Security question, allow query to?

enrique at podernet.com.mx
Wed Feb 19 20:04:06 UTC 2003


On 18 Feb 2003, Reckhart wrote:

=>Hello
=>
=>I am about to harden our dns servers (bind 9.2.1) and they act
=>as primary and secondary server for many of our customers zones.
=>I have turned off zone-transfers so that only the slave can get zones
=>from the primary server.
=>
=>My question is, can I let only our customers query our nameservers
=>or do I have to leave them open for anyone to ask?
=>
=>I was thinking about other nameservers asking our server about domains
=>they are authoritative of.

=>They are running in recursive mode.

Here I would state a few considerations:

	1. All standard Name Servers are usually performing 2 activities:
		- Authoritative NS for registered domains of your company
		  and clients.
		- Resolver for your network clients

	2. If this is not the case and you have separated NS for each 
	   function then:
		+ Authoritative servers should:
		  - Accept queries from anyone
		  - Not accept recursive queries (they are authoritative only)
		  - Accept xfr queries only from slaves
		+ Resolve-only servers should:
		  - Accept queries only from your clients (or any one)
		  - Accept recursive queries only from net clients
		  - Not accept any xfer queries
		  
	3. Under this scheme remember that Authoritative Servers will not
	   be able to forward, so you can't put a zone delegated to your 
	   servers as a 'forward zone' to another NS. For this you need 
	   recursion.

	4. If the previous scenario is not yours, then a NS that performs
	   both functions should be set as follows:

		- Accept queries from anywhere
		- Accept recursive queries only from net clients
		  including NS which point to yours as forwarder
		- Accept xfer queries only from slaves

In common environments these are the recommended security standards.
Also remember that you have to set your slaves to accept notifies from your 
masters.

Hope this gives you a guideline.



-- 

-- 'You tread upon my patience' -- William Shakespeare, "Henry IV"

The river is within us, the sea is all about us.
===============================================================================
José Enrique Díaz Jolly				e-mail: enrique at podernet.com.mx
===============================================================================
@(#) $Id: signature.podernet,v 1.1 2003/01/21 23:45:50 ediaz Exp $
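An added configuration example (not part of the post above) showing how point 4 and the reminder about notifies map onto BIND 9.2 named.conf syntax; the ACL addresses (RFC 5737 documentation ranges) and the zone name are constructed placeholders.

```conf
// Added example, not from the original post: combined authoritative + resolver
// name server (point 4 above), BIND 9.2 syntax. Addresses are placeholders.

acl "clients" { 192.0.2.0/24; 198.51.100.0/24; 127.0.0.1; };  // your network clients
acl "slaves"  { 203.0.113.2; 203.0.113.3; };                   // your secondary NS
acl "primary" { 203.0.113.1; };                                // the master NS

// --- primary server (203.0.113.1) ---
options {
    directory "/var/named";

    // Anyone may ask about the zones you are authoritative for.
    allow-query     { any; };

    // Only your own clients (and NS that forward to you) get recursion.
    allow-recursion { clients; };

    // Zone transfers only to the secondaries; can be overridden per zone.
    allow-transfer  { slaves; };
};

// Weak setting, shown for contrast: without allow-recursion/allow-transfer
// restrictions every Internet host can use this box as an open recursive
// resolver and pull your zones with AXFR.
//   options { allow-query { any; }; allow-transfer { any; }; };  // do NOT do this

zone "example.com" {
    type master;
    file "master/example.com.zone";
    allow-transfer { slaves; };                 // AXFR/IXFR only to the slaves
    also-notify    { 203.0.113.2; 203.0.113.3; };
};

// --- secondary server (203.0.113.2), same options block, zone differs ---
zone "example.com" {
    type slave;
    file "slave/example.com.zone";
    masters      { 203.0.113.1; };
    allow-notify { primary; };                  // accept NOTIFY from the master only
};
```

In BIND 9.2 allow-query also governs answers from the cache, so a server that accepts queries from anywhere still answers non-recursive queries for names it has cached; the separate allow-query-cache option only arrived in 9.4, which is one reason the split authoritative/resolver design in point 2 is cleaner.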



More information about the bind-users mailing list