security

Daniel Voyer daniel.voyer at cgi.ca
Thu Oct 21 20:45:05 UTC 1999


You have two options.

First, on your firewall you can make a rule that permits only
"domain-udp"; a query is all anybody on the Internet needs in order to
reach your mail server or your web server.
You can make a special rule allowing domain-tcp and domain-udp only for
your secondary DNS; your secondary DNS needs to make a zone transfer if
your DNS crashes.

Second, up until BIND 4.9, domain administrators had no way to control
who could look up data on their name servers. That makes a certain
amount of sense; the original idea behind DNS was to make information
easily available all over the Internet.

But BIND 8's "allow-query" substatement allows you to place an IP
address-based access list on queries. The access list can apply to a
particular zone, or to any queries received by the server.
options {
        allow-query { address_match_list; };   # you can put your external secondary DNS there.
};

I recommend, if you can, putting both of these options in place.
You can also force all DNS servers to talk to you only with domain-tcp,
if you are paranoid.

D a n

P.S.: reference: DNS & BIND, 3rd Edition, chapter 10: Advanced Features
and Security, p. 250.


Shawn McPherson wrote:

> How do I prevent 'ls -d' lookups on a domain?
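
As an added illustration, not part of the original post or of Dan's
reply: a BIND 8 named.conf fragment that puts the "allow-query"
advice into practice, with the address list applied both as the
server-wide default and on one zone. The acl names, the zone
"example.com", and the addresses 198.51.100.5 (the external secondary)
and 192.0.2.0/24 (your own network) are placeholders. The fragment also
shows "allow-transfer", which the reply does not mention: it is BIND 8's
control over who may pull a whole zone, which is the AXFR that
nslookup's `ls -d` requests, and the secondary the reply describes needs
exactly that permission.

```conf
// Added example (not from the original post): BIND 8 named.conf fragment.
// All names and addresses are placeholders; substitute your own.

acl "secondaries" {
        198.51.100.5;           // external secondary name server (placeholder)
};

acl "internal" {
        192.0.2.0/24;           // your own network (placeholder)
        127.0.0.1;
};

options {
        directory "/var/named";

        // Server-wide default: only your own hosts and the secondary
        // may send queries; everything else is refused.
        allow-query { internal; secondaries; };

        // Server-wide default: no zone transfers to anyone unless a
        // zone statement says otherwise.
        allow-transfer { none; };
};

// A zone you are primary for. The rest of the Internet has to resolve
// names in it, so queries stay open here and override the default above,
// but only the listed secondary may transfer the whole zone.
zone "example.com" {
        type master;
        file "db.example.com";
        allow-query { any; };
        allow-transfer { secondaries; };
};
```

A zone-level allow-query or allow-transfer replaces the options-level
one for that zone, so the public zone can be opened for queries while
the server default stays closed; the predefined lists "any" and "none"
are built into BIND 8 and need no acl statement.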


