I always recommend the use of forwarders. The DNS system only works
because of all the caching; if everyone went to the root name servers
for every query, we'd flood the system. I always install bind,
bind-chroot & caching-nameserver.

I also change options to the following:

options {
       directory "/var/named";
       dump-file "/var/named/data/cache_dump.db";
       statistics-file "/var/named/data/named_stats.txt";
       forward only;
       forwarders { DNSIP1; DNSIP2; };
       allow-recursion { 127.0.0.1; };
       version "Smart Ass Remark";
};


Thanks,
Erik

On 2/4/07, Alexey Loukianov <[EMAIL PROTECTED]> wrote:
Eric "Shubes" wrote:
>> bind-chroot is excess (give a bit more security, but the setup is more
>> complicated).
>
> Apparently I missed something (again). What's there to set up? I just
> install it and it runs.
>

Back in the RHEL2 days it was required to do additional setup to get
Bind chrooted correctly. I'm not sure that installing bind-chroot will
do all the work required, but I haven't used it since those old times, though.

>> It is more important to add to /etc/named.conf the following:
>>
>> to the options { }; clause:
>>
>> options {
>>         allow-transfer{ none; };
>>         allow-notify { none; };
>>         allow-recursion { 127.0.0.0/8; your-subnet/mask; };
>>         version "Mind your own business!";
>> };
>
> What does this do? Is it needed if the toaster's behind a firewall? How
> important is it?

It restricts access to Bind to only the specified subnets (important),
refuses to allow IXFR zone transfers (not so important in the case of just a
caching nameserver, but it wouldn't hurt anyway), and prevents hackers
from querying the version of BIND you've got (very important).

> Someone (EE I think) on the list a while back recommending "forward first"
> and "forwarders" for caching options too.

It is just a matter of habit. A caching nameserver can do all the
recursion required to resolve a hostname by itself. But it can also use
DNS servers specified by the admin to do the resolving (forwarders). It is up to
the admin to decide which method to use.

--
Best regards,
Alexey Loukianov                          mailto:[EMAIL PROTECTED]
System Engineer,
IT Department,
Lavtech Corp.
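As an added example that is not part of any post in this thread: a small Python checker for the named.conf settings the two posts above discuss (a restricted allow-recursion list, allow-transfer and allow-notify set to none, a version string that does not reveal the real release, and forwarders present whenever "forward only" is used). The two named.conf fragments it inspects are constructed for illustration; the 192.0.2.0/24 addresses are documentation-range placeholders, not real forwarders. An absent allow-recursion statement is reported as a finding because BIND releases of that era (9.3 and earlier) defaulted to answering recursive queries from anyone.

```python
"""Audit the options {} clause of a BIND named.conf for the hardening
settings discussed in the thread. Added example, not from the mailing
list; both configs below are constructed for illustration."""
import re

# Constructed: a caching-only named.conf left at permissive defaults.
WEAK_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    version "9.3.3";
};
"""

# Constructed: the same server with the settings recommended in the thread.
# 192.0.2.0/24 is the RFC 5737 documentation range, standing in for
# "your-subnet/mask" and the real forwarder addresses.
HARDENED_CONF = """
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };   // placeholder subnet
options {
    directory "/var/named";
    forward only;
    forwarders { 192.0.2.53; 192.0.2.54; };
    allow-recursion { trusted; };
    allow-transfer { none; };
    allow-notify { none; };
    version "Mind your own business!";
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def options_clause(conf):
    """Return the body of the options { ... } clause, honouring nested braces."""
    text = strip_comments(conf)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]


def address_list(body, name):
    """Elements of an address-match-list statement such as
    `allow-recursion { a; b; };`, or None if the statement is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}\s*;" % re.escape(name), body)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def version_string(body):
    """Configured version string, "none" for `version none;`, None if absent."""
    m = re.search(r'\bversion\s+(?:"([^"]*)"|(none))\s*;', body)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else "none"


def audit(conf):
    """Return a list of findings; an empty list means all checks passed."""
    body = options_clause(conf)
    findings = []
    rec = address_list(body, "allow-recursion")
    if rec is None or any(e.lower() == "any" for e in rec):
        findings.append("allow-recursion unrestricted: open resolver for anyone reaching port 53")
    if [e.lower() for e in (address_list(body, "allow-transfer") or [])] != ["none"]:
        findings.append("allow-transfer is not { none; }: zone transfers permitted")
    # allow-notify only matters for secondary zones, but the thread recommends it.
    if [e.lower() for e in (address_list(body, "allow-notify") or [])] != ["none"]:
        findings.append("allow-notify is not { none; }")
    ver = version_string(body)
    if ver is None or re.match(r"\d+\.\d+", ver):
        findings.append("version string missing or reveals the real BIND release")
    if re.search(r"\bforward\s+only\s*;", body) and not address_list(body, "forwarders"):
        findings.append("'forward only' without forwarders: nothing can be resolved")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["ok"])
```

Run it against your own /etc/named.conf by reading the file into audit(); it only looks at the options clause, so a global acl used inside allow-recursion (as in the hardened sample) is accepted by name without being resolved.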

---------------------------------------------------------------------
     QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]