This website is deprecated, and remains online only for historic access to old issues and docs for historic versions of Virtualmin. It has been unmaintained for several years, and should not be relied on for up-to-date information. Please visit www.virtualmin.com instead.
Hey Lars,
It means that either your DNS server is having troubles or one of ours is. ;-)
I'm looking into it.
Anybody else seeing this?
BTW-It is pretty much harmless. You have thirty days of "license problem" status before anything bad happens to your Virtualmin (and a human looks into the flagged situation before a license gets suspended for violations...it's pretty hard to run into real disabling license problems, assuming you actually have a license!).
--
Check out the forum guidelines!
I'm seeing it too.
I installed Virtualmin twice on the machine recently ... from scratch. I was alright until up to the point where I installed a virtual domain. After that, it seems that I am unable to resolve external addresses.
I can get to addresses contained within my own DNS. But I cannot log into the server and go out to google or virtualmin or anywhere else.
I've got a busy day. Later, however, I will try it again.
I'm running Fedora Core 6. The steps I took:
1 - Install Fedora with only Software Support turned on.
2 - Upgrade Fedora (I had to do gaim in a separate step because of all the module changes. It was somehow inconsistent.)
3 - Install Authen::PAM
4 - Install my second license of Virtualmin - I did get a strange message but when I looked in the log file, I only saw command syntax.
5 - Set my Network Address in Apache, Protect DNS from Recursive Lookups, Set up communication to the slave DNS.
6 - Define primary website upon that server, add name servers to DNS A records, Add ARPA address.
... and I now cannot find external addresses. I really did not try between step 4 and here.
When I try again, I'll see if I can install Virtualmin before I upgrade Fedora. Maybe I'm getting a strange package configuration that's interfering with Virtualmin setup. I'll also make sure I can get out to other sites after each Virtualmin setup step.
Oops .. in Step 5, I also changed other Bind settings: In the Zone File Options, I set a default master for slave zones, and I set a default master server IP for remote slave zones. This has never hurt me in the past, and it seems to help me get my updates out correctly to my slaves.
Hey Mark,
The "Protect DNS from recursive lookups" is the problem here. No problem locking out others from using the recursion features...but the box itself needs to be able to use itself for resolution (this is a recent change to allow the WYSIWYG editor to work correctly even for new unresolvable sites, among other things).
Hey Joe,
That was it! In the BIND Misc section, I'd always set "Do full recursive lookups for clients?" to 'No.' I set it back to 'Default' and it worked.
Do I have to worry about this being a security hole or anything?
Thanks for the tip. It saved me another re-installation. :-)
- Mark
Hey Mark,
It has been considered somewhat risky in the past, due to the security history of older versions of BIND, but I'm unaware of any current risks.
Cache poisoning is the most common threat, and BIND 8 and 9 have quite solid protection against this (assuming the network they're on is reasonably trustworthy).
Denial of Service is another possibility, but if someone has the resources to put into a DoS attack against you, they'll hit your webserver or mailserver rather than BIND. Both services are much harder on your box and easier on theirs, relatively speaking, and so much more effective a target.
A few folks have helpfully pointed out over the past two years that Virtualmin.com has an open recursive name server on it, and that's true...but we've never had any problems out of it. (And, quite frankly, I like having a nameserver that I know works and is publicly available when I'm working on customer boxes and they've got misconfigured DNS--since we can't install without working DNS, it's useful to point them to Virtualmin.com until a local name server is available.)
You can, of course, restrict recursive functionality to just localhost by adding a rule like this to the options { ... } section:
    allow-recursion {
        127.0.0.0/8;
    };
--
Check out the forum guidelines!
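An added example, not part of the original posts and not Virtualmin or BIND code: a small Python check that reads a named.conf and reports who may use recursion, covering the three states discussed in this thread (recursion switched off, open to everyone, limited to localhost). The function names and the sample config are constructed for illustration, and the check assumes the setting lives in the global options block with literal addresses rather than in a view or a named acl.

```python
import re

# Address-match elements that keep recursion on the box itself.
LOCAL_ONLY = {"localhost", "127.0.0.1", "127.0.0.0/8", "::1"}

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out settings are ignored."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the options { ... } statement, or '' if absent."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth = 1
    for i in range(m.end(), len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    return ""

def recursion_exposure(conf):
    """Classify who may use recursion according to the global options."""
    body = options_block(strip_comments(conf))
    # "recursion no;" turns recursion off for every client, the host included.
    if re.search(r"(?<![-\w])recursion\s+no\s*;", body):
        return "disabled"
    m = re.search(r"(?<![-\w])allow-recursion\s*\{([^}]*)\}", body)
    if not m:
        # No ACL: any client on BIND before 9.4, localnets + localhost after.
        return "version-default"
    elems = [e.strip().strip('"') for e in m.group(1).split(";") if e.strip()]
    if "any" in elems:
        return "open"
    if elems == ["none"]:
        return "disabled"
    if elems and all(e in LOCAL_ONLY for e in elems):
        return "local-only"
    return "restricted"

# Constructed sample: the rule from the post placed inside an options block.
SAMPLE = 'options {\n  directory "/var/named";\n  allow-recursion {\n    127.0.0.0/8;\n  };\n};\n'

if __name__ == "__main__":
    print(recursion_exposure(SAMPLE))
```

A result of "disabled" corresponds to the state in which the server could no longer resolve external names for itself; "local-only" keeps that working while refusing recursion to outside clients.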
Yes, we have a licence key dated 2005-11-24.
Hey Lars,
I know you do. I was just trying to clarify some of the circumstances under which you'd need to *worry* about any kind of license problem errors. In your case, it is harmless, if a bit annoying.
OK Joe!
I'm just wondering, no problem, thank you!