hu ns records incorrect?

2011-07-28 Thread Carl Byington
Am I missing something, or are the hu NS records incomplete? dig d.hu +trace ;; AUTHORITY SECTION: hu. 86400 IN NS e.hu. hu. 86400 IN NS ns-se.nic.hu. hu. 86400 IN

Re: .hu ns records incorrect?

2011-07-28 Thread Stephane Bortzmeyer
On Thu, Jul 28, 2011 at 01:18:29PM -0700, Carl Byington wrote a message of 35 lines which said: > dig: couldn't get address for 'b.hu': not found Strange. It works for me. b.hu. 86292 IN A 193.239.149.3

Re: Split PTR zone (internal and external)

2011-07-28 Thread Kevin Darcy
On 7/28/2011 12:26 PM, CT wrote: I am wondering what might be a good "workaround" for this legacy setup... Will do my best to explain.. IP Space - 1 Class B Global Unique (used Externally and Internally) - 1 Class B RFC1918 DNS Setup External DNS (Linux - Bind 9.8.x) - example-ext.com

Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
Sorry, it's a typo in the maillist, but not in my file system. My resolv.conf is in the right place. 2011/7/29 Michael McNally : > On 7/28/11 12:16 AM, uifid...@gmail.com wrote: >> >> my /etc/resolve.conf > > Note:     ^^^ >> >> named-checkzone named-checkconf passed, I suppose the configure w

Re: Split PTR zone (internal and external)

2011-07-28 Thread CT
On 7/28/2011 4:58 PM, Kevin Darcy wrote: On 7/28/2011 12:26 PM, CT wrote: I am wondering what might be a good "workaround" for this legacy setup... Will do my best to explain.. IP Space - 1 Class B Global Unique (used Externally and Internally) - 1 Class B RFC1918 DNS Setup External DNS

Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
still get "no servers could be reached", need help. #dig @127.0.0.1 nsc1.domainx ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @127.0.0.1 nsc1.domainx. ; (1 server found) ;; global options: printcmd ;; connection timed out; no servers could be reached cat /etc/resolv.conf ; generated by /sbin

Re: no servers could be reached

2011-07-28 Thread uifid...@gmail.com
#hostname CentOS3 Does it matter? 2011/7/29 uifid...@gmail.com : > still get "no servers could be reached", need help. > > #dig @127.0.0.1 nsc1.domainx > > ; <<>> DiG 9.3.6-P1-RedHat-9.3.6-16.P1.el5 <<>> @127.0.0.1 nsc1.domainx. > ; (1 server found) > ;; global options:  printcmd > ;; connection ti