What Is this?

11 posts / 0 new
Last post
#1 Fri, 01/13/2006 - 04:02
LarsReimers
LarsReimers's picture

What Is this?

From time to time we get this message:

"A problem was detected with your Virtualmin licence : Failed to contact licence server : Failed to lookup IP address for software.virtualmin.com"

Fri, 01/13/2006 - 04:12
Joe
Joe's picture

Hey Lars,

It means that either your DNS server is having troubles or one of ours is. ;-)

I'm looking into it.

Anybody else seeing this?

BTW-It is pretty much harmless. You have thirty days of "license problem" status before anything bad happens to your Virtualmin (and a human looks into the flagged situation before a license gets suspended for violations...it's pretty hard to run into real disabling license problems, assuming you actually have a license!).

--

Check out the forum guidelines!

Fri, 06/15/2007 - 22:54 (Reply to #2)
MarkThomas

I'm seeing it too.

I installed virtualmin twice on the machine recently ... from scrap. I was alright until up to the point where I installed a virtual domain. After that, it seems that I am unable to resolve external addresses.

I can get to addresses contained within my own DNS. But I cannot log into the server and go out to google or virtualmin or anywhere else.

Sat, 06/16/2007 - 06:26 (Reply to #3)
MarkThomas

I've got a busy day. Later, however, I will try it again.

I'm running Fedora Core 6. The steps I took:

1 - Install Fedora with only Software Support turned on.

2 - Upgrade Fedora (I had to do gaim in a separate step because of all the module changes. It was somehow inconsistent.)

3 - Install Authen::PAM

4 - Install my second license of virtualmin - I did get a strange message but when I looked in the log file, I only saw command syntex.

5 - Set my Network Address in Apache, Protect DNS from Recursive Lookups, Set up communication to the slave DNS.

6 - Define primary website upon that server, add name servers to DNS A records, Add ARPA address.

... and I now cannot find external addresses. I really did not try between step 4 and here.

When I try again, I'll see if I can install Virtualmin before I upgrade Fedora. Maybe I'm getting a strange package configuration that's interfering with Virtualmin setup. I'll also make sure I can get out to other sites after each Virtualmin setup step.

Sat, 06/16/2007 - 06:35 (Reply to #4)
MarkThomas

Oops .. in Step 5, I also changed other Bind settings: In the Zone File Options, I set a default master for slave zones, and I set a default master server IP for remote slave zones. This has never hurt me in the past, and it seems to help me get my updates out correctly to my slaves.

Sat, 06/16/2007 - 12:01 (Reply to #5)
Joe
Joe's picture

Hey Mark,

The "Protect DNS from recursive lookups" is the problem here. No problem locking out others from using the recursion features...but the box itself needs to be able to use itself for resolution (this is a recent change to allow the WYSIWYG editor work correctly even for new unresolvable sites, among other things).

--

Check out the forum guidelines!

Sat, 06/16/2007 - 19:25 (Reply to #6)
MarkThomas

Hey Joe,

That was it! In the BIND Misc section, I'd always set "Do full recursive lookups for clients?" to 'No.' I set it back to 'Default' and it worked.

Do I have to worry about this being a security hole or anything?

Thanks for the tip. It saved me another re-installation. :-)

- Mark

Sun, 06/07/2009 - 07:03 (Reply to #7)
Joe
Joe's picture

Hey Mark,

It has been considered somewhat risky in the past, due to the security history of older versions of BIND, but I'm unaware of any current risks.

Cache poisoning is the most common threat, and BIND 8 and 9 have quite solid protection against this (assuming the network they're on is reasonably trustworthy).

Denial of Service is another possibility, but if someone has the resources to put into a DoS attack against you, they'll hit your webserver or mailserver rather than BIND. Both services are much harder on your box and easier on theirs, relatively speaking, and so much more effective a target.

A few folks have helpfully pointed out over the past two years that Virtualmin.com has an open recursive name server on it, and that's true...but we've never had any problems out of it. (And, quite frankly, I like having a nameserver that I know works and is publicly available when I'm working on customer boxes and they've got misconfigured DNS--since we can't install without working DNS, it's useful to point them to Virtualmin.com until a local name server is available.)

You can, of course, restrict recursive functionality to just localhost by adding a rule like this to the options { ... } section:

<i> allow-recursion {
127.0.0.0/8;
};</i>

--

Check out the forum guidelines!

Fri, 01/13/2006 - 04:24
LarsReimers
LarsReimers's picture

Yes we have a licencekey dated 2005-11-24

Fri, 01/13/2006 - 04:35
Joe
Joe's picture

Hey Lars,

I know you do. I was just trying to clarify some of the circumstances under which you'd need to <i>worry</i> about any kind of license problem errors. In your case, it is harmless, if a bit annoying.

--

Check out the forum guidelines!

Fri, 01/13/2006 - 04:47
LarsReimers
LarsReimers's picture

OK Joe!

I&Acirc;&acute;m just wondering, no problem, thank you!

Topic locked