From owner-freebsd-security Wed Jun 16 4:12:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from metis.host4u.net (metis.host4u.net [209.150.128.22])
    by hub.freebsd.org (Postfix) with ESMTP id 25EDF14D09
    for ; Wed, 16 Jun 1999 04:12:35 -0700 (PDT)
    (envelope-from dan.langille@dvl-software.com)
Received: from wocker (210-55-152-36.ipnets.xtra.co.nz [210.55.152.36])
    by metis.host4u.net (8.8.5/8.8.5) with SMTP id GAA26982;
    Wed, 16 Jun 1999 06:12:00 -0500
Message-Id: <199906161112.GAA26982@metis.host4u.net>
From: "Dan Langille"
Organization: DVL Software Limited
To: Dag-Erling Smorgrav
Date: Wed, 16 Jun 1999 23:12:21 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: named timeouts
Reply-To: dan.langille@dvl-software.com
Cc: security@FreeBSD.ORG, Mike Nowlin
References: "Dan Langille"'s message of "Wed, 16 Jun 1999 22:00:18 +1200"
In-reply-to:
X-mailer: Pegasus Mail for Win32 (v3.01d)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 16 Jun 99, at 12:59, Dag-Erling Smorgrav wrote:

> "Dan Langille" writes:
> > These messages aren't from ipfilter. I believe they are from my
> > kernel.log. I apologise for not pointing that out in the first place:
> >
> > $ tail kernel.log
> > Jun 16 09:16:42 ns /kernel: Connection attempt to UDP 127.0.0.1:1391 from 127.0.0.1:53
> > Jun 16 09:17:02 ns /kernel: Connection attempt to UDP 127.0.0.1:1393 from 127.0.0.1:53
>
> Ah, these are log_in_vain messages. What they mean is that named isn't
> listening on 127.0.0.1. You need to add localhost or localnets to the
> allow-query clause in named.conf (either in the options section or in each
> zone).

This is sounding better. I just checked named.conf. At present, I don't
have any allow-query statements. According to p250 of DNS and BIND, I
could just add the following:

    options {
        allow-query { 127.0.0.1/32; };
    };

But would that prevent everyone else from getting in?

--
Dan Langille - DVL Software Limited
The FreeBSD Diary - http://www.FreeBSDDiary.org/freebsd/
NZ FreeBSD User Group - http://www.nzfug.nz.freebsd.org/
The Racing System - http://www.racingsystem.com/racingsystem.htm
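
How BIND evaluates an allow-query address match list like the one asked about above, as an added example that is not part of the original message and is not BIND's own code: a small Python model of the first-match rule. The interface and client addresses are constructed, and the model covers only IPv4 address elements, "!" negation and the predefined names any, none, localhost and localnets.

```python
import ipaddress

# Assumed interface configuration of the name server (constructed values,
# not from the original message): loopback plus one address on 192.0.2.0/24.
LOCAL_INTERFACES = ["127.0.0.1/8", "192.0.2.53/24"]


def _builtin(name, interfaces):
    """Expand a match-list element (predefined name or prefix) to networks."""
    ifaces = [ipaddress.ip_interface(i) for i in interfaces]
    if name == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if name == "none":
        return []
    if name == "localhost":   # every address configured on this host
        return [ipaddress.ip_network(f"{i.ip}/32") for i in ifaces]
    if name == "localnets":   # every network this host is attached to
        return [i.network for i in ifaces]
    return [ipaddress.ip_network(name, strict=False)]


def query_allowed(client, match_list, interfaces=LOCAL_INTERFACES):
    """Evaluate an address match list: the first matching element decides,
    a leading '!' negates it, and a client that matches nothing is refused."""
    addr = ipaddress.ip_address(client)
    for element in match_list:
        negated = element.startswith("!")
        nets = _builtin(element.lstrip("!").strip(), interfaces)
        if any(addr in net for net in nets):
            return not negated
    return False


def report(match_list, clients):
    """Map each client address to the allow/refuse decision for one list."""
    return {c: query_allowed(c, match_list) for c in clients}


if __name__ == "__main__":
    # Constructed clients: loopback, a host on the local net, an outside host.
    clients = ["127.0.0.1", "192.0.2.10", "198.51.100.7"]
    for acl in (["127.0.0.1/32"],
                ["localhost", "localnets"],
                ["!198.51.100.0/24", "any"]):
        print(acl, report(acl, clients))
```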