Re: [cobalt-users] DNS problem - please help! {Scanned}



On Wednesday 31 December 2003 09:09, SW wrote:
> The denied query above are due to adding the allow-query directive in
> /etc/named.conf:
>
> options {
>         directory "/etc/named";
>         allow-recursion { xxx.xxx.xxx.xx/27; localhost; };
>         allow-query { xxx.xxx.xxx.xx/27; localhost; };
>         version "WPPi Name Server - NA";
>         allow-transfer { xxx.xxx.xxx.xx; };
> };
> -----------
> xxx.xxx.xxx.xx above is our IP block
> ----------
> We added the allow-query option after running a security check which
> recommended we add 'allow-recursion' and 'allow-query' to bind to prevent
> various vulnerabilities. But I thought these changes would still allow users to
> get DNS info for mail and httpd info, etc.

Negative.  You cannot "deny" queries to the rest of the world, and then expect 
them to be able to find your name/IP addresses from your DNS server.

If you lock the gate to your fence around your yard - how is the mailman 
supposed to deliver your mail to the box beside your door....  Remove the 
"allow-query" option and it will "start" working again...

Security is always a "balance" - limit what you can but allow access as 
needed/required for things to function.

-- 
Larry Smith
SysAd ECSIS.NET
sysad@xxxxxxxxx
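To make the point concrete, here is the restrictive options block from the quoted message next to a corrected one. This is an added example, not configuration from either poster; 192.0.2.0/27 and 192.0.2.5 are placeholder addresses standing in for the site's own block and secondary server, and the acl name "ournet" is assumed.

```conf
// BEFORE (as quoted): queries from outside the /27 are REFUSED, so no one
// else can resolve the mail and web hostnames this server is authoritative for.
options {
        directory "/etc/named";
        allow-recursion { 192.0.2.0/27; localhost; };
        allow-query     { 192.0.2.0/27; localhost; };   // breaks public lookups
        version "WPPi Name Server - NA";
        allow-transfer  { 192.0.2.5; };
};

// AFTER: authoritative answers stay open to the world; only recursion
// (resolving other people's names on behalf of a client) and zone transfers
// remain limited to the site's own addresses.
acl "ournet" { 192.0.2.0/27; localhost; };   // placeholder for the real block

options {
        directory "/etc/named";
        version "WPPi Name Server - NA";
        allow-query     { any; };        // equivalent to omitting the option
        allow-recursion { ournet; };     // not an open resolver
        allow-transfer  { 192.0.2.5; };  // secondaries only (placeholder)
};
```

After editing, `named-checkconf /etc/named.conf` validates the syntax, and a lookup from an address outside the block (`dig @<server> <hostname>`) should now return an answer instead of status REFUSED.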