Hi,
I will just put here a simple example of how to configure a DNS server to:
- do recursive lookups only to localhost and internal network
- allow zone transfers only to configured secondaries
This, I think, is the minimum (and sufficient for most) security configuration
for a DNS server.
Zone transfers use TCP port 53.
In named.conf (/etc/named.conf):
(...)
// Define global secondary servers
acl secondaries {
    11.11.11.11;
    22.22.22.22;
};

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    // query-source address * port 53;
    recursion yes;
    allow-recursion { // Allow recursive queries only to these hosts/networks
        localhost;
        secondaries;
        10.0.0.0/8;
    };
    allow-transfer { // Default for zones, may be overridden in zone conf
        secondaries;
    };
    notify yes; // Default for zones, may be overridden in zone conf
                // Notify the respective secondaries (NS records) of zone changes
};

zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    notify yes; // Notify our secondaries (listed as NS records) of zone changes
    allow-update {
        none;
    };
    allow-transfer { // Allow zone transfer only to the secondaries specific to this zone
        server2;     // must be defined as an acl (like "secondaries" above), otherwise named refuses to load the config
        33.33.33.33;
    };
    also-notify {
        33.33.33.33; // Also notify secondaries that are not listed in this zone (without an NS record;
                     // not needed if listed with an NS record in this zone)
    };
};
(...)
----- Original Message -----
From: "Adrian von Bidder" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, July 26, 2007 9:42 AM
Subject: [time] DNS
> Could those with DNS expertise please take a quick look at 193.138.215.60
> (c.ntpns.org or zbasel.fortytwo.ch)? Since I noticed that some random
> people were using it as DNS server (outside of pool.ntp.org services), I'm
> now denying everything but service for the zones the server is
> authoritative for. ... and I just hope there's no mistake.
>
> I also deny zone transfers for pool.ntp.org now, except for 217.114.97.99
> (this is the only one who is close to one of the official nameservers, and
> it's regularly doing zone transfers. 217.114.97.98 is d.ntpns.org.) Zone
> transfers should really happen from 216.52.237.236, right?
_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
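As an added check for the two settings the reply above is about (this is example code written for this page, not part of the original mail or of BIND): a small Python audit that strips named.conf comments, walks the top-level blocks, and flags an options or zone block whose allow-recursion / allow-transfer is missing or contains "any". The named.conf text below is constructed for the example.

```python
import re
# Constructed sample in the style of the config above: one zone left open to AXFR from anyone.
SAMPLE_CONF = """
acl secondaries { 11.11.11.11; 22.22.22.22; };
options {
    recursion yes;
    allow-recursion { localhost; secondaries; 10.0.0.0/8; };
    allow-transfer { secondaries; };  // default for all zones
};
zone "example.com" { type master; allow-transfer { secondaries; 33.33.33.33; }; };
zone "open.example" { type master; allow-transfer { any; }; };  /* anyone can AXFR */
"""

def strip_comments(text):  # drop /* */, // and # comments so they cannot hide or fake directives
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def top_level_blocks(text):  # yield (header, body) for every 'header { ... };' at brace depth 0
    depth, start, header = 0, 0, ""
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header, start = text[:i].rsplit(";", 1)[-1].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, text[start:i]

def acl_entries(body, directive):  # address-match list of a directive in a block, None if absent
    m = re.search(r"\b%s\s*\{([^}]*)\}" % re.escape(directive), body)
    return None if m is None else [e.strip() for e in m.group(1).split(";") if e.strip()]

def audit_named_conf(conf):
    """List recursion / zone-transfer settings that are missing or open to 'any'."""
    findings = []
    for header, body in top_level_blocks(strip_comments(conf)):
        if header == "options":
            rec, xfr = acl_entries(body, "allow-recursion"), acl_entries(body, "allow-transfer")
            # recursion defaults to yes in BIND, so only an explicit 'recursion no' turns it off
            if not re.search(r"\brecursion\s+no\b", body) and (rec is None or "any" in rec):
                findings.append("options: recursion is not restricted to local clients")
            if xfr is None or "any" in xfr:
                findings.append("options: zone transfers are not restricted by default")
        elif header.startswith("zone"):
            name, xfr = header.split('"')[1], acl_entries(body, "allow-transfer")
            if xfr is not None and "any" in xfr:
                findings.append(f"zone {name}: allow-transfer {{ any; }}")
    return findings
```

Run it over /etc/named.conf after editing; an empty list means every block either inherits a restricted default or sets its own restricted list.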