
securing bind - the answer
Just for anybody that was following my thread on how to set up a server
that will allow only recursive lookups for itself and no other resolvers,
but answer queries for domains that it is authoritative for...

I managed to lock the server down fairly tightly by doing the following:

acl self { 204.145.119.48/32; };
options { 
	directory "/usr/local/named";
	allow-transfer { a.b.c.d; };
	recursion yes;
	pid-file "/usr/local/named/pid/named.pid";
	transfers-per-ns 4;
	transfers-in 16;
	notify yes;
	transfer-format many-answers;
	allow-query { self; };
};

This is great, but if you implement this, it allows your machine, and only
your machine, to make inquiries about domains, both recursive and those it
is responsible for.

In order to allow for the rest of the world to be able to ask the server
about domains that it's authoritative for, I had to add a line to each zone
statement:

zone "domain.com" { 
		type master; 
		file "forward/db.domain.com";
		allow-query { any; };
};
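The lesson of the two snippets above is that a global allow-query { self; } silences every zone that does not override it, so a zone you forget to give its own allow-query { any; } will be REFUSED to the world even though the server is master for it. The following is an added example, not the author's code: a small Python audit that walks a named.conf in the shape shown, works out the effective allow-query list per zone, and lists the zones the world cannot query. The sample configuration embedded in it is constructed for the example (the second zone, example.net, is a deliberately missing override); the brace-matching parser only handles the simple statement layout used here, not every named.conf construct.

```python
import re

# Constructed sample in the shape of the post's named.conf (not the author's real file).
# example.net has no allow-query of its own and therefore inherits the global "self".
SAMPLE_CONF = """
acl self { 204.145.119.48/32; };
options {
    directory "/usr/local/named";
    recursion yes;
    allow-query { self; };
};
zone "domain.com" {
    type master;
    file "forward/db.domain.com";
    allow-query { any; };
};
zone "example.net" {
    type master;
    file "forward/db.example.net";
};
"""


def _strip_comments(text):
    """Remove the three comment styles named.conf accepts before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return text


def _blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    text = _strip_comments(text)
    i, n = 0, len(text)
    while i < n:
        start = text.find("{", i)
        if start == -1:
            break
        # Drop the ';' left over from the previous statement.
        header = text[i:start].strip().lstrip(";").strip()
        depth, j = 0, start
        while j < n:  # find the brace that closes this statement
            if text[j] == "{":
                depth += 1
            elif text[j] == "}":
                depth -= 1
                if depth == 0:
                    break
            j += 1
        yield header, text[start + 1:j]
        i = j + 1


def _allow_query(body):
    """Return the allow-query address list in a block body, or None if absent."""
    m = re.search(r"allow-query\s*\{([^}]*)\}", body)
    if not m:
        return None
    return [t.strip() for t in m.group(1).split(";") if t.strip()]


def audit(conf):
    """Map each zone name to its effective allow-query list.

    A zone without its own allow-query inherits the global one from options,
    which in the post's setup means only "self" may ask about that zone.
    """
    global_aq, zones = None, {}
    for header, body in _blocks(conf):
        words = header.split()
        if not words:
            continue
        if words[0] == "options":
            global_aq = _allow_query(body)
        elif words[0] == "zone":
            zones[words[1].strip('"')] = _allow_query(body)
    return {name: (aq if aq is not None else global_aq) for name, aq in zones.items()}


def zones_hidden_from_world(conf):
    """Zones whose effective allow-query does not contain 'any'."""
    return sorted(name for name, aq in audit(conf).items()
                  if aq is None or "any" not in aq)


if __name__ == "__main__":
    for zone, aq in audit(SAMPLE_CONF).items():
        print(f"{zone}: allow-query {aq}")
    print("hidden from the world:", zones_hidden_from_world(SAMPLE_CONF))
```

Run it against your own file with `audit(open("/usr/local/named/named.conf").read())`; every master zone that shows up in `zones_hidden_from_world` is one that outside resolvers will get REFUSED for, exactly the symptom the post describes before the per-zone line was added.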
Once this was added, things started looking better. My server was
answering queries for domains it was listed as primary for, as well as
dumping recursive queries from machines that should be doing their own
lookups.
sandman:~# tcpdump -pn udp and port 53
tcpdump: listening on eth0
00:21:08.026792 203.135.3.85.1097 > 204.145.119.48.53: 25321 (28)
00:21:08.026792 204.145.119.48.53 > 203.135.3.85.1097: 25321 Refused 0/0/0 (28)
00:21:08.866771 194.170.31.33.53 > 204.145.119.48.53: 838 (28) (DF)
00:21:08.866771 204.145.119.48.53 > 194.170.31.33.53: 838 Refused 0/0/0 (28)
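Watching tcpdump by eye works for a two-packet check, but a capture from a busy server needs summarising: which clients are being refused, which are being answered, and, the case that signals a broken ACL, whether any client you meant to allow is among the refused ones. The following is an added example, not part of the original post: a Python summariser for tcpdump lines in the format quoted above. The capture embedded in it is constructed for the example (the two refused exchanges from the post plus an answered query from the server to itself), the server address 204.145.119.48 is taken from the post, and the regular expression only matches the old-style `src.port > dst.port:` DNS summary lines shown here.

```python
import re
from collections import Counter

SERVER = "204.145.119.48"  # the post's server address

# Constructed capture in the shape of the tcpdump output quoted in the post
# (wrapped "(28)" rejoined; a self-query that gets answered added for contrast).
SAMPLE_CAPTURE = """\
tcpdump: listening on eth0
00:21:08.026792 203.135.3.85.1097 > 204.145.119.48.53: 25321 (28)
00:21:08.026792 204.145.119.48.53 > 203.135.3.85.1097: 25321 Refused 0/0/0 (28)
00:21:08.866771 194.170.31.33.53 > 204.145.119.48.53: 838 (28) (DF)
00:21:08.866771 204.145.119.48.53 > 194.170.31.33.53: 838 Refused 0/0/0 (28)
00:21:09.100000 204.145.119.48.1034 > 204.145.119.48.53: 900 (30)
00:21:09.100500 204.145.119.48.53 > 204.145.119.48.1034: 900 1/2/2 (120)
"""

# timestamp  src.port > dst.port: query-id  rest-of-summary
LINE = re.compile(
    r"^\S+ (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (\d+)(.*)$"
)


def summarize(capture, server=SERVER):
    """Count the server's replies per client: (refused, answered) Counters.

    Only packets sent from the server's port 53 are looked at, because the
    reply is what tells us which way the allow-query decision went.
    """
    refused, answered = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # banner lines and anything not a DNS summary
        src, sport, dst, _dport, _qid, rest = m.groups()
        if src != server or sport != "53":
            continue
        if "Refused" in rest:
            refused[dst] += 1
        else:
            answered[dst] += 1
    return refused, answered


def misconfigured_refusals(capture, allowed, server=SERVER):
    """Clients that should be allowed (e.g. the members of acl self) but got REFUSED."""
    refused, _ = summarize(capture, server)
    return sorted(ip for ip in refused if ip in allowed)


if __name__ == "__main__":
    refused, answered = summarize(SAMPLE_CAPTURE)
    print("refused :", dict(refused))
    print("answered:", dict(answered))
    print("allowed clients being refused:", misconfigured_refusals(SAMPLE_CAPTURE, {SERVER}))
```

Feed it a saved capture with `summarize(open("dns.txt").read())`; a non-empty result from `misconfigured_refusals` with the addresses of your own acl means the global allow-query is rejecting a host it was meant to admit, while a long refused list of strangers is the intended behaviour the post was after.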