Hi,
maybe I'll upgrade bind in next time.
But I'm just wondering, because it's ok when I query TXT record from my internal network, so I think this version of bind has no problem with TXT record.
Maybe it's my firewall problem but port 53 TCP, UDP have been opened, and I tought those enough. Could you tell aother port should be opened?
Thanks a lot and regards,

----- Original Message ----- From: "Mark Andrews"
To: "Barry Margolin"
Cc:
Sent: Friday, August 25, 2006 6:50 AM
Subject: Re: TXT record problem (Timed out)


>
>> In article ,
>> Mark Andrews wrote:
>>
>> > > Hi,
>> > > my dns server is behind a firewall, and TCP and UDP port 53 have been
>> > > opene
>> > > d. Is there another port should be opened?
>> > > After running dig version.bind chaos txt or named -v, I got BIND 9.1.3.
>> > > Thanks and regards,
>> >
>> > No one should be running BIND 9.1.3 anymore. Upgrade.

>>
>> While that may be good advice, what's the chance that this is even
>> remotely related to his problem?

>
> I doubt it has anything, as the version.bind/txt/ch query
> failed and that has always worked which indicates that it
> is not named. This has already been pointed out by others
> and indicates a firewall problem.
>
> What had not been pointed out is that there are lots of
> major bugs including security bugs in what he is running.
>
> e.g.
> http://www.cert.org/advisories/CA-2002-15.html
>
> I suspect the whole OS needs to be upgraded. I don't know
> of any OS that shipped w/ BIND 9.1.3 that doesn't have other
> security flaws.
>
> Named is one of a few applications that is always exposed
> to external threats. You can often get away with not
> upgrading on a internal threat. You can rarely get away
> with not upgrading on a external threat. This machine is
> exposed to external threats.
>
>> I wish in my tech support job I could get away with ignoring questions
>> of customers who aren't running a recent release.

>
> BIND 9.1 has been out of support for 4 years. This is free
> support and asking someone to compile a recent version
> before getting free support is a reasonable request. It
> also gets rid of a multitude of potential problems.
>
> Anyone running a multi-threaded version of named shouldn't
> be running anything less than BIND 9.2.4 as all versions
> prior to that have a major race condition. This means most
> Linux boxes shouldn't be running anything prior to BIND 9.2.4.
>
> Mark
>
>> --
>> Barry Margolin, barmar@alum.mit.edu
>> Arlington, MA
>> *** PLEASE post questions in newsgroups, not directly to me ***
>> *** PLEASE don't copy me on replies, I'll read them in the group ***

> --
> ISC Training! October 16-20, 2006, in the San Francisco Bay Area,
> covering topics from DNS to DHCP. Email training@isc.org.
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews@isc.org
>
>
>
>
>


---------------------------------
Apakah Anda Yahoo!?
Kunjungi halaman depan Yahoo! Indonesia yang baru!