bind zone in BIND 9

Don Stokes don at daedalus.co.nz
Sat Nov 16 03:41:42 UTC 2002


"Cricket Liu" <cricket at menandmice.com> wrote:
["bind" domain not controlled by "options { allow-query { none; }; };"]
>> (a) Why?!?!?
>
>Probably because, unless you use views, BIND 9's default view is
>in the Internet class, and version.bind queries are in the CHAOSNET
>class.

I guess when I say "allow-query { none; };" I kinda expect it to mean
"don't allow any queries", rather than "don't allow any queries except
ones you think are kinda special".

I also would have thought that the default ought to be global -- it was
in BIND 8, and I think this is a retrograde step.  If you want views, go
ahead and configure 'em, but if you don't, don't.   

(I'm still happier with the idea of running separate processes for
caching forwarders and authoritative name servers, preferably in
separate chroot environments and under separate UIDs.  I don't see views
as adding a heck of a lot in the most common cases.)

>> (b) How can I stop it, short of defining a completely separate
>> "bind" zone and then denying access to it?  This seems messy to me.
>
>You could use the version options substatement.  (In BIND 9.3.0, you
>can use "version none" to tell the name server not to respond to version
>queries.) 

Does the "version none" statement disable all of the bind domain, or
just version.bind?  

> Or you could create a CHAOSNET view with a bind zone in it.

OK, this works:

options {
	...
};
// controls and other stuff goes here too

// A CHAOS-class view that matches every client but answers nothing.
// version.bind is a class-CH name, so it is only reachable through a
// view in that class; with no zones and allow-query { none; } the
// query gets no answer.
view "chaos" chaos {
	match-clients { any; };
	allow-query { none; };
};

// Once any view is declared, every zone must live inside a view, so
// the ordinary IN-class zones move under here.
view "internet" {
	zone "." {
		type hint;
		file "named.ca";
	};
	// other zone statements follow
};

Still, it's a bit of a departure from a "normal" configuration file, and
I still don't like it.

(And before anyone climbs into me about whether disabling BIND version
numbers hides vulnerabilities, I'm looking at this from a "don't enable
functionality you don't need" point of view, rather than "let's be
secure by pretending we're not vulnerable" one...)

-- don
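The check that goes with the configuration above, added here as an example and not part of the original post or of BIND itself: a POSIX sh helper that pulls the TXT answer for a CHAOS-class name out of dig's output, so that after the chaos view (or "version none") is in place you can confirm that version.bind, and any other name in the built-in bind domain you care about, no longer answers. The dig outputs embedded below are constructed samples, not captures from a real server; probe_server assumes dig is on the PATH and reachable from the host you run it on.

```shell
#!/bin/sh
# Constructed sample dig outputs (not captured from any real server).
# The first is what an exposed server returns, the second what the
# chaos view above produces.
SAMPLE_EXPOSED='; <<>> DiG 9.18.0 <<>> @127.0.0.1 version.bind chaos txt
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; QUESTION SECTION:
;version.bind.			CH	TXT

;; ANSWER SECTION:
version.bind.		0	CH	TXT	"9.18.0"
'
SAMPLE_REFUSED='; <<>> DiG 9.18.0 <<>> @127.0.0.1 version.bind chaos txt
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 23456
;; QUESTION SECTION:
;version.bind.			CH	TXT
'

# chaos_txt_from_dig NAME DIG_OUTPUT
# Prints the TXT record for NAME (class CH) found in DIG_OUTPUT and
# returns 0; if there is no such answer, prints the response status
# (REFUSED, NXDOMAIN, ...) and returns 1.
chaos_txt_from_dig() {
	name="${1%.}."
	printf '%s\n' "$2" | awk -v name="$name" '
		/status:/ {
			s = $0
			sub(/.*status: /, "", s)
			sub(/,.*/, "", s)
			status = s
		}
		$1 == name && $3 == "CH" && $4 == "TXT" {
			ans = $0
			sub(/^[^"]*"/, "", ans)   # drop everything up to the opening quote
			sub(/".*$/, "", ans)      # drop the closing quote and anything after
			found = 1
		}
		END {
			if (found) { print ans; exit 0 }
			print status; exit 1
		}'
}

# probe_server SERVER
# Queries the CHAOS-class names that BIND 9 serves from its built-in
# "bind" domain and reports which ones still answer. Assumes dig is
# installed; every line is either "NAME: exposed (value)" or
# "NAME: STATUS".
probe_server() {
	server="$1"
	for n in version.bind hostname.bind authors.bind; do
		out="$(dig @"$server" "$n" chaos txt 2>&1)"
		if val="$(chaos_txt_from_dig "$n" "$out")"; then
			printf '%s: exposed (%s)\n' "$n" "$val"
		else
			printf '%s: %s\n' "$n" "$val"
		fi
	done
}

# Usage: sh probe.sh 127.0.0.1
if [ -n "${1:-}" ]; then
	probe_server "$1"
fi
```

A server that still answers version.bind after the change either has the chaos view mis-scoped (match-clients not covering the client) or is a different named instance from the one whose config was edited; the helper makes that distinction visible without reading named.conf again.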
