Re: Hardening named.conf
On Wed, 28 Jan 2004, Dale Amon wrote:
> I've finally been annoyed enough by spammer hits on
> my DNS that I've pulled out the BOG for the first time
> in several years.
>
> What I'd like to accomplish is the following:
>
> * allow-query for a specific list of addresses
> to use the server for their dns resolution.
>
> * allow-query to the universe for zones
> (domains and subdomains) that are hosted
> as primary or secondary on the server but
> drop all other requests.
>
> * I already limit zone xfr's to specific
> machines.
>
> I'm not clear on how to do the first and second without
> them interfering with each other although I'm sure
> it can be done.
dont forget to harden the server itself ( lots of stuff ) ... :-)
and update/fix /etc/host.conf
http://burks.brighton.ac.uk/burks/linux/rute/node23.htm
c ya
alvin
>
> I am leaning towards an options allow-query with a
> an access list and adding allow-query to each zone
> to allow-query all if I can figure out how to do that.
>
> If some kind soul knows off the top of their head, it
> would save me the better part of an evening and perhaps
> wee hours of the morning.
>
#
#
# Example primary or secondary /etc/named/named.conf
# ---------------------------------------------------
# recreated from memory (off the top of my head), so double-check it
#
#
# To Check the Syntax
# --------------------
# named-checkconf named.conf
# named-checkzone your-domain.com named.your-domain
#
#
# Other Example Files
# -------------------
# http://Linux-Sec.net/DNS/
#
#
// acl "allowed_to_transfer" {
// { 10.1.1.0/8; 1.2.3.4 ; 2.4.6.8; };
// };
// (note: 10.1.1.0/8 has host bits set for a /8 -- 10.0.0.0/8 or 10.1.1.0/24
// is probably what is meant -- and the inner pair of braces is an
// unnecessary nested match list; acl "name" { a; b; }; is enough.)
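options {
    directory "/var/named";

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     *
     * Pinning the source port also gives up source-port
     * randomisation, which makes forged replies easier to land in
     * the cache; opening the ephemeral port range on the firewall
     * is the safer fix.
     */
    // query-source address * port 53;

    // Zone transfers: only the hosts/networks listed here may AXFR/IXFR.
    // A whole network is written as prefix/length -- "192.168.1." is not
    // a valid address-match element (named-checkconf rejects it on
    // BIND 9) -- so the LAN is given as 192.168.1.0/24.
    // A named acl (see allowed_to_transfer above) can be used instead:
    // allow-transfer { allowed_to_transfer; };
    allow-transfer { 1.2.3.4; 2.4.6.8; 192.168.1.0/24; };

    // Answer queries from anywhere. A per-zone allow-query overrides this
    // global setting, so the usual way to serve the hosted zones to the
    // world while only resolving for your own clients is to keep the
    // hosted zones at "allow-query { any; };" and restrict recursion to
    // your own address list (sample values taken from this file):
    // allow-recursion { 127.0.0.1; 192.168.1.0/24; };
    allow-query { any; };

    // Replaces the string returned for version.bind CH TXT queries so the
    // exact BIND release is not advertised.
    version "Go away!";
};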
//
// a caching only nameserver config
//
// rndc control channel: listen on the loopback address only, accept
// connections only from localhost, and require the "rndckey" key
// (expected to be defined by the /etc/rndc.key include further down).
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};
// Root hints: the list of root servers read from named.ca in the
// directory set in options.
zone "." IN {
    type hint;
    file "named.ca";
};
// Forward zone for localhost, served from named.local. No NOTIFY is sent
// (notify no) since nothing else needs this zone, and dynamic updates
// are refused (allow-update none).
zone "localhost" IN {
    type master;
    notify no;
    file "named.local";
    allow-update { none; };
};
// Reverse zone for 127.0.0.x, served from named.local.rev. Same policy
// as the localhost zone: no NOTIFY, dynamic updates refused.
zone "0.0.127.in-addr.arpa" IN {
    type master;
    notify no;
    file "named.local.rev";
    allow-update { none; };
};
// Pulls in the rndc key material referenced by the controls stanza above.
// Anyone who can read this file can drive the server through rndc, so it
// should be readable only by the user named runs as.
include "/etc/rndc.key";
//
// Local machine names
//
// Reverse zone for the 192.168.1.0/24 LAN, served from named.lan.rev.
// Private addresses, so no NOTIFY is sent and dynamic updates are refused.
zone "1.168.192.in-addr.arpa" IN {
    type master;
    notify no;
    file "named.lan.rev";
    allow-update { none; };
};
//
// Your Domain -- Primary DNS
// -------------
//
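// Reverse zone for your public address block (w.x.y.z written back to
// front), served as primary from named.your-domain.rev.
zone "z.y.x.w.in-addr.arpa" IN {
    type master;
    file "named.your-domain.rev";
    // The reverse zone is public: answer anyone, regardless of how
    // allow-query is restricted in options. (No-op while options still
    // says "any"; it is what keeps the zone reachable once the global
    // allow-query is tightened to your own clients.)
    allow-query { any; };
    allow-update { none; };
};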
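// Primary (master) for your public domain, served from named.your-domain.
zone "your-domain.com" IN {
    type master;
    file "named.your-domain";
    // The domain is public: answer anyone, regardless of how allow-query
    // is restricted in options. (No-op while options still says "any";
    // it is what keeps the zone reachable once the global allow-query is
    // tightened to your own clients.)
    allow-query { any; };
    // Dynamic updates refused; zone data changes only via the zone file.
    allow-update { none; };
};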
//
// Secondary DNS -- uncomment for Secondary DNS
// -------------
// (the secondary's own address must also be in the primary's
// allow-transfer list, or transfers from w.x.y.z will be refused)
//
//## zone "z.y.x.w.in-addr.arpa" IN {
//## type slave;
//## file "ZX/your-domain.rev.zx";
//## masters {
//## w.x.y.z;
//## };
//## };
//##
//## zone "your-domain.com" IN {
//## type slave;
//## file "ZX/your-domain.zx";
//## masters {
//## w.x.y.z;
//## };
//## };
//
// End of example primary named.conf