Re: Hardening named.conf
On Wed, 28 Jan 2004 23:20:26 +0100, Dale Amon <amon@vnl.com> wrote:
> What I'd like to accomplish is the following:
>
> * allow-query for a specific list of addresses
> to use the server for their dns resolution.
>
> * allow-query to the universe for zones
> (domains and subdomains) that are hosted
> as primary or secondary on the server but
> drop all other requests.
>
> * I already limit zone xfr's to specific
> machines.
See if this helps.
//
// Access control lists
//
acl "mynet" {
    10.0.0.0/24; localhost;     // my subnet
};

//
// global options
// allow-query here is the default for every zone that does not
// set its own allow-query; the external zone below overrides it.
//
options {
    auth-nxdomain no;           // default
    allow-query {
        mynet;                  // restrict query access
    };
    allow-recursion {
        mynet;                  // restrict recursive queries
    };
    allow-transfer {
        mynet;                  // restrict domain transfers
    };
};

//
// mynet.internal (master)
// Allow access from all private subnets (inherits the global allow-query)
//
zone "mynet.internal" {
    type master;
    file "master/fwd.internal_mynet";
    notify explicit;            // only notify certain servers
    also-notify {
        10.0.0.1;               // secondary server
    };
    allow-transfer {
        10.0.0.1;               // secondary server
        mynet;
    };
};

//
// mynet.external (master, static)
// Allow access from all, we are authoritative
//
zone "mynet.external" {
    type master;
    file "master/fwd.external_mynet";
    notify explicit;            // Only notify certain servers
    also-notify {
        192.168.0.1;            // secondary server
        192.168.0.2;            // secondary server
    };
    allow-query { any; };       // anyone may query this zone
    allow-transfer {
        192.168.0.1;            // secondary server
        192.168.0.2;            // secondary server
        mynet;
    };
};
Hope this helps.
--
Devin L. Ganger <devin@thecabal.org>
"Aikido is based around the central precept of letting an attack take
its natural course. You, of course, don't want to impede that natural
flow by being in its way." -- overheard on the PyraMOO
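The point of the config above is that the global allow-query is only a default and a zone-level allow-query replaces it. The following added audit script (not from the mail or from BIND) parses a named.conf fragment with a small brace/semicolon parser and reports the ACL that actually governs queries for each zone; the embedded sample is constructed in the shape of the config above, and "any" is assumed as BIND's default when no allow-query is set anywhere.

```python
import re

# Constructed sample in the shape of the mail's named.conf (same ACL and zone names).
SAMPLE = """
acl "mynet" { 10.0.0.0/24; localhost; };
options {
    allow-query { mynet; };     // global default for every zone
    allow-recursion { mynet; }; allow-transfer { mynet; };
};
zone "mynet.internal" { type master; file "master/fwd.internal_mynet";
    allow-transfer { 10.0.0.1; mynet; }; };
zone "mynet.external" { type master; file "master/fwd.external_mynet";
    allow-query { any; };       /* zone-level override: world-readable */
    allow-transfer { 192.168.0.1; 192.168.0.2; mynet; }; };
"""
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def strip_comments(text):
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */ blocks
    return re.sub(r"(//|#).*", "", text)                 # // and # to end of line

def parse(tokens, pos=0):
    """Parse '<words> [{ ... }];' statements into (words, body) pairs until '}' or EOF."""
    stmts = []
    while pos < len(tokens) and tokens[pos] != "}":
        words, body = [], None
        while tokens[pos] not in ";{":                  # assumes well-formed input
            words.append(tokens[pos].strip('"'))
            pos += 1
        if tokens[pos] == "{":
            body, pos = parse(tokens, pos + 1)
            pos += 1                                     # skip the closing '}'
        pos += 1                                         # skip the ';'
        stmts.append((words, body))
    return stmts, pos

def acl_of(stmts, name):
    """Members of the 'name { ...; };' clause inside stmts, or None if absent."""
    for words, body in stmts:
        if words and words[0] == name and body is not None:
            return [w[0] for w, _ in body]
    return None

def effective_allow_query(conf_text):
    """Map each zone to the ACL that actually governs its queries."""
    top, _ = parse(TOKEN.findall(strip_comments(conf_text)))
    options = next((b for w, b in top if w and w[0] == "options"), [])
    global_aq = acl_of(options, "allow-query")
    if global_aq is None:
        global_aq = ["any"]                              # assumed BIND default
    result = {}
    for words, body in top:
        if words and words[0] == "zone":
            zone_aq = acl_of(body, "allow-query")        # zone setting overrides global
            result[words[1]] = global_aq if zone_aq is None else zone_aq
    return result

def world_queryable(conf_text):
    """Zones whose effective allow-query contains 'any'."""
    return {z for z, acl in effective_allow_query(conf_text).items() if "any" in acl}
```

Run it against a real named.conf after edits to confirm only the zones you intend to serve publicly show up as world-queryable; named-checkconf validates syntax but does not report this.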