acl misunderstanding?

Mipam mipam at ibb.net
Wed Aug 4 14:27:51 UTC 2004


On Wed, 4 Aug 2004, Bill Larson wrote:

> I'm really not sure what you are trying to accomplish here with the 
> definition of your root/hints zone, but ...  (It looks like you are 
> trying to stop people from outside your network from getting the root 
> servers from your system.  But this won't stop it from serving "as dns 
> for the whole world".)
> 
> Take a look at the "Secure BIND Template" at 
> http://www.cymru.com/Documents/secure-bind-template.html.  I believe 
> that this will provide you with a very good starting point for 
> configuring a good name server.
> 
> On your firewall, be very careful with the configuration.  You may 
> easily cause problems here that have nothing to do with your DNS 
> server.  One point that I'm sure someone will tell you about is that 
> DNS isn't necessarily limited to just UDP, TCP can also be used for DNS 
> queries.  Trying to limit yourself to only UDP may cause definite 
> problems.  I would suggest also opening up TCP.  If you think that 
> TCP is only used for zone transfers and want to block these, you can 
> easily set up this blocking in the configuration and the "Secure BIND 
> Template" explains how.

Thanks, I've read the template and see now how to stop being a DNS for the 
masses. Indeed, TCP port 53 is also valid, but only for zone transfers and 
not for queries (or isn't this true??).

A second question would be: suppose I wish another server only as caching 
nameserver for internal clients. I could only allow my internal network 
for queries. However, wouldn't it be more logical to only listen on 
127.0.0.1 and ip_internal_nic so that named doesn't even listen on the 
outside interface?

Third question is: I noticed that in BIND 9 named-xfer is gone.
I guess I have to use dig instead? The thing is that I was able to specify 
the serial in named-xfer. The advantage of this was that "If the SOA RR we 
get from the primary server does not have a serial number higher than 
this, the transfer will be aborted."
Since dig doesn't have such functionality, a transfer is always done... 
:-(
Bye,

Mipam.
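As an added example (not from this thread and not part of BIND), a shell wrapper that gives dig the serial check Mipam misses from named-xfer: it queries the SOA first and only runs the AXFR when the primary's serial is ahead of the one held locally, using RFC 1982 serial arithmetic so a wrapped serial still counts as newer. The zone name, primary address and serials in the usage line are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from BIND: gives dig(1) the
# serial check that named-xfer had. Assumes BIND 9 dig on PATH; the zone,
# primary address and serial values used with it are hypothetical.
set -u

# RFC 1982 serial arithmetic: succeed when $2 is newer than $1 on the
# 32-bit circle, so a serial that wrapped past 4294967295 still counts
# as an increase, while an equal serial does not.
serial_newer() {
    local have=$1 seen=$2 diff
    [ "$have" -eq "$seen" ] && return 1
    diff=$(( (seen - have) & 0xFFFFFFFF ))
    # diff in (0, 2^31) means the primary is ahead of us, not behind.
    [ "$diff" -gt 0 ] && [ "$diff" -lt 2147483648 ]
}

# Ask the primary for the SOA only (no transfer yet) and print its serial;
# +short yields "mname rname serial refresh retry expire minimum".
remote_serial() {
    local zone=$1 primary=$2
    dig @"$primary" "$zone" SOA +short | awk 'NF >= 7 { print $3; exit }'
}

# Run the AXFR only when the primary's serial is ahead of the one we hold,
# mirroring named-xfer's abort. Exit 2 means "skipped, nothing newer".
conditional_axfr() {
    local zone=$1 primary=$2 have=$3 out=$4 seen
    seen=$(remote_serial "$zone" "$primary")
    if [ -z "$seen" ]; then
        echo "$zone: no SOA answer from $primary" >&2
        return 1
    fi
    if ! serial_newer "$have" "$seen"; then
        echo "$zone: primary serial $seen is not newer than $have, skipping" >&2
        return 2
    fi
    dig @"$primary" "$zone" AXFR > "$out"
}

# Usage with hypothetical values:
#   conditional_axfr example.test 192.0.2.1 2004080401 example.test.zone
```

The SOA query and the AXFR are two separate dig runs, so a refused or filtered TCP 53 only shows up at the transfer step, after the cheap UDP check has passed.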

