Bind 8 hardening {Scanned}
SW
wppiphoto at wppi.com
Wed Dec 29 09:00:43 UTC 2004
Hi folks,
I'm in the process of setting up two DNS servers and, after reading various
docs, I'm hoping someone can take a look at my /etc/named.conf's below and
tell me if I have everything I need to keep my servers safe from the various
BIND exploits. The goal is to allow internal clients access and allow the
world to be able to resolve local domains (i.e. our website, mail, etc.).
Anything else I want to block without breaking BIND.
Master 100.168.100.10 /etc/named.conf:

acl internal { 192.168.100/24; 100.168.100/24; };
acl slaves { 100.168.100.50; };

options {
    directory "/hsphere/local/var/named";
    listen-on { 127.0.0.1; 100.168.100.10; };
    allow-transfer { 100.168.100.50; };
    allow-query { internal; };
    allow-recursion { internal; };
    recursion no;
    fetch-glue no;
    use-id-pool yes;
    version "NA";
    transfer-source 127.0.0.1;
    pid-file "/hsphere/local/var/named/named.pid";
};
Slave 100.168.100.50 /etc/named.conf:

acl internal { 192.168.100/24; 100.168.100/24; };

options {
    directory "/hsphere/local/var/named";
    listen-on { 127.0.0.1; 100.168.100.50; };
    allow-transfer { 100.168.100.10; };
    allow-query { internal; };
    allow-recursion { internal; };
    recursion no;
    fetch-glue no;
    use-id-pool yes;
    version "NA";
    transfer-source 127.0.0.1;
    pid-file "/hsphere/local/var/named/named.pid";
};
Also, whenever I do an nslookup mydomain.com from a local client, I get the
following error:

# nslookup yahoo.com
*** Can't find server name for address 100.168.100.10: Non-existent
host/domain
*** Can't find server name for address 100.168.100.50: Query refused
*** Default servers are not available
Thanks,
SW
-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
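Added example, not part of the original post and not a reply from the list: a BIND 8 master named.conf that expresses the goal stated above (the world may resolve the zones the server is authoritative for, only internal clients may use it as a recursive resolver). Three points of the posted configuration are changed and the reasons are in the comments: `recursion no` disables recursion for everyone, so `allow-recursion { internal; }` has no effect and internal clients cannot resolve outside names through these servers; a global `allow-query { internal; }` also hides the local zones from the world, which per-zone `allow-query { any; }` overrides for the authoritative data only; and `transfer-source 127.0.0.1` makes outbound refresh queries and transfer requests leave from loopback, which the peer can never see. The ACLs, addresses and directory are taken from the post; the zone names, zone file names and the `named.root` hints file are placeholders.

```conf
// Added example (not the original poster's configuration): BIND 8 master
// at 100.168.100.10. Zone names and file names below are placeholders.

acl internal { 192.168.100/24; 100.168.100/24; };
acl slaves   { 100.168.100.50; };

options {
    directory "/hsphere/local/var/named";
    pid-file  "/hsphere/local/var/named/named.pid";
    listen-on { 127.0.0.1; 100.168.100.10; };

    // Default for anything not overridden in a zone statement: only
    // internal clients may query, and only they may have us recurse.
    // Recursion has to be on, otherwise allow-recursion is meaningless
    // and internal clients cannot resolve Internet names through us.
    allow-query     { internal; };
    recursion       yes;
    allow-recursion { internal; };

    // Only the slave may pull zones; everyone else gets REFUSED on AXFR.
    allow-transfer { slaves; };

    // Source address for our own outbound refresh/transfer traffic.
    // It must be reachable by the peer; 127.0.0.1 never leaves the host.
    transfer-source 100.168.100.10;

    fetch-glue  no;        // do not fetch missing glue for referrals
    use-id-pool yes;       // random query IDs instead of sequential ones
    version     "NA";      // hide the BIND version from version.bind queries
};

// Root hints are required once the server recurses for internal clients.
zone "." {
    type hint;
    file "named.root";     // placeholder: the root hints file
};

// Authoritative data: the per-zone allow-query overrides the global one,
// so the whole world may resolve these names (and only these).
zone "example.com" {                     // placeholder zone
    type master;
    file "master/example.com.zone";      // placeholder file
    allow-query { any; };
};

zone "100.168.100.in-addr.arpa" {        // reverse zone for 100.168.100/24
    type master;
    file "master/100.168.100.rev";       // placeholder file
    allow-query { any; };
};

zone "0.0.127.in-addr.arpa" {            // loopback reverse, internal only
    type master;
    file "master/127.0.0.rev";           // placeholder file
};
```

The slave at 100.168.100.50 uses the same options block with `listen-on { 127.0.0.1; 100.168.100.50; }`, `transfer-source 100.168.100.50;` and `allow-transfer { none; };` (assuming nothing downstream pulls zones from it), and each authoritative zone becomes `type slave;` with `masters { 100.168.100.10; };` and the same `allow-query { any; };`. After editing, `named-checkconf` (BIND 9) or simply restarting named and reading syslog catches syntax errors, and a lookup of an outside name from an internal client plus a lookup of the local zone from an outside address are the two checks that confirm the split behaves as intended.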