Troubleshooting Information
Bob McDonald
bmcdonaldjr at gmail.com
Wed Aug 26 10:28:20 UTC 2015
That's brilliant! Thanks.
I'd still include the hint zone (as I'm partial to not having unnecessary
warnings on startup).
Also a lot of folks use localhost and/or localnets in DNS configuration.
Just from a security standpoint, I prefer to be more specific. localhost
and/or localnets can be much more template friendly, I know.
However, your suggestion changes my response for excluded addresses from
SERVFAIL to REFUSED. Much better.
Cheers!
On Wed, Aug 26, 2015 at 5:02 AM, Tony Finch <dot at dotat.at> wrote:
> Bob McDonald <bmcdonaldjr at gmail.com> wrote:
>
> > To further lock this information down I would suggest adding the
> > following view statements to any internet facing DNS device
> configuration:
> >
> > view "outsiders" chaos {
> > match-clients { !127.0.0.1; !your-inside--nets; any; };
> > allow-query { none; };
> > # we need a zone within a view and Bind complains on startup if there is
> no hint file in classes
> > # other than internet. (it is provided with the software for the
> internet class)
> > zone "." chaos {
> > type hint;
> > file "/dev/null"; // or any empty file
> > };
> >
> > };
>
> Another way is to use BIND's syntax for explicitly configuring the special
> server information zones, like below. This view handles all queries for
> the chaos class, and rejects queries from nonlocal clients.
>
> view bind chaos {
> recursion no;
> allow-query { localhost; localnets; };
> zone authors.bind ch { type master; database "_builtin authors"; };
> zone hostname.bind ch { type master; database "_builtin hostname"; };
> zone version.bind ch { type master; database "_builtin version"; };
> zone id.server ch { type master; database "_builtin id"; };
> };
>
> Tony.
> --
> f.anthony.n.finch <dot at dotat.at> http://dotat.at/
> Viking, North Utsire: Easterly 4 or 5, increasing 6 at times. Slight or
> moderate, but rough in southwest Viking. Showers later. Good, occasionally
> poor later.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20150826/d275aaca/attachment.html>
More information about the bind-users
mailing list