named.conf

M. Yu myu at websprinter.net
Fri Mar 16 14:34:59 UTC 2001




Hello all,

I just wish to run my named.conf by you guys and see if I understood the
docs correctly.  It is included here at the bottom.  Basically, here's the
situation: my server has two IPs on the same interface, 208.164.85.1 (DNS
server) and 64.110.177.129 (DHCP server).  I don't want anyone to transfer
any zone information (they are only done by secondary servers, right?  Other
servers need not transfer my zones?).  I only wish to allow certain servers
(indicated with the server tag) to be able to transfer the 64.110.177.128/28
RDNS zone.  I also wish to deny recursive queries except from my own IPs.
Keeping this in mind, I drafted the named.conf below; however, I see entries
in the log saying "denied query from [some.ip].53 for websprinter.net" if I
put in "allow-query  { 208.164.85.0/28; 64.110.177.128/25; };".  If I put in
"allow-query { any; };", everything seems to work OK.  I also perform DDNS
from ISC's DHCP server on the same machine, which gives out IPs via
64.110.177.129.  The problem is my ISP has delegated its RDNS to me even if
the block is a partial one.  I suspect they're acting as secondary server
and transferring zones from me (that's why I allow them to transfer zones,
but only for the 64.110.177.128/25 block).  I also see several of these in
my log files: "named[5149]: 64.110.177.hosts:52: data
"239.177.110.64.in-addr.arpa outside zone 128/25.177.110.64.in-addr.arpa
(ignored)".  I suspect this is caused by BIND refusing the DDNS from my DHCP
server.

Can anyone help me figure out these 2 problems?  Any comments on the
included named.conf would also be appreciated (is it secure enough, does it
make sense, are there redundancies, etc.).


TIA,

M. Yu


[named.conf]

server 216.226.222.62 {
        bogus no;
        support-ixfr no;
        transfer-format many-answers;
};

server 209.198.244.2 {
        bogus no;
        support-ixfr no;
        transfer-format many-answers;
};

server 209.198.248.226 {
        bogus no;
        support-ixfr no;
        transfer-format many-answers;
};

options {
        version "You gotta be kidding me!";
        directory "/var/named";
        notify no;
        recursion yes;
        rfc2308-type1 yes;
        treat-cr-as-space yes;
        allow-query  { 208.164.85.0/28; 64.110.177.128/25; };
        allow-transfer { none; };
        allow-recursion { 208.164.85.0/28; 64.110.177.128/25; };
        listen-on 53 { 208.164.85.1; };
        query-source address 208.164.85.1 port *;
        transfer-source 208.164.85.1;
        maintain-ixfr-base yes;
        statistics-interval 720;
        topology { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
        sortlist {
                { localhost; localnets; };
                { localnets; };
        };
};

logging {
        channel update_debug {
                file "/var/log/update-debug.log";
                severity        debug   3;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };
        channel security_info {
                file "/var/log/named-auth.info";
                severity        info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };
};

zone "." {
        type hint;
        file "named.root";
};

zone "128/25.177.110.64.in-addr.arpa" {
        type master;
        file "64.110.177.hosts";
        allow-update { 64.110.177.129; };
        allow-transfer { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
        also-notify { 216.226.222.62; 209.198.244.2; 209.198.248.226; };
};

zone "85.164.208.in-addr.arpa" {
        type master;
        file "208.164.85.hosts";
};

zone "websprinter.net" {
        type master;
        file "WEBSPRINTER.NET.hosts";
        allow-update { 64.110.177.129; };
};

[end]
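The two symptoms in the post can be reproduced offline with a small model of what BIND checks: the options-level allow-query ACL is evaluated against every query source (so a list containing only the poster's own prefixes blocks the outside world from the authoritative zones), and a dynamic update is accepted only when the owner name sits at or below the zone apex, which for an RFC 2317 classless zone like 128/25.177.110.64.in-addr.arpa means the PTR name must be 239.128/25.177.110.64.in-addr.arpa rather than the conventional 239.177.110.64.in-addr.arpa. This is an added Python example, not code from the post or from BIND; the prefixes and addresses are taken from the post, the outside query source 198.51.100.7 is constructed, and the ACL model covers only CIDR entries plus any/none.

```python
import ipaddress


def acl_allows(acl, source_ip):
    """Model a BIND address_match_list of CIDR prefixes plus 'any'/'none'.
    Entries are checked in order; the first match decides, default deny."""
    addr = ipaddress.ip_address(source_ip)
    for entry in acl:
        if entry == "any":
            return True
        if entry == "none":
            return False
        if addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def parse_classless_reverse_zone(zone):
    """Turn an RFC 2317 zone name such as '128/25.177.110.64.in-addr.arpa'
    into the IPv4 network it covers (64.110.177.128/25)."""
    labels = zone.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError("not an in-addr.arpa zone: %s" % zone)
    octets = labels[:-2]                      # ['128/25', '177', '110', '64']
    first, prefixlen = octets[0].split("/")   # low octet and prefix length
    net_octets = list(reversed(octets[1:])) + [first]
    return ipaddress.ip_network("%s/%s" % (".".join(net_octets), prefixlen))


def classless_ptr_name(ip, zone):
    """Owner name a DDNS client must update inside the classless zone."""
    net = parse_classless_reverse_zone(zone)
    addr = ipaddress.ip_address(ip)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (ip, net))
    return "%d.%s" % (addr.packed[3], zone)


def conventional_ptr_name(ip):
    """Owner name a DDNS client builds by default (lives in the parent zone)."""
    return ipaddress.ip_address(ip).reverse_pointer


def name_in_zone(name, zone):
    """True when 'name' is at or below the apex of 'zone' (label-wise);
    BIND logs 'outside zone' and ignores the data when this is False."""
    n = name.rstrip(".").lower().split(".")
    z = zone.rstrip(".").lower().split(".")
    return len(n) >= len(z) and n[-len(z):] == z
```

With the post's values, acl_allows(["208.164.85.0/28", "64.110.177.128/25"], "198.51.100.7") is False (the "denied query" lines), while name_in_zone(conventional_ptr_name("64.110.177.239"), "128/25.177.110.64.in-addr.arpa") is False and the classless_ptr_name form is True (the "outside zone" lines).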
