Troubleshooting Information

Bob McDonald bmcdonaldjr at gmail.com
Wed Aug 26 10:28:20 UTC 2015 

That's brilliant! Thanks.

I'd still include the hint zone (as I'm partial to not having unnecessary
warnings on startup).

Also a lot of folks use localhost and/or localnets in DNS configuration.
Just from a security standpoint, I prefer to be more specific. localhost
and/or localnets can be much more template friendly, I know.

However, your suggestion changes my response for excluded addresses from
SERVFAIL to REFUSED. Much better.

Cheers!

On Wed, Aug 26, 2015 at 5:02 AM, Tony Finch <dot at dotat.at> wrote:

> Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>
> > To further lock this information down I would suggest adding the
> > following view statements to any internet facing DNS device
> configuration:
> >
> > view "outsiders" chaos {
> >         match-clients { !127.0.0.1; !your-inside--nets; any; };
> >         allow-query { none; };
> > # we need a zone within a view and Bind complains on startup if there is
> no hint file in classes
> > #  other than internet. (it is provided with the software for the
> internet class)
> >         zone "." chaos {
> >                 type hint;
> >                 file "/dev/null";  // or any empty file
> >         };
> >
> > };
>
> Another way is to use BIND's syntax for explicitly configuring the special
> server information zones, like below. This view handles all queries for
> the chaos class, and rejects queries from nonlocal clients.
>
>   view bind chaos {
>     recursion no;
>     allow-query { localhost; localnets; };
>     zone  authors.bind ch { type master; database "_builtin authors";  };
>     zone hostname.bind ch { type master; database "_builtin hostname"; };
>     zone  version.bind ch { type master; database "_builtin version";  };
>     zone     id.server ch { type master; database "_builtin id";       };
>   };
>
> Tony.
> --
> f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
> Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
> moderate, but rough in southwest Viking. Showers later. Good, occasionally
> poor later.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150826/d275aaca/attachment.html>

More information about the bind-users mailing list