I always recommend the use of forwarders. The DNS system only works because of all the caching; if everyone went to the root name servers for every query, we'd flood the system. I always install bind, bind-chroot & caching-nameserver.
I also change options to the following:

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    forward only;
    forwarders { DNSIP1; DNSIP2; };
    allow-recursion { 127.0.0.1; };
    version "Smart Ass Remark";
};

Thanks,
Erik

On 2/4/07, Alexey Loukianov <[EMAIL PROTECTED]> wrote:
Eric "Shubes" wrote:
>> bind-chroot is excess (give a bit more security, but the setup is more
>> complicated).
>
> Apparently I missed something (again). What's there to set up? I just
> install it and it runs.
>
Back in the times of RHEL2 it was required to do additional setup to get Bind chrooted correctly. I'm not sure that installing bind-chroot will do all the work required, but I haven't used it since those old times though.

>> It is more important to add to /etc/named.conf the following:
>>
>> to the options { }; clause:
>>
>> options {
>>     allow-transfer { none; };
>>     allow-notify { none; };
>>     allow-recursion { 127.0.0.0/8; your-subnet/mask; };
>>     version "Mind your own business!";
>> };
>
> What does this do? Is it needed if the toaster's behind a firewall? How
> important is it?
It restricts access to Bind only to the specified subnets (important), refuses to allow IXFR zone transfers (not so important in the case of just a caching nameserver, but it wouldn't hurt anyway), and prevents hackers from querying the version of the Bind you've got (very important).

> Someone (EE I think) on the list a while back recommending "forward first"
> and "forwarders" for caching options too.
It is just a matter of habit. A caching nameserver can do all the recursion required to resolve a hostname by itself. But it can also use DNS servers specified by the admin to do the resolving (forwarders). It is up to the admin to decide which method to use.

--
Best regards,
Alexey Loukianov mailto:[EMAIL PROTECTED]
System Engineer, IT Department, Lavtech Corp.

---------------------------------------------------------------------
QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
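An added example that is not code from this list thread or from the BIND project: a small Python audit that reads the options { } block of a named.conf and checks for the settings the thread argues about (allow-recursion limited to known subnets rather than "any", allow-transfer set to none, a version string that hides the real release, and forwarders actually listed when "forward only" is set). Both named.conf samples inside the script are constructed for illustration; the forwarder addresses are RFC 5737 documentation IPs standing in for the DNSIP1/DNSIP2 placeholders above, and the severity labels are my own grading, with missing allow-transfer rated low because a caching-only server has no zones to hand out.

```python
"""Audit a BIND named.conf options block for the hardening settings
discussed in the thread: restricted recursion, no zone transfers,
hidden version string, and forwarders present when 'forward only' is set.

Added example, not code from the QmailToaster list or the BIND project.
Both configurations below are constructed samples; the forwarder
addresses are RFC 5737 documentation IPs in place of DNSIP1/DNSIP2."""
import re

# Constructed: roughly Erik's options block, with Alexey's version string.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    forward only;
    forwarders { 192.0.2.1; 192.0.2.2; };   // placeholders for DNSIP1; DNSIP2
    allow-recursion { 127.0.0.1; };
    version "Mind your own business!";
};
"""

# Constructed: an open resolver that also answers version and transfer requests.
OPEN_RESOLVER_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    allow-transfer { any; };
};

zone "." IN { type hint; file "named.ca"; };
"""

# One statement: name, then either a { list; } or a scalar, then ';'.
STMT_RE = re.compile(
    r'\s*([\w-]+)\s*(?:\{([^}]*)\}|("(?:[^"\\]|\\.)*"|[^;{]*?))\s*;', re.S)


def strip_comments(text):
    """Remove /* */, // and # comments so they cannot hide or fake a setting."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def extract_options_block(text):
    """Return the text inside options { ... }, matching braces so that
    zone blocks after it are not swallowed. None if there is no options block."""
    text = strip_comments(text)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return None
    depth = 0
    for i in range(start.end() - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start.end():i]
    return None


def parse_options(text):
    """Map statement name -> list of tokens (for { } lists) or string (scalars)."""
    block = extract_options_block(text)
    if block is None:
        return {}
    opts = {}
    for m in STMT_RE.finditer(block):
        name, braced, scalar = m.groups()
        if braced is not None:
            opts[name] = [t.strip() for t in braced.split(";") if t.strip()]
        else:
            opts[name] = scalar.strip().strip('"')
    return opts


def audit_options(opts):
    """Return (severity, message) findings; an empty list passes the checklist."""
    findings = []
    rec = opts.get("allow-recursion")
    if rec is None or "any" in rec or "0.0.0.0/0" in rec:
        findings.append(("high", "allow-recursion is unrestricted: open resolver"))
    if opts.get("allow-transfer") != ["none"]:
        findings.append(("low", "allow-transfer is not { none; }"))
    if opts.get("version") is None:
        findings.append(("high", "version not overridden: real BIND release is exposed"))
    if opts.get("forward") == "only" and not opts.get("forwarders"):
        findings.append(("high", "forward only set but no forwarders listed"))
    return findings


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_NAMED_CONF), ("open", OPEN_RESOLVER_CONF)):
        print(label)
        for sev, msg in audit_options(parse_options(conf)):
            print(f"  [{sev}] {msg}")
```

Run it against a real /etc/named.conf by reading the file into parse_options(); the brace matcher only looks at the first options block, so an include'd options file must be passed in directly.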