Thanks Marc, this worked. Now I need to set up ACL sets for the internal and external network.

On Thu, Jul 3, 2008 at 10:46 AM, Marc Skinner <marc at e-skinner.net> wrote:

> Might want to try this:
>
> acl bogusnets {
>     0.0.0.0/8;
>     169.254.0.0/16;
>     224.0.0.0/3;
> };
>
> acl internalnet {
>     127.0.0.1;
>     192.168.1.0/24;
> };
>
> acl mynet {
>     127.0.0.1;
>     192.168.1.0/24;
> };
>
> acl thisdns {
>     127.0.0.1;
>     192.168.1.whatever your DNS server is;
> };
>
> in options section:
>
> allow-notify {
>     mynet;
> };
> allow-query {
>     mynet;
> };
> allow-recursion {
>     mynet;
> };
> blackhole {
>     bogusnets;
> };
> listen-on {
>     thisdns;
> };
> listen-on-v6 {
>     none;
> };
> query-source address * port 53;
> version "!BIND!";
>
> James wrote:
>
>> Howdy,
>> I have Fedora 9 installed and would like to use it as the DNS system in
>> the house.
>> The setup is as follows
>>
>> options {
>>     listen-on port 53 { 127.0.0.1; };
>>     listen-on-v6 port 53 { ::1; };
>>     directory "/var/named";
>>     dump-file "/var/named/data/cache_dump.db";
>>     statistics-file "/var/named/data/named_stats.txt";
>>     memstatistics-file "/var/named/data/named_mem_stats.txt";
>>     allow-query { localhost; };
>>     recursion yes;
>>     forwarders {
>>         68.87.77.130;
>>         68.87.72.130;
>>     };
>> };
>> logging {
>>     channel default_debug {
>>         file "data/named.run";
>>         severity dynamic;
>>     };
>> };
>> zone "." IN {
>>     type hint;
>>     file "named.ca";
>> };
>>
>> include "/etc/named.rfc1912.zones";
>> zone "home.local" {
>>     type master;
>>     file "/var/named/home.local.hosts";
>> };
>>
>> zone "1.168.192.in-addr.arpa" {
>>     type master;
>>     file "1.168.192.in-addr.arpa.zone";
>>     allow-update { key "rndckey"; };
>>     notify yes;
>> };
>>
>> I have the files in /var/named set up and configured.
>> From the DNS system I can type nslookup 43p and get the following
>>
>> [root@fc9 named]# vi /etc/named.conf
>> [root@fc9 named]# nslookup 43p
>> Server:     127.0.0.1
>> Address:    127.0.0.1#53
>>
>> Name:   43p.home.local
>> Address: 192.168.1.52
>>
>> From a Windows system I get the following
>>
>> C:\Users\dalan>nslookup 43p
>> Server:  UnKnown
>> Address:  192.168.1.50:53
>>
>> *** UnKnown can't find 43p: Query refused
>>
>> From the AIX system I get
>>
>> (43p-aix) [dalan] nslookup 43p
>> *** Can't find server name for address 192.168.1.50: Query refused
>> *** Default servers are not available
>> (43p-aix) [dalan]
>>
>> I have shut off the firewall and SE-Linux on the Fedora system. I'm not
>> sure why the Fedora system is blocking/refusing the request coming from
>> another system.
>> I even put the following entries in iptables.
>>
>> SERVER_IP="192.168.1.50"
>> iptables -A INPUT -p udp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p udp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p udp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
>> iptables -A INPUT -p tcp -s 0/0 --sport 53 -d $SERVER_IP --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
>> iptables -A OUTPUT -p tcp -s $SERVER_IP --sport 53 -d 0/0 --dport 53 -m state --state ESTABLISHED -j ACCEPT
>>
>> I still have the same effect.
>> Running the following shows that the system is refusing the connection.
>>
>> /usr/sbin/tcpdump -X port 53
>>
>> [root@fc9 named]# /usr/sbin/tcpdump -X port 53
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 21:39:38.512926 IP aix.sparish.local.52686 > fc9.sparish.local.domain: 46304+ PTR? 50.1.168.192.in-addr.arpa. (43)
>>     0x0000:  4500 0047 ac22 0000 1e11 6ccd c0a8 0134  E..G."....l....4
>>     0x0010:  c0a8 0132 cdce 0035 0033 7c2c b4e0 0100  ...2...5.3|,....
>>     0x0020:  0001 0000 0000 0000 0235 3001 3103 3136  .........50.1.16
>>     0x0030:  3803 3139 3207 696e 2d61 6464 7204 6172  8.192.in-addr.ar
>>     0x0040:  7061 0000 0c00 01                        pa.....
>> 21:39:38.519048 IP fc9.sparish.local.domain > aix.sparish.local.52686: 46304 Refused- 0/0/0 (43)
>>     0x0000:  4500 0047 0000 4000 4011 b6ef c0a8 0132  E..G..@.@......2
>>     0x0010:  c0a8 0134 0035 cdce 0033 fc26 b4e0 8105  ...4.5...3.&....
>>     0x0020:  0001 0000 0000 0000 0235 3001 3103 3136  .........50.1.16
>>     0x0030:  3803 3139 3207 696e 2d61 6464 7204 6172  8.192.in-addr.ar
>>     0x0040:  7061 0000 0c00 01                        pa.....
>>
>> Any help would be welcome
>> Thanks
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
>> tclug-list at mn-linux.org
>> http://mailman.mn-linux.org/mailman/listinfo/tclug-list
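The thread turns on how named evaluates its address match lists: James's `allow-query { localhost; }` sends REFUSED to the 192.168.1.52 client seen in the tcpdump, while Marc's `allow-query { mynet; }` answers it and `blackhole { bogusnets; }` silently drops bogon sources. The model below is an added example, not code from the thread or from BIND; it builds the ACLs from Marc's reply, spells out BIND's built-in `localhost` list as an assumption, and ignores listen-on, views and allow-query-cache.

```python
import ipaddress

# Constructed from the acl blocks in Marc's reply. "localhost" is built in to
# BIND (derived from the host's interfaces); it is spelled out here as an
# assumption so the model runs offline.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3"],
    "internalnet": ["127.0.0.1", "192.168.1.0/24"],
    "mynet": ["127.0.0.1", "192.168.1.0/24"],
    "localhost": ["127.0.0.1", "::1"],
}

def matches(addr, match_list):
    """First-match evaluation of a BIND address match list: elements are an
    address/prefix, an acl name, "any" or "none", optionally prefixed with
    "!"; the first hit decides (plain hit accepts, negated hit rejects)."""
    ip = ipaddress.ip_address(addr)
    for element in match_list:
        negate = element.startswith("!")
        item = element.lstrip("!").strip()
        if item == "any":
            hit = True
        elif item == "none":
            hit = False
        elif item in ACLS:
            hit = matches(addr, ACLS[item])
        else:  # "in" is False across IPv4/IPv6, so mixed lists are safe
            hit = ip in ipaddress.ip_network(item, strict=False)
        if hit:
            return not negate
    return False

def query_decision(options, src):
    """Simplified model of how named treats a query from src (ignores
    listen-on, views and allow-query-cache): a blackholed source is dropped
    silently, then allow-query (default any) picks answer vs. REFUSED."""
    if matches(src, options.get("blackhole", [])):
        return "dropped"
    if matches(src, options.get("allow-query", ["any"])):
        return "answered"
    return "refused"

# James's original options block next to the one Marc suggested.
ORIGINAL_OPTIONS = {"allow-query": ["localhost"]}
MARC_OPTIONS = {"allow-query": ["mynet"], "blackhole": ["bogusnets"]}

if __name__ == "__main__":
    for src in ("127.0.0.1", "192.168.1.52", "169.254.10.9", "10.0.0.5"):
        print(src, query_decision(ORIGINAL_OPTIONS, src), query_decision(MARC_OPTIONS, src))
```

Running it shows the 192.168.1.52 client refused under the original block and answered under Marc's, while a 169.254.x.x source is dropped without any response.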