
Re: Hardening named.conf



Things don't seem to be working quite as expected. I have
something like this now:

 acl mydomain {
     localhost;
     192.168.0.0/24;
     10.1.1.0/24;
 };
 
There are many eth0:n and I tried it with each IP
specified individually, then added the localhost keyword
in addition.

 options {
     allow-recursion {
         mydomain;
     };
 };
 
This seems to do much of what I want... but I am 
seeing some things which are a bit dodgy. For instance,
if I run iptstate on the dns server and tell it to resolve
names, I get all the inverse lookups denied.

I now suspect at least some of the 10000 or so queries
I've blocked in the last couple hours are valid, but it
is hard to tell amidst the buzzing of the spammers on
the screen door...

I note that another person suggested this is the wrong
technique to use. Would that person say it was better
to do something like:


 options {
     allow-query {
         mydomain;
     };
 };

 zone .... {
     allow-query {
         any;
     };
 };

???

I have to be careful with experimentation because this
is not a toy machine. Not exceedingly busy, but still
a real server doing real serving.

A slightly different problem, which I just started
looking into more deeply, is that I have

 zone ..... {
     allow-transfer {
         dnsip1;
         dnsip2;
         myworkstation;
     };
 };

where the object is to allow my workstation to 
do host -a -l ... but it doesn't work. Says I
am not a primary or secondary. This is not quite
what I would expect since anyone can transfer if
there is no allow-transfer statement at all.

-- 
------------------------------------------------------
   Dale Amon     amon@islandone.org    +44-7802-188325
       International linux systems consultancy
     Hardware & software system design, security
    and networking, systems programming and Admin
	      "Have Laptop, Will Travel"
------------------------------------------------------
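As an added illustration (not code from the post or from BIND), the following Python model evaluates a client address against the ACLs quoted above the way BIND processes an address_match_list: elements in order, first match wins, a leading `!` negates, and an ACL name nests another list. `SERVER_ADDRS` is a constructed stand-in for the interface addresses that the built-in `localhost` ACL expands to, and the allow-transfer list with a negated element is constructed to show denial by negation.

```python
# Added model (not BIND's code) of how an address_match_list is evaluated:
# elements are tried in order, the first match decides, "!" negates, and an
# ACL name pulls in another list.  SERVER_ADDRS is a constructed stand-in
# for what the built-in "localhost" ACL expands to on the real server.
import ipaddress

SERVER_ADDRS = {"127.0.0.1", "192.168.0.1", "10.1.1.1"}  # constructed

# The post's ACL and options, plus allow-query's default of "any" and a
# constructed allow-transfer list with a negated element.
ACLS = {
    "mydomain": ["localhost", "192.168.0.0/24", "10.1.1.0/24"],
    "allow-recursion": ["mydomain"],
    "allow-query": ["any"],
    "allow-transfer": ["!192.168.0.66", "mydomain"],
}

def match(client, elements, acls=ACLS):
    """True = positive match, False = negated match, None = no match."""
    ip = ipaddress.ip_address(client)
    for elem in elements:
        negated = elem.startswith("!")
        name = elem.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":
            hit = False
        elif name == "localhost":
            hit = str(ip) in SERVER_ADDRS
        elif name in acls:                     # nested ACL referenced by name
            nested = match(client, acls[name], acls)
            if nested is None:
                continue                       # nested list had no opinion
            if nested is False:
                return False                   # model: nested negation denies
            hit = True
        else:
            hit = ip in ipaddress.ip_network(name, strict=False)
        if hit:
            return not negated
    return None

def allowed(client, directive):
    """Access-control reading: only a positive match grants access."""
    return match(client, ACLS[directive]) is True

if __name__ == "__main__":
    for c in ("127.0.0.1", "192.168.0.5", "192.168.0.66", "203.0.113.9"):
        print(c, {d: allowed(c, d)
                  for d in ("allow-query", "allow-recursion", "allow-transfer")})
```

Running it shows the effect the post describes: a client outside `mydomain` can still query (allow-query defaults to any) but is refused recursion, while the negated element denies the one workstation a transfer.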
