[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

host & DNS



Hi,

I am trying to understand how the hosts.allow and hosts.deny files work as 
well as DNS.

So far, I have a nameserver, but kept getting an error:

warning: /etc/hosts.allow, line 11: can't verify hostname:  gethostbyname 
(gomez.star.cd) failed

I finally figured out that something was wrong as one of this ISP's user 
complained that they couldn't send an email to my mailserver (which is the 
nameserver as well).

I did a host lookup and got the following:

host 203.36.43.17
Name: gomez.star.cd
Address: 203.36.43.17

then later:

host gomez.star.cd
gomez.star.cd does not exist, try again

Why would cause this to fail?  When I put "ALL: 203."  in the 
/etc/hosts.allow file and commented out the "ALL: PARANOID" in the 
/etc/hosts.deny file, it then allowed access to my mailserver. 
 Incidentally, I did try to dig the address and hostname and it did work 
fine.  I am using qmail as the mailserver, but know that it uses your DNS 
to resolve hostnames instead of /etc/resolv.conf.  Also, I am using xinetd 
as well for mail and other services.

Is there anywhere that tells you how these files actually work and what's 
the best way of making sure the system is reasonably secure without barring 
out legitimate servers?  For example, I tried to do the following, but it 
didn't work.  The man pages didn't really shed much light on this.

in the /etc/hosts.allow file:

ALL: ALL

in the /etc/hosts.deny file:

in.telnetd: ALL EXECEPT 192.168.1.

I expected that you wouldn't be able to telnet to the machine unless you 
had the address 192.168.1.XXX, but I could still do it for some reason. In 
the /etc/hosts.allow file, I previously had "ALL: .mydomain.com.au", and in 
the /etc/hosts.deny I had "ALL:PARANOID", but this seemed to bounce 
everyone in the above category, which annoyed some of our users.  I thought 
that the DNS server (bind) handled all these requests and that the host 
files didn't matter much, until I saw what was happening.

Rob...






Reply to: