On 7/11/08, William L. Maltby <CentOS4Bill@xxxxxxxxxxxx> wrote:
<snip>
> Sshd is for incoming connections.
> You need to enable it on IPCop (using
> web interface is easiest). I also suggest using ssh keys instead of
> password *if* you want increased security. Paranoia level is the
> determining factor.

Paranoia level has me wanting to:

(a) Be able to dig +trace and verify that opendns.com is not in the loop;
    Preferably from both my Desktop and from the ipcop box
(b) Be using Authoritative DNS servers at all times, as dnscache does.
(c) Avoid DNS Cache poisoning, if possible. :-)
    <http://en.wikipedia.org/wiki/DNS_cache_poisoning>

> You should not need to fron the trace (dig or nslookup from the IPCop
> box.

I cannot dig +trace from my Desktop, as me or as root and I also
cannot dig +trace from the ipcop box as of this time.

> [wild-bill@centos501 ~]$ dig +trace smtp-server.triad.rr.com
> ; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
> ;; global options: printcmd
<snip results of Bill's dig +trace from his Desktop>

Here's what happens when I try that from my Desktop:

[lanny@dell2400 ~]$ dig +trace smtp-server.triad.rr.com

; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[lanny@dell2400 ~]$ su -
Password:
[root@dell2400 ~]# dig +trace smtp-server.triad.rr.com

; <<>> DiG 9.3.4-P1 <<>> +trace smtp-server.triad.rr.com
;; global options: printcmd
;; connection timed out; no servers could be reached
[root@dell2400 ~]#
<snip>

Here's what happened, when I tried dig +trace from the ipcop box:

After SSH into ipcop.homelan I can dig gmail.com but I cannot
dig +trace gmail.com as Scott Silva did on his IPCop box.

root@ipcop:~ # dig +trace gmail.com

; <<>> DiG 9.4.0 <<>> +trace gmail.com
;; global options: printcmd
;; connection timed out; no servers could be reached
root@ipcop:~ # dig gmail.com

; <<>> DiG 9.4.0 <<>> gmail.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26895
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;gmail.com.                     IN      A

;; ANSWER SECTION:
gmail.com.              55      IN      A       209.85.171.83
gmail.com.              55      IN      A       64.233.171.83
gmail.com.              55      IN      A       64.233.161.83

;; AUTHORITY SECTION:
gmail.com.              311436  IN      NS      ns1.google.com.
gmail.com.              311436  IN      NS      ns3.google.com.
gmail.com.              311436  IN      NS      ns2.google.com.
gmail.com.              311436  IN      NS      ns4.google.com.

;; ADDITIONAL SECTION:
ns4.google.com.         345468  IN      A       216.239.38.10
ns1.google.com.         345285  IN      A       216.239.32.10
ns2.google.com.         345383  IN      A       216.239.34.10
ns3.google.com.         341939  IN      A       216.239.36.10

;; Query time: 166 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Jul 11 06:18:17 2008
;; MSG SIZE  rcvd: 218

I need to get out of here now. Later, I will try this on our backup
IPCop box. I want to be able to ssh into the IPCop box, and make the
change Scott Silva suggested for the DNS Server, rather than using the
IPCop web interface / GUI, because I know that it is common for GUIs
not to work as advertised. If I screw up the backup IPCop box, I can
continue using the one we are now using and we will still be online
until I get this working the way I want it to. :-)

I have the Firewall running in my Desktop, which possibly is a factor here.

I greatly appreciate the time and help of everyone in this mailing list!