Reply: Bind 8 hardening {Scanned}
holger.honert at signal-iduna.de
holger.honert at signal-iduna.de
Wed Dec 29 10:55:51 UTC 2004
Hello SW,
It seems you have forgotten to add an A and/or PTR record for the
nameservers 10.168.100.10 and 10.168.100.50.
Check this out and try again!
Kind Regards/Best Regards
Holger Honert
KOMN-97851
SIGNAL IDUNA Gruppe
Joseph-Scherer-Str. 3
44139 Dortmund
Phone: +49 231/135-4043
FAX: +49 231/135-2959
mailto: holger.honert at signal-iduna.de
"SW" <wppiphoto at wppi.com>
Sent by: bind-users-bounce at isc.org
29.12.2004 10:00
Please reply to "SW"
To: "Bind Usergroup" <bind-users at isc.org>
Cc:
Subject: Bind 8 hardening {Scanned}
Hi folks,
I'm in the process of setting up 2 DNS servers and after reading various
docs, I'm hoping someone can take a look at my /etc/named.conf's below and
tell me if I have everything I need to keep my servers safe from the various
bind exploits. The goal is to allow internal clients access and allow the
world to be able to resolve local domains (i.e. our website, mail, etc).
Anything else I want to block without breaking bind.
Master 100.168.100.10 /etc/named.conf:

acl internal { 192.168.100/24; 100.168.100/24; };
acl slaves { 100.168.100.50; };
options {
    directory "/hsphere/local/var/named";
    listen-on { 127.0.0.1; 100.168.100.10; };
    allow-transfer { 100.168.100.50; };
    allow-query { internal; };
    allow-recursion { internal; };
    recursion no;
    fetch-glue no;
    use-id-pool yes;
    version "NA";
    transfer-source 127.0.0.1;
    pid-file "/hsphere/local/var/named/named.pid";
};
Slave 100.168.100.50 /etc/named.conf:

acl internal { 192.168.100/24; 100.168.100/24; };
options {
    directory "/hsphere/local/var/named";
    listen-on { 127.0.0.1; 100.168.100.50; };
    allow-transfer { 100.168.100.10; };
    allow-query { internal; };
    allow-recursion { internal; };
    recursion no;
    fetch-glue no;
    use-id-pool yes;
    version "NA";
    transfer-source 127.0.0.1;
    pid-file "/hsphere/local/var/named/named.pid";
};
Also, whenever I do a nslookup mydomain.com from a local client, I get the
following error:

# nslookup yahoo.com
*** Can't find server name for address 100.168.100.10: Non-existent host/domain
*** Can't find server name for address 100.168.100.50: Query refused
*** Default servers are not available
Thanks,
SW
-------------------------------------------------
WPPi.com | WPPi.Net
-------------------------------------------------
http://www.wppi.com | http://www.wppi.net
-------------------------------------------------
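One way to check a pair of named.conf files for the problems raised in this thread, as an added example that is not part of the original post and not BIND's own tooling (BIND 8 has no named-checkconf). It embeds a constructed copy of the master config above, plus an assumed `zone "example.com"` statement the post omits, and a constructed hardened variant that keeps recursion for internal clients only while letting anyone resolve the authoritative zones, including the reverse zone where the PTR records for the nameservers would live. The zone names, file names and function names are assumptions.

```python
"""Sanity checks for a split-role BIND 8 named.conf (added example).
POSTED is a constructed copy of the master config from the post plus an
assumed zone statement; HARDENED is a constructed variant for the stated
goal: internal clients recurse, the world only resolves local zones."""
import re

POSTED = """
acl internal { 192.168.100/24; 100.168.100/24; };
acl slaves { 100.168.100.50; };
options {
    directory "/hsphere/local/var/named";
    listen-on { 127.0.0.1; 100.168.100.10; };
    allow-transfer { 100.168.100.50; };
    allow-query { internal; };
    allow-recursion { internal; };
    recursion no;
    fetch-glue no;
    use-id-pool yes;
    version "NA";
    transfer-source 127.0.0.1;
};
zone "example.com" { type master; file "example.com.zone"; };  // assumed zone
"""

HARDENED = """
acl internal { 192.168.100/24; 100.168.100/24; };
acl slaves { 100.168.100.50; };
options {
    directory "/hsphere/local/var/named";
    listen-on { 127.0.0.1; 100.168.100.10; };
    recursion yes;                  // recursive service exists ...
    allow-recursion { internal; };  // ... but only for internal clients
    allow-query { internal; };      // default: outsiders get nothing ...
    allow-transfer { slaves; };     // only the listed slave may pull zones
    fetch-glue no;
    use-id-pool yes;
    version "NA";
};
zone "example.com" {                // placeholder zone name (assumption)
    type master;
    file "example.com.zone";
    allow-query { any; };           // ... except authoritative data
};
zone "100.168.100.in-addr.arpa" {   // reverse zone holding the NS PTR records
    type master;
    file "100.168.100.rev";
    allow-query { any; };
};
"""


def top_level_blocks(text):
    """Yield (keyword, label, body) for each top-level `keyword [label] { ... };`."""
    text = re.sub(r"//[^\n]*|#[^\n]*", "", text)  # drop line comments
    pos = 0
    while True:
        m = re.search(r'(\w[\w-]*)\s*(?:"([^"]*)"|([\w.-]+))?\s*\{', text[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, end = 1, start
        while depth and end < len(text):  # hand-rolled brace matching
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            end += 1
        yield m.group(1), m.group(2) or m.group(3), text[start:end - 1]
        pos = end


def statement_arg(body, name):
    """Argument text of the statement `name ...;` inside body, or None if absent."""
    m = re.search(r"(?<![\w-])%s\s+([^;{]*(?:\{[^}]*\})?)\s*;" % re.escape(name), body)
    return m.group(1).strip() if m else None


def check_named_conf(text):
    """Return findings against the goal: internal recursion, public local zones,
    transfers only to the slave, and a transfer source that can actually reach a master."""
    findings, options, zones = [], "", []
    for keyword, label, body in top_level_blocks(text):
        if keyword == "options":
            options = body
        elif keyword == "zone":
            zones.append((label, body))
    if statement_arg(options, "recursion") == "no" and statement_arg(options, "allow-recursion"):
        findings.append("recursion is off, so allow-recursion grants nothing and "
                        "internal clients cannot resolve outside names")
    global_query = statement_arg(options, "allow-query")
    if global_query and "any" not in global_query:
        for name, body in zones:
            if statement_arg(body, "type") in ("master", "slave") and not statement_arg(body, "allow-query"):
                findings.append('zone "%s" inherits the restricted global allow-query, '
                                "so the world cannot resolve it" % name)
    if not statement_arg(options, "allow-transfer"):
        findings.append("no allow-transfer, so any host may pull whole zones")
    if (statement_arg(options, "transfer-source") or "").startswith("127."):
        findings.append("transfer-source is loopback, so this host cannot pull zones from a master")
    return findings


if __name__ == "__main__":
    for label, conf in (("posted", POSTED), ("hardened", HARDENED)):
        print(label, check_named_conf(conf) or "no findings")
```

Running it reports three findings for the posted layout (recursion disabled while allow-recursion is set, the assumed zone inheriting the internal-only allow-query, and a loopback transfer-source) and none for the hardened one. The hardened variant relies on a per-zone allow-query overriding the global one, which is how BIND 8 scopes that statement; the checker only inspects the statements named above, so a clean result is not a full audit.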